September 26, 2016

    Customer Information and Privacy

    What is private customer information?

    Many of the applicable regulations in this area refer to “personally identifiable information,” or PII, which is defined in California Business and Professions Code §22577(a), for example, as any individually identifying information that allows a person to be contacted physically or online. This includes a person’s first and last name, physical street address, e-mail address, telephone number, or social security number. PII also includes information concerning a person (such as birthday, weight, or hair color) that is collected online and maintained in personally identifiable form in combination with one of the above identifiers.

    May I collect and use customer information?
    You can collect information from people who use or visit your web site and use it to transact business with them. Some businesses use customer information for their own internal marketing purposes, such as to determine what kind of products or services to offer the next time the customer uses the site, or to develop targeted lists of customers who have the same likes or dislikes. Businesses also may provide PII to affiliates or third parties.

    Common web tools for collecting and using customer information include cookies and web bugs. Sharing PII collected directly from the customer or indirectly through web tools like cookies is acceptable as long as you comply with applicable regulations concerning the posting of privacy policies, the content of those policies, and how the information is used.

    Cookies are data about your visit deposited on a customer’s computer hard drive by the Web site. When the customer returns to that site, the cookie data will reveal that the customer has been there before. The web site might offer products or ads tailored to the customer’s interests, based on the contents of the cookie data. Most cookies are used only by the web site that placed it on the customer’s computer. But some, called third-party cookies, communicate customer data to an advertising clearinghouse that in turn shares the data with other online marketers.

    A web bug is a graphic in a web site or an "enhanced" e-mail message that enables a third party to monitor who is reading the page or message. The graphic may be a standard size image that is easily seen, or it may be a nearly invisible one-pixel graphic. The web bug can confirm when the web page is viewed and record the IP address of the viewer. The IP address is a multi-digit number that uniquely identifies a computer or other hardware device (such as a printer) attached to the Internet.

    When is a privacy policy required?

    The Federal Trade Commission urges commercial web site operators to spell out their information collection practices in privacy policies posted on their web sites. Using its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, the Commission enforces the promises in privacy statements, including promises about the security of consumers’ personal information.

    The California Online Privacy Protection Act of 2003 (“OPPA”) requires owners of commercial Web sites or online services that collect PII from California consumers to post a conspicuous privacy policy on its Web site and comply with that policy. OPPA defines a consumer as any individual who seeks or acquires goods, services, money, or credit for personal, family, or household purposes. If you do not comply with OPPA, you risk a civil suit for unfair business practices. It applies to:

    • Any person or entity that owns a commercial Web site or an online service
    • Collects and maintains PII
    • From a consumer residing in California
    • Who uses or visits such Web site or online service

    For more information about OPPA, you can visit the California Office of Privacy Protection’s Web site at http://www.privacy.ca.gov/lawenforcement/laws.htm. The full text of OPPA can be found in California Business and Professions Code §§22575-22579, available at
    http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=22001 -23000&file=22575-22579

    Federal regulations may require certain privacy policies
    If you own a commercial Web site and other online service directed at children 12 and under, or which collects information regarding users’ age, you must comply with the Children's Online Privacy Protection Act of 1998 (COPPA). Under COPPA, you must provide parents with notice of your information practices and obtain parental consent prior to the collection of personal information from children. COPPA further requires that such sites provide parents with the ability to review and correct information about their children collected by such services. If you operate a commercial website or an online service directed to children under 13 that collects personal information from children or if you operate a general audience website and have actual knowledge that you are collecting personal information from children, you must comply with the COPPA. To determine whether a website is directed to children, the Federal Trade Commission (FTC) considers several factors, including the subject matter; visual or audio content; the age of models on the site; language; whether advertising on the Web site is directed to children; information regarding the age of the actual or intended audience; and whether a site uses animated characters or other child-oriented features.

    To determine whether an entity is an "operator" with respect to information collected at a site, the FTC will consider who owns and controls the information; who pays for the collection and maintenance of the information; what the pre-existing contractual relationships are in connection with the information; and what role the website plays in collecting or maintaining the information.

    COPPA and the FTC’s rules relating to it apply to individually identifiable information about a child that is collected online, such as the child's full name, home address, email address, telephone number or any other information that would allow someone to identify or contact the child. These rules also cover other types of information (hobbies, interests and information collected through cookies or other types of tracking mechanisms) when they are tied to individually identifiable information.

    An operator must post a clear and prominent link to a notice of its information practices on the home page of its website or online service and at each area where it collects personal information from children. The notice must be clearly written and understandable; it should not include any unrelated or confusing materials. The operator must also provide direct notice to any parent whose child interfaces with the website in a manner that is governed by COPPA. Before collecting, using or disclosing personal information from a child, an operator must obtain verifiable parental consent from the child's parent. This means an operator must make reasonable efforts (taking into consideration available technology) to ensure that before personal information is collected from a child, a parent of the child receives notice of the operator's information practices and consents to those practices.

