computer_lock Title


Currently, there are no regulations or industry standards regarding corporate privacy policies in general. This is one of the reasons why corporate privacy policies vary to such a great degree from site to site -- because there are no standards that regulate what issues a privacy policy has to address or what language must be used to address these issues. Companies can approach them in whatever way they see fit, which inevitably leads to vastly different results. There are also no regulations concerning whether or not a company needs to have a privacy policy at all, so many corporations can choose not to post a policy if they don't see the need for one.

Although there are no standards for privacy policies that apply to all companies, regulations do exist for certain industries and groups of users. The health care industry, for example, must adhere to the standards set forth in the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the finance must meet the standards of the Gramm-Leach-Bliley Act (GLBA) of 1999, and the collection of personal information of children is regulated for all industries under the Children's Online Privacy Protection Act (COPPA) of 1998. The California Online Privacy Protection Act (OPPA) of 2003 has raised an interesting legislative issue -- this act sets certain standards for privacy policies, and applies to any company that does business with California consumers, which effectively forces most major companies to comply with its provisions. A bill called the Online Privacy Protection Act of 2005 that would set similar standards of privacy for all corporations has been introduced in Congress, but is currently being reviewed by a subcommittee and is thus omitted from our analysis.

HIPAATop of Page

HIPAA contains a Privacy Rule section that dictates certain requirements that health care organizations must meet in order to protect the information of their clients. The Privacy Rule applies to health plans, health care clearinghouses and health care providers who conduct certain financial and administrative transactions electronically. HIPPA dictates that these organizations must implement privacy procedures and notify patients about their privacy rights and how their information may be used. Additionally, it dictates that a consumer must give their permission before their health information can be used or shared with others for certain purposes such as marketing, and allows them to get a report on when and why their information was shared. Although these provisions are not specific to online privacy, all of the organizations covered under HIPPA must comply with these provisions in all aspects of their business, and thus if they conduct any business online they must be sure to post their privacy policy to inform consumers of their rights. This gives the privacy policies of health care organizations a degree of unity and consistency that is not present in the general corporate world as a whole.

GLBA Top of Page

The GLBA apply to "financial institutions" as defined by the FTC, which include banks, securities firms, insurance companies, and many other companies that provide financial products and services to consumers. The two parts of the GLBA that are relevant to our studies are the Financial Privacy Rule and the Safeguards Rule. The Financial Privacy Rule dictates that the company must have a privacy notice that is "a clear, conspicuous, and accurate statement of the company's privacy policies." [FTC] The Financial Privacy Rule also requires companies to allow consumers to opt-out of having their information shared with certain third parties. The Safeguards Rule dictates that all financial institutions must have safeguards to protect information about their customers. Thus, because of the Financial Privacy Rule, all financial institutions that conduct business online must have a clear and accessible privacy policy that, at the very least, outline all of the rights granted to consumers under the GLBA.

COPPA Top of Page

COPPA applies to any web site that is directed to children under 13 that collects personal information from them or to any web site that collects personal information where they know that the information that they are collecting comes from children. Its basic provisions require that a "clear and prominent" link to the privacy policy must exist on the home page and that the privacy policy itself must be "clearly written and understandable." Furthermore, the legislation explicitly states what must be included in the content of the privacy policy -- this includes things such as the contact information for the operators of the page, the kinds of information that will be collected from children, how the information that is collected will be used, and information about what rights parents have to their child's information. COPPA provides the most specific guidelines out of all of the legislation we have examined, presumably because it was written to deal explicitly with online policies whereas the other legislation dealt mainly with their respective industries and only dealt with the online aspects as a tangent.

OPPA Top of Page

The California Online Privacy Protection Act of 2003 was passed in California and prescribes specific guidelines for owners of commercial web sites or online services that collect personal information from California residents. These guidelines include conspicuously posting their privacy policy on their web site and complying with the policy, disclosing the type of personally identified information that is collected form consumers, providing a description of how a consumer can request changes to their information, describing the process by which the company will notify users of changes in the privacy policy, and identifying the effective date of the privacy policy. The content of this act is not radically different from provisions in HIPAA or GLBA and is actually quite similar to COPPA. What makes this act interesting is that even though it was only passed by the California legislature, because it applies to all businesses and services that collect information from California residents, it effectively dictated requirements for all major businesses. As it currently stands, if other states pass their own legislation regarding privacy policies, companies that want to conduct business in those states will have to update their policies accordingly. This could potentially lead to a very confusing (and expensive) situation where companies would only be able to offer commercial services in certain states based on whether or not they are in compliance with the state's privacy legislation. For this reason, it may be more effective to push for national legislation similar to COPPA that would cover adults.