Legal Concerns for Online Communities: Privacy

Discussion in 'Member Articles & Tutorials' started by RockinRobbins, Oct 23, 2009.

  1. RockinRobbins

    RockinRobbins Adept

    Aug 12, 2009
    Legal Concerns for Online Communities
    A look at Personal Information Privacy

    Online communities are a growing medium on the world wide web. Instead of going to their local coffee shop (or sometimes at their local coffee shop) people are logging into an online community to converse with long lost friends or meet new people that share common interests. While online communities provide a remarkable information sharing platform, they also pose a fair share of legal concerns. In this article we will review one of the most pressing legal issues for online communities: the collection and use of personal information.


    As technology advanced in the 1960s and 70s legislators and their constituents became increasingly concerned about the collection of electronic data by the federal government and how the government used this information. In response, the Department of Health, Education, and Welfare (HEW) issued a report, entitled Records, Computers, and the Rights of Citizens, which recommended that Congress create and pass legislation that would provide individuals with reasonable controls around the personal information they share and protect any such information that was collected. As a direct result, Congress passed the Privacy Act of 1974.
    Over 30 years later the expansion of the internet has once again pushed this topic to the forefront of many debates. While the Privacy Act of 1974 only applies to the federal government, many feel that the regulations put in place should also apply to all organizations that request personal information. In 1997 the Federal Trade Commission (FTC) supported a series of surveys to study the extent to which websites adhered to the principles outlined in the Privacy Act of 1974. By 1999 the FTC was confident that additional legislation was not needed. The FTC further determined that sites that were not run by the government were self-regulated exceptionally well. This was due in large part to "seal programs" developed by the Better Business Bureau. If a website carried that seal it indicated that the website operators had agreed to comply with a certain set of recognized privacy guidelines. However, by 2000 the FTC changed its stance after learning that only 40% of the 100 most popular websites had actually implemented the guidelines.
    While work began on drafting privacy legislation that would apply to all electronic databases, a series of events took place within the government that shifted the focus from all civilian websites to government-run websites. Between 1999 and 2005 a variety of memos from the White House Office of Management & Budget and news stories from the Associated Press and C| reported dozens of government agencies were not in compliance with the Privacy Act of 1974. As a result Congress passed the E-Government Act which established an updated set of privacy guidelines for personal information collected by the federal government. The E-Government Act includes the following guidelines:

    • Federal websites must include a privacy notice.
    • The privacy notice must address what information is being collected, why it is being collected, and what is the intended use of the information.
    • The privacy notice must provide an opportunity for the individual to refuse to provide all or part of the requested information and how the information is shared.
    • The privacy notice must describe how the collected information will be secured.

    Impact on Online Communities

    It wasn't until February 2009 that the FTC issued a report entitled FTC Staff Report: Self-Regulatory Principles for Online Behavioral Advertising. In this report the FTC stresses that there are four main principles that operators should abide by when hosting their websites.

    1. Transparency and Consumer Control: Consumers should be aware of what data is being collected for use in providing advertising and have the choice to opt in or out of sharing this information.
    2. Reasonable Security and Limited Data Retention for Consumer Data: Consumers should be ensured that personal information they choose to share will be safeguarded and retained for the minimum amount of time necessary before being properly destroyed.
    3. Affirmative Express Consent for Material Changes to Existing Policy Promises: Websites looking to make changes to their current privacy policies must inform consumers and obtain their permission before they can use previously collected information in ways not allowed by the current privacy policy.
    4. Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising: Companies should get express permission to use any sensitive information (such as about health, finances, or children) for advertising purposes.

    Since no formal legislation has been passed nationwide, individual states, such as Connecticut, Utah and California, have enacted their own legislation. In one way or another these states require that websites that are open to their residents must disclose their privacy policies. For example, the California Online Privacy Protection Act requires that "any person or entity that collects personally identifiable information (PII) from California residents through an internet website or online service for commercial purposes to post conspicuously its privacy policy on its website or online service and to comply with that policy." The National Institute of Standards and Technology (NIST) has defined PII as either information that can individually identify an individual (i.e. social security number, passport number, full name, or photo) or information elements that when linked together could identify an individual (i.e. telephone numbers, IP address, or date of birth). The Act also requires that the privacy policy must identify what type of PII will be collected and if this PII is shared with any 3rd parties. This legislation essentially requires any website that is open to residents from California to adhere to the law. Websites and online services that do not comply are at risk for civil suits for unfair business practices.

    Even though the government has not completed the passage of legislation yet, they are building momentum. In 2005 the 109th Congress stated that the collection of PII by government and commercial websites was a major concern. On September 7, 2009 the Associated Press reported that Rep. Rick Boucher of Virginia is drafting a bill that would impose sweeping legislation in this area. Rep. Boucher expects that websites will have different rules depending on the risk associated with the information collected by that website. If a website collects information for advertising purposes it may simply have to ask users if they wish to opt-out of providing the information. However if a website requests sensitive PII like a social security number or health information then the privacy policy would be an opt-in system.

    Protecting your Community

    As the interest in online communities grows so will the concern over the use of personal information. Providing users with a privacy policy now and being transparent about your intentions is the best way to safeguard your online community. You want to ensure that your privacy policy addresses the four principles outlined by the FTC. To guide you through this process you can use the following "Top Ten" list.

    Top Ten Questions to Answer in Your Privacy Policy

    1. How does your community define "personal information?" (E.g. Will your site follow the NIST definition? Does your definition include information shared in forum discussions, offline, or only through site registration?)
    2. What data is being collected for use in providing advertising/sharing with third parties?
    3. What information is automatically logged by your site (e.g. IP address)?
    4. Does your site use cookies, and if so how?
    5. Can community members opt out of sharing their personal information, and if so how?
    6. Do you intend to safeguard the personal information shared on your site, and if so how?
    7. How long do you plan to retain the personal information collected on your site?
    8. Do you plan to inform your community about changes to your privacy policy?
    9. Would you use information gathered under an old privacy policy for actions that are now allowed under a new privacy policy?
    10. How would community members go about changing or modifying their personal information?

    If you are still looking for guidance on how to construct your privacy policy, you may want to review the privacy policies of existing sites and determine what you agree with and what you don't. Here are a few suggestions for policies to review:

    Finally, there are a variety of online privacy policy generators available to help you construct a document that is right for your community. However, just as your community is unique, your privacy policy should be uniquely yours. Using a generator should be the start of your privacy policy development and not the end. Here are a few privacy policy generator sites that can help you on your way:

    This post has been promoted to an article
    4 people like this.
  2. Nick

    Nick Regular Member

    Jul 27, 2008
    Awesome article, sure to help so many people!
  3. Crazyhorse

    Crazyhorse Newcomer

    Oct 29, 2009
    This is very informative! Thanks for posting!