Privacy & Public Policy

A Georgia seventh-grader created a fake Facebook profile that defamed a classmate, according to this Wall Street Journal story.   In middle school fashion (I am not looking forward to parenting through this period), a boy created a fake Facebook profile of a female classmate, used a “Fat Face” app to alter her appearance and posted “false, profane, and ethnically offensive information” on the page.

The school found out, punished the boy with in-school suspension for two weeks and told his parents. At home, the boy was grounded for a week. Despite this punishment in school, the page stayed up for 11 months before Facebook finally took it down.

The girl’s family sued claiming the parents were negligent and contributed to the girl’s suffering.  Parents have money and insurance and make a better target than a seventh-grader in a lawsuit for damages.  The trial court dismissed the negligence claims against the parents in a summary judgment ruling.

On appeal, the court upheld the dismissal of the claims related to the original creation of the fake profile, but wrote:

Given that the false and offensive statements remained on display, and continued to reach readers, for an additional eleven months, we conclude that a jury could find that the [parents’] negligence proximately caused some part of the injury [the girl] sustained from [the boy’s] actions (and inactions).

You can read the full opinion here.

The court noted:

During the 11 months the unauthorized profile and page could be viewed, the Athearns made no attempt to view the unauthorized page, and they took no action to determine the content of the false, profane, and ethnically offensive information that Dustin was charged with electronically distributing. They did not attempt to learn to whom Dustin had distributed the false and offensive information or whether the distribution was ongoing. They did not tell Dustin to delete the page. Furthermore, they made no attempt to determine whether the false and offensive information Dustin was charged with distributing could be corrected, deleted, or retracted.

Georgia law is similar to the law in many states — parents are not simply liable based on the parent-child relationship.  Usually, there has to be some liability based on the parents’ alleged failure to supervise or control their child where there is a foreseeability of harm. Applying this standard the court wrote:

The [parents] contend that they had no reason to anticipate that [son] would engage in that conduct until after he had done so, when they received notice from the school that he had been disciplined for creating the unauthorized Facebook profile. Based on this, they contend that they cannot be held liable for negligently supervising [son]’s use of the computer and Internet account. The [parents]’ argument does not take into account that, as [son]’s parents, they continued to be responsible for supervising [son]’s use of the computer and Internet after learning that he had created the unauthorized Facebook profile.

This appears to be the first published opinion dealing with parental liability for a child’s online behavior.  I have dealt with this issue at the trial court level, but usually resolve the issues rather than force minors to go through a public trial and discovery.  The unfortunate aspect is the case returns to the trial court and continues.  If only there were a teachable moment.

Stealing a theme from Morrison & Foerster’s Socially Aware blog post entitled “Forced to Cyber-Spy” about the case, when your kids complain that you don’t give them any privacy online – you can tell them that until they pay the homeowners’ premiums or the lawyers, you get to monitor their social media use.

The Texas Court of Criminal Appeals ruled in an 8-1 decision yesterday that the “Improper Photography and Visual Recording Act” is facially unconstitutional. The case involved a guy who allegedly took pictures of kids at a water park. You can read more here.

Before you say, you are not a creepy person taking pictures of random kids and therefore don’t agree or don’t care, if you believe photography is art protected by the First Amendment, you should care.

The Facts of the Case

The law provides, in relevant part:

 A person commits an offense if the person:

 (1) photographs or by videotape or other electronic means records . . . a visual image of another at a location that is not a bathroom or private dressing room: 

(A) without the other person’s consent; and

(B) with intent to arouse or gratify the sexual desire of any person.

Ronald Thompson was charged with twenty-six counts. Each count of the indictment alleges that appellant, “with intent to arouse or gratify the sexual desire of THE DEFENDANT, did by electronic means record another . . . at a location that was not a bathroom or private dressing room.”

We can all agree — creepy.

The Ruling

The first issue the court wrestled with was whether photography was conduct (subject to regulations) or speech protected by the First Amendment like other forms of art. The court found that pictures, even bad ones, are expressive and therefore are subject to First Amendment scrutiny. The court continued, “the process of creating the end product cannot reasonably be separated from the end product for First Amendment purposes” so the act of taking a picture is also subject to First Amendment scrutiny.

