
Part 3: Solutions


Mark Berthold

Parts 1 and 2 appeared in the previous issue.

Drafting Website Privacy Notices

Killingsworth[36] usefully outlines a four-step process aimed at ensuring that all relevant issues are systematically addressed. An excellent template is provided by the Hong Kong Privacy Commissioner's Website[37], but the following general comments may be made.

(i) Audit of Current Practices

At the outset it is essential to ascertain what the website does. All personal data collected and the method of collection must be identified and catalogued. Conformity to national privacy principle 1 requires identifying the organisation's functions and activities and determining the relevance of the data collected accordingly. Once the data are identified, their dissemination, both internal and external, requires tracing.

The site must also be searched to locate all statements about the disclosure or use of personal information collected or concerning privacy rights.

(ii) Goal-setting

The next step is determining what data the organisation really wants to collect and what it wants to do with the data. Tags may be required to identify which version of a privacy policy applies, and for what purposes the data were collected (to distinguish primary and secondary uses).

Most larger businesses will collect personal data through both online and off-line operations. Off-line collections may well occur in a variety of ways, such as through interviews or questionnaires, or by obtaining data from other organisations. A crucial issue will therefore be whether the website privacy policy should apply to all data collected both online and off-line, or be restricted to the former. The Privacy Act does not distinguish between the two but in view of resource implications an organisation may wish to adopt a phased approach.

(iii) Policy development, drafting and site plan

Having defined the goals, the handling of personal data must be mapped out in the website and that map reflected in the privacy policy. This is a strategic exercise as the national privacy principles accommodate a range of positions depending on the business plan of the company owning the website.

The first point is that the privacy statement must be easy to find. Secondly, organisations subject to the Privacy Act are required by national privacy principle 1 to notify individuals of various matters which will form the core of the privacy policy and merit being set out in full:

(a) the identity of the organisation and how to contact it; and

(b) the fact that he or she is able to gain access to the information; and

(c) the purposes for which the information is collected; and

(d) the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and

(e) any law that requires the particular information to be collected; and

(f) the main consequences (if any) for the individual if all or part of the information is not provided.

Furthermore, website visitors must be notified of all these matters at or before the time of the collection of personal data, this being practicable online. The Privacy Commissioner's `tip' for complying with this requirement online is therefore that the notification is on the same page as an order form or prominently linked to it; for example, it could come up before the individual completes the transaction.

Once determined, the privacy policy should be formulated in terms readily understood by the average Internet user. A privacy notice should reflect an awareness of the capabilities and deployment of online functions such as cookies. It must also address the requirements of the national privacy principles as elaborated on by the Privacy Commissioner's Guidelines and the requirements of any applicable code. Familiarity with these legal requirements and standards is therefore required of the drafter. It does not follow, however, that conventional legal drafting techniques are appropriate. In his testimony regarding the Consumer Internet Privacy Enhancement Act, Rotenberg[38] points out that too many privacy statements impose `speed bumps' on the information superhighway by being `Long, confusing, and full of obscure legal language. It is ironic that a principle intended to make consumers aware of privacy practices has been subverted to one that misleads and frustrates consumers on a regular basis'.

It is increasingly recognized that people do not read documents online in the comparatively deliberate and systematic manner that hard copy occasions.[39] An online visitor tends to scan a computer screen. Nor can a website now assume it is being accessed by users of personal computers, as mobile phones assume this facility. The challenge for websites is to present succinct privacy statements.

Nor can it be assumed that it will be a human attempting to comprehend a website's stated privacy policies. P3P is a `smart agent' to negotiate with a site's machine-readable privacy notices. P3P is controversial, but for present purposes the point is that insofar as a privacy notice is a legal document P3P will if anything require a more explicit account of its policies than would a human. This would seem to follow from general legal principles, such as that a legal document must be read as a whole. As Yair Galil[40] comments, `if and when the use of P3P spreads, users and lawyers would do well to scrutinize its specifications with the same care they now devote to privacy policies on websites'.

`Opt-in' or `opt-out' rights

Opt-in/out choices in respect of the use of personal data for specified purposes raise both presentational and legal issues. While they may not form part of the body of the privacy notice, they clearly interact with it. From the visitor's perspective, exercising opt-in/out rights is expensive and inefficient. The challenge of facilitating a consumer's expeditious navigation of the website will be ill served by confronting users with an elaborate set of opt-in or opt-out choices. It must always be borne in mind that every website is competing with an army of competitors only a few clicks away. A website that minimises requests of its visitors to consent to the secondary use of personal data will avoid alienating them and enhance its credibility.

Legal issues also arise. `Consent' is defined by the Privacy Act as meaning `express consent or implied consent'. `Implied' consent must, no less than express consent, be actual consent, albeit inferred. The Privacy Commissioner's Guidelines intimate the difficulties facing an organisation wishing to claim that an individual has provided the necessary `consent' to the disclosure or use of personal data for a secondary purpose, merely through failing to object. Under his Guidelines, the Privacy Commissioner will be more disposed to accept that `implied' consent has been established where the individual is likely to have read the information about use or disclosure; the opt-out is clearly stated; the opt-out is not bundled with other purposes; opting-out involves no financial cost and little effort from the data subject and the consequences are harmless; and a subsequent opt-out fully restores the individual's situation.

