Law & Technology

What are they doing with my personal information? Privacy Policies and Fair Information Practices

By Deborah Pierce

Nov 08, 2001 -- Could your credit card number or social security number be made visible on the Internet after a "Data Valdez" incident (think Exxon Valdez, only with data instead of oil)? What if you've checked a privacy policy, and you discover that the company actually does something completely contrary to what they've described? Are secret profiles being created about you from the web sites you visit? Are there errors in a database entry about you - and if so, can you fix them?

Rattling off these scenarios is what we in the legal profession call a "parade of horribles". Unfortunately, in the realm of consumer privacy, these scenarios occur almost weekly. What can you do to prevent yourself from having your privacy compromised in this way?

One way is to require that companies that engage in business follow Fair Information Practices guidelines. These guidelines have provided the internal skeleton of many of the Federal privacy laws that we have in this country, including the Privacy Act of 1974 and the Fair Credit Reporting Act. If incorporated into privacy laws carefully, they give us specific rights that we can use to help protect our own privacy, both online and off-line.

This short series of articles will explain each of the components of Fair Information Practices to give you the practical knowledge you need to help you take control of some of the data flow about you. You'll also be armed with information so that you can ask probing questions about the privacy practices of a company you are contemplating doing business with. In this first article, after a brief general discussion, I'll focus on the first component, "notice".

Fair Information Practices Defined

Over the last twenty-five years, government, industry, and privacy advocates have generally agreed that the core areas of Fair Information Practices include Notice, Choice, Access, Security, and Enforcement.

Notice: The data collector should give you information about their data handling practices. What information are they collecting about you? Are they sharing it with others without your permission?

Choice: The data collector should give you a choice about how they can use the data: opting-in or opting-out. In other words, do they need to get explicit permission first or will they use the information unless you tell them not to?

Access: What rights does the data collector give you with regard to the information that has been collected about you? Can you view it? Amend it? Delete it? How much access do you have? Can you see everything that has been collected about you or just a part of it?

Security: Does the entity use adequate security in protecting the information they have stored in their databases? Do they use encryption? Have they undergone any internal audits to review their data practices?

Enforcement: What rights do you have if your information has been compromised either because of misuse or neglect? Do we need more privacy laws or is corporate self-regulation enough?

Notice

The main purpose of notice is to let you know what privacy practices a particular entity adheres to. Some of the key questions to look for (or to ask about) are: Do you have a way to prevent others from accessing your personal information without your permission? What happens if you choose not to allow a corporation to share your personal information - do you get put on hold longer when you call them, or are you excluded from some or all discounts? Does the corporate policy allow you to see your file and amend it if there is incorrect information in it?

If the privacy policy is silent on all of the above issues, you can look in any written materials handed out by the company about their practices.

In the worst-case scenario, the company may say that they will share any and all information they collect and that you have no "expectation of privacy" when you use the site. Your only alternative, really, is to consider doing business with other companies if you aren't happy with their practices.

Notice off-line can look very different than it does online. Off-line, if you see any privacy statement at all, it will more than likely be buried in the fine print of your bills. In many cases there won't be a privacy statement at all, such as when you make a catalogue purchase over the phone. Not only will you likely get more mail (in the form of more catalogues and other offers), but you may get more marketing calls as well. Did you know that if you order something via catalogue using the helpful 800 number they provide, your phone number is visible to that company even if you have complete call blocking? It's very convenient to purchase items in this manner, but unless you opt-out, your phone number may be shared with others.

Conclusion

Whether off-line or online, the notice requirement of Fair Information Practices states that the data collector should let you know of their data use practices. Read the privacy policies online and ask questions off-line. In either case, if the answers you get aren't satisfactory, or if the privacy policy on the web site is too vague, consider taking your business elsewhere.



Reader Comments

Anonymous Dec 27, 2001
   "Data Valdez" is exactly what's coming... this was a great article. Keep it up.

 

© 2008 Seattle Press on Line.