Privacy policy
A privacy policy is a statement or a legal document (in privacy law) that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. It fulfills a legal requirement to protect a customer or client's privacy. Personal information can be anything that can be used to identify an individual, not limited to but including name, address, date of birth, marital status, contact information, ID issue and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services.[1] In the case of a business it is often a statement that declares a party's policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises.[2]
The exact contents of a privacy policy will depend upon the applicable law and may need to address requirements across geographical boundaries and legal jurisdictions. Most countries have their own legislation and guidelines of who is covered, what information can be collected, and what it can be used for. In general, data protection laws in Europe cover the private sector as well as the public sector. Their privacy laws apply not only to government operations but also to private enterprises and commercial transactions.[3]
History
In 1968, the Council of Europe began to study the effects of technology on human rights, recognizing the new threats posed by computer technology that could link and transmit in ways not widely available before. As well, in 1969 the Organisation for Economic Co-operation and Development (OECD) began to examine the implications of personal information leaving the country. All this led council to recommend that policy be developed to protect personal data held by both the private and public sectors, leading to Convention 108. In 1981, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) was introduced. One of the first privacy laws ever enacted was the Swedish Data Act in 1973, followed by the West German Data Protection Act in 1977 and the French Law on Informatics, Data Banks and Freedoms in 1978.[4]
In the United States, concern over privacy policy started around the late 1960s and 1970s saw the passage of the Fair Credit Reporting Act. Although this act was not designed to be a privacy law, the act gave consumers the opportunity to examine their credit files and correct errors. It also placed restrictions on the use of information in credit records. Several congressional study groups in the late 1960s examined the growing ease with which automated personal information could be gathered and matched with other information. One such group was an advisory committee of the United States Department of Health and Human Services which in 1973 drafted a code of principles called the Fair Information Practices. The work of the advisory committee led to the Privacy Act in 1974. The United States signed the Organisation for Economic Co-operation and Development guidelines in 1980.[4]
In Canada, a Privacy Commissioner of Canada was established under the Canadian Human Rights Act in 1977. In 1982, the appointment of a Privacy Commissioner was part of the new Privacy Act. Canada signed the OECD guidelines in 1984.[4]
Fair information practice
There are significant differences between the EU data protection and US data privacy laws. These standards must be met not only by businesses operating in the EU, but also by any organization that transfers personal information collected concerning citizens of the EU. In 2001 the United States Department of Commerce worked to ensure legal compliance for US organizations under an opt-in Safe Harbor Program.[29] The FTC has approved TRUSTe to certify streamlined compliance with the US-EU Safe Harbor.
Current enforcement
In 1995 the European Union (EU) introduced the Data Protection Directive[5] for its member states. As a result, many organizations doing business within the EU began to draft policies to comply with this Directive. In the same year the U.S. Federal Trade Commission (FTC) published the Fair Information Principles[6] which provided a set of non-binding governing principles for the commercial use of personal information. While not mandating policy, these principles provided guidance of the developing concerns of how to draft privacy policies.
The United States does not have a specific federal regulation establishing universal implementation of privacy policies. Congress has, at times, considered comprehensive laws regulating the collection of information online, such as the Consumer Internet Privacy Enhancement Act[7] and the Online Privacy Protection Act of 2001,[8] but none have been enacted. In 2001, the FTC stated an express preference for "more law enforcement, not more laws"[9] and promoted continued focus on industry self-regulation.
In many cases, the FTC enforces the terms of privacy policies as promises made to consumers using the authority granted by Section 5 of the FTC Act which prohibits unfair or deceptive marketing practices.[10] The FTC's powers are statutorily restricted in some cases; for example, airlines are subject to the authority of the Federal Aviation Administration (FAA),[11] and cell phone carriers are subject to the authority of the Federal Communications Commission (FCC).[12]
In some cases, private parties enforce the terms of privacy policies by filing class action lawsuits, which may result in settlements or judgements. However, such lawsuits are often not an option, due to arbitration clauses in the privacy policies or other terms of service agreements.