The Privacy Commissioner's Guidelines add that:

It is unlikely that consent to receive marketing material on-line could be implied from a failure to object to it. This is because it is usually difficult to conclude that the message has been read and it is generally difficult to take up the option of opting out as it is commonly considered that there are adverse consequences to an individual from opening or replying to email marketing - such as confirming the individual's address exists. This may also apply where material is distributed using other automated processes (This would not prevent an organisation from seeking opt-in consent online if NPP 2.1 allowed it).

The position for Australian websites targeting European consumers is even less equivocal. The EU Directive's general definition of data subject consent requires that it be a `freely given specific and informed indication of his wishes' and as regards direct marketing, that it be `unambiguous'.

Another drafting challenge is to accommodate the numerous exceptions to the national privacy principles, repetition of which in the privacy statement would be stupefying for website visitors (as indeed they presently are in the formulation of the national privacy principles).

A website privacy policy is likely to evolve over time and should say so. However, it follows from the discussion above of the contractual status of privacy notices that subsequent versions should be specifically identified as such.

(iv) Implementation and maintenance

Perhaps the greatest risk of unauthorised disclosure arises from staff ignorance, and adequate staff training is therefore essential. All third party contracts should also be reviewed to ensure that any assurances about third-party use of data are consistent with the privacy policy.

Privacy seal programs

The main US examples of self-regulatory efforts to ensure website privacy are privacy seals. Seal programs require websites to agree to disclose their privacy policies and license the right to use the seal logo that ostensibly guarantees privacy protection. Customised privacy policies are developed which are based on the site's data handling practices. Licensing entails ongoing compliance reviews and should be coupled with a mandatory dispute resolution mechanism.

Privacy seals aim to address a credibility problem that privacy notices may generate. A US study found that fifty-nine percent of Internet users surveyed `do not trust companies' ability or intention to keep personal information, regardless of what their privacy policies say'.[41] The extent of such scepticism in Australia appears to be undocumented, but a survey found that twenty-six percent of Australian consumers indicated that a privacy seal would make them much more likely to purchase from a site.[42]

A comprehensive joint study of web seals was conducted in 2000 by the Information and Privacy Commissioner of Ontario and the Australian Privacy Commissioner.[43]

Comparison with US

The two leading US seal companies have achieved a privacy `peacemaker' role, with their ranking just behind Verisign for familiarity and trust in a 1999 survey of 27 certification marks.[44] Adoption of a seal program based solely on US standards would not satisfy the requirements of the Australian Privacy Act, let alone those of the EU. This is because the Australian national privacy principles represent a comprehensive statement of the OECD principles with some EU inspired elaborations such as additional controls on sensitive information. By comparison, the US has marginalised the full range of fair information principles by restricting them to notice, choice, access and security. These are summarised by the FTC in the following terms[45]:

1. Notice: data collectors must disclose their information practices before collecting personal information from consumers.

2. Choice: consumers must be given options with respect to whether and how personal information collected from them may be used for purposes beyond those for which the information was collected.

3. Access: consumers should be able to view and contest the accuracy and completeness of data collected about them.

4. Security: data collectors must take reasonable steps to assure that information collected from consumers is accurate and secure from unauthorised use.

Reidenberg[46] and others have noted that pronouncements construing the fair information principles primarily in terms of the fundamental precepts of awareness and choice do not meaningfully limit the collection of personal information, the subsequent use or disclosure of that information, nor the other matters addressed by the national privacy principles. Privacy seal programs that restrict their focus to the US `notice and choice' paradigm will accordingly not satisfy the requirements of the national privacy principles.

The role of properly conceived schemes based on the national privacy principles will grow in proportion to their recognition, but only if they are robustly enforced. Key elements in a credible scheme will be some `bite' as well as just bark. This should include cancellation of the seal and referral to the Privacy Commissioner of disputes that cannot be resolved through the seal's dispute resolution mechanisms. Periodic reviews of the site's practices and verification of removal of personal information as requested are also desirable.

Conclusion

Posting a website privacy policy is a necessary if not sufficient requirement for securing online privacy. It is necessary because unless a website articulates its privacy policy the consumer cannot make an informed decision on whether to provide the site her personal information on an agreed basis. It is not sufficient because the organisation has to then abide by the privacy notice's undertakings. We have seen that the sources of the legal obligation to comply with its privacy undertakings include not only the Privacy Act (which does not, however, apply to all businesses) but also the Trade Practices Act's proscription on misleading and deceptive conduct, and the common law principles of contract and the duty of confidence.

