In 1995 the European Union (EU) introduced the Data Protection Directive for its member states. As a result, many organizations doing business within the EU began to draft policies to comply with this Directive. In the same year the U.S. Federal Trade Commission published the Fair Information Principles, which provided a set of non-binding governing principles for the commercial use of personal information. While not mandating policy, these principles provided guidance on the developing concerns about how to draft privacy policies.
Fair Information Practice
The four critical issues identified in Fair Information Principles are:
- Notice – data collectors must disclose their information practices before collecting personal information from consumers
- Choice – consumers must be given options with respect to whether and how personal information collected from them may be used for purposes beyond those for which the information was provided
- Access – consumers should be able to view and contest the accuracy and completeness of data collected about them
- Security – data collectors must take reasonable steps to assure that information collected from consumers is accurate and secure from unauthorized use.
In addition the Principles discuss the need for enforcement mechanisms to impose sanctions for noncompliance with fair information practices.
Current enforcement in the United States
The United States does not have a specific federal regulation establishing universal implementation of privacy policies. Congress has, at times, considered comprehensive laws regulating the collection of information online, such as the Consumer Internet Privacy Enhancement Act and the Online Privacy Protection Act of 2001, but none have been enacted. In 2001, the FTC stated an express preference for "more law enforcement, not more laws" and promoted continued focus on industry self-regulation.
In most cases, the FTC enforces the terms of privacy policies as promises made to consumers using the authority granted by Section 5 of the FTC Act which prohibits unfair or deceptive marketing practices. The FTC's powers are statutorily restricted in some cases; for example, airlines are subject to the authority of the Federal Aviation Administration (FAA), and cell phone carriers are subject to the authority of the Federal Communications Commission (FCC).
Applicable US law
While no generally applicable law exists, some federal laws govern privacy policies in specific circumstances, such as:
The Gramm-Leach-Bliley Act requires institutions "significantly engaged in financial activities" to give "clear, conspicuous, and accurate statements" of their information-sharing practices. The Act also restricts use and sharing of financial information.
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires written notice of the privacy practices of health care services, and this requirement also applies if the health service is electronic.
There are significant differences between the EU data protection and US data privacy laws. The EU standards must be met not only by businesses operating in the EU, but also by any organization that transfers personal information collected concerning citizens of the EU. In 2001 the United States Department of Commerce worked to ensure legal compliance for US organizations under an opt-in Safe Harbor Program. The FTC has approved eTrust to certify streamlined compliance with the US-EU Safe Harbor.
Online Privacy Certification Programs
Online certification or "seal" programs are an example of industry self-regulation of privacy policies. Seal programs usually require implementation of fair information practices as determined by the certification program and may require continued compliance monitoring. TRUSTe, the first online privacy seal program, included more than 1,800 members by 2007. Other online seal programs include the Better Business Bureau Assurance on the Internet, eTrust, and Webtrust.
Some websites also define their privacy policies using P3P or the Internet Content Rating Association (ICRA) vocabulary, allowing browsers to automatically assess the level of privacy offered by the site. However, these technical solutions do not guarantee that websites actually follow the claimed privacy policies; the machine-readable policy is a self-declaration, not evidence of the site's actual data handling. They also require users to have a minimum level of technical knowledge to configure their own browser privacy settings. These automated privacy policies have not been popular either with websites or their users.
Many critics have attacked the efficacy and legitimacy of privacy policies found on the Internet. Concerns exist about the effectiveness of industry-regulated privacy policies. For example, a 2000 FTC report, Privacy Online: Fair Information Practices in the Electronic Marketplace, found that while the vast majority of websites surveyed had some manner of privacy disclosure, most did not meet the standard set in the FTC Principles. In addition, many organizations reserve the express right to unilaterally change the terms of their policies. In June 2009 the EFF website TOSback began tracking such changes on 56 popular internet services, including monitoring the privacy policies of Amazon, Google and Facebook.