Applicable law
US
While no generally applicable law exists, some federal laws govern privacy policies in specific circumstances, such as:
- The Children's Online Privacy Protection Act (COPPA)[13] affects websites that knowingly collect information about or target at children under the age of 13.[14] Any such websites must post a privacy policy and adhere to enumerated information-sharing restrictions[15] COPPA includes a "safe harbor" provision to promote Industry self-regulation.[16]
- The Gramm-Leach-Bliley Act[17] requires institutions "significantly engaged"[18] in financial activities give "clear, conspicuous, and accurate statements" of their information-sharing practices. The Act also restricts use and sharing of financial information.[19]
- The Health Insurance Portability and Accountability Act (HIPAA) privacy rules[20] requires notice in writing of the privacy practices of health care services, and this requirement also applies if the health service is electronic.[21]
Some states have implemented more stringent regulations for privacy policies. The California Online Privacy Protection Act of 2003 - Business and Professions Code sections 22575-22579 requires "any commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site".[22] Both Nebraska and Pennsylvania have laws treating misleading statements in privacy policies published on web sites as deceptive or fraudulent business practices.[23]
Canada
Canada's federal Privacy Law applicable to the private sector is formally referred to as Personal Information Protection and Electronic Documents Act (PIPEDA). The purpose of the act is to establish rules to govern the collection, use and disclosure of personal information by commercial organizations. The organization is allowed to collect, disclose and use the amount of information for the purposes that a reasonable person would consider appropriate in the circumstance.[24]
The Act establishes the Privacy Commissioner of Canada as the Ombudsman for addressing any complaints that are filed against organizations. The Commissioner works to resolve problems through voluntary compliance, rather than heavy-handed enforcement. The Commissioner investigates complaints, conducts audits, promotes awareness of and undertakes research about privacy matters.[25]
European Union
The Data Protection Directive (officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) is a European Union directive adopted in 1995 that regulates the processing of personal data within the European Union. It is an important component of EU privacy and human rights law. On 25 January 2012, the European Commission unveiled a draft European General Data Protection Regulation that will supersede the Data Protection Directive.[26]
The right to privacy is a highly developed area of law in Europe. All the member states of the European Union (EU) are also signatories of the European Convention on Human Rights (ECHR). Article 8 of the ECHR provides a right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence.
In 1980, in an effort to create a comprehensive data protection system throughout Europe, the Organization for Economic Cooperation and Development (OECD) issued its "Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data".[27] The seven principles governing the OECD’s recommendations for protection of personal data were:
- Notice—data subjects should be given notice when their data is being collected;
- Purpose—data should only be used for the purpose stated and not for any other purposes;
- Consent—data should not be disclosed without the data subject’s consent;
- Security—collected data should be kept secure from any potential abuses;
- Disclosure—data subjects should be informed as to who is collecting their data;
- Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
- Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles.[28]
The OECD guidelines, however, were nonbinding, and data privacy laws still varied widely across Europe. The US, while endorsing the OECD’s recommendations, did nothing to implement them within the United States.[29] However, all seven principles were incorporated into the EU Directive.[30]
There are significant differences between the EU data protection and US data privacy laws. These standards must be met not only by businesses operating in the EU, but also by any organization that transfers personal information collected concerning citizen of the EU. In 2001 the United States Department of Commerce worked to ensure legal compliance for US organizations under an opt-in Safe Harbor Program.[31] The FTC has approved a number of US providers to certify compliance with the US-EU Safe Harbor.
Australia
The Privacy Act 1988 provides the legal framework for privacy in Australia.[32] It includes a number of national privacy principles.[33]
India
The Information Technology (Amendment) Act, 2008 made signification changes to the Information Technology Act, 2000, introducing Section 43A. This section provides compensation in the case where a body corporate that possesses, deals or handles any sensitive personal data or information in a computer resource that it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person.
In 2011, the Government of India prescribed the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011[34] by publishing it in the Official Gazette.[35] These rules require a body corporate to provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information.[36] Such a privacy policy should consist of the following information in accordance with the rules:
- Clear and easily accessible statements of its practices and policies;
- Type of personal or sensitive personal data or information collected;
- Purpose of collection and usage of such information;
- Disclosure of information including sensitive personal data or information;
- Reasonable security practices and procedures.
The privacy policy should be published on the website of the body corporate, and be made available for view by providers of information who have provided personal information under lawful contract.