    The regulations include several exceptions that allow operators to collect a child's email address without getting the parent's consent in advance. These exceptions cover many popular online activities for kids, including contests, online newsletters, homework help and electronic postcards. Also, at any time a parent may revoke his/her consent, refuse to allow an operator to further use or collect a child's personal information, and direct the operator to delete the information.

    For more information about COPPA, see these page on the FTC website devoted to COPPA and children's online issues: www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm www.ftc.gov/kidzprivacy; http://www.ftc.gov/privacy/privacyinitiatives/childrens.html. For the full text of COPPA, please see http://www.ftc.gov/ogc/coppa1.htm

    CAN-SPAM: Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
    If your web site or online service sends unsolicited commercial email messages, you must comply with the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN-SPAM Act”). Under the CAN-SPAM Act, such unsolicited email must be labeled as such, and include the sender's physical address as well as instructions about how recipients of the message can opt-out from future mailings. To learn more about the CAN-SPAM Act, visit www.ftc.gov/bcp/conline/pubs/buspubs/canspam.htm

    What should my privacy policy include?

    A privacy policy should describe how you collect information, the kind of information you collect, how you use and share the information, customers’ choices on how their information is used, how you will notify customers of changes to your policy, and your policy’s effective date. Be sure to indicate the entities to which the policy applies, such as subsidiaries or affiliates. Finally, consider offering your customers the chance to review and change their information. Consider including the following elements in your privacy policy:

    1. How you collect information
      1. include both your offline and online practices for managing information
      2. if you collect information from sources other than your customers, describe this
      3. if you collect personal information through web technologies like cookies or web beacons, describe this
    2. The kind of information you collect
      1. be reasonably specific
      2. list categories of information you collect from online customers and visitors (i.e., contact information, billing information, etc.)
      3. provide examples of the categories of information your company collects (i.e., contact information such as your name and e-mail address)
    3. How you use and share the information
      1. describe your use of customer information beyond what is necessary for fulfilling a customer transaction
      2. explain how you share information with other entities
      3. list the different types of companies with which you share customer information
      4. if you share information with companies that have a direct link or live feed of customer information through a web site, be sure to include this
    4. Give customers choices on how their information is used or disclosed
      1. give your customers a simple, effective way to consent to or opt out of sharing their information with other companies
      2. allow an adequate length of time for customers to exercise their option – somewhere between 1 week and 60 days is sufficent, 30 days is frequently used
      3. explain how customers can opt out of information sharing
      4. provide multiple methods of opting in or out – in addition to internet-based methods like e-mail or hyper-text links, offer a toll-free telephone number and/or a physical mail address
      5. explain the extent of a customer’s option to limit sharing of personal information
      6. notify customers when their option out of information sharing will take effect
      7. provide confirmation to the customer of their consent or opt out
    5. How you will notify customers of changes to your policy
      1. the policy on your website should be the current version
      2. provide an additional way of telling your customers that there are changes to your policy
      3. provide customers opportunities to opt-in or opt-out of modified terms
    6. Your policy’s effective date
      1. clearly identify the date the policy will begin to be in effect

    For more privacy policy content recommendations, please see the California Office of Privacy Protection’s November 22, 2004, publication “California Information-Sharing Disclosures and Privacy Policy Statements,” available at www.privacy.ca.gov/recommendations/infosharingdisclos.pdf

    When should I use opt-in language in my privacy policy?
    With opt-in language, customers are not bound to the terms unless they affirmatively agree to them. It requires affirmative action on the part of customers, such as e-mailing their preference, for your information-sharing policy to apply. Opt-in language is more protective of the customer. This kind of language is appropriate when asking for the right to share information about children or other sensitive data such as would identify credit card numbers, medical, or racial data.

    • COPPA requires an opt-in mechanism for agreeing to the disclosure of children’s personal information. Web sites or online services must use the most reliable method available to gain parent’s consent for disclosure, which is more than just ordinary internet or email options. Under COPPA, such methods to obtain parent consent include offering a form for a parent to sign and fax back, requesting that a parent use a credit card to complete a transaction, maintaining a toll-free phone number, and accepting emails with a digital signature or using other digital key technology.
    • The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requires an opt-in mechanism for agreeing to the disclosure of a person’s health-related information. HIPAA applies to health plans, health care clearinghouses, and health care providers who transmit health-related information in electronic transactions.
    • The EU Data Protection Directive requires consumers’ opt-in consent to disclose information about race, national origin, medical history, religious affiliation, or political beliefs to third parties. For more information about complying with the Directive, see section What kind of privacy policy do I need if my customers are citizens of the European Union? below.