The state reasoned, however, that the law regulates intent and therefore, even if considered speech, it can be regulated just like incitements to riot, threats or scams.  The court responded:

Sexual expression which is indecent but not obscene is protected by the First Amendment . . .  Of course, the statute at issue here does not require that the photographs or visual recordings be obscene, be child pornography, or even be depictions of nudity, nor does the statute require the intent to produce photographs or visual recordings of that nature. Banning otherwise protected expression on the basis that it produces sexual arousal or gratification is the regulation of protected thought, and such a regulation is outside the government’s power.

The court then found the law “penalizes only a subset of non-consensual image and video producing activity—that which is done with the intent to arouse or gratify sexual desire” meaning it was a content-based regulation.  As I can hopefully teach my Media Law students (hint for the test), when there is a content-based law, it is subject to a strict scrutiny analysis which means a regulation of expression may be upheld only if it is narrowly drawn to serve a compelling government interest.  A regulation is “narrowly drawn” if it uses the least restrictive means of achieving the government interest.

Like most other laws subject to a strict scrutiny test, this one failed, too.  It was not narrowly drawn.

The Takeaway

Although well-intentioned, the law simply covered too much. This law would allow a police officer to ask every photographer taking pictures of people in public what their intent was. If I was taking pictures of my kids at the park, the police could ask me why. If I am doing it to show how nice my city is, I am OK. If I am doing it because I am creepy, it is against the law.

As the court noted:

The statutory provision at issue is extremely broad, applying to any non-consensual photograph, occurring anywhere, as long as the actor has an intent to arouse or gratify sexual desire. This statute could easily be applied to an entertainment reporter who takes a photograph of an attractive celebrity on a public street.

Having the police govern the intent of our photographs is not sustainable.

I am guessing our readers are not going to run out now and start taking creepy pictures because of this ruling.  But, it is comforting to know photographs are protected speech, the taking of photographs is subject to First Amendment analysis and the government does not have the right to ask me why I am taking pictures of people in public places.

With that said, we may not be thrilled about this guy. If he crosses the line, he could still get in trouble for child pornography, invasion of privacy, unauthorized use of likeness or other wrongs if he actually harmed any of the people he photographed or used them commercially.

Our Constitutional protections, however, often protect the people on the edges so the rest of us know we are secure. Although the police may not be able to ask his intentions, if this guy is taping my kids at the park, I still can.

You can read the opinion here.

This weekend The Houston Chronicle reported Facebook did not turn over information requested by local authorities in response to death threats.  People have been criticizing social media companies for turning over data to government entities.  This time Facebook demanded a court order and now people are upset.  It shows how it is a difficult situation for online companies and sometimes they are damned if they do and damned if they don’t.

According to the article, a Facebook message said a user was “Going to kill everyone in Splendora on July 13th.”  Local officials asked Facebook for information, but the site told them to come back with a court order.  According to Facebook, the government officials never did.

A Facebook spokesperson is quoted as saying:

We promptly review and respond to all emergency requests. In this case, we reviewed the matter and asked the police to send us legal process or a court order for the requested information. The police have yet to send us any formal request.

 According to Facebook, on their Facebook and Law Enforcement page:

 We take the privacy of your information very seriously. If Facebook receives an official request for account records, we first establish the legitimacy of the request. When responding, we apply strict legal and privacy requirements. . . .

We work with law enforcement to help people on Facebook stay safe. This sometimes means providing information to law enforcement officials that will help them respond to emergencies, including those that involve the immediate risk of harm, suicide prevention and the recovery of missing children. We may also supply law enforcement with information to help prevent or respond to fraud and other illegal activity, as well as violations of the Facebook Terms.

This appears to be a Not In My Backyard situation online.  We all want Internet privacy, but when we perceive the threat is against our community, our principles get challenged.

I don’t believe the demand for a court order was out of line.  I am sure the law enforcement officials would have preferred just to be handed the information.  I stand to be corrected by those more familiar with criminal law procedure, but getting an appropriate order from a judge should not have been too onerous.  Although Facebook did not apparently turn over the information right away, I suspect this is not over and the investigation will continue.

UPDATE

A suspect has been taken into custody according to KHOU-TV11 after some unspecified cooperation from Facebook.  A 13-year-old girl is surely regretting her actions.

 

This morning, the U.S. Supreme Court ruled in a 6-3 decision that Aereo violates copyright law by retransmitting over-the-air programming without authorization.  This will shut down the controversial start-up or force them back to the drawing board to come up with a new system.  The sound you heard was a huge sigh of relief of all over-the-air networks, cable carriers and content creators because this would have caused everyone to re-evaluate how programming is broadcast, and more importantly, paid for.

