Ch. 05: Privacy

Restatement of Torts (2nd) §§ 652A-E (privacy-related provisions)

Bourke v. Nissan Motor Corp. in U.S.A., No. B068705 (Cal. Court of App., 2nd Dist., July 26, 1993) (finding that employer's reading of employees' email did not violate California common law, constitution, or privacy statutes) (not published) [an alternate source]

Notes

1. What sort of protections do you think common law offers to the privacy of Internet users? Do those protections accord with your reasonable expectations?

2. For a case finding that Washington state law may limit making freely available on the Internet information otherwise available through commercial services, see City of Kirkland v. Sheehan, 2001 WL 1751590, 29 Media L. Rep. 2367 (Wash Super. Ct. May 10, 2001) (enjoining Internet publication of law enforcement officials' social security numbers on grounds that it violated their privacy rights).

3. The court in U.S. v. Bach, 310 F.3d 1063 (8th Cir. 2002), held that defendant's Fourth Amendment rights were not violated when Yahoo!, under the compulsion of a state search warrant but without an officer present, seized defendant's emails on its servers and delivered them to police investigators.

4. For a case affirming that Illinois common law does not prevent the rental of information about consumers' purchasing habits, see Dwyer v. American Express Co., 273 Ill. App. 3d 742, 652 N.E.2d 1351 (Ill. App. 1995).
   
   

McVeigh v. Cohen, 983 F. Supp. 215 (D.D.C. 1998) (finding ECPA bars government from obtaining a user's private information from an online service provider absent a warrant, subpoena, or court order) [an alternate source]

Jessup-Morgan v. America Online, Inc., 20 F. Supp. 2d 1105 (E.D. Mich. 1998) (finding ECPA does not regulate disclosure to private individual of identity of a subscriber of an electronic communication service) [an alternate source]

In Re: Toysmart.com, LLC, Case No. 00-13995-CJK (Bankr. E.D. Mass. July 20, 2000) (setting forth stipulation and order establishing conditions on sale of customer information by Toysmart.com in settlement of complaint brought by FTC) [an alternative source]

Federal Trade Commission, How to Comply with the Children's Online Privacy Protection Rule (Nov. 1999)

U.S. Dept. of Commerce Safe Harbor Overview (offering introduction to "safe harbor" that allows U.S. companies to avoid prosecution under the European Commission's Directive on Data Privacy by qualifying for certification as providers of "adequate" privacy protection, as defined by the Safe Harbor's Privacy Principles)

Notes

1. Do the legal protections for private email accounts correspond to your reasonable expectations? What about the legal protections for employees' email accounts?

2. Notwithstanding the evidently good intentions behind COPPA, it bears noting that it has increased legal uncertainty, see Lynne Burke, Contending with COPPA Confusion, Wired News, Aug. 23, 2000 (quoting Alex Bentacur, vice president of girl's clothing site 100percentgirls.com, "[T]he law, which we support completely, is so unclear."), raised the costs of doing business online, see Carolyn Duffy Marsan, Net Privacy Law Costs a Bundle, CNN.com, May 16, 2000 (relating high costs of complying with COPPA and effects on market), and even forced some web sites to shut down, see Tamara Loomis, Lawyers Wrestle With Online Privacy, New York Law Journal, July 13, 2000 (reporting that some companies have left the market rather than incur costs of complying with COPPA).

3. The court in In re Toys R Us, Inc. Privacy Litig., 2001 U.S. Dist. LEXIS 16947 (N.D. Cal. Oct. 9, 2001) (MDL No. M-00-1381 MMC, Master File No. C 00-2746 MMC), grappled with the question of whether defendants' use of cookies and web bugs to collect information about plaintiffs' online purchasing and browsing habits violated Title II of the ECPA. The court found, inter alia, that cookies placed on hard drives are not in "electronic storage" for purposes of 18 U.S.C. § 2701 of the ECPA. 2001 U.S. Dist. LEXIS 16947 at *10-*14. The court also found that ECPA § 2520 does not provide a cause of action for aiding and abetting the interception of electronic communications. Id. at *22.

4. For an account of federal authorities violating their own privacy policies--and perhaps even federal law--see White House on Cookies: Doh!, Wired News, June 26, 2000.
   
   
   

Useful Resources and Optional Reading

• Electronic Communications Privacy Act, 18 USC §§ 2510-22 (aka "Wiretap Act"), 2701-2711 (aka "Stored Electronic Communications Act")

• Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501-06

• Federal Trade Commission, Children's Online Privacy Protection Rule; Final Rule, 16 C.F.R. 312 (Nov. 3, 1999) [PDF format]

• For the first instance of the FTC alleging a violation of COPPA, see its First Amended Complaint, FTC v. Toysmart.com, LLC, Civ. No. 00-11341-RGS (D. Mass. July 21, 2000).

• Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, L 281 Official J. European Comm. 31 (Nov. 23, 1995) (setting forth comprehensive privacy regulations and prohibiting the export of personal data to nations that do not meet EU standards for privacy protection)

• In Re DoubleClick, Inc. Privacy Litigation, 154 F.Supp.2d 497 (S.D.N.Y. 2001) (dismissing for a variety of substantive reasons plaintiffs' federal claims that defendant's use of cookies violated ECPA, Wiretap Act, and Computer Fraud and Abuse Act, and dismissing for want of supplemental jurisdictional plaintiffs' state law claims) [PDF format]

• In the Matter of DoubleClick Inc., Before the FTC (Feb. 10, 2000) (requesting investigation, injunction, penalty, and other relief for alleged violations of FTC Act); Stephanie Olsen, FTC Drops Probe Into DoubleClick Privacy Practices, CNET News.com, January 22, 2001 (relating that after DoubleClick, Inc. revised its plans for compiling personal profiles of Internet users, the FTC dropped its investigation of the company)

• Andersen Consulting LLP v. UOP, 991 F. Supp. 1041 (N.D. Ill. 1998) (limiting scope of ECPA § 2702 to electronic communication services available to the general public) [an alternate source]

• Shoars v. Epson America, Inc., No. B073234 (Cal. Court of App., 2nd Dist., April 14, 1994) (finding interception of employee email did not violate California constitution or privacy statutes) (not published)

• Solveig Singleton, Privacy as Censorship: A Skeptical View of Proposals to Regulate Privacy in the Private Sector (Cato Policy Analysis No. 295, Jan. 22, 1998)
  
  

Browse the TRUSTe and BBBOnline websites.

Browse the Anonymizer.com and HushMail websites.

Notes

1. Does industry self-regulation seem likely to offer adequate protection for the privacy of Internet users? Does it seem likely to prevent the problems that might follow from state regulation?

2. Do you know how to configure your browser to reject cookies? Have you done so? Why or why not?

3. Recall our discussion of how filtering software has affected the law and policy of regulating indecent speech. Do you foresee a similar effect with regard to privacy?

4. For an argument that the availability of self-help alternatives for protecting Internet privacy renders regulation by state authorities constitutionally suspect and functionally inferior, see Tom W. Bell, Pornography, Privacy, and Digital Self-Help, 19 John Marshall J. Comp. & Info. L. 133 (2000).