[ formatted version ] [ home ] [ about ] [ forum ] [ RSS ] [ help ] [ search ]




[ Hear the podcast: Audio | Transcript ]

In a world where literally everything you do can leave a digital fingerprint, nothing strikes a visceral chord among web users more than the issue of privacy. There is very little that one can do in complete anonymity when it comes to surfing the web. It is only a question of how willing various data collectors are in maintaining the privacy of users. The potential for abuse is enormous. It should be no surprise then, that when a company acts in a questionable manner with respect to the privacy rights of users, the freewheeling libertarian-minded web community strikes back with furious condemnation.

We all want sensitive personal and financial data to be secure from theft and misuse. But the issue of privacy is more than security alone. There are complex questions of who controls the data about us (individually and collectively) and how it is used. What rights do users have to preserve their privacy? What are the rights of data owners who exploit information about web users without their permission? How should permission be obtained? And indeed, who can (or should) claim ownership over the data collected? Is it the merchant, or advertiser, or service provider, or consumer who should be in control?

To be sure, legitimate businesses that collect data on the web are mindful of the privacy concerns of users. Responsible web operations post privacy statements that outline the usage of data collected about visitors to their sites. Industry groups have made a point of promoting the use of such statements. Current public policy is polarized on the issue. Some argue that industry can regulate itself against privacy abuses. But others doubt this, and contend that government intervention is needed to protect the rights of consumers and enforce protection rules. The U.S. Federal Trade Commission offers guidelines for handling consumer information (see below).

Managing data privacy is further complicated by the global nature of the Web. Different countries take different approaches to protecting consumer privacy. The European Union's Directive on Data Privacy enacted in 1998 is a case in point. The law prohibits the transfer of personal data to non-European Union nations that do not meet its guidelines for privacy protection. The Directive provides for the creation of government data protection agencies that will oversee the registration, and in some cases the approval, of databases containing personal information.

There are 30 or so federal statutes and over 100 state statutes governing information privacy in the U.S. The approach has been piecemeal in protecting privacy. It blends government oversight with industry self-regulation, and varies from sector to sector. Because of this, companies doing business over the Web with consumers residing in the E.U. can find themselves in non-compliance with the local requirements for privacy protection. To help companies comply with the E.U. regulations the Department of Commerce has developed a set of rules under which U.S. businesses should operate, called the safe harbor principles.

A particularly troublesome aspect of privacy abuse concerns children. No matter how well intentioned companies may be, most feel that special precautions must be taken when advertising is directed at children. But in a world where authenticating who is at the other end of a web connection is never an absolute certainty, how do we best preserve the privacy rights of children? The Federal Trade Commission has constructed the Children's Online Privacy Protection Rule in an attempt to curb potential abuses.

Notice/Awareness Give consumers notice of an entity's information practices before any personal information is collected from them, including:
  • identification of the entity collecting the data;
  • identification of the uses to which the data will be put;
  • identification of any potential recipients of the data;
  • the nature of the data collected and the means by which it is collected if not obvious;
  • whether the provision of the requested data is voluntary or required, and the consequences of a refusal to provide the requested information;
  • the steps taken by the data collector to ensure the confidentiality, integrity and quality of the data.
Choice/Consent Give consumers options as to how any personal information collected from them may be used, including secondary uses of information -- i.e., uses beyond those necessary to complete the contemplated transaction. Such secondary uses can be internal, such as placing the consumer on the collecting company's mailing list in order to market additional products or promotions, or external, such as the transfer of information to third parties.
Access/Participation Give consumers the ability both to access data about themselves -- i.e., to view the data in an entity's files -- and to contest that data's accuracy and completeness. Access must encompass timely and inexpensive access to data, a simple means for contesting inaccurate or incomplete data, a mechanism by which the data collector can verify the information, and the means by which corrections and/or consumer objections can be added to the data file and sent to all data recipients.
Integrity/Security Ensure that consumer data be accurate and secure. To assure data integrity, collectors must take reasonable steps, such as using only reputable sources of data and cross-referencing data against multiple sources, providing consumer access to data, and destroying untimely data or converting it to anonymous form. Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data.

