Law & Technology

Barriers to Enforcing Your Privacy Rights

By Deborah Pierce

Jan 17, 2002

Privacy Policies and Fair Information Practices



Fifth in a series



This article will focus on the importance of the "Enforcement" provision of Fair Information Practices and some of the barriers to getting good enforcement. Without enforcement, the opt-in/opt-out discussion (from the "Notice" column), along with everything else I've discussed in this series, becomes moot.

Note that the sidebar has many more links than usual; the debate is especially vigorous on this issue and there are a lot of resources available. I've included links to news stories about each of the cases I've discussed, and if available, links to case information.

Enforcement

For the most part, enforcement of privacy rights in the corporate realm has been the responsibility of the very corporations who collect and use customer personal information. Under this kind of regime, we have only their word that our privacy will be protected. Several corporate presentations that I've seen define Fair Information Practices as Notice, Choice, Access and Security--completely leaving out Enforcement!

Laws are either weak or non-existent at the state level, and it isn't much better at the federal level. Federal law is sketchy, the proverbial "patchwork" of privacy laws. We have the Fair Credit Reporting Act to protect credit information, the Video Privacy Protection Act to protect the privacy of video tapes you rent (but arguably not DVDs you may rent), the Cable Communications Policy Act to protect the privacy of cable TV shows you watch (but arguably not digital TV or TiVo), and a few others. There is no federal law, however, that penalizes a company such as DoubleClick or Toysmart if they misuse or negligently handle your personal information.

Because we don't have an omnibus privacy law with strong enforcement provisions, the debate centers on self-regulation versus imposition of new, stronger state or federal law.

Enforcement web links
Toysmart case (Federal Trade Commission action)
http://www.ftc.gov/opa/2000/07/toysmart2.htm

Real Networks issue
http://www.zdnet.com/zdnn/stories/news/0,4586,2387000,00.html

Seal Programs

TRUSTe
http://www.truste.com

BBBOnLine
http://www.bbbonline.org

Litigation

Rothken law firm--DoubleClick
http://www.techfirm.com/

Legislation/Bill tracking:

Center for Democracy and Technology (CDT) (privacy legislation link)
http://www.cdt.org/legislation/107th/privacy/

Electronic Privacy Information Center (EPIC)
http://www.epic.org/privacy/bill_track.html

Problems with Self-Regulation

Enforcement of privacy policies is often left up to a seal program, such as TRUSTe or BBBOnLine. Corporations often point to a seal to show that they are good citizens and are protecting customer privacy. But what if a corporation acts outside the scope of the agreement that it signed with the seal program? This scenario has been played out with the Real Networks debacle. RealPlayer was sending information back to Real Networks, which appeared to violate the privacy policy; but Real's agreement with TRUSTe only related to its Web site. So TRUSTe's hands were tied--technically the company didn't violate anything it had agreed to with TRUSTe--so no penalty could be levied against the corporation.

What happens if the company ends up in bankruptcy court? In its privacy policy, Toysmart said that it would never sell personal information that it had collected about its customers. When Toysmart ended up in bankruptcy court, part of the assets to be sold was its database filled with customer information. This particular story had a happy ending (the data was never sold), but it could have easily gone the other way.

Litigation is an option of last resort for individuals who feel that their privacy has been compromised. But invasion of privacy suits often fail, and litigation is expensive: Many can't afford the time and money needed to bring a successful suit.

A good example of how enforcement works in practice is the DoubleClick case. In an initial flurry of activity, the Federal Trade Commission (FTC) and several states' attorneys general announced investigations, and several class action suits were brought against DoubleClick on various grounds, including invasion of privacy. At this point, all investigations have ended without any action and the federal suit has been dismissed; the class action suit in California has been in litigation for over a year, but the outcome is still uncertain.

Legislation

Most privacy advocates believe that well-thought-out, strong privacy law(s) are the best way to give consumers control over their personal information. The question is, should it be done at the state or federal level?

State laws may seem, at first blush, to be a great solution--each state can decide for itself how to protect privacy online. But, how do we reconcile 50 different sets of privacy laws? How does a corporation with offices in 50 states apply all of these laws to its business?

Another possibility is to pass a law at the federal level. What would a federal law look like?

Generally, corporations would like to see a federal law that follows the self-regulation model, notice and choice (where choice is opt-out), some access, reasonable security, and enforcement done by the FTC, a state attorney general or a seal program. Their model law would preclude a private right of action for consumers, i.e. only the FTC or a state attorney general could bring suit against a company.

Privacy advocates would prefer to see an opt-in approach for choice, enforcement that carries real penalties for companies who flout the law, and a private right of action for individuals.

One interesting question is whether states would be prevented from enacting their own, more stringent privacy protections (in legal jargon, "preemption"). This issue has come up before in privacy legislation. For example, legislation proposed by Senators Phil Gramm, Leach and Bliley (aka "GLB" the financial privacy law) doesn't preempt the states from putting more privacy protective laws in place, provided that they don't conflict with GLB. Privacy activists tend to disfavor preemption; corporations point out that this could lead back to the problem of 50 different privacy policies.

What can you do?

* If you are interested in reading more about current privacy legislation at the federal level, two web sites offer the bill numbers, and a short analysis of each bill. See the sidebar for more information.

* Write to your congress people and let them know that you support strong privacy legislation.

* Read privacy policies and email companies if you don't like their policies.

Deborah Pierce is the founder and executive director of privacyactivism.org, which has its headquarters in Bellevue. She spent the last four years as a staff attorney at the Electronic Frontier Foundation, www.eff.org. To contact her, send e-mail to editor@seattlepress.com, attention Deborah Pierce.


© 2008 Seattle Press on Line.
