Privacy Laws and Doing Business Online
J Heath Dixon. Intellectual Property & Technology Law Journal. Clifton: Feb 2005. Vol. 17, Iss. 2; pg. 11, 10 pgs

Abstract (Summary)

Online marketing takes a variety of forms, such as email marketing, Internet advertising, and company Web sites. In each instance, privacy concerns are raised. Online marketing and sales affect consumers' control over their personal data, and online marketing impacts consumers' privacy right to be let alone. A growing number of laws and enforcement actions recognize the impact that online marketing has on consumers' privacy rights, and online marketers therefore must ensure that they comply with those laws to reduce liability (and to build trust and maintain relationships with their customers). This article describes the laws, lawsuits, and enforcement actions, along with some recommendations for compliance strategies, for companies that do business with consumers in the United States. The CAN-SPAM Act preempted various state laws and set a national standard. Similar laws have been passed and are being contemplated in other national jurisdictions.

Full Text

Copyright Aspen Publishers, Inc. Feb 2005

Online marketing takes a variety of forms, such as email marketing, Internet advertising, and company Web sites.

In each instance, privacy concerns are raised. Online marketing and sales affect consumers' control over their personal data, and online marketing impacts consumers' privacy right to be let alone.1 A growing number of laws and enforcement actions recognize the impact that online marketing has on consumers' privacy rights, and online marketers therefore must ensure that they comply with those laws to reduce liability (and to build trust and maintain relationships with their customers).

This article describes the laws, lawsuits, and enforcement actions, along with some recommendations for compliance strategies, for companies that do business with consumers in the United States.

Email Marketing

This section addresses the requirements of the CAN-SPAM Act and its enforcement. The CAN-SPAM Act preempted various state laws and set a national standard. Similar laws have been passed and are being contemplated in other national jurisdictions.

Who Is Affected?

If a company sends business-related email messages, CAN-SPAM applies to it. Generally, CAN-SPAM imposes stricter requirements on commercial messages than on transactional or relationship messages. The purpose behind contacting the recipient has become an important consideration in determining how to comply with the new regulations.

Transactional/relationship messages are those for which the primary purpose is non-commercial. For example, messages that facilitate, complete, or confirm a transaction; deliver goods or services pursuant to a prior transaction; provide notices on warranties or recalls; provide notices regarding ongoing commercial relationships (such as subscriptions or service accounts); or provide employment or benefits information fall into this category. Transactional/relationship messages are not burdened by all of the requirements that apply to commercial messages, but they are subject to the requirement not to use fraudulent header information. It is unclear for how long a company may contact its former customers under CAN-SPAM, but to be safe, if a company contacts a former customer with a new product or service solicitation, it should treat it as a commercial message rather than as a transactional/relationship message.

Commercial messages are those for which the primary purpose is the commercial advertisement or promotion of a commercial product or service (including content on a Web site operated for a commercial purpose). CAN-SPAM will affect companies that use email to solicit sales from current or prospective customers, whether the email is sent directly by the company or through the use of third-party email marketing services (such as companies that rent, sell, or share email lists or collect email addresses and provide email marketing services to other companies). CAN-SPAM applies both to entities that send commercial email messages and to the advertiser originating the message. A company cannot sidestep regulatory landmines by hiring someone to send out email on its behalf.

The FTC issued final regulations2 defining the relevant criteria to facilitate the determination of the primary purpose of an electronic mail message; messages with a commercial primary purpose are subject to the provisions of the CAN-SPAM Act. The FTC published a Federal Register notice of proposed rulemaking (NPRM) in August 2004 seeking public comment on its proposed primary purpose criteria.

As detailed in the Federal Register notice, the final rule is substantially similar to the proposal contained in the NPRM but adds a criterion for determining the primary purpose of an email message containing only "transactional or relationship" content and other minor changes. The notice makes clear that the FTC does not intend to regulate non-commercial speech through the rule. The notice also addresses public comments received about the constitutionality of the CAN-SPAM Act and the FTC's primary-purpose criteria.

The final rule sets forth criteria for determining the primary purpose of various kinds of email messages. These include:

* For email messages that contain only the commercial advertisement or promotion of a commercial product or service (commercial content), the primary purpose of the message will be deemed to be commercial.

* For email messages that contain both commercial content and transactional or relationship content as set forth in the Act's definition of "transactional or relationship message" and in the final rule, the primary purpose of the message will be deemed to be commercial if either: (1) a recipient reasonably interpreting the subject line of the email would likely conclude that the message contains commercial content or (2) the email's transactional or relationship content does not appear in whole or substantial part at the beginning of the body of the message;

* For email messages that contain both commercial content and content that is neither commercial nor transactional or relationship, the primary purpose of the message will be deemed to be commercial if either: (1) a recipient reasonably interpreting the subject line of the message would likely conclude that the message contains commercial content or (2) a recipient reasonably interpreting the body of the message would likely conclude that the primary purpose of the message is commercial. Factors relevant to this interpretation include the placement of commercial content in whole or in substantial part at the beginning of the body of the message; the proportion of the message dedicated to commercial content; and how color, graphics, type size, and style are used to highlight commercial content; and

* For email messages that contain only transactional or relationship content, the message will be deemed to have a transactional or relationship primary purpose.3

If a company obtains most or all of its email leads and customers from third parties or affiliates, CAN-SPAM will have the greatest impact on its email marketing. The company will need to comply with the new requirements in a way that does not eliminate its ability to locate new customers through email. Most important for such a company will be exercising control over affiliates and third parties that provide it with email addresses and adopting practices to check that the email addresses it obtains are ones for which the third party has obtained consent to send messages and consent to transfer to another party.

What Does the Law Require?

The law contains specific requirements for the format and content of messages, the logistics of collecting email addresses, and determining whether to send a business message to a potential recipient.

Prohibition of False Header/Transmission Information. CAN-SPAM requires senders to use accurate information to identify the origin of a message (including transactional/relationship messages), prohibiting creation of an email account or a domain with false information in order to send non-traceable messages, disguising the origin of a message, or using false or deceptive information in the "From:" or "Subject:" lines of a message. Aside from not using inaccurate information on the origin of the company's messages, best practices for this requirement include confirming that the company's domain name registration contains accurate, current information.

Opt-Out Required. CAN-SPAM requires email advertisers to include a return address or some other mechanism for recipients to request not to receive future mailings and that advertisers must not send future e-mail messages to such recipients more than 10 business days after receiving an opt-out request.

There is a gray area in this requirement. If an advertiser and a third-party email distributor both maintain a database of email addresses and someone unsubscribes from a mailing sent by the distributor on behalf of the advertiser, it is not clear whether the unsubscribe request must be honored for both advertiser and distributor or if the request pertains only to the distributor's database. If the advertiser is required to also unsubscribe the address, must the advertiser also send the address to every other email distributor it uses and require them to remove the addresses from any databases they have? If the advertiser acquires email addresses from third parties in the future, must it remove previously unsubscribed addresses from the new databases? As difficult and resource-intensive as such notification and removal processes might be, at least some of them will be required by CAN-SPAM, and courts will be forced to draw lines on how far companies must go to comply with the opt-out requirements. Until they do, the best practice for a company will be to maintain clear records of its removal of addresses from its databases and to request in writing that third parties who send email messages on its behalf remove those addresses from databases used to send messages on its behalf.

Identification of Advertisements and Advertisers. CAN-SPAM requires that commercial messages contain a valid physical address of the sender and include "clear and conspicuous" identification that the message is an advertisement or solicitation. Use of "ADV" in the subject line (which some state laws required) or some other standard label is not initially required, except for sexually explicit messages, but it may be required in the future. Businesses should consider using a line in the text identifying their messages as advertisements, and describing how they obtained the recipient's email address. For example:

"You are receiving this message because you requested information from (or opted to receive messages from) [name the advertiser or list owner]."

Affirmative Consent. If the recipient expressly consented to receive a message, either in response to a clear and conspicuous request for such consent or at the recipient's own initiative, then some of the requirements are relaxed. What constitutes affirmative consent? The CAN-SPAM Act defines affirmative consent to mean that "the recipient expressly consented to receive the message, either in response to a clear and conspicuous request for such consent or at the recipient's own initiative."

"[A]t the recipient's own initiative" encompasses the way most people sign up for email communications-by filling out a form on a Web site. But what about those online forms that require a user to check or uncheck a box to NOT sign up for email communications? The first part of the definition-"in response to a clear and conspicuous request for such consent"-may cover those forms, but the issue will probably result in litigation. If a company employs check boxes to obtain consent to send email messages to consumers, the good practice to meet the clear and conspicuous requirement is (1) to clearly word the request for consent, (2) to prominently display the request, rather than placing it away from other places where the consumer is entering information or indicating preferences on the company's online form, and (3) NOT to check the boxes indicating consent as a default and require consumers to uncheck them. The better practice will be to follow consents with a confirmation message to the email address, with the best practice being a double opt-in, following consents with a confirmation message that requires the recipient to respond or to click a link to confirm control over the email account as well as consent.

An additional component of the affirmative consent definition requires those who wish to rent their email lists to third parties to provide "clear and conspicuous notice" to recipients at the time they consent. Companies that wish to play it safe will no longer be able to bury such information in their privacy policy. Instead, they should incorporate such notice into their registration forms. The best practice is not to transfer a company's email lists to third parties.

There appears to be a loophole in this requirement: It applies to the sender of the message, not to the content. This means that, as long as the company with the consent sends the message, it need not provide notice regarding third parties. For example, an online publisher that sends a newsletter containing third-party advertisements does not need to provide notice regarding distribution of the recipient's email address to third parties.

No Deceptive Advertisements or Messages. In addition to these general requirements, CAN-SPAM provides strong criminal and civil penalties for some of the most egregious spam tactics, such as:

* Accessing computers to send email messages without authorization;

* Using an automated means to register for more than five email addresses using false identifying information and using those addresses to generate spam;

* Sending spam using "harvested" addresses, that is, addresses obtained by using an automated means to obtain addresses from a Web site or online service operated by another person, where the operator provided notice that it would not transfer users' email addresses for use in sending unsolicited email messages;

* Sending spam using "dictionary attacks," that is, using an automated means to generate multiple possible email addresses by combining names, letters, or numbers into numerous permutations;

* Falsifying email origin or header information, or not including a functional return address using deceptive subject lines; and

* Failing to place warning labels on sexually explicit material.

The best practice for this requirement? Simple-do not engage in the prohibited types of behavior. A company's IT department should confirm that its email server does not have an open relay or allow third parties to send email through its servers without the company's permission, and have password requirements to limit unauthorized access to email accounts. Additionally, if a company obtains email addresses from third parties, or employs third parties to send email messages on its behalf, then the company should consider contractual protections (such as warranties of compliance with CAN-SPAM and indemnifications for violations) and periodic monitoring of the third party's practices, because a company ultimately may be held liable for violations committed by a third party acting on its behalf, even if it was unaware of such activity.

What Should a Company Know?

Companies that use email to communicate with current or potential customers, suppliers, service providers, or employees should review their email policies and practices to ensure that they comply with the CAN-SPAM requirements. A company in this position should consider the following first steps:

* Review the content of current and future email communications to determine whether those messages comply with CAN-SPAM. If the messages do not comply, then determine what changes need to be made in the substance of future messages.

* Establish a template for business messages that is CAN-SPAM compliant, including items such as an opt-out mechanism that remains functional for at least 30 days after the message is sent. An alternative is to develop a checklist for outgoing email messages.

* Establish a process for managing opt-out requests to ensure that no business email messages are sent after an opt-out request is received. This process should include any third parties that send messages on behalf of the company or with which the company shares or rents email address lists.

* Inform the relevant departments about the requirements of CAN-SPAM and what steps they will need to take to ensure compliance. If there is a template or checklist for business messages, make sure that the people sending those messages for the company use the template or checklist.

* Audit email address lists to determine how they were collected and whether the addressees provided affirmative consent to receive email communication from the company.

* Seed the lists of all affiliates that distribute the company's email marketing with the company's own email address. Checking email messages received is an easy way to spot non-compliance and will improve the ability to control affiliates and third-party email marketing partners.
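An added example (not the article's own code) that turns the checklist above, together with the FTC primary-purpose criteria described earlier, into a runnable Python checker: `primary_purpose` encodes the four criteria, `SuppressionList` tracks opt-out requests against the 10-business-day deadline, and `check_message` applies the header, opt-out, physical-address and labelling requirements to one outgoing message. The content labels, the subject-line judgement and the names, addresses and dates are constructed assumptions; the rule's "reasonable recipient" tests cannot be computed, so they are supplied as inputs.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Block:
    kind: str   # "commercial", "transactional" or "other", as labelled by a reviewer
    text: str

@dataclass
class Message:
    sender_domain: str               # domain the mail is actually transmitted from
    from_addr: str
    subject_reads_commercial: bool   # reviewer's judgement of the subject line
    blocks: list                     # Block objects in body order
    recipient: str
    physical_address: str = ""
    optout_url: str = ""
    optout_valid_until: date = None  # how long the opt-out link is kept working
    ad_label_present: bool = False

def primary_purpose(blocks, subject_reads_commercial):
    """The FTC final rule's four primary-purpose criteria, as the article lists them."""
    kinds = {b.kind for b in blocks}
    if kinds == {"commercial"}:
        return "commercial"
    if kinds == {"transactional"}:
        return "transactional"
    if subject_reads_commercial:      # both mixed cases turn first on the subject line
        return "commercial"
    if "transactional" in kinds:
        # commercial + transactional: commercial unless transactional content leads the body
        return "transactional" if blocks[0].kind == "transactional" else "commercial"
    # commercial + other: top placement and the commercial share of the body are named factors
    total = sum(len(b.text) for b in blocks)
    commercial = sum(len(b.text) for b in blocks if b.kind == "commercial")
    return "commercial" if blocks[0].kind == "commercial" or 2 * commercial > total else "non-commercial"

def business_days_after(start, n):
    """Date n weekdays after start (public holidays are not modelled)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d

class SuppressionList:
    """Opt-out records, to be shared with every party that mails on the company's behalf."""
    def __init__(self):
        self._opted_out = {}   # lower-cased address -> date the request was received

    def record_opt_out(self, address, received):
        self._opted_out[address.lower()] = received

    def opt_out_status(self, address, send_date):
        """None if the address never opted out, else why the send must not go out."""
        received = self._opted_out.get(address.lower())
        if received is None:
            return None
        deadline = business_days_after(received, 10)
        if send_date > deadline:
            return f"opted out; the 10-business-day deadline ({deadline}) has passed"
        return f"opted out; still inside the window ending {deadline}, stop sending anyway"

def check_message(msg, suppression, send_date):
    """Checklist findings for one outgoing message; an empty list means it passes."""
    findings = []
    # Accurate origin information is required for every message, transactional ones included.
    if not msg.from_addr.lower().endswith("@" + msg.sender_domain.lower()):
        findings.append("From: address does not match the transmitting domain")
    if primary_purpose(msg.blocks, msg.subject_reads_commercial) != "commercial":
        return findings
    # The remaining requirements attach only to commercial messages.
    if not msg.optout_url:
        findings.append("no opt-out mechanism")
    elif msg.optout_valid_until is None or msg.optout_valid_until < send_date + timedelta(days=30):
        findings.append("opt-out mechanism must stay functional for 30 days after sending")
    if not msg.physical_address:
        findings.append("no valid physical postal address")
    if not msg.ad_label_present:
        findings.append("message not identified as an advertisement")
    status = suppression.opt_out_status(msg.recipient, send_date)
    if status:
        findings.append(f"{msg.recipient}: {status}")
    return findings

# Constructed sample data; names, addresses and dates are hypothetical.
OPT_OUT_DATE, SEND_DATE = date(2005, 2, 1), date(2005, 3, 1)
SUPPRESSION = SuppressionList()
SUPPRESSION.record_opt_out("alice@example.net", OPT_OUT_DATE)

PROMO = Message("example.com", "news@example.com", True,
                [Block("commercial", "Save 20% on widgets this month.")], "alice@example.net",
                physical_address="1 Main St, Anytown, US", optout_url="https://example.com/unsubscribe?id=123",
                optout_valid_until=date(2005, 4, 1), ad_label_present=True)

RECEIPT = Message("example.com", "orders@example.com", False,
                  [Block("transactional", "Order 4711 shipped today via ground."),
                   Block("commercial", "You might also like our widget polish.")], "bob@example.org")
```

Running `check_message(PROMO, SUPPRESSION, SEND_DATE)` flags the send to the opted-out address, while the order confirmation passes because its transactional content leads the body and so it is not a commercial message.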

Companies can help to enforce CAN-SPAM by reporting spam to the FTC's email spam database (uce@ftc.gov), which the FTC uses to pursue law enforcement actions against people who send deceptive spam, and by reporting other online fraud or scams to the FTC using its online complaint form available at www.ftc.gov/fa/complaint.htm.4

Enforcement

Enforcement occurs through Internet Service Provider (ISP) and Attorney General lawsuits or through FTC enforcement actions. There is no private right of action under the CAN-SPAM Act. ISPs, Attorneys General and the FTC have been increasingly active in seeking to enforce the CAN-SPAM Act. Some examples of the initial lawsuits and enforcement actions are detailed below.

Lawsuits (Civil)

America Online, EarthLink, Microsoft, and Yahoo! have launched a second wave of lawsuits under the CAN-SPAM Act, targeting a variety of wrongdoers. This new activity follows previous lawsuits filed by the same companies against other spammers, starting in March 2004.

* First wave: The four ISPs originally filed six lawsuits against hundreds of people who were accused of sending millions of unwanted emails in violation of CAN-SPAM. The defendants include some of the nation's most notorious large-scale spammers. The Internet providers, collectively with tens of millions of subscribers, said that they shared information, resources, and investigative information to identify some of the defendants.

* Second wave: Yahoo! sued East Coast Exotics Entertainment Group Inc. and Epoth LLC for delivering sexually explicit bulk spam email messages to Yahoo! mail users. America Online sued two John Doe defendants, including one that targets a sender of SPIM, or unwanted instant messages, in what is believed to be the first suit ever brought for misusing instant messaging. EarthLink filed several lawsuits against John Doe defendants trying to sell drugs and mortgages. Microsoft sued defendants who allegedly spoofed the domains of all four ISPs to market a number of products in violation of CAN-SPAM.

* Filing the anonymous lawsuits gives the ISPs the right to start discovery and issue subpoenas to find the spammers' actual identities. As a first step, the ISPs will subpoena domain registrars, Web hosting services, and companies that enabled sending of the spam.

Microsoft sued Levon Gillespie of Los Angeles, who runs www.CheapBulletProof.com ("your source for unbreakable email marketing services"), under the part of Washington state's anti-spam law that outlaws assisting in the transmission of spam. Gillespie sells hosting services to spammers using servers physically located in China and ostensibly beyond the reach of US law, hence "bulletproof."

In October, a Florida spammer agreed to pay $25,000 to settle a Massachusetts state lawsuit alleging violations of the CAN-SPAM Act. The suit was the first filed by any state under the federal CAN-SPAM Act. "Internet marketers should note that Massachusetts takes seriously federal and state laws meant to protect against unwanted and misleading e-mails," Massachusetts Attorney General Thomas F. Reilly said.

Law Enforcement (Criminal)

Federal and state law enforcement agencies have quietly arrested or charged dozens of people with crimes related to junk email, identity theft, and other online scams over the past year. The Department of Justice announced the arrests or convictions of more than 150 individuals and the return of 117 criminal complaints, indictments, and informations in "a collaborative nationwide enforcement operation directed at major forms of online economic crime and other cybercrimes."

Many of the cases were developed by an unusual investigative team that combined federal law enforcement officials and executives from industries that do business through the Internet. Nearly two dozen investigators work in an office in Pittsburgh operated by the National Cyber-Forensics and Training Alliance, a nonprofit organization with close ties to the FBI. Much of the financing for the efforts, known as Operation Slam Spam (by the DMA) and Operation Web Snare (by the DOJ), comes from the Direct Marketing Association, a trade group that wants to promote what it sees as the legitimate use of email marketing.

Prosecutors had hoped to announce some prominent convictions last summer, but the cases have proven to be more complex than expected, in part because of new evidence turned up at each step. In April, the Justice Department brought what it said was the first criminal prosecution under CAN-SPAM against three people in suburban Detroit. Last month, however, the case was quietly dismissed at the government's request. A Los Angeles man who used other people's wi-fi networks to send thousands of unsolicited adult-themed email messages from his car pleaded guilty to a single felony in what prosecutors say is the first criminal conviction under the CAN-SPAM Act. Nicholas Tombros, 37, reportedly drove around the Los Angeles beachfront suburb of Venice with a laptop computer and a wi-fi antenna sniffing out unsecured residential access points, which he then used to send thousands of untraceable spam messages advertising pornography sites. Officials have not revealed how they caught him.

The DOJ encourages victims of online crime to file a complaint online with the Internet Crime Complaint Center (IC3). The IC3 is a joint venture of the FBI and the National White Collar Crime Center. The IC3 staff reviews complaints, looking for patterns or other indicators of significant criminal activity, and refers investigative packages of complaints to the appropriate law enforcement authorities in a particular city or region. Victims can use the IC3 online form available at www.ifccfbi.gov/cfl.asp or the FTC online form available at https://rn.ftc.gov/pls/dod/wsolcq$.startup?Z_ORG_CODE=PU01 to report complaints about consumer fraud and deception.

The lawsuits and enforcement actions have tended to go after the worst offenders. Legitimate marketers do not currently need to fear enforcement actions for mere technical violations of the CAN-SPAM Act. However, legitimate marketers do need to worry about compliance with CAN-SPAM due to the potential for enforcement and the impact of negative publicity.

Internet Advertising

Many of the general principles of advertising law apply to Internet advertising, but new issues arise as technology develops. As businesses develop online advertising, they should consider the following issues.5

According to the FTC, the same consumer protection laws that apply to commercial activities in other media apply online. The FTC Act's prohibition on unfair or deceptive acts or practices encompasses Internet advertising, marketing, and sales. In addition, many FTC rules and guides are not limited to any particular medium used to disseminate claims or advertising, and therefore, the FTC will apply them to online activities.

Disclosures that are required to prevent an advertisement from being misleading, to ensure that consumers receive material information about the terms of a transaction, or to further public policy goals must be clear and conspicuous. In evaluating whether disclosures are likely to be clear and conspicuous in online ads, advertisers should consider the placement of the disclosure in an advertisement and its proximity to the relevant claim. Additional considerations include:

* The prominence of the disclosure;

* Whether items in other parts of the advertisement distract attention from the disclosure;

* Whether the advertisement is so lengthy that the disclosure needs to be repeated;

* Whether disclosures in audio messages are presented in an adequate volume and cadence and visual disclosures appear for a sufficient duration; and,

* Whether the language of the disclosure is understandable to the intended audience.

To make a disclosure clear and conspicuous, advertisers should:

* Place disclosures near, and when possible on, the same screen as the triggering claim;

* Use text or visual cues to encourage consumers to scroll down a Web page when it is necessary to view a disclosure;

* When using hyperlinks to lead to disclosures:

- Make the link obvious;

- Label the hyperlink appropriately to convey the importance, nature and relevance of the information it leads to;

- Use hyperlink styles consistently so that consumers know when a link is available;

- Place the hyperlink near relevant information and make it noticeable;

- Take consumers directly to the disclosure on the click-through page; and

- Assess the effectiveness of the hyperlink by monitoring click-through rates and make changes accordingly;

* Recognize and respond to any technological limitations or unique characteristics of high-tech methods of making disclosures, such as frames or pop-ups;

* Display disclosures prior to purchase, but recognize that placement limited only to the order page may not always work;

* Creatively incorporate disclosures in banner ads or disclose them clearly and conspicuously on the page the banner advertisement links;

* Prominently display disclosures so that they are noticeable to consumers, and evaluate the size, color, and graphic treatment of the disclosure in relation to other parts of the Web page;

* Review the entire advertisement to ensure that other elements-text, graphics, hyperlinks, or sound-do not distract consumers' attention from the disclosure;

* Repeat disclosures, as needed, on lengthy Web sites and in connection with repeated claims;

* Use audio disclosures when making audio claims, and present them in a volume and cadence so that consumers can hear and understand them;

* Display visual disclosures for a duration sufficient for consumers to notice, read, and understand them; and

* Use clear language and syntax so that consumers understand the disclosures.

FTC rules and guides that use specific terms, such as "written," "writing," "printed," or "direct mail," are adaptable to new technologies.

* Rules and guides that apply to written ads or printed materials also apply to visual text displayed on the Internet.

* If a seller uses email to comply with FTC rule or guide notice requirements, the seller should ensure that consumers understand that they will receive such information by email and provide it in a form that consumers can retain.

* Direct mail solicitations include email. If an email invites consumers to call the sender to purchase goods or services, that telephone call and subsequent sale must comply with the Telemarketing Sales Rule requirements.

Behavior Tracking

Claria (formerly Gator) and aQuantive are promising to deliver more robust behavioral targeting6 by tracking consumer behavior across multiple sites. Tacoda Systems is developing a new system7 to segment and refine ad targeting based on consumer interactions using information collected on consumers who visit sites using its audience management system.

The practice of third parties using data harvested on one Web site for advertisements on another is not uncommon8 in the online advertising world. The potential with the improved behavioral targeting is that every click or decision consumers make will contribute to their online profiles. Although media companies relish the ability to direct advertisements more precisely, and behavioral targeting arguably improves the relevancy of advertisements consumers see, it raises important questions about consumer privacy and will likely result in complaints by consumer privacy advocates.

Spyware and Adware

Spyware is the biggest new consumer issue facing businesses. It is the largest topic of consumer complaints to Dell, AOL, and Microsoft. An AOL study revealed that 80 percent of users had spyware on their systems, and only 5 percent had consented to it. Technological solutions are available (blockers and cleaning programs), but the problem (as with many of these issues) is that as technological solutions are developed, the perpetrators come up with ways to get around the solutions.

Spyware is annoying, but is it a privacy problem? Laws are taking several approaches to the problem.

* Privacy (e.g., H.R. 2929)-but what if information is never transferred or is not personally identifiable?

* Trespass or violation of computer security-surreptitious installation on computers is an invasion (e.g., S.2145).

* Trademark infringement (e.g., Utah)-lower courts are split on whether adware that triggers advertisement pop-ups to a company's name violates trademark law.

* Deceptive trade practice (e.g., FTC, California)-if people are deceived, it is a deceptive practice.

In fact, the FTC has told Congress that anti-spyware legislation is unnecessary because existing fraud laws provide regulators with sufficient legal authority to contend with spyware perpetrators.

What exactly is "spyware"? Spyware has been defined as programs that perform certain behaviors without appropriate user consent. According to www.whatis.com:

Spyware is any technology that aids in gathering information about a person or organization without their knowledge. On the Internet (where it is sometimes called a spybot or tracking software), spyware is programming that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties. Spyware can get in a computer as a software virus or as the result of installing a new program.

Data collecting programs that are installed with the user's knowledge are not, properly speaking, spyware, if the user fully understands what data is being collected and with whom it is being shared. However, spyware is often installed without the user's consent, as a drive-by download, or as the result of clicking some option in a deceptive pop-up window. Adware, software designed to serve advertising, can usually be thought of as spyware as well because it almost invariably includes components for tracking and reporting user information.

The cookie is a well-known mechanism for storing information about an Internet user on the user's computer. However, the existence of cookies and their use is generally not concealed from users, who can also disallow access to cookie information. Nevertheless, to the extent that a Web site stores information about a person in a cookie that the person does not know about, the cookie mechanism could be considered a form of spyware.

FTC's telltale signs of spyware:

* Barrage of pop-up advertisements;

* Browser hijacked to sites not requested by the user;

* Sudden or repeated change in computer's Internet homepage;

* New and unexpected icons or new and unexpected toolbars in the computer's browser or the system tray at the bottom of the computer screen;

* Keys that do not work (for example, the "Tab" key that might not work when the person tries to move to the next field in a Web form);

* Random error messages;

* Computer or Internet connection crashing; and

* Sluggish or noticeably slow performance when opening programs or saving files.

Various types of spyware range from pop-up advertisements to keystroke loggers. They can be arranged along a continuum from innocuous, such as advertising (pop-ups), data collection, configuration changes, dialing, monitoring, and remote resource use, to malicious activity. The problem is that many definitions typically used for spyware also can capture legitimate, useful programs. For example, a keystroke logger is bad when used by a hacker to collect passwords, but good when used by a parent to monitor a child's surfing habits.

So why is it important to talk about spyware? Why would a legitimate business want to use spyware as a marketing model? There are two reasons. First, companies that engage in software sales may want to provide free or discounted software to consumers and use adware to defray the costs (the broadcast model). Second, companies may want to distribute advertising through adware systems.

Adware may be a good option for the consumer provided that certain conditions exist:

* Specific disclosure to the consumer about the adware, what it does, why it is downloaded, how to remove it;

* Most important information should be at the top of the disclosure (clear and conspicuous);

* User consent must be specific;

* Effects of the adware should be tied to the value proposition (e.g., pop-ups titled or otherwise connected to the provider);

* Consumers should have the option to change their minds and stop getting ads; however, this might require them to uninstall the software that came with the adware (e.g., KaZaa);

* Adware should not impact the computer's performance; and

* Adware companies should listen to and act on consumer complaints.

Companies that partner with adware providers should carefully examine the practices of the partner; CAN-SPAM demonstrates that advertisers cannot hide behind third-party providers.

Web Site Sales

Companies that take orders or provide services over the Internet will need to collect certain personally identifiable information in order to fulfill the orders or deliver the services. The question: What requirements must be met in order to lawfully collect, use, and disclose that personally identifiable information? What if the company wants to use information collected from consumers for a purpose other than completing the immediate transaction, such as marketing other products and services, or sharing such information with third parties?

Do companies that collect consumer information online need to have privacy policies? In California, yes. Elsewhere in the United States, currently no, but privacy policies must be observed as posted. Under the FTC Act, the FTC guards against unfairness and deception by enforcing companies' privacy promises about how they collect, use, and secure consumers' personal information. (Additionally, under the Gramm-Leach-Bliley Act, the FTC has implemented rules concerning financial privacy notices and the administrative, technical, and physical safeguarding of personal information, and it enforces against pretexting, and the FTC protects consumer privacy under the Fair Credit Reporting Act and the Children's Online Privacy Protection Act).

FTC Privacy Policy Enforcement

Notable recent cases brought by the FTC9 include the following.

Petco Animal Supplies, Inc.

Petco Animal Supplies, Inc., a national seller of pet food, supplies, and services, has agreed to settle FTC charges that security flaws in its www.PETCO.com Web site violated privacy promises that it made to consumers and violated federal law. The FTC alleged that, contrary to Petco's claims in its privacy statement, Petco did not take reasonable or appropriate measures to prevent commonly known attacks by hackers. The flaws allowed a hacker to access consumer records, including credit card numbers. The settlement requires that Petco implement a comprehensive information security program for its Web site. This is the fifth FTC case challenging deceptive claims by businesses about the security they provided for consumers' personal information.

"Consumers have the right to expect companies to keep their promises about the security of the confidential consumer information they collect," said Lydia Parnes, Acting Director of the FTC's Bureau of Consumer Protection. "The FTC will hold companies to their word."

Petco has sold pet food and supplies to consumers through its online store since February 2001. According to the FTC complaint,10 Petco made security claims on its Web site, such as:

At PETCO.com, protecting your information is our number one priority, and your personal information is strictly shielded from unauthorized access.

Entering your credit card number via our secure server is completely safe. The server encrypts all of your information; no one except you can access it.

According to the complaint, however, the Web site was vulnerable to commonly known Web-based application attacks, such as structured query language (SQL) injection attacks. The FTC alleged that Petco created these vulnerabilities in its Web site by failing to implement reasonable and appropriate security measures to secure and protect sensitive consumer information, including simple, readily available defenses that would have blocked such attacks. The FTC also charged that the sensitive information that Petco obtained through its Web site was not maintained in an encrypted format, as it claimed. As a result, a hacker was able to penetrate the Petco Web site and access credit card numbers stored in unencrypted clear text. The FTC charged that Petco's claims were deceptive and violated the FTC Act.

The settlement prohibits Petco from misrepresenting the extent to which it maintains and protects sensitive consumer information. It also requires Petco to establish and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. It requires that Petco arrange biennial audits of its security program by an independent third party certifying that Petco's security program is sufficiently effective to provide reasonable assurance that the security, confidentiality, and integrity of consumers' personal information has been protected. The settlement also contains record keeping provisions to allow the FTC to monitor compliance.

Gateway Learning

In its complaint, the FTC alleged that Gateway Learning rented the customer information it had collected, contrary to explicit promises made in its privacy policy ("We do not sell, rent or loan any personally identifiable information regarding our consumers with any third party unless we receive a customer's explicit consent"). The privacy policy also stated that, "[i]f at some future time there is a material change to our information usage practices that affect your personally identifiable information, we will notify you of the relevant changes on this Site or by email" and that customers would "then be able to opt-out of this information usage by sending an e-mail" to a specified address.

The FTC alleged that, after collecting customers' information, Gateway Learning changed its privacy policy to allow it to share the information with third parties without notifying customers or getting their consent ("From time to time, we may provide your name, address and phone number (not your e-mail address) to reputable companies whose products or services you may find of interest"). The new policy was posted on the site, and allowed a customer to opt out of the sharing by sending an email, so the change arguably complied with the original policy.

Even so, the FTC alleged that the change was inconsistent with the company's previously posted policy, focusing on the facts that the company (1) had promised not to rent information, then changed its policy to permit rental of the information "without any indication that the policy had materially changed or what aspects of the policy had changed" and (2) applied the new policy retroactively without seeking affirmative consent from customers whose personal information had already been collected. The FTC concluded that the changes were therefore false and misleading, in violation of federal law. The case is complicated (of course) by the fact that the information was collected from parents and included details about their children, but that fact was not the essential gravamen of the complaint.

The settlement bars Gateway Learning from making deceptive claims about how it will use customers' information and from applying material changes in its privacy policy retroactively without customers' consent. It also requires that the company give up $4,600 it earned from renting the data. Like other FTC settlements of privacy policy violations, the settlement contains requirements that the company demonstrate its compliance and a 20-year probation period for the company.

This is the first FTC case to challenge deceptive and unfair practices in connection with a company's material change to its privacy policy. However, this is not an extraordinary scenario; a company, having promulgated an initial privacy policy that promises to never share customer information, later decides that sharing information would benefit the company (and perhaps the customers), so the company changes its privacy policy to reflect its new business plan, then decides that it would be unnecessary or impractical to notify all of its customers about the change.

Indeed, given the new attention on privacy policies (due to influences such as California's now-effective privacy policy law and the Northwest passenger data class action lawsuits), many companies are updating their privacy policies. Incautious updating may mean that other companies will soon find themselves in the same predicament as Gateway Learning. If the updating extends to making material changes, for example, allowing the company to do more with customers' information than the company stated it would do in the original privacy policy, then the company may be risking the same fate as Gateway Learning.

Therefore, if a company is considering changes to its privacy policy that will increase its discretion to use customers' information collected under the old privacy policy, particularly if the changes will allow the company to share, rent, or sell the information, then the company should take steps to notify the existing customers and obtain their consent. Obtaining legal advice on how to make such changes will help to avoid the risk of even greater legal expenses arising out of responding to an FTC investigation and the long term costs (in fines and negative publicity) that may arise from making ill-advised changes.

Northwest Airlines

While not an FTC action, this case is important for interpreting and applying privacy policies. In a decision dated June 6, 2004, US District Court Judge Paul Magnuson dismissed seven consolidated class action lawsuits against Northwest Airlines for "failing to state any claims on which relief can be granted."11 Notably, the court based its decision in part on the conclusion that the plaintiffs could not seek to enforce the privacy notice posted on Northwest's Web site unless they could demonstrate that they had read it.

The plaintiffs contended that the airline, in giving passenger information to the government in the wake of the September 11, 2001, terrorist attacks, violated laws and its own privacy policy. The dismissal has online privacy advocates renewing calls for federal privacy legislation, suggesting that the decision calls all privacy notices into question.

The court dismissed the plaintiffs' claims under the Electronic Communications Privacy Act (ECPA) because the court ruled that defining "electronic communications service" under the ECPA to include online merchants or service providers like Northwest "stretches the ECPA too far." The court dismissed the plaintiffs' claims under the Fair Credit Reporting Act because those claims required "not liberal application of the statute, but wholesale disregard of the statute's purposes and definitions." The plaintiffs' claims under the state Deceptive Trade Practices Act and for negligent misrepresentation were held to be preempted by the Airline Deregulation Act (ADA), and other state law claims were dismissed for other failures to prove various elements.

The breach of contract and express warranty claims were the most interesting because the plaintiffs had alleged that Northwest's privacy notice constituted a unilateral contract. The court noted that the plaintiffs did not allege that they actually had read Northwest's privacy notice prior to providing Northwest with their personal information (although they did generally allege that they had "relied to their detriment" on Northwest's policy). The court pointed out that the usual rule in contract cases is that "general statements of policy are not contractual" and held that the privacy notice on Northwest's Web site did not constitute a unilateral contract. Furthermore, because the plaintiffs did not allege that they actually had read the privacy notice, they had failed to allege an essential element of a contract claim: that the alleged offer was accepted by the plaintiffs.

While much of the reporting on and reaction to the decision has focused on the importance of that issue, the opinion went on to note that, even if the privacy notice was sufficiently definite to constitute a contract offer and not merely a policy and even if the plaintiffs had alleged that they had read the policy before giving their information to Northwest, "it is likely that Plaintiffs' contract and warranty claims would fail as a matter of law" because the plaintiffs did not allege any contractual damages arising out of the alleged breach. The damages claimed were damages arising out of the torts alleged in the complaint, not damages arising out of the alleged contract. Because damages are an essential element of a breach of contract claim, the failure to allege damages would be fatal to the plaintiffs' contract claims.

[Footnote]
Notes
1. See Black's Law Dictionary 1195 (6th ed. 1990).
2. www.ftc.gov/os/2004/12/041216canspamfrn.pdf.
3. For more information, see the FTC's press release, www.ftc.gov/opa/2004/12/canspamfrn.htm.
4. A useful resource for advertisers is "Dot Com Disclosures," published by the FTC (available online at www.ftc.gov/bcp/conline/pubs/buspubs/dotcom/index.html). Although it was written before the CAN-SPAM Act and addresses Web site advertising instead of email advertising, it provides clear advice on developing advertisements that comply with existing laws prohibiting false advertising, which certainly can be applied to increasingly prevalent HTML-based email advertising.
5. This discussion is adapted from the FTC's "Dot Com Disclosures," which is available online at www.ftc.gov/bcp/conline/pubs/buspubs/dotcom/index.html.
6. www.dickz.com/experts/media/agency_strat/article.php/3347911.
7. www.mediapost.com/dtls_dsp_news.cfm?newsID=248578.
8. www.mediapost.com/dtls_dsp_news.cfm?newsId=248798.
9. For details and analysis of all of the FTC's privacy policy enforcement actions for unfair or deceptive acts or practices, see www.ftc.gov/privacy/privacyinitiatives/promises_enf.html.
10. www.ftc.gov/os/caselist/0323221/041108comp0323221.pdf.
11. In re Northwest Airlines Privacy Litig., 2004 WL 1278459 (D. Minn. 2004).

[Author Affiliation]
J. Heath Dixon, an attorney in the Dallas office of Hughes & Luce, LLP, may be reached at heath.dixon@hughesluce.com.

Indexing (document details)

Subjects: Legislation, Electronic commerce, Advertising, Right of privacy
Classification Codes: 4320 Legislation, 9190 United States, 5250 Telecommunications systems & Internet communications, 7200 Advertising, 8390 Retailing industry
Locations: United States, US
Author(s): J Heath Dixon
Document types: Feature
Document features: references
Publication title: Intellectual Property & Technology Law Journal. Clifton: Feb 2005. Vol. 17, Iss. 2; pg. 11, 10 pgs
Source type: Periodical
ISSN: 15343618
ProQuest document ID: 798431801
Text Word Count: 7128