Privacy and the law
A handful of privacy laws, fairly narrow in scope, already are on the books:
Children's Online Privacy Protection Act (COPPA):
This 1998 law, which went into effect in April, prohibits Web sites from collecting, using or disclosing personal information from children under 13 without parental consent. Prior to enactment, the Federal Trade Commission conducted a study of children's Web sites and found that 89 percent collected personal information, but only 24 percent posted privacy policies and just 1 percent required parental consent.
Health Insurance Portability & Accountability Act (HIPAA):
HIPAA, signed into law in 1996, includes a provision calling for security standards to protect the confidentiality of "individually identifiable" health-care information. The Department of Health and Human Services drafted a proposed standard last year but has yet to issue a final rule regarding health-care information privacy. Heath-care organizations, employers and other organizations handling personal health-care data have two years to comply with the security standard, once the final rule is published.
Financial Services Modernization Act, also known as the Gramm-Leach-Bliley Act:
This law requires financial institutions to disclose their privacy policies regarding the sharing of personal information with other parties. Financial institutions must comply next year.
Meanwhile, more comprehensive privacy legislation is brewing in Congress, with many observers expecting action next year. Here are a couple of pending developments:
The Consumer Internet Privacy Enhancement Act
requires Web sites to post descriptions of how they plan to use personal information, including a statement on whether the information may be sold, disclosed or otherwise made available to third parties for marketing purposes. The bill also directs Web sites to describe "the means by which a user may elect not to have the user's personally identifiable information used ... for marketing purposes."
The Online Privacy Protection Act.
calls for Web sites to provide a notice regarding the nature of personal information collected and how the information will be used or shared. The bill also would require Web sites to provide (upon the consumer's request) descriptions of the specific types of personal information sold or transferred to an external company.
