This is one of eleven chapters contained in The Internet and Business: A Lawyer's Guide to the Emerging Legal Issues, published by the Computer Law Association. Copyright © 1996 by The Computer Law Association, Inc. All Rights Reserved. ISBN 1-885169-05-1. It is the on-line version of a short book that provides an overview of the key legal issues facing Internet users and providers. It is intended for attorneys who advise business clients about Internet use issues.
Chapter Four discusses the constitutional and statutory bases for on-line privacy, and provides recommendations for voluntary self regulation of privacy issues.
Privacy is hard to define off-line. It will be harder still to deal with on-line. Lance Rose has identified the contradictions well.
Strong privacy is a basic civil right . . . .
Strong privacy protects criminals . . . .
Strong privacy contradicts community . . . .
Strong privacy limits business opportunities . . . .
Strong privacy is necessary for on-line commerce . . . .[1]
Today's on-line world and the "global information infrastructure" promised for tomorrow have mixed parentage. Their heritage includes the Internet, the videotex and interactive cable tests of the mid 1980s, computer bulletin boards, commercial on-line services and technologies which are used more routinely such as faxes and electronic funds transfers. Most of the Net's forefathers spawned their own privacy rules. In 1978 Congress passed the Electronic Fund Transfer Act and required financial institutions to disclose the circumstances under which they would provide account information to third parties.[2] The Cable Privacy Act[3] was passed in 1984 in reaction to Warner AmEx's Qube interactive cable test in Ohio. The Electronic Communications Privacy Act[4] amended federal wiretap laws and established privacy standards for e-mail in 1986 when only a handful of people had heard of the technology. In 1991 Congress passed the Telephone Consumer Protection Act which was designed to protect people from unreasonable intrusions by barring unsolicited advertising faxes; it basically defines any printer attached to a telephone line as a fax.[5]
Privacy and confidentiality issues have existed since the earliest days of modern computers. The Census Bureau used Hollerath machines, the first electronic calculators in the 1880 census. Census marshals in that same census signed oaths agreeing not to divulge information they collected about census subjects.[6]
The lawyer dealing with on-line privacy must observe two realities. On the one hand, the general perception of privacy is broader in many respects than the scope of clearly defined legal rights. On the other hand, the privacy law structure ranges from clearly defined to wildly obscure because it flows from multiple sources - constitutional law, tort law, statutes and changing public perceptions. When faced with a privacy issue one must first determine if existing law addresses the issue. If it does not, one does not do a client justice by dismissing the issue. One must examine privacy policy to avoid permitting a client to pursue a strategy that will raise the specter of legislation or litigation. There are unlegislated "smell tests" which are worth observing even when no strictly legal privacy issue exists. However, it is not wise to conclude that every issue that seems to involve privacy in fact creates a privacy problem. Often if one defines the harm caused by a supposed invasion of privacy, one can tailor a business strategy to avoid that harm. On-line privacy issues often beg for self-regulatory and technological solutions.
Another basic point is that by definition privacy is personal. Generally, only live people have a right of privacy. With some exceptions in the "right of publicity" area, dead people lack privacy rights.[7] Privacy rights do not inure to corporations. They use trade secret, contract, misappropriation and agency theories to protect those interests akin to privacy.
