Exposing Legal Land Mines

Article excerpt

Legal Watch

Protecting the privacy and integrity of e-records is a critical issue for information professionals; understanding e-records laws and company policies can help

The legal landscape is changing rapidly with the passage of new laws whose intent is to bring technology under control through the legal system. These new laws provide guidance not only on what is considered an electronic record or electronic signature but also on how these technologies should create and maintain data to meet legal evidentiary requirements and ensure its privacy.

The new laws cover a wide variety of complex issues, but there is one that is most important: the privacy of collected information, both on the Internet and within corporate systems. What these laws do not address is the hidden legal menace of spoliation -- the intentional or unintentional destruction of evidence -- that can cause great harm to a business in litigation or in achieving compliance under a regulatory agency.

There is no federal privacy requirement in the United States for electronically created or captured information. In this area the United States has adopted the policy of self-regulation rather than imposed regulation, with some exceptions, which are addressed later. The Federal Trade Commission (FTC), under the authority of the Federal Trade Commission Act, has the authority to monitor unfair or deceptive trade practices of businesses. This is done by reviewing the privacy policy posted on a business' Web site.

Although a business is not required to adopt a privacy policy, if it does adopt one and does not follow that policy, the FTC may bring an enforcement action against the company for unfair or deceptive practices. Possible consequences of not complying with the posted privacy policy would be the issuance of a cease and desist order or the imposition of civil fines. Most actions have been settled with the FTC rather than litigated.

A congressional report recently released details of how government Web sites use cookies and collect social security numbers in violation of federal law. Of the 10 sites that reported policies, not one was meeting the provisions of its own stated privacy policy.

Companies must be aware that the European Union (E.U.) has stringent privacy rules for data protection and these rules affect companies doing business with E.U. member countries, whether traditionally or over the Internet. In August 2001, a survey of 75 U.S. corporate Web sites found that none measured up to the E.U. standards for ensuring the privacy of customers' personal information.

U.S. regulations ensuring privacy protection are focused in three major areas: information collected from children, financial information, and health information.

Protecting Children

The Children's Online Privacy Protection Act of 1998 (COPPA), which was enacted on October 21, 1998, and became effective April 21, 2000, is directed at companies whose Web sites are intended for children or who have actual knowledge that a person from whom they collect information is a child. It regulates the online collection, use, and disclosure of individually identifiable information of children under the age of 13 years. COPPA requires parental consent prior to online collection of information about children, and sites must have prominent links to their privacy policy on all pages.

Recent studies suggest that companies need to be more attentive to the requirements of COPPA and the consequences of non-compliance. The Center for Media Education issued a report in April 2001 in which 153 Web sites were examined. The majority did not obtain prior parental consent or provide parental notice before collecting personal information from children and did not feature prominent links to their privacy policies as required by COPPA. Violations of COPPA are prosecuted by the FTC under section 5 of the FTC Act as unfair or deceptive trade practices. …