When framing their privacy statements Australian businesses will look to the standards contained in the Privacy Act's national privacy principles. Those organisations that do not depend solely on Australian customers should examine the need to go further and supplement these where necessary to satisfy benchmark EU requirements.

Looking ahead

It is in the long-term interests of e-commerce that privacy notices become increasingly standardised. The development of widely shared conventions is necessary for seamless surfing of the Net. Just as the proliferation of icons differentiating user interfaces confounds users, so too will a variety of privacy notices. While software developers may wish to invoke copyright protection against copycats, privacy notices (or rather customised components thereof) would appear to be ideal candidates for `copyleft' waiving protection. A starting point would be the adoption of a common terminology based on the Privacy Act. Codes of practice should play a key role in this respect.

The exponential growth of the Internet can obscure the fact that its general adoption only occurred in the last few years. Like other features of the Net, the intricacies of tracking technologies and the nuances of privacy notices will evolve from being an arcane speciality to common knowledge. Standardisation will only accelerate this learning curve amongst consumers. Websites will find that active complicity is required of their visitors if their personal data are to be used or disclosed for secondary purposes. Increasingly websites will have to deal with customers acquainted with the consequences of disposing of their personal data and who price it accordingly.

To accelerate this process, proactive roles by both the Privacy Commissioner and the ACCC are vital. The success of their respective contributions will not only promote online privacy but also presumably their own institutional clout. Interestingly, they have recently signed a memorandum of understanding in this regard.[47]

Whether viewed primarily as a privacy issue or a consumer issue, website privacy notices would appear to provide particularly good returns for any institutional effort expended. There are two main functions involved, namely the educational and the regulatory.

Addressing first the regulatory aspect, as digital data catchment areas, websites engage at the critical collection stage of personal data - critical because it may be the only stage of the data processing cycle in which the data subject is directly involved and can therefore assert her rights. Secondly, being online, these catchments are immediately accessible not only to consumers but to the investigators of the respective regulatory agencies tasked to promote compliance.[48]

The educational role is also crucial. The websites of the two Australian regulators currently display a focus on organisations, but Net users also need educating - a point recognised by the Hong Kong Privacy Commissioner's website.[49] This is because cyberspace is a privacy frontline where a single mouse click can separate the quick and the privacy dead. Instilling well-honed responses is essential if privacy rights are not to be inadvertently surrendered. The general populace needs to grasp that cookies aren't just in the kitchen. Electronic butlers like P3P may in time be delegated the task of negotiating with websites on privacy, but their viability is not yet established.

Is being online so perilous? The article has primarily treated the Net as a digital market place. Does it really matter that much if a person gets spam? Time consuming and annoying perhaps, but much of life is. This assumes, however, that websites only use personal data they collect for marketing purposes. But:

Such detailed profiling makes it possible to scrutinize the lifestyles of workers and job applicants. The storage of people's doings in electronic memory means, ultimately, that no act remains unknown. In the electronic age, the corporate monastery's gate is guarded by a computerized Saint Peter, who differs from the omniscient God only in that he is not forgiving. During the job interview, the applicant's entire life up to that moment flashes by, and he or she has to account for all sins: at age six, you flamed your buddy on the Net in a politically incorrect manner: at fourteen, you visited pornographic websites: at eighteen, you confessed to a chat room that you had experimented with drugs...[50]

Which brings us to the issue of data retention - but that will have to await another article!

Markberthold@caslon.com.au My thanks to Bruce Arnold of Caslon Analytics (http://caslon.com.au) for his comments. The second edition of Hong Kong Privacy Law by Mark and Raymond Wacks will be published by Sweet & Maxwell Asia later this year.

[36] Killingsworth, Supra

[37] www.pco.org.hk/english/publications/pics_5.html (visited 27 March 02). Crucially, it makes the point that retention periods should be specified - the final paragraph of this paper highlights why this is so important.

[38] Rotenberg, Marc `Epic Testifies on Internet Privacy Bills' www.epic.org

[39] see www.useit.com

[40] `P3P: An Imperfect Tool For Privacy' The Internet Law Journal 14 July 2001

[41] Bergerson, Supra

[42] Ernst & Young `Online Retailing in Australia' January 2001

[43] http://www.privacy.gov.au/publications/seals.html (visited 27 March 02)

[44] cited by Killingsworth, Supra

[45] Federal Trade Commission `Privacy Online: Fair Information Practices in the Electronic Marketplace' May 2000

[46] Reidenberg, Joel `Restoring Americans' Privacy in Electronic Commerce' 14 Berkeley Tech L.J 771, 1999.

[47] www.privacy.gov.au/news/media/02_3.html (visited 27 March 02).

[48] The Hong Kong Privacy Commissioner's Office's successes on this front demonstrate its effectiveness: Annual Report 1999-2000

[49] `Internet Surfing with Privacy in Mind: A Guide for Individual Net Users' http://www.pco.org.hk/english/publications/guide_privacy_mind_5.html (visited 27 March 02)

[50] Himanen, Supra

