Subj: Online Privacy: Perspectives of Online Privacy Alliance
From: Tim Lordan, 202-638-4371, tim@privacyalliance.org
To: Internet Caucus Advisory Committee

Excerpt from the Online Privacy Alliance Legal Framework White Paper. See http://www.privacyalliance.org/news/12031998-5.shtml

LEGAL PRIVACY PROTECTIONS IN US (COPPA, FEDERAL STATUTES, STATE LAWS AND COMMON LAW PROTECTIONS)

CHILDREN’S ONLINE PRIVACY PROTECTION ACT OF 1998 (COPPA)

Recently, in response to a study by the FTC concluding that additional regulation was needed to protect the privacy of children, the U.S. Congress enacted the Children’s Online Privacy Protection Act of 1998. The Act directs the FTC to promulgate regulations that govern the collection, use, and disclosure of “personal information” obtained online from a child (defined as anyone under the age of 13) by an operator of a commercial website or online service directed to children, as well as by any operator with actual knowledge that it is collecting personal information from a child.[16] “Personal information” is defined to include “individually identifiable information,” such as a child’s name, address, phone number, social security number, e-mail address, or any other “identifier that . . . permits the physical or online contacting of a specific individual.”[17] The Act further reaches any other information collected online that is combined with any of the above identifiers.[18] For example, if a website were to assemble a file including a child’s name, address, and a list of past purchases, the information about purchases would be deemed subject to the Act.

Congress directed the FTC to promulgate regulations concerning the collection, use, and disclosure of this personal information about children. These regulations must require, **inter alia,** that website and online service providers subject to the Act (1) provide notice on the website of what information is collected, how the operator uses the information, and if/when it discloses the information; (2) obtain verifiable parental consent for the collection, use, or disclosure of such information; (3) permit a parent to obtain any data his/her child has provided to the operator; (4) allow the parent to require the operator to delete such data and/or not to collect further data; and (5) “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.”[19]

The Act establishes several narrow exceptions to its reach. For example, its requirements do not apply either to information collected from a child online that is used on a one-time basis to respond to a request and is not maintained in retrievable form, or to a request for the name of a parent when made for the sole purpose of obtaining consent to collect information about the child.[20] The Act also contains a “safe harbor” provision under which an operator is deemed to comply with the FTC regulations if it follows a set of self-regulatory guidelines approved in advance by the FTC (after an opportunity for the public to comment) as meeting the requirements of the FTC regulations.[21]

A violation of the regulations promulgated by the FTC under the Act is deemed to be a violation of Section 5 of the FTC Act,[22] the penalties for which are described above. Moreover, the Act provides that certain other specified agencies also shall enforce the Act and the FTC regulations against companies that those agencies regulate; for example, the Department of Transportation must enforce the Act with respect to airlines, and the Federal Reserve Board is charged with enforcement against its member banks.[23] In addition to these forms of federal enforcement, the Act authorizes state attorneys general to bring enforcement actions for injunctive and/or monetary relief for any violation of the FTC regulations.[24]

OTHER FEDERAL STATUTES THAT PROTECT THE PRIVACY OF CONSUMER INFORMATION

Numerous other federal statutes also protect the privacy of particular types of information and provide regulatory and/or judicial enforcement mechanisms:

