Académique Documents
Professionnel Documents
Culture Documents
Privacy Policies:
Summary of Best Practices
1 Federal Trade Commission, SELF-REGULATION AND PRIVACY ONLINE: A REPORT TO CONGRESS, July
1999 [hereinafter “1999 FTC Report”]. Available online at http://www.ftc.gov/os/1999/07/
privacy99.pdf.
4 See Jenna Wortham, Facebook Glitch Brings New Privacy Worries, THE NEW YORK TIMES, May
5, 2010. Available online at http://www.nytimes.com/2010/05/06/technology/internet/
06facebook.html.
1 of 7
Privacy Policy Memo 2 of 7
share online5, and that expectation should factor into any privacy policy analysis
as an overarching principle.
Since the late 1990s, the Federal Trade Commission has held a series of
forums, roundtables, and hearings on the topic of consumer privacy online. In
1998, the Commission released a key report that highlighted four guiding
principles in crafting privacy policies: notice, choice, access, and security. 6 These
principles are not new to government policy; instead, they stem from a meta-
analysis of a variety of seminal governmental reports and non-governmental
information privacy codes, both foreign and domestic. The principles were first
summarized in this form by a U.S. Department of Health, Education, and Welfare
report in 1973 7, and have been incorporated into privacy policy doctrine by the
Trade Commission in 1998 8 and 2001 9. The remainder of this section explains in
detail the Commission’s fair information principles outlined above.
a. Notice
Notice requires organizations to disclose their privacy practices to
consumers before any information is actually collected. 10 The Commission
expects privacy policies to be binding and enforceable: organizations must
5 Barbara Ortutay, Study finds young do care about online privacy, THE ASSOCIATED PRESS, April
15, 2010. Available online at http://www.msnbc.msn.com/id/36561309.
6 See, generally Federal Trade Commission, SELF-REGULATION AND PRIVACY ONLINE: A REPORT TO
CONGRESS, June 1998. [hereinafter “1998 FTC report”] Available online at http://www.ftc.gov/
reports/privacy3/priv-23a.pdf.
7 Department of Health, Education, and Welfare, RECORDS, COMPUTERS AND THE RIGHTS OF
CITIZENS, July 1973. Available online at http://aspe.hhs.gov/datacncl/1973privacy/
tocprefacemembers.htm.
9 Federal Trade Commission, PRIVACY ONLINE: FAIR INFORMATION PRACTICES IN THE ELECTRONIC
MARKETPLACE, May 2000. Available online at http://www.ftc.gov/reports/privacy2000/
privacy2000.pdf.
10In practice, it occasionally may not be possible to notify the user first: many third-party
analytics applications collect usage information before a user could view the privacy policy. The
FTC has not yet addressed this issue.
10/14/10 2
Privacy Policy Memo 3 of 7
comply with their privacy policies such that they refrain from using personal
information in any way that is not explicitly mentioned. 11 Notice is the most
essential principle expounded by the Commission: without it, the other principles
are rendered ineffective because consumers lose the ability to make an informed
decision about precisely how their information is used. 12
Notice requires a laundry list of disclosures to users about the data and the
entities that collect it. Here are the relevant inquires as laid out by the
Commission in their 1998 report:
• Who is collecting the data?
• What data is collected?
• How is the data being collected?
• What is the collected data being used for?
• Is any third-party receiving the collected data?
• What happens if the user chooses not to provide the requested data?
In order for notices to be effective, the policy document or other relevant
information must be placed in a clear and conspicuous manner in a prominent
location on both the home page of the website as well as any other page where
information is collected. 13 The document should be clear in identifying the
purposes for which data are to be used. While the organization is free to make
later changes, such freedom also implies that the changes are not arbitrary or
incompatible with the original purpose. 14 If changes create inconsistent policies
that are applied to the original document, it may undermine consumer
confidence in the rest of the policy. 15
11 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980),
para. 10.
10/14/10 3
Privacy Policy Memo 4 of 7
16 In re Gateway Learning Corp., 138 F.T.C. 443, File No. 042-3047 (2004); FTC 2000 Report, pg. 26.
17 1998 FTC Report, pg. 8-9.
18Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection
of individuals with regard to the processing of personal data and on the free movement of such data
[hereinafter “EU Policy”], art. 14. Available online at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?
uri=CELEX:31995L0046:EN:HTML.
10/14/10 4
Privacy Policy Memo 5 of 7
The Trade Commission outlines three different models for consent over
data usage: opt-in, opt-out, and “nuanced control” 19. With opt-in, the user
affirmatively grants permission to an organization to use their information for a
secondary purpose. Opt-out is the reverse: the user must affirmatively tell the
organization that it does not want its information to be shared.
As of the key 1998 FTC report, the Commission did not explain which
consent regime is preferred. Instead, they reference a U.S. Department of
Commerce report in a footnote that suggests that the selection of regime should
be based on the “sensitivity” of the information, such that opt-in is required
before collecting organizations can use sensitive information for a secondary
purpose. 20 The Commission never defines “sensitive information” in the triad of
reports on fair information use. However, they do describe it in the context of
online behavioral advertising, which shares the same issue of secondary sharing.
In a 2009 staff report, the Commission defines sensitive information as
information about children and adolescents, medical information, financial
information and account numbers, Social Security numbers, sexual orientation
information, government-issued identifiers, and precise geographic location. 21
Another important concern raised in the 2000 report is the prevalence of
organizations that ambiguously call their policy opt-in when it is really opt-out.
For instance, it is not an opt-in regime when users are considered to have opted-
in when as soon as they provide information requested by the collecting
organization. Furthermore, pre-filled checkboxes buried at the bottom of the
page that allow third-party marketing communications also do not count as opt-
in. Consumers may mistakenly assume that their information will not be shared
19 As of the 1999 FTC Report, the Commission had not yet provided a name for non-binary consent
options. They only mention that there are “possibilities to move beyond the opt-in/opt-out paradigm.” This
is an extrapolation of that idea.
20U.S. Department of Commerce, SAFEGUARDING TELECOMMUNICATIONS-RELATED PERSONAL
INFORMATION, October 1995. Available online: http://www.ntia.doc.gov/ntiahome/
privwhitepaper.html#CONSENT.
21Federal Trade Commission Staff Report, Self-Regulatory Principles For Online Behavioral Advertising,
February 2009, pg. 42. Available online at www.ftc.gov/os/2009/02/P085400behavadreport.pdf.
10/14/10 5
Privacy Policy Memo 6 of 7
because they were told that they did not need to do anything to prevent the
further use of information, when in reality, the pre-filled checkbox missed by the
user signs away all privacy rights in the data.
The 1998 Commission report also suggests the use of consent controls that
extend beyond limited opt-in or opt-out regimes. The shortcoming with these
methods is that they merely let the user assert whether they want to allow
secondary uses or not; they generally do not have the ability to allow secondary
uses in some cases and contexts but not in others. In many ways, the nuanced
approach is something between the opt-in/opt-out methods and a case-by-case
analysis. This method is used currently by a variety of social networking sites who
utilize a social graph to control access throughout a database of content. 22
Currently, the Trade Commission has not yet passed judgment on these models.
Europe, though, seems to be getting more conservative on privacy, and are
currently advocating a full opt-in model for all user content and interactions on
social media. 23
c. Access
Access refers to an individual's ability both to access data about him or
herself -- i.e., to view the data in an entity's files -- and to contest that data's
accuracy and completeness. 24 User access to information should be incorporated
as a routine and regular part of organizational data management. 25 That is, it
should not require to complicated procedure or legal process for users to be able
to see, correct, and challenge information that is stored about them.
In order to minimize the burden of data access requirements to
corporations, the Trade Commission recently empanelled the Advisory
Committee on Online Access and Security. The Committee’s main task was to
22Facebook, for instance, has a very nuanced consent system. Unfortunately, it comes close to being a case-
by-case analysis, and makes for a very overwhelming sea of selections for an end-user. See, for example,
http://graphics8.nytimes.com/packages/images/newsgraphics/2010/0512-facebook/gif1.jpg
23 http://www.crn.com/security/224701767;jsessionid=IFTGK15GBXBODQE1GHRSKH4ATMY32JVN
24 1998 FTC Report, pg. 9.
25 OECD, Explanatory Memo, para. 59.
10/14/10 6
Privacy Policy Memo 7 of 7
10/14/10 7