Q. I’m running a web based business.  What privacy issues should I be concerned about?

A. Lots.  More and more regulations are being enacted each year to protect the privacy of consumer information, touching upon every aspect of business.  Privacy rules may be governed by a patchwork of state, federal and international legal norms, and may be specific to the industry you are operating in.  A review of the applicable requirements in your jurisdiction is critical.  Below is a non-exhaustive list of privacy related laws.

  • Website privacy policy.  If you operate a commercial website or online service that collects personally identifiable information from consumers, you may be subject to Federal Trade Commission regulations as well as various state laws such as California’s Online Privacy Protection Act of 2003 (Cal. Bus. & Prof. Code §§ 22575 – 22579).
  • Minors.  If you operate a commercial website or online service that collects personal information of children under the age of 13 online, you may be subject to the requirements of the Children's Online Privacy Protection Act of 1998 (15 U.S.C. §§ 6501–6506 (Pub.L. 105-277, 112 Stat. 2581-728, enacted October 21, 1998)).
  • SPAM.  Commercial email is regulated by the CAN-SPAM Act (15 U.S.C.A. §§ 7701 to 7713).  Various state laws governing SPAM may potentially apply as well.  See, e.g., Cal. Bus. & Prof. Code § 17538.45.
  • Security breaches.  Various state laws may regulate the destruction of personal information that is no longer to be retained, and require notification when personal information has been acquired through a breach of the security of a computer system.  See, e.g., Cal. Civil Code §§ 1798.80-1798.84.
  • Inappropriate disclosure of personal information.  The privacy rights of individuals may be protected from disclosure at common law under theories such as false light privacy, public disclosure of private facts, intrusion upon seclusion, misappropriation of name or likeness, and right of publicity.
  • Monitoring of electronic communications.  Wire, oral, and electronic communications while in transit may be protected under the Electronic Communications Privacy Act of 1986 (ECPA, Pub. L. 99-508, Oct. 21, 1986, 100 Stat. 1848) (18 U.S.C.A. §§ 2510 to 2522, 2701 to 2710), as well as various state laws.  See, e.g., California Invasion of Privacy Act (Cal. Penal Code § 631 et seq.).
  • Unauthorized computer access.  Unauthorized access of a computer to obtain information may be prosecuted under the Computer Fraud and Abuse Act (18 U.S.C.A. § 1030, as amended by the USA PATRIOT Act), as well as various state laws.  See, e.g., California Computer Crime Law (Penal Code § 502).
  • Social security numbers.  The use of social security numbers may be regulated under various state laws.  See, e.g., Cal. Civil Code §§ 1798.85-1798.86.
  • Health and medical information.  If you collect health or medical information from consumers, you may potentially be subject to a host of regulations such as the Health Insurance Portability Act (42 U.S.C.A. § 1320) and the Genetic Information Nondiscrimination Act of 2008 (42 U.S.C.A. § 2000ff), among others.
  • Financial information.  If you collect financial information about individuals, you may be subject to laws such as the Fair Credit Reporting Act (15 U.S.C.A. § 1681), the Computer Fraud and Abuse Act (18 U.S.C.A. § 1030), the Federal Right to Financial Privacy Act of 1978 (12 U.S.C.A. § 3401), and the Gramm-Leach-Bliley Act (15 U.S.C.A. § 6801).
  • Employment data.  Information such as the amount of money employees are placing into retirement accounts, salary information, results of random drug tests, and job performance evaluations may be covered under both state and federal laws in specific arenas, such as the Americans with Disabilities Act (42 U.S.C.A. § 12112(c)) (limiting disclosure of information on an employee’s HIV status or other disability).
  • Video tapes.  The disclosure of a consumer’s video tape rental information may be regulated by the Video Privacy Protection Act (18 U.S.C.A. §§ 2710 to 2711).
  • Cable subscriber information.  The collection and use of personal information from cable subscribers may be regulated under the Cable Communications Policy Act (47 U.S.C.A. § 551).
  • Credit card transactions.  If you accept credit card payments, there may be laws governing what information you can request, collect or record in connection with accepting a credit card payment.  Internet companies in particular should be wary of separating requests for personal information from the actual credit card transaction.  (Cal. Civil Code §§ 1747-1748.95).

Last updated March 17, 2011.

Allen M. Lee  Mr. Lee’s practice focuses on business, corporate and intellectual property matters, including the creation, protection and exploitation of intellectual property assets.  He counsels clients on business formation, general corporate matters, trademark, copyright, trade secret, patent, licensing, internet and domain name issues, among other things.  For more information contact: Allen M. Lee, a Professional Law Corporation, Tel: (650) 254-0758, Fax: (650) 967-1851, Email: allen@allenmlee.com, Internet: www.allenmlee.com.

Copyright © 2010 Allen M. Lee, A Professional Law Corporation.  All rights reserved.