General Practice, Solo & Small Firm Division Magazine

Volume 17, Number 2
March 2000




This article describes the emerging legal principles of online privacy. Though developments continue at breakneck speed, a few core concepts have been established. The concepts appear prominently in both legislative proposals and self-regulatory efforts by the online business community, but the Federal Trade Commission (FTC) has articulated them the most effectively.

FTC Takes Lead on Internet Privacy. Starting in 1995, the FTC conducted workshops and hearings to study online privacy concerns. In 1998 and 1999, the FTC submitted reports to Congress concerning the state of online privacy. Both reports emphasized the Commission's goal to "encourage and facilitate effective self-regulation as the preferred approach to protecting consumer privacy online." The reports identified certain core principles of Internet privacy and assessed the extent of industry's self-regulatory response.

Franchisors should become familiar with the five principles that the Commission declared to be "fair information practices." Consumers should be given notice of a franchisor's online information practices so that they can make informed decisions about disclosing personal information. Consumers should have a choice as to the use and dissemination of information collected from or about them. Consumers should have access to information collected about them and a practical way to contest its accuracy and completeness. Data collectors should take adequate steps to ensure the security and integrity of the information they collect. Finally, consumers should have a mechanism to ensure compliance with the substantive principles and recourse for failure to comply.

A unique issue for franchisors is the extent to which they must, or should, control the information practices of their franchisees. Although there has not yet been a hint of "vicarious liability" that would render a franchisor liable for a franchisee's online privacy violations, it is not hard to imagine an injured customer seeking redress from the owner of the mark that is displayed on the website that caused the injury. Franchisors should consider adopting and implementing a uniform privacy policy for the entire franchise system.

A related issue is equally challenging. If a franchisee maintains a website using the franchisor's mark and collects personal information from visitors to the site, does the franchisor or franchisee own the data collected? The more rights the franchisor asserts in the data, the greater the risk that the franchisor will be deemed responsible for information practices that were used to collect the data. Thus, the franchisor's concerns about fair information practices must include franchisees' websites as well as its own.

Self-Regulation Does Not Preclude Enforcement. FTC encouragement of self-regulation has not precluded use of the agency's enforcement powers against online data collectors. The FTC reportedly has more than 80 investigations under way concerning cyberspace matters. Two enforcement actions involving children's online privacy already have been settled.

In August 1998, the FTC issued a complaint and entered into a consent order with GeoCities, a company that provides free e-mail service, contests, and children's clubs through its website. The consent order mandates improved disclosure of GeoCities' information practices, usage consistent with such disclosure, implementation of an opt-in provision, and parental consent prior to submission of personally identifiable information by children. The notice provision requires GeoCities to place hyperlinks at every location on its site at which personally identifiable information is collected. The hyperlink must contain a notice stating that GeoCities collects personal information and that, by clicking on the hyperlink, users can learn more about how the information will be used.

In May 1999, the FTC issued a complaint and proposed consent order arising from its investigation of the Liberty Financial Services (LFS) website. The LFS website features several areas targeted to children and teens, surveying them about weekly allowances; types of financial gifts received; spending habits; part-time work history; college plans; and family finances. The survey also collects the individual's name, address, age, and e-mail address. The consent order prohibits LFS from misrepresenting its use and collection of personal information and requires parental consent to provide the information. LFS must post a clearly articulated privacy policy that clarifies what information is collected, how it is used, and how the consumer can access his personal data. The order requires LFS to implement specific procedures to obtain "verifiable parental consent" prior to collecting and using children's data.

Industry Guidelines and Privacy Seal Programs. The 1999 FTC report to Congress highlighted the Online Privacy Alliance (OPA), a cross-industry coalition of corporations and associations formed in large part to encourage industry self-regulation. Although OPA does not enforce its standards on members or others, it is notable both because of its strong support for privacy seal programs and because it has helped define the commercial standards for privacy policies under a self-regulatory framework. OPA's focus is on the adoption and posting of privacy policies by commercial entities. OPA has created guidelines for privacy policies that resemble the FTC's fair information practices. With respect to enforcement, the OPA recommends a verification and monitoring program, a complaint resolution program, education, and outreach. The OPA favors the development of privacy seal programs to maintain the self-regulatory framework. Privacy seal programs operate like a seal of approval. Website operators that agree to meet specified privacy standards and to be subject to an enforcement mechanism are entitled to display the program's seal on their website.

Impetus for Legislation. Despite the preference for self-regulation, federal laws have been enacted, and other proposals bear watching. The Children's Online Privacy Protection Act (COPPA), the only Internet privacy bill passed in Congress in 1998, required the FTC to adopt regulations for commercial websites regarding the collection, use, and disclosure of information about children under the age of 13. The FTC's rules directly affect franchisors whose websites include pages geared toward children, such as the "kids club" pages of many fast-food chains. The rules apply to every website that is either targeted to children under the age of 13 or whose owner has actual knowledge that the site is visited by children under 13. The rules govern notices websites must give about information practices, how websites treat personal information obtained from children under 13, and what rights parents have with respect to such information. The FTC's rules also require parental consent for most uses of a child's personal information.

During the 1998-1999 legislative session, U.S. lawmakers introduced five major bills that related specifically to Internet privacy: S. 809, Online Privacy Protection Act of 1999, which would require website operators to provide notice regarding the type of personal information and how it is used and disclosed, and require users to consent to or limit disclosure of such information; H.R. 1685, Internet Growth and Development Act of 1999, which would require websites to post policies regarding the collection, use, and disclosure of personally identifiable information; S. 854, Electronic Rights for the 21st Century Act, which would create an "opt-out" system, under which providers of "electronic communications" and "remote computing services" would be required to explain "clearly and conspicuously" how consumers could request that personal data not be disclosed; H.R. 313, Consumer Internet Privacy Protection Act of 1999, which would require operators of interactive consumer services to request permission from consumers to disclose personally identifiable information to third parties; and H.R. 367, Social Security Online Privacy Protection Act of 1999, which would require operators of interactive consumer services to request permission from consumers to disclose Social Security numbers or related personally identifiable information to third parties. These proposals are only a hint of the coming flood of state and federal legislation.

European Union Privacy Directive. European authorities have not been willing to give self-regulation a chance. The European Union's Directive on the Protection of Personal Data (EU Directive) restricts the information that may be gathered about individuals in EU member states and forbids the export of personal data from EU member states to any country that fails to ensure an adequate level of data protection. EU officials have indicated that the United States does not meet their data protection standards. If negotiations to reconcile the standards are unsuccessful, EU member states could forbid the transfer of certain types of personal data from the EU into the United States.

David W. Koch is a partner and Meredith Fuchs is an associate with the firm of Wiley, Rein & Fielding in Washington, D.C.

For More Information About the Forum on Franchising

  • This article is an abridged and edited version of one that originally appeared on page 47 of Franchise Law Journal, Fall 1999 (19:2)
  • For more information or to obtain a copy of the periodical in which the full article appears, please call the ABA Service Center at 800/285-2221.
  • Periodicals: Franchise Law Journal, quarterly journal; The Franchise Lawyer, quarterly newsletter.
  • Books and Other Recent Publications: Building Franchise Relationships; Fundamentals of Franchising; The Franchise Law Compliance Manual.
