College of Management, North Carolina State University, Raleigh, nc 27695-7229



If the 2003 version of OPPA is enacted into law, the statute envisions enforcement through actions by state attorneys general and by the FTC. Section 4 of OPPA allows states, through their attorneys general, to bring actions on behalf of state residents against conduct they believe violates any regulation fashioned by the FTC. Such actions include suits to enjoin unlawful actions of websites or online service providers, actions to enforce compliance with the regulation, actions for damages, restitution or other compensation, and any other relief a court may deem appropriate. Before filing an action, the state attorney general must provide the FTC with written notice of the action and a copy of the complaint. Upon notification, the FTC has the right to intervene, which means that the FTC will prosecute the case instead of the state.

OPPA, if passed into law, would supersede “State law to the extent that it [OPPA] establishes a rule of law applicable to an online privacy action that is inconsistent with State law.” Importantly, “Nothing in this Act supercedes State law with respect to the prosecution of fraud.” The implication of this interaction between OPPA and State law is that individuals harmed by the actions of websites and online service providers would still have the option to file a private civil suit based on common law fraud under State law. OPPA itself, however, does not provide a private right of action for citizens, which is perhaps a recognition that class action lawsuits in this area are infeasible. If a website or an online service provider made a promise with respect to PII that it knew was false, breaching that promise may constitute both a violation of OPPA and common law fraud, but individuals harmed by such actions could sue only under common law fraud. Of course, the state attorney general could sue the defendants for violations of OPPA, or the FTC may intervene and sue under the powers given to it by OPPA.

EU Directives are essentially commands to Member States to enact laws consistent with the Directive. Nothing in the 2002 Directive provides a private right of action for violations of the Directive. Enforcement of the 2002 Directive instead takes place through Member State legislation that makes certain actions of websites and online service providers illegal, and through the policing of those laws by Member State governments. As with most aspects of ensuring privacy, the EU places enforcement in the hands of governmental authorities rather than private actions. As mentioned above, this is the same approach taken by OPPA, which does not contain a private right of action, though OPPA does not preclude private common law fraud suits.
Table 1: FIP Coverage Summary (columns of the original table: Current U.S. Law; OPPA, the proposed 2003 bill; EU Directives)

Notice / Awareness
  Current U.S. Law: None in general, but the GLB Act and HIPAA regulations require notice.
  OPPA: Hyperlink to a privacy policy that notifies the user who is collecting PII, what PII is collected, how PII is used, and what information is transferred to third parties.
  EU Directives: Hyperlink to a privacy policy that notifies the user who is collecting PII, the purpose for collecting PII, the categories of third parties who receive the PII, and the rights to access and to rectify PII.

Choice / Consent
  Current U.S. Law: Industry specific; websites that fall under the provisions of COPPA, HIPAA or GLB.
  OPPA: Websites must provide a meaningful and simple online process for users to consent to (or limit) disclosure of PII for purposes unrelated to those for which the PII was obtained.
  EU Directives: EU law generally requires that users be given a choice before their PII is used for any purpose other than completing a transaction.

Access / Participation
  Current U.S. Law: (no entry)
  OPPA: Websites must provide, upon request of the user, (i) a description of the types of PII collected and transferred to a third party, and (ii) reasonable procedures for the user to obtain the PII.
  EU Directives: Websites must provide users access to PII and conditional procedures to modify incorrect PII.

Security / Integrity
  Current U.S. Law: None; however, common law suits based on negligence are a potential consequence of not using commercially reasonable measures to protect the integrity of stored PII.
  OPPA: Requires websites to establish and maintain reasonable procedures to protect the confidentiality, security and integrity of the personal information they collect or maintain.
  EU Directives: Must take appropriate technical and organizational measures to safeguard the security of their services.

Enforcement / Redress
  Current U.S. Law: The FTC and state attorneys general can file unfair trade practice suits against websites that do not adhere to the promises made in their privacy policies.
  OPPA: For violations of OPPA, state attorneys general are empowered to file suits for injunctions and damages unless the FTC decides it wants to file a nationwide claim.
  EU Directives: There are no private rights of action; enforcement takes place through information regulatory agencies in each member nation.

