Federal Internet Regulations: They're Not Just For Kids Anymore

Privacy is one of the hottest issues on the Internet.  Until recently, there had been no federal regulations that required any specific measures to protect privacy, apart from general prohibitions against unfair and deceptive practices.  Online firms thus had to abide by whatever privacy policy they published, or risk a class action lawsuit or an enforcement proceeding by the Federal Trade Commission (FTC) for deceptive practices.

The landscape changed this spring.  In April, the FTC published privacy regulations to implement the Children’s Online Privacy Protection Act (COPPA), and in May it published proposed regulations under the Financial Services Modernization Act of 1999.  Although these two sets of regulations apply only to companies engaged in certain specified activities, they both reflect four basic standards that the FTC has described as “widely accepted fair information practices:” notice, choice, access and security.  Consequently, any company that collects personal information about consumers – essentially every company that does business online – should take notice of the regulations, since they provide useful guidelines for the kind of practices that are acceptable.

Privacy Regulation Under COPPA

An operator of an online service is subject to COPPA if it meets two requirements.  First, the Act applies only to operators of online services that are directed at or knowingly servicing children under 13 years of age. The FTC has indicated that it will consider several factors in determining whether a site is “directed” at children, including, but not limited to the site’s: subject matter, content, age of models, language, advertising, and the use of animated characters or other “child-oriented” features.

Second, the Act applies only to sites that collect personal information online.  Personal information is individually identifiable information that would allow a child to be identified and contacted, such as full name, address, email, telephone number, or any information. 

The operator of a site that meets these two requirements must: (1) provide notice as to how personal information is collected, used and disclosed; (2) notify parents and obtain their consent prior to collecting, using or disclosing information about a child; (3) refrain from conditioning participation in activities on the provision of personal information unnecessary for the activity; (4) allow parents to review and amend their child’s information as well as prohibit further collection; and (5) establish procedures to protect the security of personal information collected from children. 

Privacy Notice: Placement and Content

The FTC’s Final Rule and guidelines specify that an operator must post on its homepage a clear and prominent link to a notice of its privacy and information practices.  The link should be distinguishable from other links.  Preferably, it should be in a larger font and/or different color.  The notice must be placed at each page on which personal information is collected.  An operator of a general audience site with a separate area for children users must post a link to its notice on the children’s homepage.

The content of the notice must be clear, without any extraneous or confusing material, and it must convey: (a) the name and contact information of the entity collecting and maintaining the personal information; (b) the types of personal information collected; (c) the planned use(s) of the information; (d) whether the information will be disclosed to third parties (and if so, the types of businesses engaged in by these third parties); and (e) a statement that the operator does not condition participation in an online activity on the disclosure of more personal information than “is reasonably necessary.”

Parental Notice, Consent and Access

Before any personally identifiable information is collected from a child, an must operator provide written notice to the parent, by mail or email, containing the same information as required on the Web site.  The operator must also obtain the parent’s “verifiable consent.”  The sufficiency of “verifiable consent” has been the subject of considerable debate; the FTC has announced that it will decide the issue by means of a sliding scale that weighs the use of the information against the reliability of the consent.  If the operator plans to use personal information about children for “internal” purposes only, verifiable consent can be obtained from the parent via email.  If, on the other hand, the operator plans to disclose the child’s information to third parties or make it publicly available the consent must be obtained by more reliable means, such as by a signed form or letter sent by fax or mail.

Finally, the operator has a duty to provide the parent, upon request, with a list of the general type of information the operator collects as well as the specific information that has been collected about the child.  Upon review of the information, the parent has the right to delete information and prohibit further collection.

The statute authorizes the FTC and state Attorneys General to bring enforcement actions.  The Act also provides that an operator’s compliance with a “self-regulatory plan” drafted by an operator or industry group and approved by the FTC will shield an operator from liability in an enforcement action.

Privacy Regulation Under the Financial Services Modernization Act

The main focus of the Financial Services Modernization Act was to repeal Depression-era rules that placed barriers between the offering of banking, insurance and securities services and products.  One provision of the bill, however, regulates the  collection of personal information from customers.  The FTC rule implementing this provision  applies to companies providing a broad range of financial services including a host of activities that are “closely related” to banking, such as financial-data processing, sales of financial software and property-appraising services.

The FTC rule rests upon the same principles of notice, choice, access and security as the regulations published under COPPA.  Companies covered by the rule are required to give clear and conspicuous notice to consumers as to what personal, nonpublic information is being collected about them.  The companies also must reveal the conditions under which the financial institution will disclose nonpublic information to affiliated and nonaffiliated third parties.  Personal information about the consumer includes data collected involuntarily (by a “cookie” computer file that tracks a consumer on the Internet) or voluntarily (information provided by a consumer in an online application for a mortgage loan).  The rule also requires that the notification policy be active or verified. Consequently, a company cannot simply post a notice on a Web site, but must require some affirmative acknowledgment, such as a click on a button before a consumer can purchase a financial product.  In addition, the financial institution must provide its customer with annual notice of the policy.  Finally, whereas the COPPA regulations require the parent to “opt in” to data collection, the rule implementing the Financial Services Modernization Act requires only that consumers be given a “reasonable opportunity” to “opt out” of having their information shared with either affiliated or non-affiliated firms.

The Future of Regulation

Implementation of the COPPA Rule and publication of the Final Rule for the Financial Services Modernization Act of 1999 have not been the only Internet privacy initiatives taken by the FTC recently.  Indeed, regulations implementing these two statutes are just the beginning of the FTC’s efforts to implement a more expansive regulatory scheme.  On May 22, 2000, following a 3-2 vote split along the party lines of the Commission members, the FTC changed its longstanding policy of encouraging privacy to be patrolled by industry-self regulation by asking Congress to enact legislation granting the FTC broad authority to police all online privacy.

This vote came in conjunction with the Commission’s release of its third annual report to Congress on the status of online privacy.  This year’s report randomly selected 335 Internet sites as well as analyzed 90 of the Internet’s most-visited sites.  The FTC reported that only 20 percent of the randomly selected sites adequately met existing government guidelines concerning notice, choice, access and security.  Of the most popular sites, less than half adequately abided by FTC guidelines, with less than one in 10 containing a seal indicating compliance with one of the industry’s self-regulatory compliance programs.  The FTC’s Chairman, Robert Pitofsky, cited the Report in Congressional testimony in which he argued that industry self-regulation alone will not provide enough consumer confidence to allow full utilization of the Internet. 

Whatever the outcome of legislative and regulatory efforts, online firms must also be concerned about private lawsuits. Late last year as many as 15 suits were filed in federal and state courts against online advertiser DoubleClick, with more litigation against DoubleClick, Amazon.com, RealNetworks and Buy.com in the wings.  All these suits claim that the businesses are collecting and disseminating personal information about consumers without their permission.

As a result, any company that collects data from consumers online should be familiar with the FTC’s four principal rules of privacy protection, even if the regulations issued under COPPA or the Financial Services Modernization Act do not expressly apply. A proactive, well-reasoned policy may spare a firm from scrutiny by the federal government, state officials and private litigants.