Online privacy certification programs
Online certification or "seal" programs are an example of industry self-regulation of privacy policies. Seal programs usually require implementation of fair information practices as determined by the certification program and may require continued compliance monitoring. TRUSTe,[37] the first online privacy seal program, included more than 1,800 members by 2007[38] Other online seal programs include the Trust Guard Privacy Verified program,[39] eTrust,[40] and Webtrust.[41]
Technical implementation
Some websites also define their privacy policies using P3P or Internet Content Rating Association (ICRA), allowing browsers to automatically assess the level of privacy offered by the site, and allowing access only when the site's privacy practices are in line with the user's privacy settings. However, these technical solutions do not guarantee websites actually follows the claimed privacy policies. They also require users to have a minimum level of technical knowledge to configure their own browser privacy settings.[42] These automated privacy policies have not been popular either with websites or their users.[43]
Criticism
Many critics have attacked the efficacy and legitimacy of privacy policies found on the Internet. Concerns exist about the effectiveness of industry-regulated privacy policies. For example, a 2000 FTC report Privacy Online: Fair Information Practices in the Electronic Marketplace found that while the vast majority of websites surveyed had some manner of privacy disclosure, most did not meet the standard set in the FTC Principles. In addition, many organizations reserve the express right to unilaterally change the terms of their policies. In June 2009 the EFF website TOSback began tracking such changes on 56 popular internet services, including monitoring the privacy policies of Amazon, Google and Facebook.[44]
There are also questions about whether consumers understand privacy policies and whether they help consumers make more informed decisions. A 2002 report from the Stanford Persuasive Technology Lab contended that a website's visual designs had more influence than the website's privacy policy when consumers assessed the website's credibility.[45] A 2007 study by Carnegie Mellon University claimed "when not presented with prominent privacy information..." consumers were "…likely to make purchases from the vendor with the lowest price, regardless of that site's privacy policies".[46] However, the same study contends where privacy information is clearly presented, consumers prefer retailers who better protect their privacy and may "pay a premium to purchase from more privacy protective websites". Furthermore, a 2007 study at the University of California, Berkeley found that "75% of consumers think as long as a site has a privacy policy it means it won't share data with third parties," confusing the existence of a privacy policy with extensive privacy protection.[47]
Critics also question if consumers even read privacy policies or can understand what they read. A 2001 study by the Privacy Leadership Initiative claimed only 3% of consumers read privacy policies carefully, and 64% briefly glanced at, or never read, privacy policies.[48] The average web site user once having read a privacy statement may have more uncertainty about the trustworthiness of the web site than before.[49] One possible issue is length and complexity of policies. According to a 2008 Carnegie Mellon study the average length of a privacy policy is 2,500 words and requires an average 10 minutes to read. The study cited that "Privacy policies are hard to read" and, as a result, "read infrequently".[50]
References
- ↑ McCormick, Michelle. "New Privacy Legislation." Beyond Numbers 427 (2003): 10-. ProQuest. Web. 27 Oct. 2011
- ↑ Webfinance, Inc (2011). "Privacy Policy". Retrieved 23 October 2011.
- ↑ Cavoukian, Ann (1995). Who Knows: Safeguarding Your Privacy in A Networked World (paperback). Random House of Canada: Random House of canada. ISBN 0-394-22472-8.
- ↑ 4.0 4.1 4.2 Cavoukian, Ann (1995). Who Knows: Safeguarding Your Privacy in A Networked World (paperback). Random House of Canada: Random House of canada. ISBN 0-394-22472-8.
- ↑ Overview of the Data Protection Directive, EC.europa.eu
- ↑ U.S. Federal Trade Commission Fair Information Practice Principles, FTC.gov
- ↑ HR 237 IH, The Consumer Internet Privacy Enhancement Act, as Introduced in House, 107th Congress Loc.gov.
- ↑ HR 89 IH, Online Privacy Protection Act of 2001, as Introduced in House, 107th Congress Loc.gov
- ↑ Kirby, Carrie "FTC drops the Call for New Internet Privacy Laws," SFGate, October 5, 2001. SFgate.com
- ↑ Implementation of 15 U.S.C. §§ 41-58, FTC.gov
- ↑ Electronic Privacy Information Center, Air Travel Privacy, Epic.org. Also see FAA Enforcement Database at FAA.gov.
