The second FIP maintains that before information is collected from data subjects their consent should be obtained. In particular, compliance with the consent/choice principle requires websites provide consumers with options regarding whether and how personal consumer information may be used for purposes beyond those for which the information was provided . If the user supplies information, the user is aware that the information is being provided and presumably notice/awareness has been satisfied. Of the 90% of commercial websites collecting PII from users only 47% of those support choice or consent to some extent .
There are two aspects to the choice/consent element of the FIPs. In some cases, the data subject is unaware that data are being collected about him or her, in which case, notice of data collection becomes imperative in order for the data subject to make informed decisions about uses of his or her PII. In other situations, the user supplies PII in order to complete a transaction, and therefore the user is clearly on notice (or aware) that the website or online service provider is collecting PII about them. Quite obviously in order to fulfill an online book order, a website would have to obtain a customer’s name, address, credit card number and possibly other data. The initial distribution of PII from user to website does not require notice since it is the user that is supplying the information. The real issue is what happens to that information (or PII) after the transactional need is satisfied? Ideally, the user should be permitted to choose what happens to his or her PII.
According to the 2003 version of OPPA, choice or consent of users would be required by websites and online service providers. In particular, under Section (b)(1)(A)(ii) of OPPA, these organizations would have
“(ii) to provide a meaningful and simple online process for individuals to consent to or limit disclosure of personal information for purposes unrelated to those for which such information was obtained or described in the notice under clause (i);…”, [clause (i) is the OPPA notice requirement presented in 3.1 above].
Under OPPA, then, organizations collecting personal information online about website users would have to obtain their consent (opt-in) to use information collected for one purpose, such as processing a book order, for other purposes. This OPPA requirement seems contrary to the commercial practices of many websites and online service providers that collect PII and use it according to terms stated in their privacy policies, but often do not separately require the data subject’s consent for secondary use of information collected.
3.2.1Current U.S. Law Regarding the Need to Obtain Consent to Use PII
As with notice, current U.S. law generally does not require that websites or online service providers offer users a choice as to whether they consent to the collection of PII. There are, of course, significant exceptions provided by several federal statutes that include the following:
The Children’s Online Privacy Protection Act (COPPA) requires that websites obtain verifiable parental consent before obtaining any PII from children 13 and under,
HIPAA regulations prohibit non-consensual secondary use of medical information, but there are numerous exceptions for public health, medical research, fraud detection and other reasons.
The Gramm-Leach-Bliley Act requires banks and other financial institutions regulated by the Act to obtain consent from customers for some disclosures of financial data to third parties for marketing purposes.
3.2.2Current EU Law Regarding the Need to Obtain Consent to Use PII
On the other hand, the 2002 EU Information Directive is emphatic that websites and online service providers must obtain consent before using “information on the private life of natural persons…” According to the 2002 Directive,
Any further processing of such data which the provider of the publicly available electronic communications services may want to perform, for marketing of electronic services or for the provision of added services, may only be allowed if the subscriber has agreed to this on the basis of accurate and full information given by the providers of the publicly available electronic communications services about the types of further processing it intends to perform and about the subscriber’s right not to give or to withdraw his/her consent to such processing.
Essentially, what the 2002 Directive requires is that users [the EU term is “subscriber”] be given an option to opt-out after full information is provided to them. Furthermore, the 2002 Directive requires that “Traffic data used for marketing communications or for the provision of value added services should also be erased or made anonymous after the provision of the service.” The 2002 Directive does indicate that “the obligation to erase traffic data or to make such data anonymous when it is no longer needed for the purpose of the transmission of a communication does not conflict with such procedures on the Internet as the caching in the domain name system of IP addresses or the caching of IP addresses to physical address bindings or the use of log-in information to control the right of access to networks or services.”
When providing personal information to a website, the user is presumably aware that information is being collected. However, the user may be under the misapprehension that the information will only be used for the intended transaction, but this is often not the case. Additionally, as previously mentioned, cookies are often used without the user’s awareness. Therefore, the user is sometimes unable to exercise a choice to disallow the cookie. The 2002 EU Directive addresses this by stating that “[U]sers should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment.” The 2002 Directive does indicate that, “Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.”
The bottom line is that EU law requires adherence to the consent/choice FIP, while that is not part of U.S. law, except for the three areas discussed above relating to financial data, health data and information obtained from children. U.S. based websites typically do not ask for permission to attach cookies, and indeed, refuse entrance to various parts of their websites for browsers that are programmed to reject cookies. Under EU law, conditioning admission to certain services or parts of a website to acceptance of cookies is allowed but users must be notified and have an informed opportunity to reject cookie attachments.