Since tort law is part of the common law, it evolves; privacy torts are not static. Nevertheless, Dean Prosser's delineation of four distinct types of privacy rights remains basic. The second Restatement, for which Prosser was the original Reporter,[13] summarizes these rights as follows:
1. Intrusion upon Seclusion -- "One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusions would be highly offensive to a reasonable person."[14]
2. Appropriation of Name or Likeness -- "One who appropriates to his own use or benefit the name or likeness of another is subject to liability to the other for invasion of his privacy."[15]
3. Publicity Given to Private Life -- "One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public."[16]
4. Publicity Placing Person in False Light -- "One who gives publicity to a matter concerning another that places the other before the public in a false light is subject to liability to the other for invasion of his privacy, if (a) the false light in which the other was placed would be highly offensive to a reasonable person, and (b) the actor had knowledge of or acted in reckless disregard as to the falsity of the publicized matter and the false light in which the other would be placed."[17]
Prosser's categories are a starting point for a practitioner examining on-line privacy. The relationship among these separate rights is murky. The Restatement, Second notes that the "only relation" these four distinct wrongs have "to one another is that each involves interference with the interest of the individual in leading,to some reasonable extent, a secluded and private life, free from the prying eyes, ears and publications of others. Even this nexus becomes tenuous in the case of the appropriation of name or likeness . . . which appears rather to confer something analogous to a property right upon the individual."[18]
The traditional privacy torts all require damages to be actionable. Under the Restatement's analysis "[o]ne who invades the right of privacy of another is subject to liability for the resulting harm to the interest of the other."[19] Today people often feel that their privacy is in danger even when they cannot point to particular harm caused by the alleged invasion. Some are convinced that the accumulation of personal data will inevitably cause harm.
The tort rights which Prosser identified have served as justification for legislation. Prosser predicted in the 1960s that excessive telemarketing could invade privacy as an intrusion upon seclusion.[20] Congress found such an invasion when it passed the Telephone Consumer Protection Act[21] in 1991 and the Telephone Consumer Fraud and Abuse Act in 1994.[22] These laws evidence a trend toward merging consumer protection and privacy principles.
The commercial misappropriation species of privacy has expanded into virtual property right for celebrities.[23] Some would argue that it should be a quasi-property right belonging to consumers. Max Frankel explained this approach in a New York Times Magazine column. Frankel described a conversation with a market researcher who interrupted his dinner with a telephone call:
"Knowing that my answers would be sold not only to the inquiring auto maker but also to rafflemongers, credit-card usurers, catalogue peddlers and countless junk mailers, I decided that information about me, like anything created by me, is valuable property. You want it for your business, let's deal."[24]A privacy lawyer needs to anticipate litigation with privacy overtones arising apart from the immediate context of Prosser's four torts. For example, theft of personal data may sound in misappropriation as well as privacy. Fiduciary relationships give rise to special duties of confidentiality and their breach can create liability.[25] One can imagine instances in which a failure to keep data securely could be negligent. The imagination soars with the possibilities -- from misdirected e-mail to accidental disclosure of a personnel file on a company bulletin board.
The right received its "strongest recognition"[26] in Justice Douglas' 1964 opinion in Griswold v. Connecticut,[27] a case involving limitations on the dissemination of birth control information. Douglas located the constitutional privacy right in the "penumbras" emanating from explicit rights including the First Amendment's right of association, the Third Amendment's "prohibition against quartering of soldiers 'in any home' in time of peace," the Fourth Amendment's 'right of the people to be secure in their persons, houses, papers and effects against unreasonable searches and seizures,' the Fifth Amendment's right against self-incrimination, and the Ninth Amendment's reservation of rights to the people.[28] Douglas's opinion was not an 'opinion of the court' since while a majority joined in the Griswold result, they did not fully concur with the opinion.[29] Nevertheless, the right of privacy Justice Douglas unearthed became the foundation for the United States Supreme Court's opinion recognizing women's abortion right in Roe v. Wade.[30]
Robert Ellis Smith, publisher of the Privacy Journal, opined in 1993, that the future of constitutional privacy seemed limited to family, contraception and similar issues in the Rehnquist era.[31] Nevertheless, the right appeared most recently in 1995 when the Supreme Court, in a 5-4 decision upheld a Florida Bar Association ban on lawyers' direct mail solicitations to accident victims within thirty days after their tragedies.[32] The case is important in the on-line context because the tensions between privacy rights and commercial free speech will intensify on-line. The Court managed to deal with privacy without deciding the matter on privacy grounds. It found that the Bar's strictures were justified because the public perceived the letters to be an invasion of privacy and therefore their transmission harmed the reputation of attorneys in general.
