E-Commerce: Re-shaping the Landscape of Consumer Privacy

By Michael S. Yang

I. Introduction: The Internet and E-Commerce

The Internet is no infant, given its genesis in the electronic communication networks of government researchers and educational institutions in the late sixties and early seventies. No longer is the Internet just a way to send electronic messages and computer files to friends and colleagues, as it was at its inception. With the introduction in 1993 of a software program known as Mosaic, the predecessor to Netscape’s Navigator browser, public Internet users were suddenly introduced to a whole new electronic medium, one that in a few short years has completely changed the way much of the world operates. That medium is the World Wide Web (the “web”).

The Internet has been growing at an amazing pace. Today, the Internet has approximately 168 million users worldwide, with approximately 63 thousand new users being added daily; three out of every four users live in North America. In December 1993, there were around 600 websites in existence. In December 1999, that number had grown to around 9.5 million.

For many people, the web and the Internet have become synonyms, though one (the web) is really a subset of a much larger whole (the Internet). The proliferation of the Internet and the advent of the web have led to a rapid and relentless commercialization of cyberspace, as companies, businesses, and individuals have rushed to capitalize on a new frontier full of possibilities (for making money). While still an extremely efficient means of communication, the Internet has become a forum where both seasoned and novice entrepreneurs can sell their goods and services, twenty-four hours a day, to a global audience.

Electronic commercial transactions over the web are commonly referred to as “e-commerce,” and these transactions are growing at an incredible rate. From being practically non-existent in 1993, e-commerce is estimated to exceed $350 billion in sales in the year 2000. E-commerce is currently growing at a rate of 30% per year, and will account for up to 10% of the world’s consumer sales within the next ten years. Many businesses see the Internet as a virtual “Wild West.” The analogy is an appropriate one, as the Internet represents a vast frontier without many sheriffs policing the territory.

There are at least two significant ways in which e-commerce transactions differ from conventional transactions such as retail store sales or catalog sales. First, the pace and timing of the e-commerce transaction are usually dictated by the buyer; the buyer may initiate the sale at any hour, as long as the website is operational. This allows a consumer to build a transaction over hours, days, or weeks, and also lets a consumer shop at his or her convenience. For consumers who may require more assistance than a computer can give them, such convenience comes at a price because most websites do not offer live customer service at all hours of the day and night.

Second, most e-commerce transactions give consumers access to much more information than a typical catalog or even retail showroom can provide. Online catalogs for e-commerce retailers are usually replete with information about everything from the product itself to other similar products to three-dimensional representations of the product. Prices are usually displayed prominently, and, if a product is discounted, the listing will usually inform the consumer of the percentage discount that the consumer is getting versus the retail price.

But here’s the rub: unlike retail stores, e-commerce websites have the capability of gathering data about a user as that user browses and shops. This ability has raised a number of issues relating to the use and collection of data, particularly personal information. The ability of a commercial website to track and cross-reference a potential customer’s background and personal information is akin to someone walking into a store, not necessarily intending to purchase anything, and the store clerk behind the counter knowing that person’s name, address, past purchasing history, and every item that that person examined while in the store on any particular visit. The privacy implications are significant.

II. The Convergence of Intellectual Property and Consumer Privacy Concerns

The Internet has raised many questions as to the protectability of intellectual property, for most content on the Internet may be classified as some sort of protectable intellectual property. Intellectual property includes a person’s image or likeness, a list of customers, or a method of doing business. In certain situations, personal information may also be considered intellectual property, or may at least be protected under the law. For example, customer lists are protectable as trade secrets. Maryland laws exist to protect consumer information in specific situations such as when a credit report is generated (Md. Comm. Law Code Ann. § 14-1209) or to protect the identity of video store customers and their rental history (Md. Ann. Code, art. 27, § 583). With regard to bank records, a fiduciary institution may not disclose any financial records unless the customer has authorized disclosure or unless the records have been subpoenaed. Md. Fin. Inst. Code Ann. § 1-302. Federal laws also provide protection to consumers who rent video tapes, protecting against the disclosure of the tapes a person borrows or buys, and permitting the disclosure of customer lists only if the consumer has the opportunity to prevent such disclosure. 18 U.S.C. § 2710. In Maryland, a licensed driver or car owner may prevent the Department of Transportation from releasing data on mailing lists by submitting a written request to the Department. Md. Trans. Code Ann., § 12-112. And under Maryland law, unsolicited “junk” faxes are prohibited. Md. Comm. Law Code Ann., § 14-1313. In the appropriate situations, state legislatures and Congress have proven they will enact statutes to protect consumers, subject to the statutes passing Constitutional muster.

While an online business certainly may maintain and own its proprietary customer lists, consumers may not approve of the methods the business uses to gather those lists, the information contained in those lists, or how the information is used. When personal information is gathered, used, and disseminated without a consumer’s knowledge or control, intellectual property issues give way to privacy issues, which are often closely tied together in situations relating to e-commerce.

A. The Right to Privacy

There is no inherent right to privacy in e-commerce transactions. Consumers complaining of privacy concerns have based their claims on traditional common law invasion of privacy tort principles. The common law invasion of privacy torts include the unreasonable intrusion upon the seclusion of another, the unreasonable publicity given to another’s private life, publicity that unreasonably places another in a false light before the public, and misappropriation of another’s name or likeness. These common law principles of right to privacy are also recognized in Maryland. In challenging practices of websites and advertisers for gathering personal information, consumers have relied upon the intrusion upon seclusion tort as the basis for their complaints.

The Internet is a great tool for the acquisition of knowledge and information, but the acquiring party is not always only the user. Other websites, advertisers, and businesses may have access to the information. The ease of sending Internet e-mail has opened up the floodgates for advertisers and businesses eager to market to a new and ever growing audience. While the Internet offers users a way to escape the physical world, sometimes the virtual world can be even more intrusive when it comes to unwanted communications.

III. Cookies: The Gathering of Personal Information

“Cookies” are bits of data stored in web browsers to facilitate net surfing. The use of cookies has been hotly debated, as privacy advocates argue that these innocuous-seeming files may be used insidiously to invade the privacy of unsuspecting users. Cookies are information placed as text in the directory of a web browser such as Netscape Navigator or Internet Explorer by a web site. This information is stored for future use, and is typically used to record preferences when using a particular site. Cookies are necessary in order for web sites to recognize and store individualized information such as the items in a shopping cart or what a user’s name is. Without cookies, websites would be completely blind to the user on the other end, and e-commerce would not operate as efficiently as possible. Cookies are also very useful tools for businesses and advertisers, allowing websites to, among other things, target advertisements and recommendations to specific users based on their interests.

A. The DoubleClick Firestorm

Cookies have raised concern among users who believe that cookies can be, and are being, abused by websites and advertisers to track consumers and invade their privacy. In particular, leading Internet advertiser DoubleClick has been accused of unlawfully obtaining and selling consumers’ private information. In 1999, DoubleClick acquired Abacus Direct, a company with databases containing personal information on millions of consumers gathered by major direct-mail marketers. With its new wealth of information, DoubleClick could not only use cookies to track a person’s habits, but could also cross-reference those habits with an actual database including information such as a person’s name, location, and past purchases. In Decorse v. DoubleClick, a Marin County, California woman filed suit seeking class-action status in California Superior Court in January alleging that DoubleClick uses cookies to identify Internet users and collect personal information without their consent. The complaint seeks damages and injunctive relief. DoubleClick has since been named as a defendant in other class action lawsuits in California and other states, including actions in federal court.

Because DoubleClick’s advertisements run on so many commercial websites, DoubleClick can use its cookies to actually track an individual across thousands of websites within its advertising network. This raises further privacy concerns because, instead of only gathering discrete bits of data about a consumer (e.g., a single interest), DoubleClick can now gather a full spectrum of data about a consumer (e.g., all of the interests that a person has), giving the advertiser a much fuller composite of a consumer. This information is very valuable to DoubleClick because it can compile and process the information and then use it to create focused reports to sell to advertisers.
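How a single ad-network cookie links visits across unrelated sites, as an added illustration that is not part of the original article. The ad host, site names and IDs are constructed, and the browser and ad server are simplified models; the second run shows the effect of a browser that refuses third-party cookies.

```python
# Added illustration: every domain, page path and ID below is constructed.
import itertools
from collections import defaultdict

AD_HOST = "ads.adnetwork.example"  # hypothetical third-party ad server


class AdServer:
    """Third party whose banner is embedded on many unrelated sites."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.profiles = defaultdict(list)  # cookie id -> pages that showed the banner

    def serve_banner(self, cookie_id, referer):
        # Returns (id, set_cookie): the id the visit was logged under, and
        # whether the response carries a Set-Cookie header for a new id.
        set_cookie = cookie_id is None
        if set_cookie:
            cookie_id = f"uid-{next(self._ids)}"
        self.profiles[cookie_id].append(referer)
        return cookie_id, set_cookie


class Browser:
    """Cookie jar keyed by the host that set the cookie, as browsers keep it."""

    def __init__(self, accept_third_party_cookies=True):
        self.accept_third_party = accept_third_party_cookies
        self.jar = {}

    def visit(self, page_url, ad_server):
        # Loading the page triggers a request for the embedded banner. That
        # request goes to AD_HOST, so AD_HOST's cookie is attached, and the
        # Referer header tells the ad server which page embedded the banner.
        sent = self.jar.get(AD_HOST)
        cookie_id, set_cookie = ad_server.serve_banner(sent, referer=page_url)
        if set_cookie and self.accept_third_party:
            self.jar[AD_HOST] = cookie_id


def browse(pages, accept_third_party_cookies):
    """Visit each page once and return what the ad server has recorded."""
    server = AdServer()
    browser = Browser(accept_third_party_cookies)
    for url in pages:
        browser.visit(url, server)
    return dict(server.profiles)


PAGES = [  # constructed browsing session across unrelated sites
    "http://bookshop.example/travel-guides",
    "http://pharmacy.example/allergy-relief",
    "http://carloans.example/apply",
]

if __name__ == "__main__":
    for label, accept in (("third-party cookies accepted", True),
                          ("third-party cookies refused", False)):
        print(label)
        for uid, seen in browse(PAGES, accept).items():
            print(f"  {uid}: {seen}")
```

With the cookie accepted, all three pages land under one identifier; with it refused, the ad server sees three apparently unrelated visitors, each with a single page.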

With significant media attention focused on DoubleClick, in February 2000, DoubleClick acknowledged that it was under a Federal Trade Commission investigation concerning its practice of collecting dossiers on consumers. The Electronic Privacy Information Center (“EPIC”), a public research organization based in Washington, D.C., has also filed a complaint with the FTC alleging that DoubleClick had engaged in unfair and deceptive trade practices and asked that, among other things, DoubleClick be prohibited from collecting personal information using cookies without an individual’s informed consent. EPIC also asked that DoubleClick be assessed significant civil penalties.

In the wake of the lawsuits and investigations, DoubleClick backtracked and decided to postpone any plans for merging consumer data with its tracking data. DoubleClick also admitted that it had made a mistake by planning to merge names with anonymous user activity across the Internet in the absence of the establishment of government and industry privacy guidelines and standards. In an effort to ease consumer concerns, DoubleClick has created a website, PrivacyChoices.com, to educate the public and provide consumers with information about available online privacy resources including EPIC, the FTC, and a number of other organizations and privacy groups. In conjunction with this educational effort, DoubleClick is also spending $2 million on an advertising campaign to help rebuild its battered public image.

B. The Children’s Online Privacy Protection Act

While state and federal statutes exist to protect consumers from the unauthorized distribution of personal information including their bank records, video rental history, and private, personal facts, the Children’s Online Privacy Protection Act, 15 U.S.C. § 6501 et seq., passed in 1998 and set to go into effect in April 2000, protects against the collection and use of personal information from children up to the age of thirteen. Website operators, both commercial and non-commercial, would be required, by law, to post their privacy policies providing notice of the information collected, how that information is used, and how it is disclosed. Website operators also would be required to obtain parental consent for the collection, use, or disclosure of personal information prior to the collection of that information from children. The Act would thus require operators to take reasonable precautions to ensure the confidentiality, security, and integrity of collected information. This is the first piece of federal legislation specifically designed to offer broad protection for online privacy, and is consistent with state and federal policy of protecting children, who are at special risk due to the ease with which personal information may be gathered about them online.

IV. Spam

Electronic mail also has the significant potential to invade a user’s privacy. Using methods that range from conventional (such as purchasing e-mail address lists) to unconventional (such as using computer programs to harvest e-mail addresses from service provider computers), Internet advertisers and e-commerce websites may obtain the e-mail addresses of Internet users. Electronic mailboxes may then be bombarded with mail; millions of pieces of junk e-mail are sent every day across the Internet. While in some instances users may opt out of receiving such junk mail, in most cases the junk mail is unwanted and unavoidable. One of the first and most famous cases of Internet “spam,” bulk quantities of unsolicited electronic messages, was the widely publicized case of the Arizona husband and wife attorneys Canter & Siegel who, in 1994, deluged Internet news groups with notices regarding a green card lottery. Canter & Siegel’s actions have earned them much ire in the Internet world as the first large-scale spammers.

Commercial spam e-mail is much like physical junk mail. But because for most people an e-mail address is more personal than a physical mailbox, many Internet users feel that spam impinges on their seclusion and privacy. However, no statutes or court decisions have declared any right of privacy in e-mail.

Though it is a very inexpensive vehicle for commercial advertisers to reach many potential customers, spam has a definite, significant aggregate cost to users and service providers in terms of both time and money. Users must spend time reading and deleting the messages, which is costly if the user is on a time-based service provider, and service providers must use a portion of their network resources to process the deluge of messages. If enough messages are sent, the computer networks carrying the messages may even crash, costing consumers usage time and damaging the reputation of service providers. Because service providers are private entities, they have prevailed against First Amendment challenges to their denial of access to senders of unsolicited bulk e-mails. See the leading case of Cyber Promotions, Inc. v. America Online, Inc., 948 F.Supp. 436 (E.D. Pa. 1996).

A. State and Federal Responses to Spam

While state and federal statutes exist to prohibit the delivery of unsolicited faxes, state and federal governments have not been as quick to act on spam. Currently, only five states, including Maryland, have passed laws that restrict the transmission of unsolicited commercial e-mail, and others, including New York, have proposed Internet privacy legislation. See Md. Code Ann. Art. 27, § 555C. These statutes generally prohibit fraudulent messages, which include both messages that contain deceptive content and messages that are technically fraudulent, with false domain names or return e-mail addresses. By and large, the statutes also set requirements as to the form of the advertisements.

Maryland’s anti-spam law is primarily an anti-obscenity law, different from the laws in the other states that have enacted anti-spam legislation (California, Nevada, Virginia, and Washington). Maryland’s law criminalizes e-mail sent with an intent to harass, or the sending of lewd, lascivious, or obscene material. The law may also be interpreted to cover the bombardment of commercial advertisement e-mails, but there have not yet been any reported decisions under Maryland’s anti-spam law.

State anti-spam statutes were dealt a blow in court when, on March 14, 2000, a state court judge ruled that Washington state’s anti-spam law violates the U.S. Constitution in the case of Gregoire v. Heckel. The Washington law was held to violate the interstate commerce clause of the Constitution because it is “unduly restrictive and burdensome,” hurting legitimate businesses more than it helps consumers. The law was enacted in 1998 as a result of service provider and consumer complaints, and it banned commercial e-mail that contains either fraudulent content or is technically fraudulent.

Currently, there are no federal statutes which directly address the issue of spam. H.R. 2162, introduced in the House on June 10, 1999, and known as the “Can Spam Act,” prohibits the use of the equipment of an electronic mail service provider to send unsolicited commercial electronic mail in contravention of the provider’s posted policy. This act puts the burden on Internet service providers to draw the line as to what uses will trigger the prohibition. The Act also contains a provision prohibiting the “unauthorized use of Internet domain names.” This section provides a criminal penalty for e-mail that is technically fraudulent and causes damage to a network. If enacted, this Act, by its terms, would preempt any state law regarding the fraudulent use of the domain name of another in sending e-mail.

B. Protecting Consumers Against Spam

In the absence of any new federal law on the subject of spam, courts have applied existing federal laws to restrict the transmission of fraudulent, unsolicited commercial e-mail. Section 5(a) of the Federal Trade Commission Act makes it unlawful for one to engage in “unfair or deceptive acts or practices in or affecting commerce.” The FTC has been active in prosecuting those sending fraudulent unsolicited commercial e-mail, filing its first lawsuit against a spammer in 1998. The Lanham Act, 15 U.S.C. § 1125(a), permits a cause of action for false designation of origin, which could apply to technically fraudulent e-mail. The Computer Fraud & Abuse Act, 18 U.S.C. § 1030, may also apply to spam, prohibiting the knowing transmission of harmful data to another computer without authorization and prohibiting the intentional access of a protected computer (e.g., to prevent the harvesting of e-mail addresses from service providers).

V. Self-Policing

A. The Ubiquitous Privacy Policy

The most successful actions in promoting consumer privacy on the Internet have taken the form of self-policing. Commercial websites have taken to using two tools to demonstrate their interest in protecting consumer privacy: the privacy policy and third-party privacy seals. Privacy policies, a prominent part of all major commercial websites, describe how a website gathers data, including personal information, and what the website does with that data. By reading a website’s privacy policy prior to giving any personal information, a consumer can make an informed choice with regard to what they can expect from a particular website. Third-party privacy seals represent to the public that a trusted third party, such as the Better Business Bureau or TRUSTe, has reviewed the website and its policies, to give assurance that the site has an acceptable privacy policy and is abiding by that policy. Ultimately, for sites with posted privacy policies and third-party privacy seals, the consumer’s knowing and voluntary disclosure of personal information may constitute an agreement between the consumer and the website on acceptable terms of use. This is especially true in cases where a consumer must click a button to accept the terms of a written privacy policy, much like shrink-wrap or click-wrap licenses, the validity of which has been upheld in court and is recognized in the Uniform Computer Information Transactions Act (UCITA).

B. The Power of Market Forces

There has been significant debate over who should be policing the Internet. While some argue that the government should administer and oversee the Internet, most Internet users feel that the Internet should be self-policing and self-regulating. When the Internet was a small community of a few thousand users, self-policing was not a problem; when the Internet is a community of a few hundred million, self-policing is much more difficult. If DoubleClick’s experience is any lesson, for the time being, consumers may still exert considerable influence upon privacy decisions through market forces. Similarly, a feature to be introduced in Intel’s Pentium III processor, unveiled in 1999, to allow websites to track users by real world identities met with a very negative reaction from the consumer public and privacy advocates. The feature was disabled by Intel, requiring users to opt-in to the feature for it to work. Market forces still play a significant role in shaping the constantly developing technology landscape.

The Clinton Administration’s Framework for Global Electronic Commerce, announced by President Clinton on July 1, 1997, is based upon principles that are intended to increase private sector leadership and reduce undue government restrictions on electronic commerce in an attempt to foster global e-commerce. This Framework endorses self-regulation with regard to privacy issues, and promotes the American market-driven approach to privacy. The FTC has been aggressive in trying to educate consumers and businesses about the importance of personal information privacy. In its most recent report dated July 13, 1999 entitled Self-Regulation and Privacy Online: A Report to Congress, the FTC concluded that, due to the self-regulatory initiatives of e-commerce industry leaders, legislation to address online privacy was not appropriate at the time of the report.

VI. Conclusion

There is no question that if America Online, for example, wanted to track and record every movement of every one of its twenty million-plus subscribers within its own system, it could! In the absence of statutes to prohibit and provide penalties for such practices, market forces will be the only deterrent that consumers wield against Internet-based invasions of privacy. Ultimately, it may be up to the lawmakers and courts to impose privacy protections in certain specific online business activities in the same way that they have addressed consumer privacy issues in the real world. The addition of discrete laws may be necessary to fill in the holes where market forces are insufficient to protect consumer privacy in specific situations. E-commerce has shown that it reacts swiftly to market forces, and in the long run, it will certainly play a key role in shaping the future of Internet standards for consumer privacy.


© 2000 Maryland State Bar Association, Inc. Originally published in the July/August 2000 issue of the Maryland Bar Journal. Reprinted with permission.