    When should I use opt-out language in my privacy policy?
    With opt-out language, customers are bound to the terms unless they affirmatively communicate their disagreement with them. It requires affirmative action on the part of customers, such as e-mailing their preference, for your information-sharing policy not to apply. Opt-out language is less protective of the customer. If you are planning to use customer PII for your internal marketing purposes only, it is probably not necessary to give customers the right to opt-out of such uses. However, customers need opt-out rights if you share customer PII with non-affiliated third parties.

    How should it be posted?

    Privacy policies should be conspicuously posted. Under California’s OPPA, this means that the policy should be on your website’s homepage or main page, or accessible from the homepage or main page through a hyperlink. Generally, hyperlinks should be so clearly visible that any reasonable person would notice it on your page. The link should be either text or an icon, and should include the word privacy. An icon hyperlink must be easily seen on the page; for example, the icon color should show up clearly against the background color of the page. A text hyperlink should be written in capital letters, and in larger and contrasting type, font, or color than the other text on the page.

    A privacy policy link on every web page where personal information is collected ensures that the customer will have every opportunity to read and understand your policy.

    What is an online privacy seal?
    Online privacy seal programs have been web businesses’ primary self-regulatory enforcement mechanism. These programs require their licensees to implement certain fair information practices and to submit to various types of compliance monitoring in order to display a privacy seal on their web sites. They are an efficient way to alert consumers to your information practices and to demonstrate your compliance with program requirements.

    Which online privacy seal programs are available?
    TRUSTe, the first online privacy seal program, has grown from over 500 licensed Web sites in 1999 to more than 1400 sites in a variety of industries in 2005. TRUSTe participants agree to post their privacy policies and submit to audits of their privacy practices in order to display the logo. TRUSTe has also started specialized seal programs addressing children's privacy, health information privacy, and the European Union/Safe Harbor privacy principles. www.truste.org

    The Council of Better Business Bureaus BBBOnLine Privacy Seal has licensed over 628 sites since the program was launched in March of 2000. The BBBOnLine Privacy Program awards the privacy seal to businesses that have met program requirements, including posting of an online privacy notice meeting privacy principles, completion of a comprehensive privacy assessment, monitoring and review, and participation in the programs consumer dispute resolution system. www.bbbonline.org

    The American Institute of Certified Public Accountants, CPA WebTrust, independently verifies and tests e-commerce sites for compliance with its Principles and Criteria. www.cpawebtrust.org

    The Entertainment Software Rating Board independently applies and enforces ratings, advertising guidelines, and online privacy principles adopted by the computer and video game industry. ESRB Privacy Online was the first privacy seal certification program to be sanctioned by the U.S. Federal Trade Commission as a "Safe Harbor" under COPPA. www.esrb.org/privacy.asp

    How else should I make my privacy policy available?
    On your website, format your policy so that it can be downloaded and/or printed as a separate document. Also, consider providing your policy in languages other than English.

    What kind of privacy policy do I need if my customers are citizens of the European Union?
    The United States’ approach to privacy protection relies on a mix of legislation, regulation and self-regulation. The European Union relies on comprehensive legislation to protect privacy, the European Commission’s Directive on Data Protection that went into effect in October, 1998. To make doing business with the European Union easier, the United States Department of Commerce created a safe harbor framework for United States organizations. This safe harbor framework was approved by the European Union in 2000. By complying with the safe harbor, organizations in the United States can assure European Union organizations or individuals that they provide adequate privacy protection. To meet the safe harbor requirements, a privacy policy must adhere to seven principles: notice, choice, onward transfer, access, security, data integrity and enforcement. For more information on the safe harbor principles, see www.export.gov/safeharbor/sh_overview.html

    How can I qualify for the safe harbor?
    To qualify for the safe harbor, an organization can either join a self-regulatory privacy program that adheres to the safe harbor's requirements or develop its own privacy policy that conforms to the safe harbor. Organizations that decide to participate in the safe harbor must comply with the safe harbor's requirements, publicly declare that they do so, and annually certify to the Department of Commerce in writing that it agrees to adhere to the safe harbor's requirements. An organization must also state in its published privacy policy statement that it adheres to the safe harbor. For more information on joining the safe harbor, see www.export.gov/safeharbor/checklist.htm

    How do I know which organizations already comply with the safe harbor?
    The Department of Commerce maintains a list of all organizations that file self certification letters and make both the list and the self certification letters publicly available. This list is available at http://web.ita.doc.gov/safeharbor/SHList.nsf/WebPages/Safe+Harbor+List