The Fourth Amendment's bar on warrantless searches -- not just its penumbrae -- impacts on-line communications. On-line crime exists. It ranges from stock fraud to pedophilia. Prosecutors and defense counsel alike will grapple with applications of precedents from the world of hard copy mail and analog telephones.
In 1928, the Supreme Court held that wiretapping was not an unlawful search and seizure because nothing physical was searched and nothing tangible was seized.[33] In 1967, the Court reversed itself and prohibited admission of evidence generated from warrantless wiretaps.[34] Since then cases have often examined the individual's "reasonable expectation of privacy" to determine whether a warrant was required.[35]
Prosecutors, industry representatives and civil libertarians addressed the issue of privacy and the Fourth Amendment in the e-mail context in that medium's infancy. They united to draft the Electronic Communications Privacy Act which Congress passed in 1986.[36] This Act addresses some of the basic privacy issues involved with e-mail, including the procedural steps required to search it.
Finally, courts on occasion have found broader privacy rights in state constitutions than exist in the federal.[37] Conceivably these may give rise to on-line privacy rights, or inconsistent approaches to privacy among the states.
Most clear-cut privacy rights exist by virtue of express statutes. In the United States, Congress and state legislatures have generally dealt with privacy issues on a sectoral basis. Because of the sectoral approach, a lawyer confronting a privacy issue must examine laws affecting the product involved, the parties to the transaction, the information collection method, the proposed use of the information and the communications and storage media in question to see if any specific statute applies.
There are specific federal privacy laws dealing with government record keeping,[38] videotape rental records,[39] credit reports,[40] political contributors,[41] tax records,[42] cable television viewing habits[43] and delivery of pandering materials through the mail.[44] There are a wider still variety of state laws with privacy overtones.[45] There are a few federal laws which may provide some guidance to future regulation.
The public's fears about computers and privacy often involve dossier building through data-matching. One can build meaningful profiles by compiling and comparing data from multiple data bases. Government agencies can use the technique to catch people committing fraud. Businesses can use it to spot prospects. Surprisingly, this area is barely regulated. The Privacy Act of 1974, as amended in 1988, regulates how government agencies may match data from two or more databases.[46] In April of 1994, the Federal Communications Commission promulgated a rule involving permissible uses of information generated from Automatic Number Identification (ANI) systems through which a telephone call recipient can identify callers' numbers.[47] The regulations only allow the use of ANI data "for services directly related to the originating telephone subscriber's call"[48] and specifically bar the reuse or sale of such information.[49] This rule was scheduled to go into effect in April of 1995, but at the last minute its implementation was delayed indefinitely.[50]
The Omnibus Crime bill of 1994, included provisions related tothird parties access and use of drivers license and registration data.[51] The law is of interest because it provides a variety of levels of access to information based on the proposed use of the information.
In at least one important instance federal privacy regulation is relatively informal. No explicit law regulates databases containing personal medical information. However, in June of 1995, the Federal Trade Commission and the Medical Information Bureau, the nation's largest insurance reporting agency, announced an agreement under which the bureau and its member insurance companies will comply with the same rules with respect to medical data as the credit reporting industry does with respect to financial data.[52]
Two federal laws are particularly important because they deal specifically with interactive on-line media.
The Electronic Communications Privacy Act[53] ("ECPA") governs the privacy of e-mail in public e-mail systems. It bars interception, use or disclosure of e-mail by third parties. It sets the standards which law enforcement authorities must meet to gain access to e-mail. It does not apply when a party has consented to the electronic eavesdropping. Most importantly, it is generally read not to apply to operators of strictly private e-mail systems (e.g., employers). This interpretation has not been litigated, and may become less important as private systems become open to a company's suppliers, customers and others. Many companies are establishing the scope of privacy in e-mail, ordinary mail and voice mail communications through their human resources policies.
There are three good resources for understanding the ECPA and implementing it practically. The Electronic Mail Association (now the Electronic Messaging Association) published a summary of the law[54] and a "Tool Kit" for formulating corporate e-mail policies.[55] Lance Rose provides a solid summary in his book NetLaw.[56]
The Cable Privacy Act was the first federal law to deal with interactive transactions. It establishes standards for use of personal transaction information by cable companies. It provides (with exceptions) that "a cable operator shall not use the cable system to collect personally identifiable information concerning any subscriber without the prior written or electronic consent of the subscriber . . . ."[57] Cable operators may not disclose most "personally identifiable information"[58] without a subscriber's positive consent. Personal information does not include "aggregate data which does not identify particular persons."[59] The statute may be the first to have recognized on-line transactional capabilities - it allows electronic consent.[60] A cable operator may disclose subscribers' names and addresses if it has given them the opportunity "to prohibit or limit" such disclosure and "the disclosure does not reveal directly or indirectly" their viewing habits or on-line purchases.[61] The law gives cable subscribers the right to review and correct their records,[62] and requires destruction of records when "the information is no longer necessary for the purpose for which it was collected."[63]
2. International
Some jurisdictions outside the United States have taken a comprehensive approach to privacy. Often attorneys dealing with on-line law need to consider global issues since access to the information infrastructure in many instances does not recognize boundaries.
In July of 1995, the European Parliament adopted a far-reaching Directive on Personal Information which will require each of the member countries to adopt strict privacy legislation.[64] Quebec has enacted the most expansive privacy law in North America regulating virtually all databases containing information about live individuals.[65] Taiwan recently passed a "computer processed personal data" law.[66]
It is not clear how or who will resolve on-line jurisdictional issues. Privacy may be one of the first areas in which such resolution is required. It may be noteworthy that Microsoft built consent features into its Microsoft Network reportedly in anticipation of strict European privacy rules even before the European Parliament had passed the most recent Directive.[67] Cautious lawyers may choose to counsel that clients follow the "strictest common denominator."
One could certainly read public opinion to support more rules. Louis Harris and Associates has conducted a series of surveys of public opinion about technology and privacy in cooperation with privacy advocate Alan Westin.[68] The American Civil Liberties Union funded a 1994 survey of American Public Opinion About Privacy at Home and at Work.[69] The 1992 Harris survey found that:
89% [of the respondents] agree that computers give people more convenient access to useful information and services; 78% agree that computers provide customers with more individualized service than before; and 79% agree that computers have improved the quality of life in our society. On this last point, public approval is up from 63% holding that view in 1978 . . [70]
. . . . .
At the same time, strong majorities of the public also agree that computer use has raised serious confidentiality and privacy dangers for consumers and the citizenry:
. . . . .
Finally, in terms of public policies, a striking 67% of the public, two out of three Americans, agree that 'if privacy is to be preserved, the use of computers must be sharply restricted in the future.' Thirty-nine percent (representing 72.2 million people 18 or over) support this view very strongly.[71]Westin and Harris announced a survey in 1994 about consumer attitudes toward on-line services. Much of it focused on prospective interest in such services rather than in actual use. Most likely it will serve as a useful benchmark. Hints of why the privacy agenda has not advanced further are in this survey, however. It notes that "[c]oncerns (about privacy)" are highest among the oldest, least educated and lower income groups surveyed. Southerners are more concerned than Northerners. Blacks are more concerned than whites. Conservatives are more concerned than liberals.[72] Significantly, "[n]early three quarters (73%) of the American public would rather see companies and industry associations voluntarily provide privacy policies, that is, if the alternative is government regulation."[73]
Westin clearly favors self-regulation, even while he advocates the model under which individuals would have some sort of property right in their personal information. His Privacy and American Business newsletter and conferences are reliable sources for thosetrying to craft self-regulatory data protection policies.
The self-regulatory model works. The Direct Marketing Association ("DMA") started its Mail Preference Service almost twenty-five years ago to deal with people who did not want to receive unsolicited advertising mail. Consumers can write the association to have their names deleted when mailing lists are rented. The Association encourages its members to disclose their list rental polices and to allow consumers to opt not to let their names be rented. The Association has used this service as a mainstay of its defense against regulation, and as a guideline when legislation became inevitable. Congress incorporated its "disclosure and opt out" scheme into the Cable Privacy Act, the Video Privacy Act and the Telephone Consumer Protection Act.
In 1973, a committee appointed by the Secretary of the U.S. Department of Health, Education and Welfare issued a seminal study, Records, Computers and the Rights of Citizens.[74] The report recommended a federal Code of Fair Information Practice for all automated data record keeping systems -- both public and private. Civil and criminal remedies would have attached to violations.[75] The basic Code provided:
Today's commercial on-line services are taking the lessons of self-regulation seriously. The major services all have guidelines related to the rental of their mailing lists. In late 1994, America Online almost found itself in the midst of a Congressional investigation because its disclosures were said to be inadequate and hard to find. The issue fizzled when the Democrats lost control of the House. By April of 1995, the commercial service's trade association had published a set of Guidelines for On-line Services -- The Renting of Subscriber Mailing Lists. These guidelines deal with transfer of information from on-line services to third parties. They do not deal with a service's own use of customer information, or use of information by third party content suppliers. By contrast, the Prodigy service has a comprehensive disclosure statement. As any user of that service knows, it profiles its members in order to target them with advertising while they view its content. Its disclosure statement tells people quite specifically that it will so profile them. It says:
Prodigy uses personal information only for purposes necessary to provide Prodigy's products and services. These services are . . . to personalize the Prodigy service based on members' interests, including making members aware of editorial features, advertisements, and commercial offerings.Some have argued that in a world of point and click contracting it will be hard not to provide easy opt out from frivolities, such as mailing list rental. At the same time, such opt out may well mask more significant internal modeling.
Self-regulation was given a significant boost in mid-1995 when two task forces studying the National Information Infrastructure issued reports. These reports had a fairly tortured history in the bureaucracy.
In the fall of 1993, President Clinton appointed two different groups to explore public policy issues and the National Information Infrastructure. One was an inter-agency task force, the Information Infrastructure Task Force ("NII Task Force"), the other was a private sector task force, the National Information Infrastructure Advisory Council ("NIIAC"). Meanwhile, the Commerce Department's National Telecommunications and Information Agency ("NTIA") was studying the issue. In February of 1994, the NTIA published an excellent summary of current privacy law and requested comments on privacy on the information superhighway.[78] Shortly thereafter, the NII Task Force's working group on privacy published its preliminary thoughts on the issue and requested comments. Yet thereafter, the NIIAC task force began studying the issue.
Both task forces have now issued their sets of principles that they intend to serve as guidelines for use of personal data on-line, and the NTIA has published a "white paper" on its findings.[79] While neither set of guides is likely to be enacted as law soon, they are both good checklists and update the HEW Report's Fair Information Practices Codes well. The NII Task Force's report is particularly noteworthy.[80] It acknowledges the complexity of the issues involved and sets forth a set of basic principles which form a useful checklist. These include principles of information privacy, information integrity, information quality, data acquisition, notice, data protection, fairness, awareness and empowerment. The guides would place obligations on those who collect, maintain and use data, and also suggest that data subjects have a duty to obtain information before supplying data.
Author-lawyer-scholar Anne Wells Branscomb has broken through traditional notions of privacy (and free speech) to identify subsets of rights to consider when facing information issues on behalf of individuals or corporations.[81] The rights include:
Anonymity: True anonymity in the Networld would mean that no one could trace the source of an electronic message.[82]
Autonomy: the right to exert some modicum of control over one's electronic environment.[83]
Accountability: the acceptance of responsibility for one's actions.[84]
Secrecy: the right to prevent disclosure of information.
Privacy: the right to prevent unwelcome and unauthorized intrusions.
Confidentiality: the right to release information with restrictions, to prevent others from obtaining the information without the subject's consent.
Publicity: the right to release information into the public domain at a time and place of one's own choosing.
Commerciality: the right to sell information for fair value.
Accessibility: the right to obtain information.
Reciprocity: the right to receive value in exchange for value given.
Integrity: the right to control the accuracy and reliability of information.
Interoperability: the right to transparency in the transfer of information.
Responsibility: the duty to act responsibly.
Liability: the right to have grievances redressed.
Commonality: the right to share information in the public domain.
Equity: the right to have no wrong go unrighted[85]The NII Task Force said "privacy should not be addressed as a mere afterthought, once personal information has been acquired. Rather, information users should explicitly consider the impact on privacy in the very process of designing information systems and in deciding whether to acquire or use personal information in the first place."[86]
Branscomb's delineations and the NII Task Force's observations produce
"practical" recommendations to counsel dealing with on-line privacy issues.
Consider the consequences of data collection and use throughout the process.
Define the issues involved with care. Be sensitive to the evolution of
the medium.
Copyright © 1996 by John H. Awerdick. All Rights Reserved.
John H. Awerdick
Stryker, Tams & Dill
Two Penn Plaza East Phone: (201) 491-3952 Fax: (201) 491-9692
E-mail: jawerdick@aol.com or jawerdic@stryker.com
John H. Awerdick is an attorney with the firm of Stryker, Tams & Dill in New Jersey. Previously he was a Vice President of Columbia House with responsibilities for government relations, consumer affairs, business affairs and marketing services and an Attorney in the Broadcast Section of the CBS Inc. Law Department. His practice includes privacy issues relating to the direct marketing industry. His articles on databases and privacy have appeared in the DataLaw Report and the Practical Lawyer.
1. L. Rose, NETLAW 165 (1995).
2. 15 U.S.C.A. § 1693c(a)(9) (1982).
3. 47 U.S.C.A. § 551 (1991 and Supp. 1995).
4. 18 U.S.C.A. §§ 2510-2521, 2701-2709, 2711 (1970 and Supp. 1995).
5. 47 U.S.C.A. §167; 227(a)(2), (b)(1)(C) (Supp. 1995) See the Federal Communication Commission ("FCC") regulations implementing this statute at 64 C.F.R. § 64.1200 (1994).
6. See U.S. Dep't. of Health, Education & Welfare, Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers And The Rights Of Citizens 194-198 (1973) ("HEW Report").
7. See D. A. Elder, THE LAW OF PRIVACY (1991) 375-448; J. T. McCarthy, THE RIGHTS OF PUBLICITY AND PRIVACY §§ 9.1 to 9.5 (1987-1995).
8. See, e.g., R. E. Smith, THE LAW OF PRIVACY EXPLAINED 6 (1993); Elder, supra at 1.
9. 4 Harv. L. Rev, 193 (1890).
10. Id. at 195.
11. Id. at 219.
12. Id.
13. See RESTATEMENT (SECOND) OF TORTS vol. 3 at vii-viii (1977).
14. Id. § 652B.
15. Id. §652C.
16. Id. § 652D.
17. Id. § 652E.
18. Id. § 652A. comment b.
19. Id. § 652A(1).
20. Id. §652B comment b; illustration 5.
21. 47 U.S.C.A. § 227 (Supp. 1995).
22. 15 U.S.C.A. §§ 6101-6108 (Supp. 1995).
23. See generally, Elder, supra, at 375-448; McCarthy, supra.
24. M. Frankel, Word & Image - Cyberrights, The New York Times Magazine, Feb. 12, 1995, at 26.
25. Elder, supra, at 343-374.
26. Smith, supra, at 37-38.
27. 381 U.S. 479 (1965).
28. 381 U.S. at 484.
29. See Smith, supra, at 40.
30. 410 U.S. 113 (1973).
31. Smith, supra, at 41-42.
32. Florida Bar v. Went For It, Inc., - U.S. -, 115 S.Ct. 2371 (1995).
33. Olmstead v. U.S., 277 U.S. 438 (1928).
34. Katz v. U.S., 389 U.S. 347 (1967).
35. One increasingly hears the "expectation of privacy" standard espoused in the civil privacy arena, and it may be migrating there as a standard. For example, the Presidentially appointed inter-agency task force studying the National Information Infrastructure suggests that "[w]hat counts as a reasonable expectation of privacy . . . is not limited by what counts as a reasonable expectation of privacy under the Fourth Amendment. . . . In many instances, society has deemed it reasonable to protect privacy at levels higher than that required by the Fourth Amendment." Privacy Working Group, Information Policy Committee, Information Infrastructure Task Force, Privacy And The National Information Infrastructure: Principles For Providing And Using Personal Information (June 6, 1995) ("NII Task Force Report"). Online. Available HTTP: http://ntiaunix1.ntia.doc.gov:70/0/papers/documents/niiprivprin-final.html.
36. 18 U.S.C.A. §§ 2510-2521, 2701-2709, 2711 (1970 and Supp. 1995).
37. See e.g., Hennessey v. Coastal Eagle Point Oil Co., 129 N.J. 81, 95-96 (1992).
38. 5 U.S.C.A. § 552a (1977 and Supp. 1995).
39. 18 U.S.C.A. § 2710 (Supp. 1995).
40. 15 U.S.C.A. § 1681-1681t (1982 and Supp. 1995).
41. 2 U.S.C.A. §§ 438(a)(4) (1985).
42. 26 U.S.C.A. § 6103 (Supp. 1995).
43. 47 U.S.C.A. § 551 (1991 and Supp. 1995).
44. 39 U.S.C.A. § 3008 (1980).
45. See, e.g., ME. REV. STAT. ANN. tit. 9-A § 8-304 (Supp. 1995) (barring sale or rental of lists of credit card holders' names, addresses and account numbers without express, written consent); N.J.S.A. § 56:11-21 (Supp. 1995) (prohibiting requirements that people writing checks put a credit card number on the check as a form of identification).
46. 5 U.S.C.A. § 552(a) (1977 and Supp. 1995).
47. Calling Number Identification, 59 Fed. Reg. 18319-18320 (1994) codified at 47 C.F.R. § §64.1600-64.1604 (1995).
48. 47 C.F.R. § 64.1602(a)(1) (1995).
49. 47 C.F.R. § 64.1602(a)(2) (1995).
50. Calling Number Identification, 60 Fed. Reg. 15495-96 (1995).
51. 18 U.S.C.A. §§ 2721-2725 (Supp. 1995).
52. FTC Press Release, Nation's Largest Insurance Reporting Agency Agrees to Expand Consumer Rights, June 21, 1995. As this article was going to press a bipartisan group of legislators was supporting comprehensive federal medical privacy legislation. See Kolata, When Patients' Records Are Commodities for Sales, New York Times, Nov. 15, 1995, at A-1, col. 1. In addition, the Federal Trade Commission has indicated a strong interest in on-line privacy issues and held hearings on the subject.
53. 18 U.S.C.A. §§ 2510-2521, 2701-2709, 2711 (1970 and Supp. 1995).
54. J. Podesta & M. Sher, Protecting Electronic Messaging: A Guide To The Electronic Communications Privacy Act Of 1986 (1990).
55. D. R. Johnson & J. Podesta, Access To And Use And Disclosure Of Electronic Mail On Company Computer Systems: A Tool Kit For Formulating Your Company's Policy (Electronic Messaging Association 1991).
