E‐Commerce and Information Privacy: Privacy Policies as Personal Information Protectors

• DOI: http://doi.org/10.1111/j.1744-1714.2007.00031.x
• Date: 01 March 2007
• Published date: 01 March 2007

E-Commerce and Information

Privacy: Privacy Policies as

Personal Information Protectors

Corey A. Ciocchetti

n

I. INTRODUCTION

Armed with $29.95, a computer, and my name and address, I recently

purchased my identity. Determined to discover the extent of my personal

information readily available in cyberspace, I undertook this assignment

by opening my browser and ordering a comprehensive background check

on myself.

1

Fifteen minutes later, via e-mail, I received the results and

discovered a neatly organized vita including an extensive address history

(stemming back to my days as a second-grader), my past and present

property ownership records, political party affiliation, various information

concerning my current neighbors and past relatives (including my father-

in-law’s ex-wife), and much more.

2

Adding in a free Google search utilizing

only my first and last name, I instantaneously obtained detailed employ-

ment information, a chronology of my educational history, a list of my

community service activities, and a recent picture.

3

r2007, Corey A. Ciocchetti

Journal compilation r2007, Academy of Legal Studies in Business

55

American Business Law Journal

Volume 44, Issue 1, 55–126, Spring 2007

n

Assistant Professor, Business Ethics and Legal Studies, Daniels College of Business, Uni-

versity of Denver; J.D., 2002, Duke University School of Law; MA (Religious Studies), 1999,

University of Denver; BA (Economics) and BSBA (Finance), 1998, University of Denver;

Member, Colorado Bar. Thanks to Jillian Ciocchetti and John Holcomb for their thoughtful

advice and constant support!

1

The background check was provided by Intelligent Investigations, http://www.intelligent

investigations.com (last visited Sept. 14, 2006) and is on file with the author.

2

Additionally, this background check is designed to produce the following pieces of informa-

tion, if applicable: known aliases; results of a nationwide criminal search; sexual offense

conviction records; bankruptcies; tax liens and judgments; UCC filings; airplane and boat

registrations; and hunting, fishing, and concealed weapons permits. Id.

3

Google, Search for ‘‘Corey Ciocchetti,’’ http://www.google.com/search?hl=en&q=corey+

ciocchetti (last visited Oct. 5, 2006).

Individually, each of these pieces of personal information represents

a mere pixel of my life, but when pieced together, they present a rather

detailed picture of my identity. This typeof data is commonly refer red to as

personally identifying information (PII)

4

and the concept of piecing

together personal data to form an individual profile, or ‘‘digital dossier,’’

5

is known as data aggregation.

6

The more comprehensive the data

aggregation, the more attention such aggregation merits because of

the potential problems created when this cache of personal information

is accessed inappropriately.

7

Such unauthorized access may result in

cases of identity theft, stalking, harassment, and other invasions of

privacy.

8

Problematically, the U.S. legal system attempts to prevent

such abuses primarily through a sector-based regulatory regime whereby

some transmissions of PII are strictly regulated while others remain

completely unregulated.

9

Web site visitorsFwho are confronted with

these differing information privacy statutes in fine print but desire

to quickly purchase a particular good or service onlineFhave

become accustomed to ignoring the implications of submitting their PII

4

See, e.g., Grayson Barber, Personal Information in Government Records: Protecting the Public

Interest In Privacy,25S

T.LOUIS U. PUB.L.REV.63, 118 & n.332 (2006) (defining personally

identifying information with reference to the Privacy Act of 1974, 5 U.S.C. §552a(a)(4) (2000));

TRUSTe, Guidance on Model Web Site Disclosures, http://www.truste.org/docs/Model_Privacy_

Policy_Disclosures.doc (last visited Sept. 29, 2006) (‘‘personally identifiable information’’ is used

throughout the TRUSTe literatureFincluding in its Model Web Site DisclosuresFto refer to any

information submitted via a Web site that can identify the person submitting such data).

5

See DANIEL SOLOVE,THE DIGITAL PERSON:TECHNOLOGY AND PRIVACY IN THE INFORMATION AGE

1–10 (2004).

6

Daniel Solove, A Taxonomy of Privacy, 154 U. PA.L.REV.477, 506–11 (2006) (describing data

aggregation as an important part of a larger, defined group of activities that affect privacy).

7

See, e.g., David Lazarus, Cool iPods also Play Stolen Data, S.F. CHRON., Apr. 7, 2006, at D1

(discussing a case where a suspect allegedly stored stolen PII in the form of tax returns,credit

files, and loan applications on an iPod); TomZeller, Jr., U.S. Arrests 7 on Charges of Credit Data

Trading, N.Y. TIMES, Mar. 29, 2006, at C4 (discussing a U.S. Secret Service investigation into

various online forums where stolen PII was traded).

8

See, e.g., Dave Wedge, Authorities Allege BC Student Hacker Stole $$ and Info,BOSTON HERALD,

Feb. 7, 2003, at 10 (demonstrating various invasions of privacy caused when a Boston College

computer science student installed key-logging software on various campus computers to

monitor the online activities of fellow classmates).

9

See discussion infra Part III.

56 Vol. 44 / American Business Law Journal

online.

10

This neglect leads to vast amounts of PII being distributed into

cyberspace where such information is virtually irretrievable and may be

intercepted or purchased by commercial entities, governments, or indivi-

duals for marketing or other more sinister purposes.

11

In some cases, this

information may only surface in a legitimate comprehensive background

check, but in a more menacing scenario, it may wind up in the hands of a

remotely located identity thief without the consent or control of the person

the information identifies.

This article offers a solution to this problem by proposing a new

federal law designed to make electronic privacy polices more effective. It

argues that a well-written, conspicuously posted, standardized electronic

privacy policy will help maintain the delicate balance between protecting

PII and preserving transactional efficiency in a world filled with powerful

data processing systems. Part II begins this analysis by detailing the

historical background of privacy policies in the United States, presenting

a synopsis of the PII debate in America, introducing the concept of an

electronic privacy policy, and identifying the major problems plaguing

contemporary policies. Part III analyzes U.S. law as it relates to electronic

privacy policies, identifies particular strengths and weaknesses, and con-

cludes with an analysis of various federal and state privacy policy enforce-

ment actions as well as industry self-regulation techniques. Part IV

suggests a systematic reform designed to strengthen the protection of

PII without excessively burdening e-commerce efficiency by calling for the

enactment of a new federal lawFreferred to in this article as the

E-Commerce Privacy Policy Awareness Act (EPPAA)Fthat would require

all commercial Web sites collecting PII in interstate commerce to post a

compliant electronic privacy policy. This legislation would preempt

conflicting state laws, supplement existing sector-specific federal

legislation, and require privacy policies to analyze seven key areas of

information privacy without requiring any specific content. This section

10

See, e.g., B.J. Fogg et al., Consumer Reports WebWatch, How Do People Evaluate a Web Site’s

Credibility: Results from a Large Study 86 (Oct. 29, 2002), http://www.consumer

webwatch.org/pdfs/stanfordPTL.pdf (in a survey asking 2,600 Web site visitors which aspects

they use to determine a Web site’s credibility,fewer than one percent of respondents claimed

that a posted privacy policy influenced this decision).

11

See, e.g., Jay MacDonald, How Much are Your Personal Details Worth,BANKRATE.COM, http://

www.bankrate.com/brm/news/pf/20060221b1.asp (last visited Sept. 29, 2006) (the article

catalogs the ‘‘going price’’ on 46 separate items of PII stemming from a military record

worth $35 to a phone number worth $0.25).

2007 / E-Commerce and Information Privacy 57