What is Protected as “Private” Online?

Less than one might think. Online privacy focuses on the use of personal information and how it is contributed, collected, shared and used by the user and by other people and companies providing web services. “Personally Identifiable Information” (a.k.a. “PII”) is protected by a web of laws, but non-personally identifiable information collected by many websites is largely unregulated.

Not all personal information is protected either. A person’s name alone is not private or protected. A name with a corresponding social security number, driver’s license number, credit/debit card account number or other financial account number is protected as “Personal Information” under a variety of U.S. state data breach notification laws. Unauthorized disclosure, theft or breach of unencrypted personal information triggers notification requirements, and imposes liability for penalties and/or damages on the company whose data was breached. Credit card numbers alone (or when stored with expiration dates) are often not protected as PII under many state data breach notification laws. No notification to the holder of the account is required despite the ability of criminals to clone fake but functional credit cards with a credit card number and expiration date alone.

Websites collect both PII and non-personally identifiable information about their users. PII is collected from website visitors when they fill out forms to register for website services or to make purchases from online retail stores. Non-personally identifiable information is anonymous data about a visitor detected and used by the website for various purposes, such as to remember whether a user is a return visitor, to remember a visitor’s login information or preferences, to operate shopping carts, and to serve ads relevant to the consumer’s interests as determined by tracking the user’s browsing habits. In some cases non-personally identifiable information is collected from a user as she browses across multiple sites and provides a detailed picture of the consumer’s habits. Non-personally identifiable information about a consumer is stored by the website in cookies and log files on the consumer’s own hard drive.

Only a few state laws address protection of privacy online. California’s 2003 Online Privacy Protection Act (OPPA) was one of the first laws to require that websites used by California residents have policies that notify users how the website collects, uses, shares and protects PII collected from visitors and to notify users how to opt out of collection of PII. OPPA’s definition of PII includes: first and last name, home or other physical address, email address, telephone number, social security number and other identifiers that could permit physical or online contact with the identified user.

There are numerous U.S. federal laws and federal agency regulations that govern the use of PII and non-personally identifiable information. How personal information is protected online varies by industry and by the financial or reputational risk presented by use of personal information. For online activities, including digital advertising, several federal laws apply, including:

  • The Children’s Online Privacy Protection Act (COPPA) requires websites collecting personal information from children under age 13 (whether intentionally or not) to provide notice and obtain verifiable consent from parents to the website’s collection and use of a child’s PII.
  • The CAN-SPAM Act seeks to protect consumers from unsolicited “junk” email by limiting businesses to emailing only those consumers with whom the company has a business relationship.
  • The Federal Trade Commission Safe Web Act of 2006 extends the FTC’s authority over deceptive collection of consumer information on the Internet. If a company’s privacy policy is inaccurate when compared to the company’s actual information collection practices, or is confusing to consumers, the FTC may bring an enforcement action requiring changes in data collection and privacy policies, and/or assess monetary penalties.
  • The Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices to their customers and protect sensitive financial information about their customers.
  • The HIPAA Privacy Rule requires healthcare providers to protect the privacy of individually identifiable health information by mandating security standards for the collection and storage of sensitive health information.

As online technology continues its rapid development, experts and government regulators (US and foreign) are calling for changes in privacy laws to protect consumers from invasive collection of non-personally identifiable information. The FTC issued a report in 2010 calling for “Do Not Track” mechanisms to facilitate consumer choice about online tracking. The U.S. White House recently released its Consumer Privacy Bill of Rights.

Collection of data about users visiting websites is commonplace online. Digital advertising supports the free web and mobile services people enjoy. Determined to ensure that privacy concerns do not halt technological advances in digital advertising, the industry formed the Digital Advertising Coalition and developed a self-regulatory program, a consumer education program, and a PII opt-out program and icon to be embedded in ads that collect multi-site data. The FTC and the US White House recently commended the industry for its self-regulatory program.