
Privacy policy

A privacy policy is a statement or legal document (in privacy law) that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer's or client's data.[1] Personal information can be anything that can be used to identify an individual, including but not limited to the person's name, address, date of birth, marital status, contact information, ID issue and expiry dates, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services.[2] In the case of a business, it is often a statement that declares the party's policy on how it collects, stores, and releases the personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises.[3][4] Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.

The exact contents of a particular privacy policy depend upon the applicable law and may need to address requirements across geographical boundaries and legal jurisdictions. Most countries have their own legislation and guidelines on who is covered, what information can be collected, and what it can be used for. In general, data protection laws in Europe cover the private sector as well as the public sector: their privacy laws apply not only to government operations but also to private enterprises and commercial transactions.

History

In 1968, the Council of Europe began to study the effects of technology on human rights, recognizing the new threats posed by computer technology that could link and transmit in ways not widely available before. In 1969 the Organisation for Economic Co-operation and Development (OECD) began to examine the implications of personal information leaving the country. All this led the council to recommend that policy be developed to protect personal data held by both the private and public sectors, leading to Convention 108. In 1981, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) was introduced. One of the first privacy laws ever enacted was the Swedish Data Act in 1973, followed by the West German Data Protection Act in 1977 and the French Law on Informatics, Data Banks and Freedoms in 1978.[5]


In the United States, concern over privacy policy starting around the late 1960s and 1970s led to the passage of the Fair Credit Reporting Act. Although this act was not designed to be a privacy law, the act gave consumers the opportunity to examine their credit files and correct errors. It also placed restrictions on the use of information in credit records. Several congressional study groups in the late 1960s examined the growing ease with which automated personal information could be gathered and matched with other information. One such group was an advisory committee of the United States Department of Health and Human Services, which in 1973 drafted a code of principles called the Fair Information Practices. The work of the advisory committee led to the Privacy Act in 1974. The United States signed the Organisation for Economic Co-operation and Development guidelines in 1980.[5]


In Canada, a Privacy Commissioner of Canada was established under the Canadian Human Rights Act in 1977. In 1982, the appointment of a Privacy Commissioner was part of the new Privacy Act. Canada signed the OECD guidelines in 1984.[5]

Current enforcement

In 1995 the European Union (EU) introduced the Data Protection Directive[6] for its member states. As a result, many organizations doing business within the EU began to draft policies to comply with this Directive. In the same year, the U.S. Federal Trade Commission (FTC) published the Fair Information Principles,[7] which provided a set of non-binding governing principles for the commercial use of personal information. While not mandating policy, these principles provided guidance on the developing concerns about how to draft privacy policies.


The United States does not have a specific federal regulation establishing universal implementation of privacy policies. Congress has, at times, considered comprehensive laws regulating the collection of information online, such as the Consumer Internet Privacy Enhancement Act[8] and the Online Privacy Protection Act of 2001,[9] but none have been enacted. In 2001, the FTC stated an express preference for "more law enforcement, not more laws"[10] and promoted continued focus on industry self-regulation.


In many cases, the FTC enforces the terms of privacy policies as promises made to consumers using the authority granted by Section 5 of the FTC Act which prohibits unfair or deceptive marketing practices.[11] The FTC's powers are statutorily restricted in some cases; for example, airlines are subject to the authority of the Federal Aviation Administration (FAA),[12] and cell phone carriers are subject to the authority of the Federal Communications Commission (FCC).[13]


In some cases, private parties enforce the terms of privacy policies by filing class action lawsuits, which may result in settlements or judgments. However, such lawsuits are often not an option, due to arbitration clauses in the privacy policies or other terms of service agreements.

The Children's Online Privacy Protection Act (COPPA)[14] affects websites that knowingly collect information about, or are targeted at, children under the age of 13.[15] Any such website must post a privacy policy and adhere to enumerated information-sharing restrictions.[16] COPPA includes a "safe harbor" provision to promote industry self-regulation.[17]

The Gramm-Leach-Bliley Act[18] requires institutions "significantly engaged"[19] in financial activities to give "clear, conspicuous, and accurate statements" of their information-sharing practices. The Act also restricts the use and sharing of financial information.[20]

The Health Insurance Portability and Accountability Act (HIPAA) privacy rules[21] require written notice of the privacy practices of health care services, and this requirement also applies if the health service is electronic.[22]

The California Consumer Privacy Act (CCPA) gives consumers more control over the personal information that businesses collect about them, and the CCPA regulations provide guidance on how to implement the law.[23]

The California Privacy Rights Act of 2020 (CPRA) expands the privacy and information security obligations of most employers doing business in California.[24]

Online privacy certification programs

Online certification or "seal" programs are an example of industry self-regulation of privacy policies. Seal programs usually require implementation of fair information practices as determined by the certification program and may require continued compliance monitoring. TrustArc (formerly TRUSTe),[42] the first online privacy seal program, included more than 1,800 members by 2007.[43] Other online seal programs include the Trust Guard Privacy Verified program,[44] eTrust,[45] and WebTrust.[46]

Technical implementation

Some websites also define their privacy policies in machine-readable form using the Platform for Privacy Preferences Project (P3P) or Internet Content Rating Association (ICRA) vocabularies, allowing browsers to automatically assess the level of privacy offered by the site and to grant access only when the site's declared privacy practices are in line with the user's privacy settings. However, these technical solutions do not guarantee that websites actually follow the privacy policies they claim: the browser evaluates a self-declared statement, not the site's behaviour. These implementations also require users to have a minimum level of technical knowledge to configure their own browser privacy settings.[47] These automated privacy policies have not been popular either with websites or with their users.[48] To reduce the burden of interpreting individual privacy policies, re-usable, certified policies available from a policy server have been proposed by Jøsang, Fritsch and Mahler.[49]
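The following is an added example, not code from the original article or from any browser vendor, showing the kind of check a P3P-aware browser performed on a site's compact policy: it parses the CP="..." token list from a P3P response header and applies a user preference rule to decide whether the site's declared practices are acceptable. The token vocabulary (NID, OUR, OTR, TEL, PHY, and the a/i/o opt-in suffixes) is from the P3P 1.0 compact-policy specification; the preference rule itself and the sample headers are constructed for illustration and do not reproduce any real browser's ruleset. The last sample deliberately shows the caveat from the paragraph above: the check can only evaluate what the site asserts about itself.

```python
"""Evaluate P3P compact policies (the CP="..." part of a P3P response header)
against a user preference rule, as a P3P-aware browser did for cookies.

Added example. The preference rule in evaluate() is a constructed
simplification, not the ruleset of any actual browser.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Subset of the P3P 1.0 compact-policy vocabulary.
NON_IDENTIFIABLE = {"NID", "NOI"}            # site declares no identified data
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
           "CON", "HIS", "TEL", "OTP"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
            "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
OTHER = {"ALL", "CAO", "IDC", "OTI", "NON", "DSP", "COR", "MON", "LAW",
         "NOR", "STP", "LEG", "BUS", "IND", "TST"}
KNOWN = NON_IDENTIFIABLE | RECIPIENT | PURPOSE | CATEGORY | OTHER


@dataclass
class CompactPolicy:
    tokens: Dict[str, str] = field(default_factory=dict)  # base -> "", "a", "i", "o"
    unknown: List[str] = field(default_factory=list)       # tokens not in the vocabulary
    policyref: str = ""


@dataclass
class Decision:
    decision: str                 # "no-policy", "accept" or "deny"
    violations: List[str]
    warnings: List[str]


def parse_p3p_header(value: str) -> CompactPolicy:
    """Parse a P3P header value such as
    policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa"."""
    pol = CompactPolicy()
    m = re.search(r'policyref\s*=\s*"([^"]*)"', value)
    if m:
        pol.policyref = m.group(1)
    m = re.search(r'\bCP\s*=\s*"([^"]*)"', value)
    if not m:
        return pol
    for tok in m.group(1).split():
        t = tok.upper()
        base, suffix = t, ""
        # Purpose and recipient tokens may carry a suffix: a=always, i=opt-in, o=opt-out
        if len(t) == 4 and t[3] in "AIO":
            base, suffix = t[:3], t[3].lower()
        if base in KNOWN:
            pol.tokens[base] = suffix
        else:
            pol.unknown.append(tok)
    return pol


def evaluate(pol: CompactPolicy) -> Decision:
    """Constructed preference rule (an assumption of this example):
    - no recognised tokens at all: treat as having no policy;
    - a non-identifiable policy is always acceptable;
    - otherwise deny sharing with unrelated/public/other recipients, and
      use of contact data for telemarketing or unstated purposes, unless
      the token is marked opt-in ('i')."""
    warnings: List[str] = []
    violations: List[str] = []
    if not pol.tokens:
        return Decision("no-policy", [], ["no recognised compact-policy tokens"])
    if pol.unknown:
        warnings.append("unrecognised tokens ignored: " + " ".join(pol.unknown))
    if NON_IDENTIFIABLE & pol.tokens.keys():
        return Decision("accept", [], warnings)
    for r in ("UNR", "PUB", "OTR"):
        if r in pol.tokens and pol.tokens[r] != "i":
            violations.append(f"data shared with recipient {r} without opt-in")
    contact_data = {"PHY", "ONL"} & pol.tokens.keys()
    for p in ("TEL", "OTP"):
        if p in pol.tokens and pol.tokens[p] != "i" and contact_data:
            violations.append(f"contact data used for purpose {p} without opt-in")
    return Decision("deny" if violations else "accept", violations, warnings)


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = {
    "anonymous":    'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa"',
    "shares":       'CP="CAO DSP COR CURa ADMa TELa OUR OTRa PHY ONL"',
    "opt-in":       'CP="CAO DSP COR CURa ADMa TELi OUR OTRi PHY ONL"',
    "no-header":    '',
    "not-a-policy": 'CP="This site does not have a P3P policy"',  # only a claim is checked
}

if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        d = evaluate(parse_p3p_header(hdr))
        print(f"{name:13} -> {d.decision:9} {d.violations or ''} {d.warnings or ''}")
```

The evaluator never fetches anything from the site and cannot observe what the server does with the data; a site that publishes a false CP string, or one made of prose the parser does not recognise, is handled entirely on the strength of its own declaration. That is the limitation the paragraph above describes, and it is why a declared policy is a statement of intent rather than evidence of compliance.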
