Privacy Basics for Mobile Information Technologies


Originally published 1st Quarter 2004

The recent explosion in mobile information technology (IT) products and services for consumers presents an interesting new context for federal, state and international privacy laws. On February 17, 2004, TRUSTe (the independent, non-profit privacy initiative that develops third-party oversight "seal" programs to facilitate industry self-regulation) released its first Wireless Privacy Principles and Guidelines (Guidelines). The Guidelines are the work of an advisory committee comprised of wireless carriers, content providers, consumer groups and other representatives of this market sector. As a general matter, effective self-regulation programs are the optimal balance between protecting consumers and avoiding the costs of unnecessary regulations. In this respect, the Guidelines are a helpful starting point for what is certain to remain a key industry concern.

Privacy cannot be fully understood without factoring in the related concepts of confidentiality and security. Privacy is the ability of the individual to control the release of personally identifiable information that is not available to the general public. Expectations of privacy will vary depending on the nature of the information and the circumstances under which its release is sought. Confidentiality is the degree to which the party who obtains the individual’s information shares it with third parties. Finally, security is the expectation that once personally identifiable information is disclosed, it will be stored in a way that reliably prevents unauthorized intrusion. The need for privacy safeguards increases in proportion to the sensitivity of the information. The most sensitive information contemplates that the stored information will be accorded the highest level of security, and will as a general matter not be shared or disclosed absent voluntary and informed consent by the information’s owner.

While privacy is a very old concept, the Internet and digital technologies have given it new meaning for the individual. Digital technology, together with the Internet platform, enables or even promotes sharing and integration of personally identifiable information. Much of this information-gathering can easily be performed on-line without the individual’s knowledge and consent through use of readily available technologies.

There are many different ways that consumers of mobile IT services share information with their provider. Some of these ways are typical Internet use translated into a different technological context. For example, laptops, many handsets or, where applicable, PDAs, can be used to send content that is generated by the user; engage in on-line purchasing or other funds transfers, such as banking or bill-paying; access Web browsers; receive requested information; and download various products that are designed for the wireless device, such as games or office applications.

There are also information-sharing applications that are unique to mobile IT. Most notably, location services enable real-time location of the individual using the device with the likelihood that precision will increase as technology improves. In addition, unlicensed portable wireless technologies, such as Wi-Fi, provide the convenience of mobile computing, but at this time, cannot reliably provide security of information exchanges. Finally, telematic services are primarily designed with the expectation that the user has agreed to surrender certain expectations of privacy. For example, drivers that decide to equip their car with a tag to enable electronic payment of tolls should expect that the toll authority will maintain an electronic record detailing toll payments, including times, dates and locations. Similarly, many telematic systems are used by companies managing fleets of vehicles to ascertain location, manage deliveries/shipments and monitor vehicle maintenance. It is the fleet manager, and not the driver employed by the fleet manager, who "owns" the driver’s location information. (The TRUSTe Guidelines are not applicable to Wi-Fi or telematic services.)

Federal regulation of mobile IT is limited. Generally, federal privacy laws are viewed as a "floor" rather than a "ceiling," opening the door for an increasing number of states to enact their own privacy regimes. Federal statutes of potential relevance to the mobile IT provider are listed below:

The Electronic Privacy Act (ECPA) expands the privacy protections of the Wiretap Act (addressing government surveillance of an individual’s communications) to include all forms of electronic transmissions; eliminates the requirement that limits an individual’s legal protection to transmissions originating from a common carrier; prohibits interception of messages or access to stored electronic communications without a warrant; and restricts both governmental as well as private access to electronic transmissions, including those that are stored. ECPA can be enforced by the state or federal government. In addition, ECPA provides for a private cause of action.

Section 222 of the Communications Act of 1996 imposes a duty on carriers to protect customer proprietary network information (CPNI). The FCC ultimately adopted an "opt out" system for obtaining customer consent to sharing of CPNI after a 10th Circuit opinion found an "opt in" system violates the carrier’s First Amendment rights. States are not preempted from adopting their own regulations in this area, assuming the underlying First Amendment analysis is sustained, but it is unclear whether that can be accomplished. For example, the state of Washington adopted an "opt in" system with privacy protections exceeding those adopted by the FCC, but after Verizon succeeded in obtaining a permanent injunction, Washington suspended the rules in February of 2004. This provision also prohibits wireless carriers from disclosing wireless location information without the customer’s express prior authorization. Wireless location information may, however, be shared with appropriate officials responding to an emergency, or if it is automatic crash information. The FCC has declined to adopt rules implementing this provision, nor has the FCC been presented with an opportunity to enforce it. In this respect, TRUSTe provides an industry self-enforcement mechanism for proper handling of location-based information.

The Telephone Consumer Protection Act (TCPA) prohibits intrusive telemarketing practices as well as unsolicited "blast faxes," and requires maintenance of a company-specific do-not-call list. Most recently, TCPA amendments create a national regime that allows consumers to register any of their telephone numbers on a national "do not call" list. Registration prohibits telemarketers from calling registered numbers subject to several specific exceptions, and regulates conduct of telemarketers during authorized calls. The FCC and FTC both enforce the TCPA.

The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" (GLB), protects consumers’ personal financial information retained by banks, securities firms, insurance companies and other providers of financial products and services to consumers. Electronic funds transfers, on-line banking and on-line stock trading would, for example, be subject to GLB regardless of the provider. Eight federal agencies and the states have authority to enforce GLB. One of the primary federal enforcers, the FTC, does not have jurisdiction over communications carriers; therefore, it is questionable whether it would take action against any mobile IT providers that offer the implicated financial services to consumers.

The Communications Assistance to Law Enforcement Act (CALEA) requires telecommunications providers to make network modifications to ensure government access (pursuant to lawful process) to wire, electronic and call-identifying information. CALEA does not apply to information service providers. The FCC announced that it will soon initiate a proceeding to address FBI concerns about the impact of this restriction on the government’s ability to access voice communications transported over the Internet. Nonetheless, to expedite resolution of this issue, the FBI (together with other federal law enforcement agencies) filed a "Joint Petition for Expedited Rulemaking" with the FCC that effectively interprets CALEA’s definition of telecommunications service to encompass "broadband" and IP-enabled voice communications. It appears that the FBI’s interpretation of CALEA is overly broad and at odds with the pertinent legislative history. Resolution of these issues will focus in part on balancing the privacy expectations of subscribers to mobile IP services, as prescribed by CALEA, against the law enforcement needs asserted by the FBI.

The USA PATRIOT Act enables the government, under limited circumstances, to obtain "roving warrants" on an expedited basis to authorize surveillance of a target’s Internet use anywhere in the United States.

The Children’s Online Privacy Protection Act (COPPA) prohibits knowing collection of information by Web hosts from children under 13 absent informed consent of the child’s parents. The FTC enforces the COPPA rule, but, given the FTC’s jurisdictional limitation on enforcement against communications carriers, it remains to be seen whether the FTC would attempt to enforce COPPA against a Web host that is also a carrier. Conceivably, the FTC might segregate the Web hosting activities, which are not telecommunications, from the carrier’s other services.

The European Commission Directive on Data Protection prohibits transfers of personal data to countries outside the European Union (EU) if those countries do not satisfy the European "adequacy" standard for privacy protection. Unlike the United States, which enforces data privacy rights through a mixture of federal, state and self-regulation, the EU relies on comprehensive legislation. To reconcile these approaches, the Department of Commerce developed the EU Safe Harbor. The EU approved the EU Safe Harbor approach in July of 2000. Under EU Safe Harbor, the Department of Commerce maintains a list of companies that have self-certified compliance with criteria that satisfy the European "adequacy" standard. To date, the EU Safe Harbor has not enjoyed significant levels of support from U.S. companies, primarily because there is a lack of comfort with enforcement of European laws in the U.S., and the perception that appearing on a public list of self-certifying companies increases the likelihood of government oversight.

Enforcement of on-line consumer privacy rights has predominantly been accomplished via industry best practices, such as the Guidelines. Endorsement of self-regulation by the federal government significantly increases the likelihood that self-regulation will limit liability. Self-regulation of on-line privacy is guided by Fair Information Practices, which have been recognized by both the U.S. and EU as appropriate data privacy protections. The basic elements of Fair Information Practices are providing the consumer with (1) notice that information is being collected and how it will be used; (2) choice of whether to share personally identifiable information; (3) reasonable access to personally identifiable information and other information associated with the personally identifiable information; (4) reasonable efforts to protect the collected data from loss, misuse, alteration, destruction or improper access; and (5) a commitment by nearly all industry members to subject themselves to compliance monitoring by an independent third party. All privacy self-certification programs that have been accepted and/or endorsed by government, consumer groups and the courts are derived from Fair Information Practices. It is clear that TRUSTe’s Guidelines apply these policy considerations to wireless privacy.

The TRUSTe Guidelines provide the wireless industry with a potentially useful approach to industry self-regulation of consumer privacy protections. Of course, there is always room for implementing other specific requirements that are consistent with the policies embodied in Fair Information Practices. The success of a self-regulation program is ultimately judged by broad adoption by the relevant market sector. Minimizing government regulation while satisfying consumer expectations are powerful incentives for the wireless industry to move towards privacy compliance through a common self-certification approach.

The content of this article does not constitute legal advice and should not be relied on in that way. Specific advice should be sought about your specific circumstances.
