Since the Internet involves the transmission of large amounts of data among and between a large number of people and organizations, privacy of such data is of great concern. This problem has been widely discussed and debated and is likely going to grow in intensity as the collection and communication of personal data continues to increase. However, this is not an entirely new phenomenon.
Even before the Internet existed, laws were enacted to protect individuals from the use and disclosure of personal information. The Electronic Fund Transfer Act passed in 1978 required financial institutions to disclose the circumstances under which they would provide account information on individuals to third parties. The Cable Privacy Act, Electronic Communications Privacy Act (ECPA), and the Telephone Consumer Protection Act were all designed to protect individuals from unreasonable intrusions on the personal privacy of individuals.
Because privacy flows from constitutional, tort, legislative, and public perceptions, it is difficult to provide general legal guidance as to how such issues might be handled by the courts. It should be noted, however, that corporations do not have a right to privacy. A corporation must therefore rely upon the intellectual property and unfair competition laws.
The United States Constitution limits the ability of the government to obtain private information about individuals. These constitutional protections are, however, limited to government intrusion into personal privacy and do not cover circumstances where an individual voluntarily places personal information into commercial use or makes such information accessible to another party.
The ECPA covers some of the basic privacy issues surrounding the use of e-mail, including the procedural steps necessary to search and retrieve such information.
Other Laws Affecting Online Privacy
Privacy issues on the Internet may differ depending upon the product, parties, method of collecting information, use of the information, and storage medium involved in the collection and use of information.
For example, there are federal privacy laws which cover government record keeping (5 U.S.C. § 552); videotape rental records (18 U.S.C. § 2710); credit reports (15 U.S.C. § 1681); political contributors (2 U.S.C. § 438); tax records (26 U.S.C. § 6103); cable TV viewing habits (47 U.S.C. § 551); and delivery of pornography through the mail (39 U.S.C. § 3008).
The ECPA regulates the privacy of e-mail messages in public e-mail systems by prohibiting the interception, use, or disclosure of e-mail by third parties. The ECPA also sets forth procedural safeguards and standards that law enforcement agencies must follow when seeking access to e-mail. The ECPA does not apply if a party has consented to such monitoring, and it may not apply to private e-mail systems such as those operated by employers. Most businesses and organizations that have implemented e-mail systems have also developed corporate policies which specifically clarify the scope of privacy, if any, employees are entitled to within the employer‘s system. (See the section of this Guide entitled Employment Law – Privacy of Employee E-mail).
In USA vs. Bradford Councilman, 373 F. 3rd 197 (1st Cir. 2004); 2004 WL 1453032, the First Circuit United States Court of Appeals determined that there was no violation of the Wire Tap Act as amended by the Electronic Communications Privacy Act (ECPA) when stored e-mail was accessed, because, since it was in storage, no “interception” occurred within the meaning of the federal laws. The defendant was an officer of a business that operated an online listing service for rare and out of print books. The business also provided e-mail service to some of its customers who were book dealers. The government claimed that the business developed and used computer code that enabled them to intercept, copy and store e-mail messages that were being transmitted from Amazon.com to their book dealer customers and to obtain commercial advantage by reading these messages prior to them being received by the intended recipients. Defendants argued successfully that since the definition “electronic communication” in the statute makes no reference to stored communications no “interception” can occur while the e-mails are in electronic storage. Since there is no illegal interception as defined by the law the defendant argued there was no violation of the federal law. The case demonstrates the difficulty in application of these older federal wiretap laws to more recent Internet based technology as the court states “the language [of the statute] may be out of step with the technological realities of computer crimes. However, it is not the province of this court to graft meaning onto the statute where Congress has spoken plainly.” A strongly worded dissent suggests that the narrow approach of this court renders the Wiretap Act irrelevant.
It is important for businesses to notify their employees that their e-mails may be monitored and the employees have no right to privacy to such communications. Employers might even request that their employees sign a statement acknowledging that the employer has the right to monitor, access, and disclose any e-mail messages received or transmitted on their system. Such policy should be clear and unambiguous and, once implemented, applied by the employer consistently and fairly.
The Federal Trade Commission (FTC) brought an enforcement action targeted at the privacy practices of a web site operated by Geocities. The FTC accused Geocities of deceptive trade practices in its collection and use of personal information obtained from web site visitors. Geocities used an on-line application for new members and sold the collected information to third-party marketers. The FTC claimed that Geocities misrepresented that the collected information was used only for specific advertising offers requested by members. In a consent order, Geocities agreed to post a clear and prominent “Privacy Notice” which would disclose what information is being collected, for what purposes, to whom the information will be disclosed, and how consumers can access the information. Parental consent is necessary before collecting information from children under 13 years old and Geocities must give members the opportunity to have their information deleted from Geocities’ and third party’s databases, In The Matter Of Geocities, Federal Trade Commission File No. 9823015, August 13, 1998 (consent order is available at http://www.ftc.gov/ os/1998/08/goe-ord.htm).