|
| |
        
For Lawyers: State Cyberlaws
-Privacy and Contests Online
Attorneys for national corporations have long known that
they must be familiar with some of the laws of other states in order to properly
advise their clients. Fifty-state blue sky law surveys are commonplace for
securities issues. But with the growth of the Internet, whole new areas of laws
– both state and federal – must be surveyed to ensure that clients with
websites aren’t in violation of any laws.
This is particularly true of websites that request information from users, that
hold online contests, and that send e-mail – in other words, almost every
business site.
Privacy
The big issue for the Internet decade is privacy. People want to be consulted
before their personal information is taken from them, and they hate the “big
brother” feeling that websites are tracking their every online move.
But this can be in conflict with the business models of many sites. Most sites
are free – they get their revenue through advertising. Many also sell
demographic information about their users to marketers.
Increasingly, marketers want browsing information –
where did the user go, how long did he stay, where did he go next. Those sites
that require membership or otherwise have a way of identifying particular users
can gather such information and sell it to marketers. The more information
about the practices of a particular user, the more valuable it is to the
marketer – and the more objectionable it is to the user.
And no site wants to be the subject of an expose
claiming that they are secretly tracking where their users go.
If a website has a privacy policy, it must disclose accurately and completely
what information it collects and what it does with that information. The FTC
can take action against any unfair or deceptive disclosure. So attorneys must
thoroughly debrief both the business people and the website design team to
discover exactly what information (1) can be gathered. (2) is being gathered,
and (3) is being disclosed to third parties. Then that information must be
disclosed in the privacy policy.
This has the added virtue of keeping users from claiming they were unaware that
their habits were being tracked.
Right now, there is no federal law that prevents the collection and
dissemination of such information, except where children are concerned. (There
may be certain other website categories that are required to disclosure privacy
information (Parry calls these "Kids, Cash and Kidneys...standing for members of
the children's, financial and healthcare industries), but there is no federal
laws that mandate a website privacy policy.) But states are beginning to take
action, and several have proposed privacy laws that may curtail some of these
practices. California's new privacy legislation requires both that a website
have a privacy policy if personal information from any California resident is
collected and that any breach of security of that information is reported to the
people from whom it was collected.
Children and Privacy
Children under the age of 13 fall into a special protected category for privacy
purposes. The Children’s Online Privacy Protection Act (COPPA) prohibits the
online collection of personally identifiable information from children without
prior verifiable parental consent. Under COPPA, personal information includes
email addresses, and "collection" includes the use of any interactive elements
of websites, as well an online forms. Moreover, parents must be given the
option to prevent the disclosure of their children’s information to third
parties, while still permitting their children to use the website at issue.
Among other consequences, failure to comply with COPPA can result in the
bringing of an enforcement action by the FTC and the imposition of civil
penalties.
The statute applies both to websites directed at children as well as to general
audience sites that have actual knowledge that they are collecting information
from a child. Most children’s sites are aware of COPPA and the need to retain
knowledgeable counsel to make sure they are in compliance. But general audience
sites are by and large still not aware of the reach of this legislation.
Any general audience site that asks for information that will disclose the age
of its users, and also has interactive services such as chat, email or message
boards, must comply with COPPA as to users under 13. Any general audience site
that is informed by a parent that their child is using the site’s services must
comply with COPPA.
In addition, more general audience sites are building children’s areas, unaware
that knowledge they obtain about the identity of users in the children’s area is
chargeable to them in the operation of the general audience section. For
example, many general audience sites have message boards, where users can post
comments about the topic at hand. Under COPPA, a child cannot be permitted to
use a message board without prior parental consent. If the children’s area of a
site lets children sign up for a newsletter or a contest (which under COPPA
requires notice and an opt-out option for the parents), that site now has a list
of email addresses that are presumed to belong children – and the main site must
take action to either get full-blown verifiable parental consent or to bar those
email addresses from posting in the message boards. Administrative or
technological headache – take your pick.
Counsel should debrief their general audience and business internet clients
about their websites, see what information they are collecting from users – and
if any of it is age-related, know that COPPA applies.
Contests
In order to drive traffic to their sites (and increase advertising revenues),
many sites are offering contests. Win a t-shirt! Win a gift-certificate! Win
$10,000! Most web operators don’t realize that there are laws that apply to
even the most innocuous contest – and that, because of the reach of the
Internet, they must comply with all the myriad contest laws in the world.
Because that’s far too cumbersome to deal with, the first thing web operators
should know is to limit their contests to the United States. So now there are
only 50 different sets of laws to deal with. And the contest has to comply with
all of them – or make clear that residents of a particular state are not
eligible to participate.
The first rule is that there must be official rules for contests. Each state
has its own requirements for what those rules must contain. The site must
comply with all of them. If only one state requires that a particular
statement, such as “no purchase necessary” be in bolded-12 point capital
letters, then on the Internet, that statement better be in that form.
Some states require that if the prizes given away in aggregate total over
$5,000, the operator must register with the state and post a bond.
The main fear if website operators don’t retain knowledgeable contest counsel is
that they may end up not running a contest at all, but rather an illegal
lottery. Generally speaking, a lottery requires three elements: (1) prize, (2)
chance, and (3) consideration. Requiring someone to register at the site to
enter a contest may be deemed consideration. At a minimum, all internet
contests need to offer a free alternative method of entry.
Contests may be a great marketing tool, but we need to educate our clients about
the legal pitfalls and the need for counsel, even if they are simply giving away
T-shirts to every tenth registrant.
Again, as with privacy, you should be advising to use
the most restrictive states' laws as the baseline. It's the only way to avoid
liability.
This is truly an area where federal legislation is needed. But until such time
as it is enacted, counsel must be aware of the existence of the myriad state
laws that affect their clients’ online businesses.
|
Parry
Aftab, Esq., 
Marvel and
all character names and the distinctive likenesses thereof are trademarks of
Marvel Characters, Inc., and are used with permission. TM & © 2004 Marvel
Characters, Inc. All rights reserved. “Super Heroes” is a Co-owned registered
Trademark.