E‐Commerce and Information Privacy: Privacy Policies as Personal Information Protectors

Date01 March 2007
Published date01 March 2007
E-Commerce and Information
Privacy: Privacy Policies as
Personal Information Protectors
Corey A. Ciocchetti
Armed with $29.95, a computer, and my name and address, I recently
purchased my identity. Determined to discover the extent of my personal
information readily available in cyberspace, I undertook this assignment
by opening my browser and ordering a comprehensive background check
on myself.
Fifteen minutes later, via e-mail, I received the results and
discovered a neatly organized vita including an extensive address history
(stemming back to my days as a second-grader), my past and present
property ownership records, political party affiliation, various information
concerning my current neighbors and past relatives (including my father-
in-law’s ex-wife), and much more.
Adding in a free Google search utilizing
only my first and last name, I instantaneously obtained detailed employ-
ment information, a chronology of my educational history, a list of my
community service activities, and a recent picture.
r2007, Corey A. Ciocchetti
Journal compilation r2007, Academy of Legal Studies in Business
American Business Law Journal
Volume 44, Issue 1, 55–126, Spring 2007
Assistant Professor, Business Ethics and Legal Studies, Daniels College of Business, Uni-
versity of Denver; J.D., 2002, Duke University School of Law; MA (Religious Studies), 1999,
University of Denver; BA (Economics) and BSBA (Finance), 1998, University of Denver;
Member, Colorado Bar. Thanks to Jillian Ciocchetti and John Holcomb for their thoughtful
advice and constant support!
The background check was provided by Intelligent Investigations, http://www.intelligent
investigations.com (last visited Sept. 14, 2006) and is on file with the author.
Additionally, this background check is designed to produce the following pieces of informa-
tion, if applicable: known aliases; results of a nationwide criminal search; sexual offense
conviction records; bankruptcies; tax liens and judgments; UCC filings; airplane and boat
registrations; and hunting, fishing, and concealed weapons permits. Id.
Google, Search for ‘‘Corey Ciocchetti,’’ http://www.google.com/search?hl=en&q=corey+
ciocchetti (last visited Oct. 5, 2006).
Individually, each of these pieces of personal information represents
a mere pixel of my life, but when pieced together, they present a rather
detailed picture of my identity. This typeof data is commonly refer red to as
personally identifying information (PII)
and the concept of piecing
together personal data to form an individual profile, or ‘‘digital dossier,’’
is known as data aggregation.
The more comprehensive the data
aggregation, the more attention such aggregation merits because of
the potential problems created when this cache of personal information
is accessed inappropriately.
Such unauthorized access may result in
cases of identity theft, stalking, harassment, and other invasions of
Problematically, the U.S. legal system attempts to prevent
such abuses primarily through a sector-based regulatory regime whereby
some transmissions of PII are strictly regulated while others remain
completely unregulated.
Web site visitorsFwho are confronted with
these differing information privacy statutes in fine print but desire
to quickly purchase a particular good or service onlineFhave
become accustomed to ignoring the implications of submitting their PII
See, e.g., Grayson Barber, Personal Information in Government Records: Protecting the Public
Interest In Privacy,25S
T.LOUIS U. PUB.L.REV.63, 118 & n.332 (2006) (defining personally
identifying information with reference to the Privacy Act of 1974, 5 U.S.C. §552a(a)(4) (2000));
TRUSTe, Guidance on Model Web Site Disclosures, http://www.truste.org/docs/Model_Privacy_
Policy_Disclosures.doc (last visited Sept. 29, 2006) (‘‘personally identifiable information’’ is used
throughout the TRUSTe literatureFincluding in its Model Web Site DisclosuresFto refer to any
information submitted via a Web site that can identify the person submitting such data).
1–10 (2004).
Daniel Solove, A Taxonomy of Privacy, 154 U. PA.L.REV.477, 506–11 (2006) (describing data
aggregation as an important part of a larger, defined group of activities that affect privacy).
See, e.g., David Lazarus, Cool iPods also Play Stolen Data, S.F. CHRON., Apr. 7, 2006, at D1
(discussing a case where a suspect allegedly stored stolen PII in the form of tax returns,credit
files, and loan applications on an iPod); TomZeller, Jr., U.S. Arrests 7 on Charges of Credit Data
Trading, N.Y. TIMES, Mar. 29, 2006, at C4 (discussing a U.S. Secret Service investigation into
various online forums where stolen PII was traded).
See, e.g., Dave Wedge, Authorities Allege BC Student Hacker Stole $$ and Info,BOSTON HERALD,
Feb. 7, 2003, at 10 (demonstrating various invasions of privacy caused when a Boston College
computer science student installed key-logging software on various campus computers to
monitor the online activities of fellow classmates).
See discussion infra Part III.
56 Vol. 44 / American Business Law Journal
This neglect leads to vast amounts of PII being distributed into
cyberspace where such information is virtually irretrievable and may be
intercepted or purchased by commercial entities, governments, or indivi-
duals for marketing or other more sinister purposes.
In some cases, this
information may only surface in a legitimate comprehensive background
check, but in a more menacing scenario, it may wind up in the hands of a
remotely located identity thief without the consent or control of the person
the information identifies.
This article offers a solution to this problem by proposing a new
federal law designed to make electronic privacy polices more effective. It
argues that a well-written, conspicuously posted, standardized electronic
privacy policy will help maintain the delicate balance between protecting
PII and preserving transactional efficiency in a world filled with powerful
data processing systems. Part II begins this analysis by detailing the
historical background of privacy policies in the United States, presenting
a synopsis of the PII debate in America, introducing the concept of an
electronic privacy policy, and identifying the major problems plaguing
contemporary policies. Part III analyzes U.S. law as it relates to electronic
privacy policies, identifies particular strengths and weaknesses, and con-
cludes with an analysis of various federal and state privacy policy enforce-
ment actions as well as industry self-regulation techniques. Part IV
suggests a systematic reform designed to strengthen the protection of
PII without excessively burdening e-commerce efficiency by calling for the
enactment of a new federal lawFreferred to in this article as the
E-Commerce Privacy Policy Awareness Act (EPPAA)Fthat would require
all commercial Web sites collecting PII in interstate commerce to post a
compliant electronic privacy policy. This legislation would preempt
conflicting state laws, supplement existing sector-specific federal
legislation, and require privacy policies to analyze seven key areas of
information privacy without requiring any specific content. This section
See, e.g., B.J. Fogg et al., Consumer Reports WebWatch, How Do People Evaluate a Web Site’s
Credibility: Results from a Large Study 86 (Oct. 29, 2002), http://www.consumer
webwatch.org/pdfs/stanfordPTL.pdf (in a survey asking 2,600 Web site visitors which aspects
they use to determine a Web site’s credibility,fewer than one percent of respondents claimed
that a posted privacy policy influenced this decision).
See, e.g., Jay MacDonald, How Much are Your Personal Details Worth,BANKRATE.COM, http://
www.bankrate.com/brm/news/pf/20060221b1.asp (last visited Sept. 29, 2006) (the article
catalogs the ‘‘going price’’ on 46 separate items of PII stemming from a military record
worth $35 to a phone number worth $0.25).
2007 / E-Commerce and Information Privacy 57

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT