Recent activities by government authorities in Europe and in the United States suggest a developing trend toward application of broader privacy requirements associated with personally identifiable information. This trend is likely to continue, and it holds significant implications for all organizations that collect, process, analyze, or distribute the personal information of individuals. In this environment, it is prudent for counsel to review existing information management policies, practices, and processes to ensure that they are consistent with the emerging trends in information privacy.
Privacy authorities in Europe have determined that certain forms of the seemingly ubiquitous "cookies" used to monitor online activities are included within the scope of the European information privacy rules. Cookies are the small segments of code which are installed on the computers of users when they visit many popular Web sites. The cookies collect information about the user. That information is accessed when the user visits the Web site, and it enables the server hosting the site to identify the user and his or her interests and prior experiences at the site.
Cookies can enhance the quality of the user's online experience. By immediately informing the Web site's server of the user's identity and previous activities, they can help to anticipate the interests of the user and move quickly to meet the user's needs. Cookies can also collect a range of personal information associated with each user. It is this information which the European authorities consider to be regulated personal information. To the extent that cookies are used to collect or analyze personally identifiable information, they are now subject to all of the European information privacy rules.
In the United States, the Federal Trade Commission is currently revising the rules it implemented as a result of the Children's Online Privacy Protection Act (COPPA). Under COPPA, the FTC implemented a set of regulations governing online collection of personal information from children under the age of thirteen. Among other requirements, the COPPA rules make it mandatory that, prior to collection of the personal information from children, notice of the intended collection should be provided and consent should be obtained from an appropriate parent or guardian.
The FTC's proposed revisions to the COPPA regulations address the collection of personal information from children in association with online advertising systems. As online advertising has evolved, a range of advertising networks have emerged. Those online systems collect, share, and analyze information regarding Internet users in order to facilitate the targeting of online advertising. Online advertising networks are diverse and extensive. They include some highly popular systems that are not always recognized by consumers as advertising, such as the Facebook "like" button feature. In its proposed modifications to the COPPA regulations, the FTC currently proposes to clarify the regulations by expressly including personal information collected or used by online advertising systems within the scope of COPPA.
The FTC also proposes to clarify its rules by expressly including location tracking systems within the scope of COPPA. Systems that track and monitor the geographic location of individuals are routinely integrated into smartphones, tablet computers, and other mobile devices. Some geo-location monitoring systems are capable of connecting the location information with the identity of the mobile device user, thus these systems are able to create and maintain a complete record of the travels of specific individuals. The FTC now proposes to include personally identifiable geo-location information associated with children as information regulated by COPPA.
The European and FTC actions suggest a growing recognition by government authorities that oversight of collection and use of personally identifiable information should not be limited by the type of technology or system involved. It now appears that government authorities are increasingly willing to apply existing measures devised for personally identifiable information to protect that information no matter how it is collected and processed.
A variety of developing technologies are likely to add more complexity to the privacy issue. For example, commercial enterprises are now reportedly making use of systems that combine facial recognition imaging technology with electronic credit card records to create automatically a profile for each customer immediately upon entry into the store or other commercial establishment. These profiles identify the customer and include his or her credit card history, assisting the merchant to assess the customer's purchasing power and most likely product interests.
In this environment, counsel should routinely review and continue to monitor the information privacy policies and practices of his or her organization. Based on the recent privacy actions in Europe and the United States, it appears that authorities are likely to extend existing information privacy protection to each new generation of technology used to collect and process that information. Prudent counsel will act to make sure that the systems and practices applied to manage and protect personal information are technology-neutral and are effectively applied to all personal information, no matter how it is collected or for what purposes it is used.
Craig Blakeley is an attorney with the law firm, Alliance Law Group. For more than 25 years, he has provided counsel on the legal, regulatory, and public policy issues affecting the creation, distribution, and use of telecommunications, computer, and digital media technologies and services. Mr. Blakeley has written and lectured extensively on information technology law topics around the world, with publications on issues in law and technology including Global Information Technology Law which discusses telecommunications, Internet, e-commerce and e-government, and intellectual property issues in 22 countries.
Jeffrey Matsuura is Of Counsel to Alliance Law Group. Mr. Matsuura previously served as Assistant Professor and Director of the Program in Law & Technology at the University of Dayton Law School in Dayton, Ohio. Mr. Matsuura has written and lectured extensively on information technology law topics around the world and is the author of numerous articles and books on issues related to law, policy, and technology including Global Information Technology Law. He previously served on the faculty of the University of Dayton School of Law, where he directed that institution's Program in Law and Technology, and as a research fellow at the University of Edinburgh and the Smithsonian Institution.