56. Rose, supra, at 167-173.
57. 47 U.S.C.A. § 551(b) (1991).
58. 47 U.S.C.A. § 551 (1991 and Supp. 1995).
59. 47 U.S.C.A. § 551(a)(2)(A) (Supp. 1995).
60. 47 U.S.C.A. § 551(c)(1) (Supp. 1995).
61. 47 U.S.C.A. § 551(c)(2)(C) (1991).
62. 47 U.S.C.A. § 551(d) (1991).
63. 47 U.S.C.A. § 551(e) (1991).
64. European Parliament and Council of the European Union, Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. 24 October 1995. Online. [June 1996] Available HTTP: http://elj.warwick.ac.uk/elj/jilt/dp/material/directiv.htm.
65. Quebec Privacy Act, S.Q., 1993, c.17.
66. Computer Processed Personal Data Law, promulgated 11 August 1995. Effective 13 August 1995.
67. D. Caruso, Technology, New York Times, July 24, 1995, at D4 col. 5.
68. LOUIS HARRIS & ASSOCIATES, THE EQUIFAX REPORT ON CONSUMERS IN THE INFORMATION AGE (1990); LOUIS HARRIS & ASSOCIATES, HARRIS-EQUIFAX CONSUMER PRIVACY SURVEY 1991 (1991); LOUIS HARRIS & ASSOCIATES, HARRIS-EQUIFAX CONSUMER PRIVACY SURVEY 1992 (1992) ("Harris-Equifax 1992;QUOT;); LOUIS HARRIS & ASSOCIATES, INTERACTIVE SERVICES, CONSUMERS AND PRIVACY (1994) ("Harris Interactive").
69. A. H. Contril and S. D. Contril, LIVE AND LET LIVE, AMERICAN PUBLIC OPINION ABOUT PRIVACY AT HOME AND AT WORK (1994).
70. Harris-Equifax 1992 at 12.
71. Id. at 13.
72. Harris Interactive at 64.
73. Id. at 67.
74. HEW Report, supra note 6.
75. Id. at xxi.
76. Id. at xx, xxi.
77. See Awerdick, An Examination of The Secondary Use Principle of Information Privacy, 2 DataLaw Report 2 (1994).
78. NTIA Notice of Inquiry; Request for Comments, 59 Fed. Reg. 6842 (1994).
79. See NII Task Force Report, supra note 35.
For the NIIAC report, see National Information Infrastructure Advisory Council, Common Ground: Fundamental Principles for the National Information Infrastructure First Report of The National Information Infrastructure Advisory Council (March 1995). Online. Available HTTP: http://nii.nist.gov/common-ground.txt
For the NTIA 'White Paper', see U.S. Department Of Commerce, National Telecommunications and Information Administration, PRIVACY AND THE NII: Safeguarding Telecommunications-Related Personal Information. Online. Available HTTP: http://www.ntia.doc.gov:70/00/policy/privwhitepaper.html.
80. The NII Task Force Report, supra note 35, is published as an appendix to this book.
81. See A.W. Branscomb, WHO OWNS INFORMATION? (1994); Branscomb, Anonymity, Autonomy, and Accountability: Challenges to the First Amendment in Cyberspaces, 104 Yale L.J. 1639 (1995).
82. 104 YALE L.J. at 1641.
83. Id. at 1644.
84. Id. at 1645.
85. WHO OWNS INFORMATION, supra, at 181.
86. NII Task Force report, supra note 79. at II .A. Acquisition
Principles.
Excerpted from The Internet and Business: A Lawyer's Guide to the Emerging Legal Issues, published by the Computer Law Association. Copyright © 1996 by The Computer Law Association, Inc. All Rights Reserved. ISBN 1-885169-05-1.
http://www.cla.org/RuhBook/chp4.htm