South Carolina Lawyer
SC Lawyer, July 2008, #3.
Web Site Visitors and Online Privacy: What Have You Agreed to Share?
South Carolina Lawyer July 2008 Web Site Visitors and Online Privacy: What Have You Agreed to Share? By Allyson W. Haynes Introduction
Imagine that while making an online purchase from a retail Web site, you disclose certain personal information, including your e-mailaddress. Soon thereafter, you receive an onslaught of unsolicited e-mails from advertisers seeking your business. Has the Web site company violated the law by sharing or even selling your e-mail address? If you want to sue the Web site, can you do so in the forum of your choice? The answer might lie not in state or even federal legislation, but in a contract that you unwittingly entered when you made the online purchase. You might have agreed not only that the Web site can share your personal information, but that if any dispute arises concerning the use of that information, you must arbitrate or sue in a particular state's courts. Unbeknown to most, online privacy policies increasingly purport to govern what can be done with Web site visitors' personal information. Are they in fact binding contracts?
I. Privacy Policies and the Online Trade in Personal Information
A. Online provision of personal information
From the simple act of providing an e-mail address for the purpose of receiving an e-mail newsletter, to the provision of a credit card number and mailing address to facilitate a purchase, to the most risky provision of social security numbers and other financial information to a bank to apply for a loan, personal information is given freely and often in the ever-growing online American market.
There is growing attention to the security that Web sites afford personal information in the wake of recent high-profile personal information disasters, such as the theft of personal information from a Veterans Administration employee, putting at risk the identities of more than two million active-duty military personnel, see Hope Yen, Data on 2.2M Active Troops Stolen from VA, Boston Globe Online, June 6, 2006, www.boston.com/news/nation/washington/articles/2006/06/06/veterans_groups_sues_over_data_theft; AOL's disclosure of search data entered by more than 650,000 subscribers, see Saul Hansell, AOL Removes Search Data on Vast Group of Web Users, N.Y. Times, Aug. 8, 2006, at C4; and the security breach at LexisNexis resulting in improper access to personal information belonging to about 310,000 people, see David Colker, LexisNexis Breach is Larger: The Company Reveals that Personal Data Files on as Many as 310,000 People Were Accessed, L.A. Times, Apr. 13, 2005, at C1. These events have attuned the public to the importance of the security with which personal information is stored and the resulting risk of identity theft if such information is lost or stolen.
Lawyers and the public alike should be aware of a different kind of risk - the risk that a visitor will unwittingly agree to allow a company to share or sell her personal information to third parties. Such disclosure can also result in identity theft, as well as contribute to the less pernicious, but thoroughly irritating and often expensive, increase in spam.
Concern over online personal privacy has grown considerably over the last 10 years. However, the legislative solution - online privacy policies - may actually decrease protection of consumer information by encouraging Web sites to protect themselves instead.