For those not familiar with Aereo, it essentially allowed users to “rent” an antenna that would pick up a signal at a certain point. Aereo would then take that over-the-air signal and send it to the user’s phone so they could stream the content from their phones.

The issue was whether this was a “public performance” of the copyrighted works. Aereo said it was not because the users could receive the same content for free if they had antennas attached to their TV at home. Aereo merely re-transmitted the same content to allow users to access it on their phone privately.

The networks sued Aereo almost as soon as it launched in 2012.  They argued the simultaneous broadcasts to thousands of paying customers represented an illegal retransmission of protected works — even if you called it renting an antenna.

Actually, everyone can give a sigh of relief. Had Aereo won, the broadcast networks said they would stop providing content. The cable companies pay the networks a lot of money to retransmit the over-the-air channels and this would have changed everything.

While this is a blow to Aereo and possibly innovation – at least through this specific model – the world as we knew it before Aereo will continue.

 

I’ll admit, General Mills did not go that far. What they did, according to The New York Times, was notify customers that if they downloaded a coupon, joined a forum or entered a sweepstakes, the customer would waive their right to sue in court and would have to go through an online “informal negotiation” or arbitration.

Since the story broke, General Mills is trying to backtrack.  For example, General Mills admitted it would not apply if you interacted with the company on Facebook or simply purchased one of its products at a store, but that the company could enforce it if you interacted on the company’s website.

However, there was a pop-up notice on the company’s home page that “require[s] all disputes related to the purchase or use of any General Mills product or service to be resolved through binding arbitration.”  Consumer watchdogs were concerned General Mills was trying to escape all liability for mislabeling claims or damages related to product recalls just because you “liked” a Facebook page or purchased a product at your local grocery.

In two recent cases, the Supreme Court has held related clauses to be enforceable. In June 2013, in American Express v. Italian Colors Restaurant, the Court enforced an arbitration clause between AmEx and the merchandisers. Two years before that in AT&T Mobility vs. Concepcion, the Court upheld a class action waiver.

Yet, there is still, and always will be, the issue of consent. When I buy Lucky Charms for my kids (I know, Dad of the Year), I am not consenting to a long list of terms and conditions. I am buying cereal. A court would be hard-pressed to find I consented to a long list of terms and conditions on the General Mills website. That would not be magically delicious in the least bit.

On the other hand, if I download a coupon, or enter a sweepstakes, I would not be surprised to have a pop-up that requires me to agree to terms and conditions no one reads. I might waive my rights to file a class action or a jury trial as it relates to that particular transaction.  In fact, I would not be surprised if this practice becomes more prevalent.

There may be some issues as to whether downloading a Cheerios coupon means I agreed to waive claims against Haagen Dazs in an unrelated transaction.

Despite the fact social media and the internet have made things a little more complicated and hard to keep up with, the basics of contract law still apply.  To bind a consumer, you need to show they consented to the terms which is why a click-wrap agreement is preferred over a browse-wrap agreement.  On top of that, especially when it comes to jury and class action waivers, you need to satisfy both procedural and substantive conscionability.

 

A frequent question we get is: what can we do about the online posting about me? Oftentimes, the answer is not much. Lawyers can only help when the online conduct crosses the line into a cognizable cause of action. Figuring that out is the hard part.

The Threatening or Harassing Post

Is there an ex spewing hate against you on Facebook? Is a disgruntled fan or customer telling the world what they would like to do to you? Many times, the First Amendment will protect their conduct. Sometimes, however, the law can help.

Take for example, a “fan” of the New York Knicks who suggested the owner of the team needed to die with posts that included naked pictures of the poster with a gun.  The police arrested him.

Sports often bring out the worst.  I’ve seen some of it with my own sports teams with the Michael Sam story and the question of whether the Houston Texans will use the first pick on Johnny Football.

Most fan rants are protected by the First Amendment, but threats of imminent harm or immediate calls to illegal actions are not. Jack Greiner of the Graydon Head Out of the Box Blog breaks down the law on threats versus free speech in this case here. The oversimplification is that if a reasonable person would believe the speaker has an intent to cause actual harm, then it can become a threat and not mere protected speech. Moreover, when the target of the threat is a sports figure or politician, it may not be realistic to think the person would actually act it out, but there are enough crazy people out there for law enforcement to take a close look at some of these cases.