Provide a mechanism to enforce fair information practices. Among the alternative enforcement approaches are industry self-regulation; legislation that would create private remedies for consumers; and/or regulatory schemes enforceable through civil and criminal sanctions.

Source: U.S. Federal Trade Commission, Privacy Online: A Report to Congress, June 1998.


Learning Objectives:

  • Define online privacy issues;
  • Identify rules, regulations, and legislation addressing basic privacy and online privacy issues;
  • Identify tools and techniques for protecting online privacy;
  • Identify key components in creating an online privacy policy and in enforcing self-regulation;
  • Identify the benefits of privacy risk management.

Things to read:

Guide to Online Privacy
Center for Demoracy and Technology | 10.21.2009

Engaging Privacy and Information Technology in a Digital Age: Executive Summary
National Research Council | 05.30.2007

The New Vulnerability: Data Security and Personal Information
Daniel Solove | 08.31.2004

FACTA, the Fair and Accurate Credit Transactions Act
Privacy Rights Clearinghouse | 08.00.2004

The Lack of Clarity in Financial Privacy Policies
Annie Antón, et al. | 08.01.2004

The Privacy Problem
Fred H. Cate | 03.21.2003

Most People Are Privacy Pragmatists: A Harris Poll
Humphrey Taylor | 03.19.2003

Privacy Online: A Report on the Internet Practices and Policies of Commercial Web Sites
William F. Adkinson, Jr., Jeffrey A. Eisenach, and Thomas M. Lenard | 03.25.2002

Privacy Online: Fair Information Practices in the Electronic Marketplace (Read pp. 1-38)
U.S. Federal Trade Commission | 05.22.2000

Case study:


Things to watch:

Myths about Privacy
Robert Ellis Smith | 05.23.2001

Hungry minds:

A Taxonomy of Privacy
Daniel Solove

The Impact of Data Restrictions On Consumer Distance Shopping
Michael A. Turner

The Adverse Impact of Opt-In Privacy Rules
Michel E. Staten and Fred H. Cate

DRM and Privacy
Julie Cohen

The Death of Privacy?
A. Michael Froomkin

Information Privacy/Information Property
Jessica Litman

Online Profiling: Report and Recommendations to Congress
U.S. Federal Trade Commission

Privacy in Cyberspace
Arthur Miller

The Cookie Concept
Viktor Mayer-Schönberger

Beyond Concern: Understanding Net Users' Attitudes About Online Privacy
Lorrie Faith Cranor, Joseph Reagle, and Mark S. Ackerman

The Architecture of Privacy
Lawrence Lessig

Surfer Beware III: Privacy Policies without Privacy Protection
Electronic Privacy Information Center

Multi-National Consumer Privacy Survey
IBM Global Services

Georgetown Internet Privacy Policy Survey
Mary Culnan

Guidelines for Online Privacy Policies
Online Privacy Alliance

W3C Platform for Privacy Preferences
P3P Project

Consumer Privacy
Mary Culnan and Sandra Milberg

Top 12 Ways to Protect Your Online Privacy
Electronic Frontier Foundation

A Survey of Consumer Privacy Attitudes and Behaviors
Harris Interactive

On the airwaves:

The Privacy Train Has Left the Station
Katherine Mangu-Ward | 01.22.2007

Conversations About Privacy: Is Anything Actually Private?
Steve Inskeep and Renee Montagne | 03.08.2006

Look it up:


Data privacy

European Union Directive 95/46/EC


HTTP cookie

Places to visit:

Computers, Freedom & Privacy

Electronic Froniter Foundation

Electronic Privacy Information Center

Free Annual Credit Reports

FTC Privacy Page

Privacy Foundation

Privacy International

Safe Harbor

The Privacy Place


Previous topic:


Next topic:

Intellectual Property

Course information:

© 2010 Michael Rappa
Page last updated: