In the EU, organizations that collect personal data must do so in accordance with the Data Protection Directive (Directive 95/46/EC). US businesses that receive personal data from the EU must also provide an "adequate level of protection" for it. Personal data can only be gathered under strict conditions and for a legitimate purpose, and the organization must manage it in a way that protects the data subject's rights and prevents misuse. (This section describes the law as it stood when written: the Directive was replaced by the General Data Protection Regulation in May 2018, and the US-EU Safe Harbor framework was invalidated by the Court of Justice of the EU in October 2015.)
If you are a US company, you can meet the adequacy requirement by joining the US-EU Safe Harbor Program. To do so, you must adhere to the following seven Safe Harbor Privacy Principles:
- Notice-Organizations must notify individuals about the purposes for which they collect and use information about them, the organization's contact information, the means the organization provides for limiting the information's use and disclosure, and the kinds of third parties, if any, to which the organization discloses the information.
- Choice-Organizations must provide the opportunity to opt out (and if the information is sensitive like health information, it must be in the form of an opt in) of the collection of personal information that will be disclosed to a third party or used for any purpose beyond that of its original collection.
- Onward Transfer-In order to disclose to a third party, an organization must comply with the above Notice and Choice principles.
- Access-Individuals must be able to view, correct, amend, or delete their personal information, with some exceptions.
- Security-Reasonable precautions must be made by organizations to protect personal information.
- Data Integrity-Personal information collected must be relevant to all the purposes it will be used for.
- Enforcement-Organizations must have accessible, independent recourse mechanisms through which complaints are resolved and damages awarded where applicable. They must also have procedures for verifying adherence to all of the principles and for correcting problems arising from any failure to comply.
In Canada, the applicable law is the Personal Information Protection and Electronic Documents Act or “PIPEDA.” It applies to any organization that collects, uses, or discloses personal information in the course of commercial activities. As a US company, you will still fall within the scope of PIPEDA if you have operations in Canada. Also, even if you do not have any Canadian operations but are collecting the personal information of Canadian citizens, you may be found to be within the scope of the law.
Any collection, use, or disclosure of personal information under this law can only be for purposes that a reasonable person would consider appropriate under the circumstances. In addition to this, there are ten principles that are to be followed to comply.
- Accountability-The organization must designate people responsible for its compliance with the ten principles, for protecting all personal information, and for implementing personal information policies and practices.
- Identifying Purposes-The organization must identify and document the reasons for collecting personal information and inform the user of them at or before the time of collection.
- Consent-The user must be meaningfully informed of the purposes for collection and use or disclosure of the personal information and then consent to them.
- Limiting Collection-An organization cannot deceive, mislead, or be indiscriminate with their collection of personal information or statements of reasons for collecting it.
- Limiting Use, Disclosure, and Retention-Personal information cannot be used beyond its original purpose for collection or kept longer than is necessary. There must also be procedures in place for retention, destruction, and the resolution of grievances in relation to the data.
- Accuracy-The possibility of disclosing or making a decision based on personal information that is incorrect must be minimized.
- Safeguards-The personal information must be protected from loss, theft, unauthorized access, disclosure, copying, use, or modification, regardless of the information’s form.
- Openness-The organization must have understandable policies for the management of personal information that are readily available to users.
- Individual Access-Users should generally be given the opportunity to access the personal information that the organization possesses.
- Challenging Compliance-The organization must provide simple and easily understandable complaint procedures that inform of all avenues of recourse, investigate all complaints, and take appropriate corrective measures.
COPPA became effective in April of 2000, and it applies to commercial websites that collect personal information from children under 13 years old, whether the collection is mandatory or voluntary. Personal information is defined by the act as any information that is individually identifiable, or that would allow someone to identify or contact the child. If your website collects such information, you must take certain measures in order to comply with this law.
Personal information includes:
- First and last name
- Address including street name
- Online contact information
- Username that functions as online contact information
- Telephone number
- Social Security Number
- Persistent identifier that can be used to recognize a user over time and different website services
- A photo, video, or audio file, containing a child’s image or voice
- Geolocation information sufficient to identify street and city name
- Other information about the child or parent collected from the child when combined with one of the above identifiers
If you collect personal information such as that described above, you must follow these steps to comply with COPPA:
1. You must post a clear and conspicuous privacy policy on your website. The policy must contain the following:
a. The names of the individuals or operators collecting or maintaining personal information, along with their contact information.
b. A description of the personal information that is collected, how it is collected, how it is used, and whether the information is disclosed to third parties; if it is, the categories of businesses those third parties belong to and how they use the information.
c. A description of parents' rights with regard to the personal information. You must tell parents that you will not require a child to disclose more information than is reasonably necessary to participate in an activity, that they can review their child's personal information, request its deletion, and refuse to allow any further collection or use of the child's information, that they can agree to the collection and use of the child's information while retaining the option to disallow further collection or use, and, lastly, the procedures for exercising these rights.
2. You must also give direct notice to parents and obtain verifiable parental consent prior to collecting personal information online from children, with some limited exceptions. Parents must also be given the option to consent to the collection of a child’s information by the website but disallow the disclosure of such information to third parties, unless this information is considered integral to the website, which must be made clear to the parents.
3. You must also maintain the confidentiality, security, and integrity of information collected by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security.
4. You can only collect and keep such information for as long as is necessary to fulfill the purpose it was collected for, and you must take reasonable measures to protect and securely delete the information afterward.
If you have any questions about whether or not your website falls under COPPA or how to comply with COPPA, do not hesitate to reach out to the Law Office of E.C. Lewis, PC, the home of your Denver Business Lawyer, Elizabeth Lewis at 720-258-6647 or email her at Elizabeth.Lewis@eclewis.com.
Additionally, in September of 2013, California enacted a novel addition to its law on website privacy policies, commonly known as the "do not track" law. This law, AB 370, requires websites that collect personally identifiable information ("PII") from California residents to include certain disclosures in their privacy policies, which must be reachable through a conspicuous link on the website. PII is defined by California law as:
“individually identifiable information about an individual consumer collected online…from that individual…in an accessible form, including any of the following: first and last name, physical address, email address, phone number, social security number, and any other identifier that permits the physical or online contacting of a specific individual.”
The privacy policy must state whether PII is collected and what categories of PII are collected, whether PII is made available to third parties, whether users can adjust such collection of information, how the site notifies users of changes to its privacy policy, the effective date of the policy, whether other parties collect PII when a user visits the site, and whether the site honors "do not track" signals from web browsers. "Do not track" is a signal (the `DNT` HTTP request header, sent with the value `1`) by which a web browser informs a website that the user does not wish to have their activity and information followed and saved; the idea is that the website then complies with that request. Note that the California law only requires you to disclose whether you honor the signal; it does not require you to honor it.
Currently, the major web browsers (Internet Explorer, Safari, Chrome, and Mozilla Firefox) can send the "do not track" signal, but in most of them you have to turn it on. See your preferred web browser's website for information on how to do this. However, many websites do not listen to or comply with such signals, so be sure to take additional measures if you want to prevent this kind of tracking. (A later caveat: browser support has since eroded, with Apple removing the setting from Safari in 2019 because sites largely ignored it, and the W3C ended work on the DNT standard that same year. A successor signal, Global Privacy Control, sends a `Sec-GPC: 1` header and is recognized by the California Attorney General as a valid opt-out under the state's newer consumer privacy law.)
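The following is an added example, not code from the original page or from the law office that published it. It shows the server side of the mechanism described above: reading the browser's `DNT` request header, deciding whether the response may set a tracking cookie, and answering with the `Tk` tracking-status response header from the W3C Tracking Preference Expression draft. It goes one step beyond the text by also recognizing the newer `Sec-GPC` opt-out header. The request objects, the cookie name `visitor_id`, and the `honorDnt` policy flag are assumptions made for the example.

```javascript
// Added example: server-side handling of browser opt-out signals.
// Header names and values follow the W3C Tracking Preference Expression draft
// (DNT request header, Tk response header) and the Global Privacy Control
// draft (Sec-GPC request header). Sample requests below are constructed.

// Look a header up case-insensitively. Node's http module lowercases
// names, but other frameworks and test fixtures may not.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === want) return Array.isArray(v) ? v[0] : v;
  }
  return undefined;
}

// Interpret the DNT request header.
// "1" = user opted out of tracking, "0" = user opted in,
// missing or any other value = no preference expressed.
function dntPreference(headers) {
  const raw = getHeader(headers, 'DNT');
  if (raw === undefined) return 'unspecified';
  const v = String(raw).trim();
  if (v === '1') return 'opt-out';
  if (v === '0') return 'opt-in';
  return 'unspecified';
}

// Global Privacy Control: only the value "1" has meaning.
function gpcOptOut(headers) {
  const raw = getHeader(headers, 'Sec-GPC');
  return raw !== undefined && String(raw).trim() === '1';
}

// Decide the site's tracking behaviour for one request.
// honorDnt (assumed policy flag): whether the site's privacy policy says it
// complies with opt-out signals. AB 370 requires disclosing this choice;
// the choice itself is up to the site operator.
function trackingDecision(headers, honorDnt) {
  const preference = dntPreference(headers);
  const optedOut = preference === 'opt-out' || gpcOptOut(headers);
  const track = !(honorDnt && optedOut);
  // Tk response header: "N" = not tracking this user, "T" = tracking.
  const responseHeaders = { Tk: track ? 'T' : 'N' };
  return { preference, optedOut, track, responseHeaders };
}

// Build the Set-Cookie header for an analytics cookie only when tracking is
// allowed; the cookie name and attributes are illustrative assumptions.
function trackingCookieHeader(decision, visitorId) {
  if (!decision.track) return null;
  return `visitor_id=${encodeURIComponent(visitorId)}; Max-Age=31536000; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample requests (header maps as a server would see them).
const sampleRequests = {
  optOut:  { host: 'example.com', dnt: '1' },          // lowercase, as from Node
  optIn:   { Host: 'example.com', DNT: '0' },
  noPref:  { host: 'example.com' },
  garbled: { host: 'example.com', DNT: 'yes' },        // not a valid value
  gpc:     { host: 'example.com', 'Sec-GPC': '1' },    // newer opt-out signal
};

for (const [name, headers] of Object.entries(sampleRequests)) {
  const d = trackingDecision(headers, true);
  console.log(name, d.preference, 'track=' + d.track, 'Tk=' + d.responseHeaders.Tk,
              trackingCookieHeader(d, 'abc123'));
}
```

Two design points: a missing or malformed `DNT` header is treated as "no preference" rather than as opt-in, so a site that honors the signal only changes behaviour on an explicit `1`; and the decision is separated from the cookie-setting code so that the same function can gate analytics scripts, third-party beacons, or server-side logging.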
In a recent ruling, a Virginia court held that Yelp.com, which publishes consumer reviews of businesses, had to release identifying information about users who "anonymously" reviewed a company. In that case, the owner of Hadeed Carpet Cleaning, Joe Hadeed, alleged that the people who reviewed his business were not real customers and said he needed information about them to determine whether they were. If the individuals leaving negative reviews were actual customers, the reviews would be protected opinion under the First Amendment. If the reviews were not from customers, however, they would not be protected speech and Mr. Hadeed would be able to sue the reviewers for defamation. Mr. Hadeed subpoenaed information about the reviewers from Yelp; Yelp refused to disclose it.
The court ruled that Yelp must reveal the identities of the users to Mr. Hadeed because, if the users were not customers, the speech was not protected. Yelp has stated that it disagrees with the ruling and that the decision will silence critics online. Others hope it will ensure that businesses are reviewed by actual customers.
This case highlights other issues that have been raised about Yelp, namely its "hidden" (filtered) results and the number of inaccurate reviews on the site. At the time of writing there was no news about whether Yelp would appeal the decision. (It did: in April 2015 the Supreme Court of Virginia reversed, holding that Virginia courts lacked the authority to enforce a subpoena for records held by Yelp, a non-party located in California, so the reviewers' identities were not disclosed in that proceeding.) Online reviewers should still be aware that reviews should be accurate and truthful, because they may not be as anonymous as you think.
If you are a business that has had issues with possibly inaccurate reviews online, please contact me, your Denver Business Attorney, Elizabeth Lewis, at 720-258-6647.