It's time to
Render Your Vision.

RVC logo

Render Visions
Consulting

Are Online Privacy Policies Required by Law?

Image by: Brian Turner

When I initially got involved with designing websites, I remember being unclear about whether online privacy policies are required by law for the average website and blog operator. When I researched the issue, I quickly realized the answer is not a simple one. The short answer is: it depends. The longer, more complete answer is contingent on whether we are talking about federal law or state law. At the federal level, it depends on the age of the website-visitor. At the state level, it depends on which state the site-visitor resides in. The goal of this article is to provide clarity on this issue at both levels.

Federal Level

[Update: May 2011] In April 2011, U.S. Senators John Kerry and John McCain introduced ”The Commercial Privacy Bill of Rights Act of 2011.” This bill empowers the Federal Trade Commission to establish rules that require collectors of PII to provide, among other things, notice to individuals on PII collection practices and the purpose for such collection. Previously, the FTC only recommended this type of notice and took action only when companies violated their own policies. Now, explicit notice will be required by federal law. Here is a link to a press release summarizing the key aspects of the Commercial Privacy Bill of Rights. If you would like to track the status of this bill in Congress, use the links in the text box below.


To be clear, there are numerous bills pending in Congress that address online privacy, and full disclosure tends to be a common element. Just take a look at a recap compiled by InsidePrivacy.com. It’s an excellent summary of  privacy and data security-related bills proposed at the federal level so far in 2011. Bottom line, it seems imminent that federal law will soon require all collectors of PII to maintain an accessible privacy policy.

The Federal Trade Commission (FTC), an independent agency of the United States government, was established in 1914 through the Federal Trade Commission Act.

The Federal Trade Commission Act, 15 U.S.C. § 41, et seq., empowers the FTC to prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce. Pursuant to this mandate, the FTC can take action against companies that fail to comply with their own privacy policies or otherwise misrepresent their information management practices. The FTC also can address unfair misuse of personal information where the practice (a) inflicts substantial harm on consumers that they cannot reasonably avoid and (b) does not offer offsetting benefits to consumers or competition. (Source: FTC website: http://www.ftc.gov/speeches/swindle/perspectivesonprivacy.shtm)

It’s interesting to consider that when Woodrow Wilson (28th President of the United States) persuaded congress to pass the Federal Trade Commission Act, he had no clue that a century or so later it would play a key role in battling cybercrimes like fraudulent spam, spyware, and phishing in a virtual world called the Internet. While technology has evolved dramatically since Wilson’s administration, the core mission of the FTC remains the same: protect the consumer.

Examples of FTC Cases: Companies that Violated Their Own Privacy Policy

Here are some examples of cases in which the FTC has taken action against businesses that violated their own privacy policy (in addition to other violations in some instances):

News Release: 06/24/2010 – Twitter Settles Charges that it Failed to Protect Consumers’ Personal Information; Company Will Establish Independently Audited Information Security Program (Source: FTC website: http://www.ftc.gov/opa/2010/06/twitter.shtm)

News Release: March 4, 2008 – Student Lender Settles FTC Charges That It Failed to Safeguard Sensitive Consumer Information and Misrepresented Its Security Practices (Source: FTC website: http://www.ftc.gov/opa/2008/03/studlend.shtm)

News Release: January 17, 2008 – Online Apparel Retailer Settles FTC Charges That It Failed to Safeguard Consumers’ Sensitive Information, in Violation of Federal Law. Credit Card Numbers, Expiration Dates and Security Codes of Thousands of Consumers Compromised (Source: FTC website: http://www.ftc.gov/opa/2008/01/lig.shtm)

Other Federal Laws Regarding Information Privacy

As previously mentioned, under federal law, online businesses that collect personal information from children under the age of 13 are required to have a privacy policy. The federal law at work here is the Children’s Online Privacy Protection Act or COPPA (for details on COPPA go to the FTC website at http://www.ftc.gov/privacy/privacyinitiatives/childrens.html). The purpose is to give parents control over information collected from their children online and how that information is used.

While the Federal Trade Act and the Children’s Online Privacy Act are the two key federal laws that deal with online privacy policies, there are other federal laws that also deal with consumer personal information and privacy protection:

  • The Gramm-Leach-Bliley Act protects consumers’ personal financial information held by financial institutions.
  • The Fair Credit Reporting Act protects the privacy and accuracy of consumer credit history reporting handled by credit bureaus.
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the privacy of individually identifiable health information.

