SC Lawyer, July 2008, #3. Web Site Visitors and Online Privacy: What Have You Agreed to Share?.

• Author: By Allyson W. Haynes

South Carolina Lawyer

2008.

SC Lawyer, July 2008, #3.

Web Site Visitors and Online Privacy: What Have You Agreed to Share?

South Carolina Lawyer July 2008 Web Site Visitors and Online Privacy: What Have You Agreed to Share? By Allyson W. Haynes Introduction

Imagine that while making an online purchase from a retail Web site, you disclose certain personal information, including your e-mailaddress. Soon thereafter, you receive an onslaught of unsolicited e-mails from advertisers seeking your business. Has the Web site company violated the law by sharing or even selling your e-mail address? If you want to sue the Web site, can you do so in the forum of your choice? The answer might lie not in state or even federal legislation, but in a contract that you unwittingly entered when you made the online purchase. You might have agreed not only that the Web site can share your personal information, but that if any dispute arises concerning the use of that information, you must arbitrate or sue in a particular state's courts. Unbeknown to most, online privacy policies increasingly purport to govern what can be done with Web site visitors' personal information. Are they in fact binding contracts?

Whether an online visitor discloses personal information during a purchase or simply because the visitor wishes to receive information in the future, that disclosure is likely the subject of an online privacy policy. Increasingly, privacy policies have become the place where Web site operators can limit their liability for treatment of personal information by disclosing that they might in fact do exactly that. The current legal framework governing privacy policies gives great importance to the concepts of notice and truthful disclosure - i.e., is the Web site treating a consumer's personal information the way the site promised it would when the consumer provided its personal information to the site? In fact, if the Web site complies with its own promises, there is little else to prevent the site from doing with the information whatever it wants - sharing, selling or otherwise making use of the information - besides the Web site company's own interest in attracting and maintaining customers.

I. Privacy Policies and the Online Trade in Personal Information

A. Online provision of personal information

From the simple act of providing an e-mail address for the purpose of receiving an e-mail newsletter, to the provision of a credit card number and mailing address to facilitate a purchase, to the most risky provision of social security numbers and other financial information to a bank to apply for a loan, personal information is given freely and often in the ever-growing online American market.

There is growing attention to the security that Web sites afford personal information in the wake of recent high-profile personal information disasters, such as the theft of personal information from a Veterans Administration employee, putting at risk the identities of more than two million active-duty military personnel, see Hope Yen, Data on 2.2M Active Troops Stolen from VA, Boston Globe Online, June 6, 2006, www.boston.com/news/nation/washington/articles/2006/06/06/veterans_groups_sues_over_data_theft; AOL's disclosure of search data entered by more than 650,000 subscribers, see Saul Hansell, AOL Removes Search Data on Vast Group of Web Users, N.Y. Times, Aug. 8, 2006, at C4; and the security breach at LexisNexis resulting in improper access to personal information belonging to about 310,000 people, see David Colker, LexisNexis Breach is Larger: The Company Reveals that Personal Data Files on as Many as 310,000 People Were Accessed, L.A. Times, Apr. 13, 2005, at C1. These events have attuned the public to the importance of the security with which personal information is stored and the resulting risk of identity theft if such information is lost or stolen.

Lawyers and the public alike should be aware of a different kind of risk - the risk that a visitor will unwittingly agree to allow a company to share or sell her personal information to third parties. Such disclosure can also result in identity theft, as well as contribute to the less pernicious, but thoroughly irritating and often expensive, increase in spam.

Concern over online personal privacy has grown considerably over the last 10 years. However, the legislative solution - online privacy policies - may actually decrease protection of consumer information by encouraging Web sites to protect themselves instead.

B. Privacy policy terms

Online privacy policies have appeared all over the Internet both in response to increases in legislation requiring such disclosure and as a voluntary measure by Web sites to appeal to consumers by emphasizing the care with which they treat consumer information. Today, it is rare to visit a Web...