- **Electronic Funds Transfer Act**, 15 U.S.C. § 1693 et seq. -- This Act requires institutions that provide electronic banking services to inform consumers of the circumstances under which automated bank account information will be disclosed to third parties in the ordinary course of business. The Act is enforced by the Federal Reserve Board, and violations can result in civil and/or criminal penalties.
- **Electronic Communications Privacy Act**, 18 U.S.C. § 2510 et seq. -- This statute prohibits the unauthorized interception or disclosure of many types of electronic communications, including telephone conversations and electronic mail, although disclosure by one of the parties to the communication is permitted. Violators of this statute are subject to criminal penalties and civil liability.
- **Video Privacy Protection Act**, 18 U.S.C. § 2710 -- This statute forbids a video rental or sales outlet from disclosing information concerning what tapes a person borrows/buys or releasing other personally identifiable information. The Act further requires such outlets to provide consumers with the opportunity to opt out from any sale of mailing lists. The Act is enforced through civil liability actions.
- **Telephone Consumer Protection Act of 1991**, 47 U.S.C. § 227 -- This provision mandates that any company making a telephone sales call first consult its list of those who have elected not to receive such calls. The statute grants the Federal Communications Commission (“FCC”) the authority to prescribe regulations necessary to protect residential subscribers’ privacy rights. The Act also bans unsolicited fax messages. It is enforced by the FCC and through civil suits that can give rise to substantial penalties.
- **The Cable Communications Policy Act of 1984**, 47 U.S.C. § 551 et seq., as amended by The Cable Television Consumer Protection and Competition Act of 1992 -- This Act establishes written disclosure requirements regarding the collection and use of personally identifiable information by cable television service providers and prohibits the sharing of such information without prior consent. The Act also provides consumers with the right to access cable company records for purposes of inspection and error correction. The statutory provisions are enforceable through private rights of action for damages.
- **Communications Act**, 47 U.S.C. § 222 -- This provision requires telecommunications carriers to protect the confidentiality of customer proprietary network information, such as the destinations and numbers of calls made by customers, except as required to provide the customer’s telecommunications service or pursuant to customer consent. These requirements are enforced by the FCC.
- **Federal Aviation Act**, 49 U.S.C. § 40101 et seq. -- Department of Transportation regulations promulgated under authority of this Act generally require airlines to keep passenger manifest information, such as the names and destinations of passengers, confidential and prohibit use of this data for commercial or marketing purposes.[25] These regulations are enforced by the Department of Transportation.
- **Health Insurance Portability and Accountability Act of 1996**, 42 U.S.C. § 1301 et seq. -- This Act provides that the Secretary of Health and Human Services must promulgate regulations governing the privacy of individually identifiable health information if Congress itself does not enact legislation on this subject by August 1999. The Secretary has already issued a set of recommendations to Congress that include provisions such as restricting the disclosure of patient-identifiable information and providing patients with notice about how such information will be used and to whom it will be disclosed.
- **Office of Thrift Supervision Policy Statement on Privacy**[26] -- This policy statement advises savings associations on how best to protect consumer privacy. Among other things, the statement urges savings associations to provide notice to consumers as to how personal information will be used and in what circumstances such information may be disclosed to third parties.
- **Right to Financial Privacy Act of 1978**, 12 U.S.C. § 3401 et seq. -- This Act mandates that the federal government present proper legal process or a “formal written request” to inspect an individual’s financial records kept by a financial institution (including a credit card company) and give simultaneous notice to the consumer to provide him/her with the opportunity to object. Both government agencies and financial institutions that violate this Act are subject to civil court actions.

STATE LAW PROTECTION

In addition to sectoral privacy protection at the federal level, states provide both statutory and common law privacy protection with respect to numerous types of data, particularly in the financial and credit sectors. These state laws sometimes complement similar safeguards at the federal level by providing alternative remedies and enforcement schemes. In other cases, the state laws provide protection for types of data that federal laws do not reach.

1. STATE STATUTES

A number of states have statutes that generally concern privacy of financial data. Illinois, for example, regulates the circumstances in which a bank may disclose a customer’s financial records, including any information “pertaining to any relationship established in the ordinary course of a bank’s business.”[27]

In addition to the state analogues to the FCRA discussed above, a number of state statutes specifically address the use of consumer credit information, particularly for marketing purposes. Maine, for example, generally forbids any sale or disclosure of mailing lists or account information of credit card holders to a third party without an explicit opt-in by the consumer.[28] Florida and Hawaii also have opt-in schemes for dissemination of credit card lists, except that they allow disclosures to a third party as long as that party is prohibited from divulging consumer information except to carry out the purpose for which the cardholder provided the information.[29] California requires that, before a credit card issuer discloses marketing information to any person, the issuer must inform the cardholder of such disclosure by written notice that provides an opportunity to opt out of the program.[30]

State statutes also extend privacy protections to other sectors of the economy. A number of states, for example, restrict the collection and disclosure of information gathered by insurance companies. These statutes, based on the Insurance Information and Privacy Protection Model Act promulgated by the National Association of Insurance Commissioners, often require insurance companies and agents to provide a policyholder or applicant notice concerning the types of personal information that may be collected about him or her from a third party and the individual’s rights to access and correct information in the company’s files.[31] Many state statutes also protect the privacy of medical information by, for example, providing patients a general right of access to their medical records[32] and protection from disclosure of medical records by licensed health-care providers.[33]