In addition to threats, many states, like Texas, have online harassment laws. Perhaps your ex knows better than to make a physical threat, but continuously harasses you. In Texas, a person commits an offense if the person “uses the name or persona of another person to create a web page on or to post one or more messages on a commercial social networking site: (1) without obtaining the other person’s consent; and (2) with the intent to harm, defraud, intimidate, or threaten any person.”

It is also a crime to: “send[] an electronic mail, instant message, text message, or similar communication that references a name, domain address, phone number, or other item of identifying information belonging to any person: (1) without obtaining the other person’s consent; (2) with the intent to cause a recipient of the communication to reasonably believe that the other person authorized or transmitted the communication; and (3) with the intent to harm or defraud any person.”

Revenge Porn

The American Bar Association recently wrote an excellent article on revenge porn you can read here. For the uninitiated, revenge porn is when the ex publishes what were supposed to be private nude pictures for the world to see, often including full names, addresses, phone numbers and links to social media profiles. There is a whole cottage industry bubbling up of websites that encourage posters to provide this information.

As a victim, you can bring civil claims like invasion of privacy, intentional infliction of emotional distress and copyright claims if you took a selfie because the copyright usually belongs to the photographer and not the subject. But, these claims are expensive to bring and there are no guaranties because a lot of people blame the victim for having nude pictures in the first place.

Meanwhile, it is hard to sue the websites where these pictures are downloaded because Section 230 of the Communications Decency Act gives immunity to websites based on claims related to user generated content.

California passed a law last month that seeks to punish “Any person who photographs or records by any means the image of the intimate body part or parts of another identifiable person, under circumstances where the parties agree or understand that the image shall remain private, and the person subsequently distributes the image taken, with the intent to cause serious emotional distress, and the depicted person suffers serious emotional distress.”

Professor Goldman on his Technology and Marketing Law Blog points out the faults of the law which include: (i) it does not apply to selfies; (ii) it does not apply to redistribution or websites which could have Section 230 issues; and (iii) the difficulty in proving beyond a reasonable doubt the parties’ expectations of privacy or the intent of the accused.

While there are some class action lawsuits against some of the sites that encourage this behavior that we will keep an eye on, one of the best weapons may be to shine the light on the scum who engage in revenge porn using the same social media tools and then let the markets take care of the websites.

Civil Claims

Most of the examples so far deal with criminal complaints.  To do that, you need to get the D.A.’s attention.  What about a civil lawsuit?  What can you do if the police or the D.A. won’t act?

You can follow the lead of a woman who is suing Sprint for invasion of privacy, infliction of emotional distress and identity theft after a Sprint employee posted explicit pictures of the customer who turned in a phone for an upgrade.  You can read more about the case here.

Intentional infliction of emotional distress can be a tough case to prove and the invasion of privacy laws differ in each state.

Parents are also taking to the civil courts to address cyberbullying.


There has not been much activity on the blog because we have been engaged in a long copyright and misappropriation of trade secrets trial.  So, we share with you some of the articles we have been reading, but just haven’t had time to write about:

Bloggers entitled to same protections as journalists under the First Amendment. The Ninth Circuit recently applied libel defense protections normally reserved to the “institutional press” to bloggers, reasoning the First Amendment applies to all citizens and there has been a blurring of the lines between who is and who is not a journalist. You can read more about this important decision here.

We have our first Twibel verdict – no defamation in 140 characters.  In three hours, the jury returned a defense verdict saying Courtney Love did not libel her lawyers with a tweet that suggested her prior lawyers had been “bought off.”  The bad news is that during the trial Love stayed off of Twitter, and now, she is apparently back.  More here.

Yelp ordered to disclose identity of reviewers. A court ordered Yelp to reveal the identity of seven “anonymous” reviewers who criticized a dry cleaning business in Virginia. The business claimed the reviews are fakes and do not match any of their records. This is another example of how courts are trying to balance the interests of anonymous speech and a plaintiff’s right to combat defamatory speech. More here.

Parents take to the court to combat cyberbullying.  Locally, there has been a lot of attention about a lawsuit filed by one set of parents against seven minors and their parents for libel and negligence.   More here.