The type of privacy policy focused on in this series of articles deals specifically with personally-identifiable information (PII) collected online by website operators.

Website operators based in the United States that also do business outside the country have a heightened responsibility for maintaining compliance with online privacy laws. That’s because there are significant differences between U.S. privacy laws and those of some other countries. While the topic of international agreements is outside the scope of this article, multinational companies and domestic website operators do have at least one thing in common when it comes to information privacy – they are challenged with complying with more than one authority. At a minimum, domestic website operators must comply with federal law as well as multiple state privacy laws. And depending on the type of consumer information collected, they may also be bound by industry standards such as PCI DSS (Payment Card Industry Data Security Standards).

Due to the ever-increasing problem of identity theft and the explosive growth of internet fraud and mishandled sensitive information in recent years, many states are enacting their own laws for how website operators must handle the personal information of their residents. Some states have established requirements that go far beyond federal mandates. From a website operator’s perspective, that’s a problem.

State Laws and Online Privacy Policies

This is where things can get messy for the average website owner. As legal requirements evolve, website operators that collect personally-identifiable information may need to make changes to their internal procedures as well as their online privacy statement. Hence, website operators need to stay on top of privacy regulations and periodically review their own privacy policies to ensure compliance. For busy entrepreneurs, this can be a real challenge. Just imagine trying to keep up with legislation in this area for all 50 states.

While sound data privacy and security practices should be in place to begin with, one solution for online entrepreneurs is to develop a policy that meets the requirements of the states with the toughest standards. This will ensure compliance nation wide.

The following list is intended to provide a basic understanding of the evolving nature of privacy laws at the state level (as of September 2010) as they relate to website operators across America. States are listed based on effective dates of legislation – oldest to most recent. Excerpts came from each state’s official website as indicated by source links.

Keep in mind that these laws apply to commercial entities and individuals doing business in the respective state. This includes website and blog operators that collect personally-identifiable information regardless of where the website or blog is based.

Pennsylvania – (Effective 2004) Pennsylvania law makes it an offense if, in the course of business, a person:

…knowingly makes a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public. (Source: PA General Assembly website, http://www.legis.state.pa.us/WU01/LI/LI/CT/HTM/18/00.041.007.000..HTM)

Utah – (Effective January 1, 2004) Utah has very specific requirements for commercial entities that collect personal information about Utah residents with intent to sell it. The Notice of Intent to Sell Nonpublic Personal Information Act stipulates that notice shall be sufficiently conspicuous so that a reasonable person would perceive the notice before providing the nonpublic personal information. (Source: http://www.le.state.ut.us/~2003/bills/hbillenr/hb0040.pdf and http://le.utah.gov/~code/TITLE13/13_37.htm)

Enacted in 2006, Utah’s Protection of Personal Information Act applies to “any person who conducts business in the state and maintains personal information”. The law prohibits unlawful use of personal information and specifies that personal information not retained must be properly destroyed or erased. (Source: Utah Code, Title 13: Commerce and Trade, Chapter 44: Protection of Personal Information Act, Section 201: Protection of Personal Information. Enacted by Chapter 343, 2006 General Session; http://le.utah.gov/~code/TITLE13/htm/13_44_020100.htm)

California – (Effective July 1, 2004) Online Privacy Protection Act of 2003 – Business and Professions Code sections 22575-22579. This law requires operators of commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site and to comply with its policy. The privacy policy must, among other things, identify the categories of personally identifiable information collected about site visitors and the categories of third parties with whom the operator may share the information. An operator is in violation for failure to post a policy within 30 days of being notified of noncompliance, or if the operator either knowingly and willfully or negligently and materially fails to comply with the provisions of its policy. (Source: ca.gov, http://www.privacyprotection.ca.gov/privacy_laws.htm#six)

Connecticut – (Effective October 1, 2008) Connecticut’s privacy policy requirements apply when Social Security numbers are involved. Hence, the name: An Act Concerning the Confidentiality of  Social Security Numbers. The law requires all personal information to be safeguarded by individuals and businesses but the need for a published privacy policy exists only when Social Security numbers are collected. An excerpt:

Any person who collects Social Security numbers in the course of business shall create a privacy protection policy which shall be published or publicly displayed. (Source: ct.gov, http://www.cga.ct.gov/2008/ACT/PA/2008PA-00167-R00HB-05658-PA.htm)

Nevada - (Effective January 1, 2010) Nevada has established some of the toughest requirements regarding online information privacy and security. Like California and Massachusetts, Nevada goes significantly beyond federal law in this area. For example, if a website operator collects payment card information from a Nevada resident, the state of Nevada requires the operator to comply with the Payment Card Industry Data Security Standard (PCI DSS) in its entirety except for the type of encryption. For encryption, Nevada goes beyond PCI DSS. It requires compliance with the encryption technology standards established by the National Institute of Standards and Technology (NIST). (Source: http://www.leg.state.nv.us/nrs/nrs-603a.html)

Website operators that do not collect payment card data but do collect other personal information from Nevada residents must also use encryption when transmitting the data across public networks. Here is an excerpt. “Subsection 1” refers to the payment card data requirements.

A data collector doing business in this State to whom subsection 1 does not apply shall not:

(a) Transfer any personal information through an electronic, nonvoice transmission other than a facsimile to a person outside of the secure system of the data collector unless the data collector uses encryption to ensure the security of electronic transmission; or

(b) Move any data storage device containing personal information beyond the logical or physical controls of the data collector or its data storage contractor unless the data collector uses encryption to ensure the security of the information.

Massachusetts - (Effective March 1, 2010) Massachusetts’ law applies when ANY personal information is collected from its residents:

Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards…. (Source: mass.gov website, http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf)

Massachusetts then goes beyond most other states with its requirements for administrative, technical, and physical safeguards. From ongoing employee training and data access controls to encryption, malware protection and taking responsibility for third party service providers, it looks to me like Massachusetts, like Nevada, is emulating the standard used by the Payment Card Industry (PCI DSS). And if information security is the goal, that makes sense. Why reinvent the wheel? The Payment Card Industry Data Security Standard has been evolving over many years through the efforts of card issuers like Visa, MasterCard, Amex, and Discover.

The bottom line is, as of this writing, Massachusetts, California, and Nevada have some of the toughest requirements when it comes to online privacy policies.

Nebraska (Effective July 15, 2010) Similar to Pennsylvania and federal law, Nebraska does not specifically require website operators to maintain an information privacy policy. However, under their Deceptive Trade Practices statute, Nebraska made it illegal if a person:

… knowingly makes a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public. (Source: Nebraska revised statute 87-302, http://nebraskalegislature.gov/laws/statutes.php?statute=87-302

So, in effect, Nebraska, like Pennsylvania, enacted a state law that mirrors the federal law that governs online privacy policies, The Federal Trade Commission Act. The common theme is website operators must keep promises made in their online privacy policy. This gives victims of personal information abuse more legal avenues for remedies and relief.

Breach Laws Regarding Personal Information Security

Until recent years, state laws focused primarily on requirements for handling data security breaches. The regulatory structure seemed to be one of split responsibilities. Federal laws were focused on handling up-front data privacy protection requirements and preventive recommendations, and most state laws were focused on after-the-fact measures such as disclosure procedures and victim notification if breaches occurred. As you can see from the above list, in recent years more and more states are getting involved with the “up front” requirements in an effort to avoid data security breaches in the first place.

As an example of a state with laws dealing with after-the-fact measures, Washington State’s “breach law” applies to any person or business that collects personal information from residents of Washington. This law includes definitions, rights and remedies and requires collectors of personal information to notify the owners of the personal information immediately after discovery that personal information of WA residents has been acquired by an unauthorized party.

The Washington breach law also addresses liability and allows financial institutions to recoup data breach costs (i.e. cost of reissuing credit cards and debit cards) from businesses and card processors who are negligent in securely managing or transmitting personal information. (Source: WA State government website, http://apps.leg.wa.gov/rcw/default.aspx?cite=19.255&full=true)

The internet is still a relatively new phenomenon when compared to the age of the legal system in this country. Moreover, internet related technologies have been advancing at an extremely rapid pace. That has placed privacy laws and the regulators that enforce them at a distinct disadvantage. Some people believe that the best way to protect personal information online is to do so with more legal requirements centralized at the federal level.

