Online Privacy Is a Business Issue

Online privacy is just a consumer and Web surfer issue. Right? Actually, that's absolutely wrong. It's a major issue for your business.

To the extent that your business has an online presence, you need to focus on online privacy issues to insure that your customers and potential customers are happy campers who trust you with their private information.

In Europe, it's a fair generalization to say that they take privacy issues a bit more seriously than Americans do. They seem to see it as a fundamental human right akin to the way we see free speech. American companies doing business in Europe certainly need to be extremely sensitive to European sensibilities and laws relating to privacy.

In the United States, we give lots of lip service to privacy issues, but the fact is that there are few laws regulating privacy. While financial services and health care have laws that directly impact them, most businesses don't. Still, I think there's a certain inevitability to more privacy laws in the U.S.

I know that I have conflicting feelings on the issue. As a business lawyer, I want to help my clients maximize the value of the customer information they have without breaking the law or finding themselves on the front page of a newspaper with an article telling the world that they have "misused" personal information.

I put "misused" in quotes to help make the point that it's not just about "illegal" use. After all, there aren't many ways to break American privacy law because we have so little law to break. Still, "misuse" as I'm using it can simply mean "offend your customer's sensibilities." You always want to be a good guy when it comes to privacy.

I don't know about you, but if I bought a personal item at an online pharmacy, I wouldn't be too happy knowing that my buying habits were being bought and sold like pork bellies.

Ultimately, privacy begs for comprehensive Federal legislation. The thought of the Internet having 50 differing laws on privacy is a potential regulatory nightmare for companies who have an Internet presence. The costs of compliance could be astronomical and it might even be impossible depending on what these 50 laws say.

I would hate to see a day when Web sites have to exclude potential customers from certain states because they can't or won't comply with the privacy laws of that particular state.

For years, many of us who have followed legislative developments in this area have thought that Federal legislation was just around the corner. With the change in administrations, it now looks increasingly less likely.

In an environment where Congress won't act, states have historically taken the lead with legislation that sometimes becomes the model for Federal legislation if it works or a failed test that other states or Congress improve upon when they do act.

Minnesota (I will be good here and avoid all Governor Ventura jokes although it is a tempting target for at least some sarcasm) recently passed an interesting privacy law. As a state law, it only directly affects Minnesota, but it does increase the visibility of the privacy debate.

One of the things this new law regulates is what it calls "Personally identifiable information (PII)." PII includes things like physical and e-mail addresses, telephone number, what goods and services you may have bought, and the online sites you have visited. It provides some detailed rules about how this information can be used.

The law also regulates commercial e-mail, which is often called "spam." This new law does things like prohibit a false return address on an e-mail. Personally, I find it hard to conjure up an argument in favor of a false return address. It's sort of like favoring pollution.

The law also requires that spam include "ADV" as the first characters of the subject line. Further, if the material is of a sexual nature (I don't know about you, but I hate it when my kids get that junk), then the subject line must start with "ADV-adult." These subject line requirements will make it easy for filters to discard this junk before you even see it. It's the e-mail equivalent of throwing out all your "bulk rate" mail without opening the envelope.

There are common sense (let's not forget that "law" is "common sense" as modified by the courts and legislature") exceptions to the subject line "ADV" rules. They include that the receiver consented to the message, and the sender and the receiver have a business or personal relationship.

One of the many interesting implications of a state law regulating the Internet is that businesses that aren't located in Minnesota may have to comply to the extent that they send e-mail into Minnesota. Now, what if you don't know where your receiver is located. After all, Joe8724@earthlink.net could be anywhere.

So, does that mean that you have to comply with Minnesota law for all your e-mail or risk penalties under Minnesota law? It's a good question without a clear answer. Some day courts will provide answers to the many questions raised by this new law. Let the litigation begin.

Research assistant is Patricia Echeverri.