4 Conclusion and Implications

For most transactions that take place on the Internet, U.S. based websites are not regulated. If they collect PII, they are not required to provide notice. They are not required to give end-users a choice as to whether secondary use is made of PII collected to complete transactions. Users whose PII is collected by U.S. based websites have no right to access that information or to request correction of inaccuracies. Websites that are negligent in their storage of PII are potentially liable under common law suits, but the amount of damages involved rarely justifies a suit by individual users, even if they are joined together in a class action. The Federal Trade Commission and state attorneys general have filed legal claims against websites that violate the terms of their own privacy policies, but neither the FTC nor state attorneys general have the resources to seriously dent the vast bulk of fraud that occurs in cyberspace, let alone the misuse of PII measured against the FIPs.

On a piecemeal basis, U.S. legislators have provided some legal protection for the privacy of financial and medical records and for information obtained from children under 13. There are also significant efforts by private parties in the U.S. to guarantee user privacy on the Internet, but analysis of these efforts is outside the scope of this paper. Compared with the EU, however, there is far less legal protection of online privacy in the U.S. Under EU law, data subjects must be notified when PII is collected about them, and the 2002 EU Directive extended the notice requirement to the attachment of cookies and other tracking mechanisms. In general, those attempting to use PII for purposes other than the transaction for which it was collected must obtain an affirmative opt-in from users under EU law. Users living in EU member states are entitled to access the PII collected about them and have the right to participate in correcting mistakes. The EU does require that those who store and transmit PII use commercially reasonable means to maintain confidentiality. Enforcement in the EU is accomplished through data protection commissions.

The 2002 EU Directive builds on the protections provided for in the 1995 Information Directive. In the U.S. there have been several reform proposals tendered in Congress, but so far none has been enacted. The current comprehensive proposal for privacy, the Online Privacy Protection Act, if adopted would require U.S. based websites to incorporate most of the Fair Information Practices in their standard operating procedures. Many websites do have privacy policies that incorporate some of the FIPs, but for many other websites enactment of OPPA would cause substantial changes in current commercial practices.

The differing privacy laws create a dilemma for executives, managers and security professionals. When managers or Chief Privacy Officers produce website privacy policies that conform to the most restrictive online privacy laws, the organization is expected to adhere to those laws. However, complying with restrictive privacy laws is expensive, and valuable marketing data may be lost to business rivals. Some policy analysts emphasize the importance of “ethics”, but recent Internet history and basic economic theory suggest that if there is a profit to be made by acquiring, storing or transmitting PII, someone will take advantage of the opportunity. Given the vastness of cyberspace, misuse of PII often goes undetected. When organizations do engage in surreptitious behavior with regard to PII, consumers typically must rely on voluntary actions by non-profit watchdog groups. It is the authors’ opinion that such reliance is not a viable safeguard against thousands of websites and online service providers, large and small, whose ethical commitments are attenuated by profit considerations (i.e., if they do not do “it”, others will, and those others will become more profitable as a result).

A topic for further research is an empirical investigation of whether the commercial practices of EU websites differ significantly from those of U.S. based websites. It is clear that EU law provides substantially more guarantees for the privacy of PII, but whether those guarantees are evident in the practices of large and small websites is worthy of investigation. Once the 2002 Directive is implemented, we should see fewer EU based websites without a hyperlink to their privacy policies on their home pages, relative to U.S. based websites. Users dealing with websites subject to EU law should have more options with respect to the use of their PII, greater access to and participation in correcting their files, and the other protections discussed above.

Investigators in the legal/privacy field should have a keen interest in measuring the impact of the 2002 EU Directive on the commercial practices of EU based websites. It could also be said that much of the difference between commercial practices in the U.S. and the EU is attributable to the impact of the 1995 EU Information Directive. There is no doubt that the 1995 EU Information Directive caused major changes in the commercial practices of EU based collectors and transmitters of information, including websites, and through the Safe Harbor Principles the commercial practices of U.S. firms have been affected as well. Researchers in this area may have difficulty disentangling the effect of EU Directives because these directives have been foisted upon some U.S. firms through the Safe Harbor Principles. If OPPA is enacted into law, its effects should obliterate differences in the commercial practices of U.S. and EU websites and online service providers, so longitudinal studies may be appropriate.