Efforts to Standardize Internet Privacy Laws

The expectation that website operators across this country know about and comply with the growing assortment of regulations of a random and growing number of states, is probably not realistic. Given the world wide reach of the internet, standardizing personal information privacy laws across the 50 states (if not the world) seems to make the most sense. According to Wikipedia:

…the U.S. congress has, at times, considered comprehensive laws regulating the collection of information online, such as the Consumer Internet Privacy Enhancement Act and the Online Privacy Protection Act of 2001 but none have been enacted. In 2001, the FTC stated an express preference for “more law enforcement, not more laws” and promoted continued focus on industry self regulation. (Source: http://en.wikipedia.org/wiki/Privacy_policy)

Earlier this year, however, U.S. Senator John Kerry (D-Mass.) pledged to pursue federal legislation to give people more control over how their personal information is collected and distributed online. Here is an excerpt:

…as a matter of law, we need new baseline standards for privacy protection that ensure people’s identity is treated with the respect it deserves. Our counterparts in the House have introduced legislation and I intend to work with Senator Pryor and others to do the same on this side with the goal of passing legislation early in the next Congress.  The Commerce Committee, under Chairman Hollings a decade ago, considered similar privacy legislation. We have learned a great deal more about this issue over the past decade and working together I believe we will successfully enact this legislation next year. (Source: press release, July 27, 2010, John Kerry website: http://kerry.senate.gov/press/release/?id=8c575cbf-dbda-4cac-b207-8d8a2b4251a1)

More recently, Senator Kerry, in conjunction with Carly Fiorina, president and CEO of Hewlett Packard, released an article entitled “Congress should act to boost online privacy”. Here are two relevant excerpts:

Internet privacy policies are a recent invention. Two years ago the FTC reported that only 10 percent of the most popular Web sites posted privacy policies. This year the figure has nearly topped 90 percent. Many businesses have made significant efforts to meet consumer privacy concerns. Still, more must be done. Too many privacy policies are too hard to read, too long, and too convoluted to be of any help to consumers.

Congress can play a catalytic role by insisting on simple and convenient postings of privacy policies. Internet users should not have to click five times to translate legalese before they know what a site will do with their personal information. Crystal-ball gazers could never have predicted even two years ago many of the innovations that have occurred on the Internet. Rather than trying to prescribe every detail of what businesses must do to protect consumer privacy, government should articulate online privacy goals and allow businesses the flexibility they need to meet these goals.

(Source: John Kerry website: http://kerry.senate.gov/press/in_the_news/article/?id=9619e19e-30c7-434b-9dca-85ded45cd55c)

The reality is if online privacy policy regulations continue to be developed by individual states, website and blog operators will not be able to keep up. Inadvertent violations are bound to occur. In my opinion, these types of regulations should be standardized at the federal level and mirrored by the states if they choose to do so to expedite the enforcement process in the courts.

[Update: May 2011] The good news is, if The Commercial Privacy Bill of Rights Act becomes law, we will be moving in that direction. See ”11 Reasons to Have a Privacy Policy Posted on Your Website or Blog” for more information about this legislation.

Recap

[Update: May 2011] Going back to the original question “Are online privacy policies required by law?”… until the Commercial Privacy Bill of Rights Act is signed into law, the answer is: “it depends on the age of the site visitor and the state they reside in.” Currently, if a website or blog collects personal information from children under the age of 13, the answer is yes based on federal law. If a site’s visitor resides in one of the growing number of states that have enacted online privacy laws, the answer is also yes.

Right now, the prudent path for website operators is to abide by the state laws with the most comprehensive requirements. Today, that’s Massachusetts, Nevada, and California. Drafting your privacy policy based on an optimal combination of requirements from those states will keep your website or blog in compliance with privacy laws for the foreseeable future. And if you take this approach, you will still be in compliance when the Commercial Privacy Bill of Rights Act of 2011 is signed into law.

As always, when in doubt, seek assistance from a qualified professional.

Now that we know online privacy laws do exist and in what circumstances they apply to the average website or blog operator, the next question is “What is personal information or PII?” You cannot really be sure your site complies with these laws until you have a clear understanding of the specific data elements they apply to.

If you are interested in reading further about this issue, please check out an article I posted on one of my other sites. It defines personal information, or more specifically, personally-identifiable information (PII) and provides a couple of examples of how clarity is critical. If the law does not clearly define what PII is, some companies will take advantage and make it up as they go.

1 comment to Are Online Privacy Policies Required by Law?