Privacy Laws and Business International Report
GROWING CONSUMER EXPECTATIONS regarding the handling of personal data mean that organisations with websites on the Internet ought to take data protection aspects into account. If your organisation's website collects personal data, it is time to consider creating an on-line privacy statement.
For the time being, adopting a privacy policy statement and making it available on-line is thought to be good business practice rather than a legal requirement. Countries such as the United States, which mainly rely on self-regulation, can do nothing but encourage organisations to adopt privacy policies for their websites. However, European Union member states, which have strict data protection regimes, are also struggling to get the message across to companies. The EU Data Protection Commissioners have stressed that anyone collecting or disseminating personal data on the Internet must comply with the data protection principles. This includes informing visitors to the sites of the uses and disclosures that will be made of their personal data.
MOST WEBSITES LACK PRIVACY STATEMENTS
While compliance with data protection laws may be required, the actual practices are difficult to monitor. However, to avoid any problems, companies collecting personal data on their websites, for example via on-line forms, should create statements defining their privacy policy.
Surveys conducted in the United States and Hong Kong indicate that this is not yet a routine practice. The US Federal Trade Commission found last year that only 2% of the 1400 websites it visited for the survey provided a comprehensive privacy policy. Most of the sites surveyed, some 85%, collect personal information. Only 14% of these sites provided any notice of their information collection practices. Another survey looking at 531 websites in Hong Kong revealed that more than 60% of the sites surveyed collected personal information by using on-line forms. In the period from July to October 1998, 6.2% of the sites studied displayed a privacy policy statement.
CREATING GOOD PRIVACY STATEMENTS
A good privacy policy statement is clearly visible and placed on the startup page as well as on all pages that collect personal data. Alternatively, there should be a link to the page including the statement.
Privacy statements should tell users who is collecting the data, and for which purposes. Visitors to the sites must be able to see this notification before disclosing any personal information. The users should also be able to print a hard copy of the privacy statement. Privacy statements should mention the right of access to personal data, and the right to have inaccurate data corrected or deleted.
Further aspects that need to be included in a privacy statement depend on the type of information the organisation collects. If it is financial data, additional security measures are required. Sensitive or children's data should preferably not be collected at all. It is important to tell visitors how their data will be treated in news groups, chat rooms and forums. Organisations should also provide their full contact details and, to follow good practice, state that they will not pass any personal data to third parties. Other details that organisations may wish to reveal about their websites are the possible use of cookies, and possibilities for anonymous browsing. If the organisation's website is linked to other sites, it may be wise to inform visitors that the organisation does not bear any responsibility for the practices of those sites.
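The placement rule above (a statement, or a link to it, on the start page and on every page that collects personal data) can be checked mechanically before a site goes live. The following is an added example, not code from the report or from any organisation it mentions: it parses a set of constructed HTML pages, flags forms whose text inputs have personal-data field names (a heuristic list assumed here), and reports pages that collect such data without a visible privacy notice or link.

```python
"""Audit constructed HTML pages for the privacy-statement placement rule.

Added example (not from the report). Field-name heuristics and the sample
pages below are assumptions constructed for illustration.
"""
from html.parser import HTMLParser

# Heuristic: text-like inputs whose name contains one of these collect personal data.
PERSONAL_FIELDS = ("name", "email", "phone", "address", "postcode", "card")
# A page "has a notice" if link text/href or body text mentions one of these.
PRIVACY_MARKERS = ("privacy", "data protection")
TEXT_INPUT_TYPES = ("text", "email", "tel")


class PageAudit(HTMLParser):
    """Collect three facts about one page: does it collect personal data,
    does it link to a privacy statement, does it carry statement text."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.collects_personal_data = False
        self.has_privacy_link = False
        self.has_privacy_text = False
        self._href = None          # href of the <a> currently open, if any
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.in_form = True
        elif tag == "input" and self.in_form:
            name = a.get("name", "").lower()
            typ = a.get("type", "text").lower()
            if typ in TEXT_INPUT_TYPES and any(f in name for f in PERSONAL_FIELDS):
                self.collects_personal_data = True
        elif tag == "a":
            self._href = a.get("href", "").lower()
            self._link_text = []

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False
        elif tag == "a" and self._href is not None:
            text = "".join(self._link_text).lower()
            if any(m in self._href or m in text for m in PRIVACY_MARKERS):
                self.has_privacy_link = True
            self._href = None

    def handle_data(self, data):
        if self._href is not None:
            self._link_text.append(data)
        if any(m in data.lower() for m in PRIVACY_MARKERS):
            self.has_privacy_text = True


def audit_page(html, is_start_page=False):
    """Return the facts for one page plus a verdict against the placement rule."""
    p = PageAudit()
    p.feed(html)
    p.close()
    needs_notice = is_start_page or p.collects_personal_data
    has_notice = p.has_privacy_link or p.has_privacy_text
    return {
        "collects_personal_data": p.collects_personal_data,
        "has_privacy_notice": has_notice,
        "compliant": (not needs_notice) or has_notice,
    }


def audit_site(pages, start_page):
    """pages: {path: html}. The start page must always carry a notice."""
    return {path: audit_page(html, path == start_page) for path, html in pages.items()}


# Constructed sample site: four pages, one of which should fail the audit.
SAMPLE_PAGES = {
    "/": '<h1>Welcome</h1><a href="/privacy">Privacy policy</a>',
    "/order": ('<form action="/buy"><input name="full_name">'
               '<input type="email" name="email"><input name="card_number">'
               '<input type="submit" value="Place order"></form>'),
    "/contact": ('<form><input type="email" name="email"></form>'
                 '<p>We process your details in line with our privacy statement.</p>'),
    "/about": "<p>About us: we sell books.</p>",
}

if __name__ == "__main__":
    for path, result in audit_site(SAMPLE_PAGES, "/").items():
        status = "OK " if result["compliant"] else "GAP"
        print(f"{status} {path}: {result}")
```

Running the block lists `/order` as the one gap: it collects name, e-mail and card data but neither links to nor shows a privacy notice, which is exactly the situation the report describes for on-line order forms. The heuristics are deliberately simple; a real audit would also follow the link to confirm the statement exists and covers the points listed above.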
FROM POLICY TO PRACTICE
Some major companies, especially those based in the United States, have already adopted privacy policies for the Internet. On the other hand, many companies do not mention anything about privacy aspects on their homepages which collect personal data.
Even though the level of privacy protection on European Internet sites may not be good, the companies collecting personal data are, in theory, obliged to take data protection legislation into account. However, companies operating in countries that do not have data protection legislation do not necessarily have any obligation, or incentive, to adopt good information handling practices.
The story is different with big multinationals, such as American Express, which has adopted fair privacy principles. The company has placed its privacy statement on a prominent place on the opening page. However, there is room for some improvement. While American Express does not collect e-mail addresses from those just browsing, the addresses that have been released voluntarily in order to pay for a service or check a credit card bill will be used unless the customer explicitly opts out by writing to American Express. Although the company has a list of privacy principles which provide protection for consumers, it does not include the right of access and correction. On the positive side, the company conducts reviews by outside experts to evaluate its compliance with its own privacy policy.
ESSENTIAL PRIVACY PRACTICES FOR RETAILERS
Retailers use the Internet increasingly to enable customers to shop on-line. While all of them ought to have comprehensive privacy policies, practices vary enormously.
A UK-based retail company, Marks & Spencer UK, does not provide a privacy policy as such on its website. There are notices on on-line order forms, though, which tell us that the company is registered under the 1984 Data Protection Act, and that it will not make personal data available to companies outside the Marks & Spencer Group. Again, there is an opportunity to opt out from receiving any marketing material. The company rightly warns about the insecurity of transmitting data electronically, but does not touch upon issues such as correcting or deleting the data, or the use of cookies. A plus point is that the company openly mentions that it may monitor or record phone calls to the company for quality assurance or staff development purposes.
Predicted to become increasingly popular, on-line shopping for food is a service that many supermarkets offer over the Internet. When placing an order, the customer is requested to provide certain personal data. This is the case also when requesting a loyalty card. Tesco, for example, broadly tells website visitors that the personal data is collected in order to provide a better service, but that you have the option of not receiving any marketing materials. Interestingly, the information about their loyalty card includes a statement that personal data will not be given to third parties, but this is not mentioned on the on-line application for a shopping account. Information about the security arrangements is yet again on a different page. To sum up, the company has made a good attempt to include some information about data protection, but is lacking some important facts, such as access rights.
Some companies do not even mention the word privacy, and only include information about network security in a legal disclaimer. This is the case, for example, with UK-based Computer Bookshops. Claiming to be Europe's largest wholesale trade distributor of computer books, the company collects personal information via its website, but does not inform the customers of the use that is made of that data. A legal disclaimer warns about the insecurity of information and payment over the Internet, and makes it clear that the company denies liability.
CONSEQUENCES OF NOT INFORMING CUSTOMERS
While most e-commerce transactions are business-to-business, companies need to understand that, without consumer trust, e-commerce will not grow as fast as hoped. In addition, there is the threat of litigation.
One might, of course, think that as companies' information practices are so difficult to monitor on the Internet, there is little need to do anything. However, a US Federal Trade Commission ruling from last year proves otherwise. It ordered a US-based company, GeoCities, which had disclosed customer information to third parties, to post a prominent privacy policy on its website, and to implement it (PL&B Dec '98 p.2).
Hong Kong Privacy Commissioner Stephen Lau takes the view that while organisations are expected to have a privacy policy statement, it is not, strictly speaking, a statutory requirement. In Europe, the UK Data Protection Registrar, for example, expressed concern over poor security measures on websites. The ODPR is planning to publish guidance on Internet matters in the future.
WHERE TO GET HELP
To a certain extent, the lack of comprehensive on-line privacy statements may result from the fact that the department designing the site has no contact with the company's data protection manager. This points to the fact that internal co-ordination should be improved.
There is plenty of assistance available for creating privacy statements. Consultancies are competent to design privacy policy statements for the Internet that fulfil international privacy requirements. (PL&B offers this service!) Also, the Internet itself hosts information about how to create a privacy statement.
Useful sites to visit include TRUSTe at http://www.truste.org which provides a wizard for creating a statement, the Internet Chamber of Commerce at http://www.icc.org/privacy.htm, the Federal Trade Commission at http://www.ftc.gov/opa/1998/9806/privacy2.htm, PrivacyExchange at http://www.privacyexchange.org, the EU Data Protection Working Party (see recommendation 2/97 about data protection and the Internet) at http://europa.eu.int/comm/dg15, the Hong Kong Privacy Commissioner's Office at http://www.pco.org.hk, and other national Privacy Commissioners' websites.
URL: http://www.worldlii.org/int/journals/PLBIRp/1999/15.html