Will there be more transparency regarding government requests for online data? The Justice Department is relaxing the rules for technology companies like Google and Microsoft to disclose, in broad terms, the number of requests these companies receive from the government and the amount of data provided. Tech companies have long reported the number of requests from state and non-national security related requests from the federal government, but this will be the first time they can release general information related to national security letters. If the numbers are surprising, this could lead to even more push back against the government surveillance programs. More here.

Supreme Court to consider online re-broadcasting case. The U.S. Supreme Court will weigh in on the rights to re-transmit broadcast programs via the internet. Aereo receives over-the-air broadcasts the old-fashioned way in a warehouse and then sends them to paid subscribers’ devices. The broadcasters are arguing that Aereo is violating the “public performance” copyrights to the programming. Aereo says what they do is no different than the users receiving the digital signals on their own devices. Both sides wanted guidance from the high court and this is one worth watching. More here.

There is a new California privacy law that goes into effect January 1, 2014, that you need to know about.  It requires you to disclose how you respond, if at all, to do not track requests.  Because it applies to any website used by California consumers, you should make sure you are in compliance.

Earlier this year, California passed an amendment to the California Online Privacy Protection Act (CalOPPA) that will require online and mobile websites to disclose how they respond to “do not track” requests.

What are the new requirements for my relatively basic website?

If you have a basic website that merely retains IP addresses and basic information, it is not clear whether you need to change your policy.  Rather than live with the doubt, it makes sense to go ahead and comply with the new disclosures.

The ambiguity is there because the law only applies to use of personally identifiable information (PII).  If you aren’t keeping PII, then no need to worry.

So, what is PII?

The law defines PII as “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following: (1) A first and last name; (2) A home or other physical address, including street name and name of a city or town; (3) An e-mail address; (4) A telephone number; (5) A social security number; or (6) Any other identifier that permits the physical or online contacting of a specific individual.”

The California Attorney General says she defines PII as “any data linked to a person or persistently linked to a mobile device: data that can identify a person via personal information or a device via a unique identifier. Included are user-entered data, as well as automatically collected data.”

If the AG enforces the law in a way broader than the definition in the statute, an IP address would be covered by the statute. Therefore, we are recommending that almost all websites add the required disclosures rather than live with the ambiguity.

What do I have to disclose?

The amendment is about disclosure and not action.  You do not have to change your behavior and honor do not track requests — you simply have to disclose what you do about it.  It’s a middle ground that requires disclosures, but does not prevent advertisers from tracking or targeting ads or retaining and using any PII.

There is no magic language.  Although we recommend a more thorough review, you could add something like, “We do not currently respond or otherwise take any action with regard to Do Not Track requests.”

But I rely on my outside marketing firms. . .

The new law also applies if your site allows third parties such as ad networks to collect PII. You have “to disclose whether other parties” collect PII regarding a consumer’s “online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”  It means you also need to know what your marketing firms are doing.  If you have Google AdSense ads on your site or use the service yourself to place ads on other sites, you have to make the disclosure–not your outside marketing firm.

So, what if I don’t change?

If you violate CalOPPA, even if you are not based in California, the California Attorney General can bring a civil action against you or someone in California can bring a class action lawsuit against you. Granted, you will receive a notice of noncompliance and have 30 days to fix it, but why wait for the notice of noncompliance? Amend your privacy policies now, disclosing what you do, if anything, about do not track requests.

One of our more popular posts of the year was the recent Online Marketers’ Guide to Online Privacy. It focuses mostly on U.S. law with some mention of the E.U. Safe Harbor issues. The purpose of this post is to host information regarding international online privacy issues. If you know a good resource for a country not listed, let me know and I will update this periodically.

E.U. Regulations and Reforms

Reforms to the transfer of data from the E.U. to the U.S. may be coming.  You can also read here.

The importance of E.U. regulations for online business cannot be overstated. We will monitor these developments. In the meantime, know the basics and check out the Department of Commerce’s Safe Harbor website.

Other Countries

Brazil

Kazakhstan

Malaysia

Mexico

South Korea

Other valuable resources

Hunton & Williams’ Privacy and Information Security Law Blog

Baker Hostetler’s Data Privacy Monitor

The Electronic Frontier Foundation’s Deeplinks Blog

Hogan Lovells Chronicle of Data Protection

Let me know if I missed something and check back here later for details.

