This is the third article in our series about trackers and internet privacy laws.
There is no general U.S. law restricting the use of someone's personal information. There are some very good laws that prevent the release of certain kinds of data. For example, health care providers can’t disclose protected health care information without the patient's consent (1). But it's generally not illegal for someone to use or disclose your personal information, especially once you voluntarily provide it, such as to social networking sites.
Europe is generally more pro-consumer and is considering adopting some very strict data privacy laws.
U.S. State Laws
More Bark than Bite
The states generally have tort laws that let you sue and recover damages from people or businesses who violate your privacy. A few have gone even further. Minnesota and Nebraska prohibit disclosure of personally identifying information. In California and Utah, non-financial businesses must disclose how they plan to share or sell such information. See Selected State Laws Related to Internet Privacy.
However, you still have to sue whoever improperly used or sold your information (if you can find them). You must prove your case in court if they won't settle, and you can generally only recover money damages. The penalties per violation are often too small to discourage improper use of data. The Minnesota law prohibits class actions, so it's harder to combine many small claims in one powerful lawsuit. Attorney fees are recoverable in some places, which helps.
But seriously, how many people are going to suffer the stress of protracted civil litigation for the possibility of only a few hundred dollars in damages?
U.S. Federal Law
Too Little, and Usually Too Late
The primary law used by the Federal government to discourage improper use of personal data is Section 5(a) of the Federal Trade Commission (FTC) Act. However, the Act does not prevent companies or individuals from collecting, using or selling your personal information. It does not stop them from tracking what you do or where you go online. And it does not require them to adopt or publish policies stating how they are going to use your personal information.
What does it do?
The Act prohibits “unfair or deceptive acts or practices” that affect commerce. And exactly what is considered "unfair" or "deceptive"? As you might expect, there is a lot of wiggle room here:
- Deceptive: In short, a "deceptive act" is one that is likely to mislead a reasonable consumer.
- Unfair: An "unfair act" is one that causes substantial injury that the consumer could not reasonably have avoided and is not outweighed by benefits to competition or other consumers.
So...it's OK if some consumers get hurt so a new business can gain a foothold in the marketplace? Corporate profits over personal injury? That doesn't seem like the right balance.
How is the act enforced?
Only the Federal Trade Commission ("FTC") can file complaints against those it believes have violated the Act. You cannot. But the FTC can’t possibly resolve every problem for the millions of internet users in the U.S.
If the FTC decides not to file a complaint against a company that has misled or injured you, there’s not much you can do, except maybe sue the company in state court. Have fun with that.
Even when the FTC does file a complaint, it is often too late: a lot of your personal information has already been collected and used…and the damage has already been done.
Are we doing anything about this? According to the New York Times, attempts to enact better Federal legislation to protect information privacy have stalled. Big surprise.
Privacy Rights in Europe
The European Union is heading in the opposite direction, toward more online privacy. A 1995 law already provides some rights to internet users, and various EU member countries have their own laws as well.
A proposed new privacy law would protect online users in Europe even more and would apply to companies located outside the EU. It goes far beyond U.S. law. Among other protections, it would require social media and other companies to:
- Get permission to sell users' personal information;
- Disclose to users what information the companies have about them; and
- Delete such information on request (called the “right to be forgotten”).
The proposed law also includes stiff penalties for violations and would apply to all EU countries if adopted.
Facebook is clearly concerned about this type of legislation, mentioning in several places in its recent IPO that new laws, regulations or lawsuits could hurt its business. Facebook virtually ignores the damage (other than to itself) that irresponsible use of personal information could do to millions of ordinary people. Apparently it’s all about squeezing every drop of profit out of the bottom line (or at least having the ability to do so).
Facebook has already had problems there. In August of 2011, the Northern German State of Schleswig-Holstein found that Facebook’s “Like” button tracker violated German and European privacy laws and ordered all sites in the state that use the Like button to remove it or face big fines. (1)
Microsoft also seems concerned. Its chief operating officer and associate general counsel in Europe recently said the proposals “may be too prescriptive” (we think he meant “PROscriptive”, but we get the point).
We're guessing that Google, which profits from your personal data much more than Facebook, is not happy about it either.
Disclaimer: The information provided in this article and the related comments is not intended to be legal advice. It merely conveys general information related to technology issues that are in the news, and it does not create an attorney-client relationship. If you need legal advice, speak to a qualified attorney.