- ↑ Helmer, Gabriel M. "Cracking Down: FCC Initiates Enforcement Action Against Hundreds of Telecommunications Carriers For Failing to Certify Compliance With Customer Privacy Rules Security, Privacy and the Law, Foley Hoag, LLP, May 2009. Securityprivacyandthelaw.com. Also see FCC Enforcement Center at FCC.gov
- ↑ The Children's Online Privacy Protection Act, FTC.gov
- ↑ COPPA Safe Harbors discussed, Cybertelecom Federal Internet Law & Policy - an Educational Project. Krohn & Moss Consumer Law Center, Cybertelecom.org
- ↑ Discussion of compliance with the Children's Online Privacy Protection Act, FTC Privacy Initiatives, FTC.gov
- ↑ Data Privacy, A Safe Harbor Approach To Privacy: TRUSTe Recommendations, Center for Democracy and Technology, CDT.org
- ↑ Gramm-Leach-Bliley Act, Loc.gov
- ↑ "The Financial Privacy Requirements of the Gramm-Leach-Bliley Act", FTC Facts for Business", FTC.gov
- ↑ Information Regarding the Gramm-Leach-Bliley Act of 1999, US. Senate Committee on Banking, Housing, and Urban Affairs. Senate.gov
- ↑ Understanding HIPAA Privacy, HHS.gov Health Information Privacy, HHS.gov
- ↑ Notice of HIPAA Privacy Practices. Privacy/ Data Protection Project, Miller School of Medicine Miami University, Miami.edu
- ↑ Privacy Laws, California Office of Information Security and Privacy Protection CA.gov
- ↑ Deceptive Trade Practices, Enotes.com
- ↑ http://laws-lois.justice.gc.ca/eng/acts/P-8.6/
- ↑ http://www.priv.gc.ca/information/guide_e.cfm/
- ↑ "New draft European data protection regime". m law group. Retrieved 20 February 2012.
- ↑ See The Organization for Economic Co-Operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, available at http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html (last modified January 5, 1999)
- ↑ Anna Shimanek, Note, Do you Want Milk with those Cookies?: Complying with Safe Harbor Privacy Principles, 26 Iowa J. Corp. L. 455, 462–463 (2001)
- ↑ Id. at 463
- ↑
- ↑ Safe Harbor Compliance, Export.gov
- ↑ "Privacy Act 1988". AustLII. Retrieved 2013-06-25.
- ↑ "National Privacy Principles". Office of the Australian Information Commissioner. Retrieved 2013-06-25.
- ↑ http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf
- ↑ G.S.R. 313(E) dated 11 April 2011
- ↑ Rule 4 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
- ↑ TRUSTe, Truste.com
- ↑ CDT Guide to Online Privacy, Center for Democracy and Technology, 2009. CDT.org
- ↑ Trust Guard Privacy Verified Seal program. Trust-Guard.com
- ↑ Etrust, Etrust.org
- ↑ Webtrust Seal Program, Webtrust.org
- ↑ Softsteel Solutions "The Platform for Privacy Preferences Project (P3P)", Softsteel.co.uk
- ↑ CyLab Privacy Interest Group, 2006 Privacy Policy Trends Report. January, 2007 Chariotsfire.com
- ↑ Millis, Elinor, "EFF tracking policy changes at Google, Facebook and others," Cnet Digital News, June 2009. Cnet.com
- ↑ Fogg, B. J. "How Do People Evaluate a Web Site's Credibility? (abstract)" BJ, Stanford Persuasive Technology Lab, November 2002, Consumerwebwatch.org. Stanford Web Credibility Project found at Stanford.edu.
- ↑ Acquisti, Alessandro and Janice Tsai, Serge Egelman, Lorrie Cranor, "The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study" Carnegie Mellon University, 2007. Econinfosec.org
- ↑ Gorell, Robert. "Do Consumers Care About Online Privacy?" October, 2007. Grokdotcom.com citing to a study by Chris Hoofnagle, UC-Berkeley's Bolt School of Law. Samuelson Law, Technology & Public Policy Clinic, Berkeley.edu
- ↑ Goldman, Eric. "On My Mind: The Privacy Hoax," October, 2002, EricGoldman.org
- ↑ Gazaleh, Mark. "Online trust and perceived utility for consumers of web privacy statements", WBS August, 2008.
- ↑ Out-Law News. "Average privacy policy takes 10 minutes to read, research finds," Out-Law.com, July 2008.
Further reading
- Gazaleh, Mark (2008). Online trust and perceived utility for consumers of web privacy statements WBS: London
- Cavoukian, Ann (1995). Who Knows: Safeguarding Your Privacy in A Networked World (paperback). Random House of Canada: Random House. ISBN 0-394-22472-8.