Privacy
Case Study: Federal Trade Commission vs. Geocities
Geocities was a California company founded in 1994. It was one of the first companies to allow the average internet subscriber to have a website. The users, dubbed "homesteaders", were able to sign up with Geocities and use a variety of easy-to-use tools to create a website without having to know HTML or FTP. By 1999 Geocities had attracted more than 3.5 million users to its website and at the time was the third most visited site on the web.
However, like any business, Geocities needed to make money. It did this by requiring the "homesteaders" to display advertisements on their web sites, from which Geocities kept the profit. Despite the fact that this made web sites look unprofessional and possibly diverted attention from the homesteader's website, Geocities continued to grow and attract new customers.
Geocities had other, less obvious money-making plans in mind as well. When a person wanted to become a homesteader, they had to fill out a registration form on Geocities' website. Among the mandatory information this form collected was first and last name, zip code, e-mail, date of birth and gender. Potential homesteaders were then asked if they wanted to receive "special offers" from advertisers. If they did, they were able to select from a list which offers they wanted to receive and from whom.
Most people are naturally reluctant to give out their personal information, so Geocities included a privacy statement on its website. This privacy statement said that Geocities would never sell their information, that any offers made to customers would be clearly explained, and that Geocities would get the customer's permission before sending them information on its offers.
The FTC filed a complaint against Geocities alleging that it did sell customer information, including information gathered from children, to third parties, and that it committed other breaches of its privacy clause. The FTC alleged that this practice and others outlined in the complaint constituted unfair or deceptive acts under the Federal Trade Commission Act.
This suit was settled by Geocities. Geocities entered into a consent order in August of 1998. Geocities admitted no wrongdoing in the case, but agreed, among other things:
- not to misrepresent in the future how it would use personal information collected from its users
- not to collect any personal information from children without their parents' permission
- to provide a "clear and prominent notice" on its home page and at each location where information is collected
- to include a link from its privacy statement, for five years, to information about "safe surfing" on the FTC's website
- to establish an "information practices training program" for its employees
Despite this legal debacle, Geocities continued to grow and was bought by Yahoo in a 3.6 billion dollar stock deal in May of 1999. Today Geocities continues to be a fully integrated part of Yahoo's services.
Internet Privacy Laws and Policies
Historical Recognition of Privacy
Privacy is not a guaranteed right under the United States Constitution. The courts have agreed over the years, however, that citizens have certain rights relating to privacy under the Constitution. For example, your home or belongings cannot be searched without a warrant based on probable cause, because your home is considered private. Over 115 years ago, the effect of technology on individual privacy was addressed in a legal article published in 1890. The article, "The Right to Privacy", was written by Samuel Warren and Louis Brandeis and published by the Harvard Law Review.
Warren and Brandeis wrote that "the existing law affords a principle which may be invoked to protect the privacy of an individual from invasion either by the too enterprising press, the photographer, or the possession of any other modern device for recording or reproducing scenes or sounds." Today's "modern device", the internet, has opened a whole new legal can of worms for privacy.
Privacy and Technology
So what type of information may a company collect online, and what can it do with it?
Personal information such as name, address, date of birth, income, hobbies, telephone numbers and e-mail addresses is highly valuable and useful to marketers. Besides being submitted through a form, personal information can be gathered by an online e-commerce store or other website in the form of purchase records, or recorded in an electronic tracking device such as a "cookie".
You may be surprised to learn that there is no U.S. law which forbids this type of information gathering. Short of medical and financial records, there is no law which restricts what a company may do with this information either.
The Role of Website Privacy Policies
Website privacy policies are commonplace on many large and small web sites these days. Though they are not required by any law, privacy policies offer a degree of trust between you and a potential customer. A person who is asked to provide personal information through your website will likely have reservations as to why they should trust your company and what you will do with their private information. A privacy policy can help ease this doubt.
However, if you do put up a privacy clause, be careful. What you are doing is essentially creating a legally binding document. As you can see from the FTC v. Geocities case, a privacy statement is a promise to the customer and is essentially law. If you promise not to sell your users' e-mail addresses, don't. If you promise to take certain steps to protect your customers' credit card information, you must, even though those steps may be burdensome. Also, if you offer a user access to any personal information you collect on them, then you must provide them a way to do so.
The Elements of a Privacy Policy
If you are going to put a privacy policy on your website, the best thing to do is look at others' privacy policies. Many look the same, but the difference is in the fine print. A seemingly protective privacy policy may be worded in such a way that the company is allowed to do just about anything with the information gathered. Here are some common elements of a privacy clause. You should consult an attorney if you want to make a privacy clause, so that you may protect yourself and your company.
- what personally identifiable information is collected from visitors to the website
- who collects the information
- with whom the information may be shared
- what choices the visitor has about collection, use and distribution of the information
- the kind of security procedures that are in place to prevent the loss, misuse, or alteration of information
- how visitors can access and correct any inaccuracies in the information collected
There are some online tools which can help you in the creation of a privacy policy. One of them comes from the Organization for Economic Cooperation and Development (OECD), which has a privacy statement generator that uses a questionnaire to develop a policy for your website.
General Privacy Laws
There is no U.S. law except the Children's Online Privacy Protection Act which specifically addresses online privacy issues. However, there are several laws which have been around a long time and which directly affect the way you should do business online. Some other laws which may affect you are:
- Fair Credit Reporting Act (FCRA)
- Electronic Communications Privacy Act (ECPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act
The Children's Online Privacy Protection Act
COPPA is a law that was put into effect in 1998 to protect the personal information of children under the age of 13. If you want to collect information from children you should consult an attorney familiar with COPPA. Ignoring COPPA can prove very costly and painful.
COPPA is the only law directly relating to privacy on the internet. This law is designed primarily to protect children from aggressive marketers and potential predators who may gather their personal information. COPPA allowed the FTC to create regulations regarding the gathering of information from children, and this led to the Children's Online Privacy Protection Rule. This rule was implemented by the FTC in November 1999 and lays out the specific rules which the FTC implemented as a result of COPPA.
COPPA, in a nutshell, requires website owners who knowingly collect information from children under 13 to do the following:
- provide parents notice of their information practices
- obtain prior verifiable parental consent for the collection, use and/or disclosure of personal information from children
- provide a parent, upon request, with the means to review the personal information collected from their child
- provide a parent with the opportunity to prevent the further use of personal information that has already been collected, or the future collection of personal information from that child
- limit collection of personal information for a child's online participation in a game, prize offer, or other activity to information that is reasonably necessary for the activity
- establish and maintain reasonable procedures to protect the confidentiality, security and integrity of the personal information collected
International Privacy Laws
There are also international privacy laws that one should be aware of when doing business online. In 1995, the European Union (EU) enacted a law called the European Directive on the Protection of Personal Data (EU Directive). This law was put into effect by the European Union to protect personal information and to establish a rule governing all nations in the EU, to help harmonize the flow of electronic information between the countries. Another law to be concerned about is the Canadian Privacy Act. This act, in a nutshell, requires any US company that purchases or uses private information from Canadians to comply with the strict regulations and obligations on this information which the Act defines.