2. STATE COMMON LAW

States also provide privacy protection through a number of common law doctrines. On a general level, virtually all states recognize a tort of invasion of privacy. This tort is generally divided into four categories: intrusion upon seclusion of another, appropriation of another’s name or likeness, unreasonable publicity given to another’s private life, and publicity placing another in a “false light” before the public.[34] The most relevant form of this tort in the context of protecting an individual’s private data is giving unreasonable publicity to another’s private life. Although this tort is unlikely to apply to the disclosure of arguably public information such as names and addresses, release of more private information such as transaction histories might trigger this tort.[35]

In certain cases, the relationship between the consumer and the holder of consumer data gives rise to a legally cognizable duty not to disclose consumer information, or to do so only in particular circumstances. A number of states, for example, have recognized an implied contractual duty on the part of banks not to disclose information about a depositor’s account.[36] A similar duty arguably arises in the context of a creditor-debtor relationship[37] and a security firm-customer relationship.[38]

Finally, state regulation of professionals, such as accountants, doctors, lawyers, and psychologists, often imposes restrictions on the use and disclosure of personal information such professionals obtain from their clients. Often the state code simply enforces or supports the self-regulatory code adopted by the profession. For example, many states protect communications between doctors and psychiatrists and their patients, recognizing those professions’ commitment to safeguarding such communications. Some states also have recognized that accountants have a general duty to maintain the confidentiality of client information.[39] State laws often provide additional protections by determining that these professional codes of conduct create fiduciary duties on the part of professionals and permitting civil suits for breach of those duties.

---------------------------------

FOOTNOTES:

[16] Children’s Online Privacy Protection Act of 1998, §§ 1302(1), 1303(b)(1).
[17] Id. § 1302(8).
[18] Id. § 1302(8)(G).
[19] Id. § 1303(b)(1).
[20] Id. § 1303(b)(2).
[21] Id. § 1304.
[22] Id. § 1303(c).
[23] Id. § 1306(b).
[24] Id. § 1305.
[25] See 14 C.F.R. §§ 243.7, 243.9.
[26] Office of Thrift Supervision, ***Statement of Privacy and Accuracy of Personal Customer Information*** (Nov. 1998).
[27] Ill. Rev. Stat. ch. 202, § 5/48.1; see, e.g., Minn. Stat. § 13A.01; N.J. Stat. Ann. § 17:16K-3.
[28] Me. Rev. Stat. Ann. tit. 9-A, § 8-304.
[29] Fla. Stat. ch. 817.646; Haw. Rev. Stat. § 708-8105.
[30] Cal. Civ. Code § 1748.12(b).
[31] See, e.g., Cal. Ins. Code § 791; Conn. Gen. Stat. Ann. § 38-501; Ill. Rev. Stat. ch. 215, § 5/1001.
[32] See, e.g., Cal. Health & Safety Code § 1795; Colo. Rev. Stat. § 25-1-801.
[33] See, e.g., Fla. Stat. chs. 455.241, 395.017.
[34] ***Restatement (Second) of Torts*** § 652A (1977).
[35] But see Dwyer v. American Express, 652 N.E.2d 1351 (Ill. App. 1995) (rejecting invasion of privacy claim based on alleged sale of card member lists sorted by buying patterns because customers voluntarily used card and company had ownership interest in data).
[36] See, e.g., Barnett Bank of West Florida v. Hooper, 498 So.2d 923, 935 (Fla. 1986); Twiss v. State Dept. of Treasury, 591 A.2d 913, 919-20 (N.J. 1990).
[37] See, e.g., Pigg v. Robertson, 549 S.W.2d 597, 600 (Mo. Ct. App. 1977).
[38] See, e.g., Barnsdall Oil Co. v. Willis, 152 F.2d 824, 828 (5th Cir. 1946).
[39] See, e.g., Alaska Stat. § 8.04.662; Ariz. Rev. Stat. § 32-749; Conn. Gen. Stat. § 20-281j.