 

I’ve hesitated to write this post because the law is always changing and you can’t cover it all in one blog post (thank goodness for linking). I did a presentation to the Houston Interactive Marketing Association this week which forced me to boil it down to digestible bites. If I had to give you three simple rules they would be:

1. Disclose what you do in plain English;

2. Avoid storing or transmitting Personal Health Information if you can; and

3. Avoid marketing to minors if you can.

At the presentation, we identified the numerous laws and regulations marketers had to know about including at least COPPA, HIPAA, the FTC’s guidelines, Self Regulatory Organization Guidelines, Cal-OPPA and the EU Safe Harbor status.

COPPA

Regarding the Children’s Online Privacy Protection Act and marketing to minors, you should check out my five-part series here. COPPA only applies if you collect personal information from children under 13, but the determination of whether you market to minors is not as clear as you might think. Last year, the FTC allowed private companies to send in suggestions on how to satisfy the parental notification requirement. The FTC recently rejected the idea of using the social graph.

HIPAA

In September, there were changes to HIPAA – the law governing the privacy of health information.  If you are marketing for a medical practice or anyone that may retain Personal Health Information, unless you want to make medical a core business segment, you may want to avoid becoming what the law calls a “Business Associate.”  If you are a Business Associate, you have to comply with HIPAA and compliance can be a pain.

A Business Associate is defined as someone or a company that provides “consulting, data aggregation, management, [or] administrative . . . services” to or for a Covered Entity, where the provision of the service involves the disclosure of protected health information from the Covered Entity, or from another business associate of such Covered Entity, to the person.

So the issue becomes whether you store or otherwise have access to Personal Health Information.  Again, the analysis is not that simple.  See here.  You need to know both email and IP addresses are covered which is pretty basic information for online marketers.

The specifics of your marketing strategy will determine whether you need to be concerned.  The point of this blog post is to make you think about it.  Here is one marketer’s take on the issue.   If you do a lot of marketing work for medical practices, doctors or hospitals, you should confer with a good HIPAA lawyer.  If you have one medical practice as a client in an otherwise hearty stable of clients, you may want to consider whether that one client is worth the headaches and the risk.

The FTC

The Federal Trade Commission is the agency insisting you disclose, disclose and disclose. The FTC’s more recent focus has been on mobile including this report from February 2013.

The more recent interesting drama has come from the W3C group’s unsuccessful attempts to come up with some “Do Not Track” proposals.  The powerful Digital Advertising Alliance recently backed out leaving the ability of the W3C to promulgate suggestions in jeopardy.

Several years ago, the FTC urged private organizations to make some proposals.  I previously warned the industry needed to police itself or the government would make their own regulations and you can read my 5-part series on Do Not Track here.  For now, there is no Do Not Track law.  You can still do it – as long as you disclose what you are doing and don’t mislead people.  That was Google’s $17 million mistake.

You can read the DMA’s guidelines for online behavioral advertising, which is a pretty good place to start. For mobile, check out the NAI Code of Conduct.

In the meantime, Wyndham Hotels is challenging the FTC’s authority to enforce alleged misrepresentations regarding privacy in a case we are watching.  The court recently heard oral arguments on Wyndham’s motion to dismiss but no ruling has been made yet.

Cal-OPPA

That’s where California comes in and strikes a middle ground.  California did not ban tracking.  But, effective January 1, 2014, if you retain personally identifiable information of a Californian, you will have to disclose how you respond to Do Not Track requests.  I earlier posited that many companies will have to amend their privacy policies because of Cal-OPPA.

EU-Safe Harbor

Finally, there are the EU requirements on privacy. Generally speaking, the E.U. prohibits the transfer of personal data to non-European Union countries that do not meet the European Union “adequacy” standard for privacy protection as directed in the European Union Directive on Data Protection of 1995. The U.S. is not on that list.

Generally, to comply with existing E.U. guidelines you need to:

1. Give a notice of what you collect and what you do with it and how individuals can ask about it.

2. Give individuals the chance to opt-out of disclosure to third parties for reasons outside of the main purpose.

3. Ensure that the company to whom you transfer data also has adequate protections.

4. Provide users access to the data you have about them.

5. Initiate adequate security, data integrity and enforcement procedures.

If you deal with customers in Europe you should consider looking into the Commerce Department’s Safe Harbor provisions, which work like a Good Housekeeping Seal of Approval for dealing with the information of European consumers.

This post does not and cannot answer every question.  Hopefully, now, however, you realize you may need to think a little more about the law when you start storing information about visitors to websites.