Information Privacy Individual Action Plan

______

United States (2006)

APEC Principle Privacy Protection Scheme Provision2 Sanction3 Results/ /Commentary (legislation, rules, codes, Status4 frameworks, and other) 1 A Is privacy a constitutionally The United States Constitution has U.S. Constitution, Amendments 4, protected right in your been interpreted to provide 14. economy? protections against government infringement of certain privacy rights of individuals.

B If not, what other available In the United States, there are

1 Note here the legislation, rule, code, framework or other privacy protection scheme. Where possible please provide the URL for the website where the legislation or arrangement is available. 2 Insert the full text or summary of the provisions of your privacy protection scheme(s) that correspond to the APEC Privacy Principles identified in the column titled “APEC Principle/ Commentary”. 3 Sanctions should include the nature of the remedies available, the means by which they are obtained, and by whom (for example, government, local law enforcement, private right of action, etc.). 4 Identify areas where the practice and the intent of the principle need further consideration; and identify the status of the economies’ practice, for example enacted, introduced, draft. If your legislation, rule, code, framework or other privacy protection scheme is at the drafting or proposal stage and has not yet been enacted or implemented, please indicate here and provide any other useful comments." APEC Principle Privacy Protection Scheme Provision Sanction Results/ /Commentary (legislation, rules, codes, Status frameworks, and other) legislation deals with federal and state statutes and privacy or confidentiality of regulations that deal with personal personal information. information privacy and data security, both generally and on an industry-sectoral basis. In addition, there are self-regulatory frameworks that reflect the APEC privacy principles. The primary federal statutes, regulations, and an example of a self-regulatory framework governing the private sector’s collection, use [handling and disclosure] of personal [consumer] information are identified below.

1 I Preventing Harm The Fair Credit Reporting Act The FCRA protects consumer The FCRA provides for civil liability (Ref. Para. 14) (FCRA), 15 U.S.C. § 1681 et seq. information collected by consumer for willful and negligent noncompli- reporting agencies such as credit ance. The remedies for willful Recognizing the interests of bureaus, medical information noncompliance are more stringent. the individual to legitimate companies and tenant screening 15 U.S.C. §§ 1681n, 1681o. The expectations of privacy, services. By limiting the use of FCRA also provides for criminal personal information such “consumer report” information sanctions for obtaining consumer protection should be to certain “permissible purposes,” report information under false pre- designed to prevent the by requiring furnishers of customer tenses. 15 U.S.C. § 1681q. The misuse of such information. information to consumer reporting Act is enforced by federal and state Further, acknowledging the agencies to take steps to ensure authorities as well as private risk that harm may result the accuracy of that information, by litigants. It allows courts to im-pose from such misuse of limiting the scope of such penalties of up to $2500 per personal information, information, by requiring consumer knowing violation in actions brought 2

In addition, the FCRA provides specific protections to limit harm to consumers victimized by identity theft. For example, such consumers are permitted to require nationwide credit bureaus to insert a “fraud alert” in their files, and to block reporting of information that results from identity theft. 15 U.S.C. §§ 1681c-1, 1681c. Moreover, creditors and depository institutions must implement policies and procedures to identify and mitigate against identity theft. 15 U.S.C. § 1681m(e).

Disclaimer: This document does not purport to provide a complete picture of privacy protections available to consumers in the United States, as it does not include state laws; nor does it include all of the private sector-based regulatory mechanisms (such as enforced public declaration) that could apply in electronic commerce. In addition, the summaries included in this document are not necessarily comprehensive; nor do they include all applicable exceptions to general rules. They are not intended to be relied on as legal advice and should not be used as statements of law in the context of legal proceedings. Instead, readers should use these summaries as a starting point for determining how the U.S. approach to privacy reflects or corresponds to the APEC privacy principles or components thereof. APEC Principle Privacy Protection Scheme Provision Sanction Results/ /Commentary (legislation, rules, codes, Status frameworks, and other) The Gramm-Leach-Bliley Act The GLBA requires the FTC, along The GLBA is enforced by the (GLBA) , Subchapter I (Disclosure with the Federal banking agencies, respective governmental authorities of Nonpublic Personal Information) the National Credit Union responsible for oversight of the 15 U.S.C. § 6801 et seq. and Administration, the Securities and financial institutions, with residual Subchapter II, (Fraudulent Access Exchange Commission, the jurisdiction to the FTC. In enforcing to Financial Information) 15 U.S.C. Commodity Futures Trading their respective rules, the agencies § 6821 et seq., and implementing Commission and State Insurance may obtain a range of civil regulations at 16 C.F.R. Parts 313 Commissioners to issue regulations remedies, including, in the case of and 314 (FTC). (We only include ensuring that financial institutions the FTC, the full range of relief the citations to the FTC rule by way protect the privacy of consumers' available under Section 5 of the of an example. Citations to the personal financial information. Due FTC Act, including injunctive relief, comparable and consistent rules of to the sensitive nature of monetary remedies in the forms of each of the banking agencies and consumers’ financial information consumer redress and other regulators that enforce GLBA and the potential for significant disgorgement of illicit gains, and are not included. In addition to harm resulting from misuse of such other appropriate monetary relief. these rules, the four banking information, the GLBA and its 15 U.S.C. § 53(b); 15 U.S.C. §§ agencies issued additional implementing regulations protecting 6805, 6822. In addition, obtaining interagency guidance interpreting consumers’ financial information customer information by false the information security rules to reflect the “Preventing Harm” pretenses may carry criminal require banks to notify customers principle. 15 U.S.C. § 6801. penalties. 15 US.C. § 6823. The of information security breaches federal banking agencies may use involving their personal information. any remedy available under See Interagency Guidance on Section 8 of the Federal Deposit Response Programs for Insurance Act, 12 U.S.C. § 1818, Unauthorized Access to Customer including cease and desist orders, Information and Customer Notice, restitution, and civil money 70 Fed. Reg. 15736 (March 29, penalties. 2005).

The Federal Trade Commission Section 5 of the FTC Act conveys For violations of Section 5 of the Act (FTC ACT), 15 U.S.C. § 41 et. broad authority to the FTC to FTC Act, the FTC may obtain seq. combat “unfair and deceptive” injunctive relief, monetary remedies business practices. The FTC uses in the form of consumer redress this broad authority to protect and disgorgement of illicit gains, consumer privacy interests where and other appropriate equitable deceptive and unfair business relief. 15 U.S.C. § 53(b). The practices result in harmful privacy federal banking agencies also may violations. 15 U.S.C. § 45. enforce section 5 with respect to the entities they regulate under section 8 of the Federal Deposit Insurance Act. 12 U.S.C. § 1818.

Health Insurance Portability and HIPAA applies to “covered entities” Accountability Act (HIPAA, Pub. that are providers of care, payers of L. 104-191 §§ 262 & 264) claims, or clearinghouses that support those functions who engage in electronic claims transactions. HIPAA is implemented by several rules, including a Privacy Rule that permits disclosure of individually identifiable information for treatment, payment, and health care operations, but otherwise prohibits disclosures except as authorized by the Rule. Such disclosures must be limited to the 6

Communications Act of 1934 (as The Communications Act, as Under the Communications Act, a amended by the Cable enforced by the Federal person whose privacy rights were Communications Policy Act of Communications Commission violated by a telecommunications 1984 (CCPA) and the (FCC), protects the privacy of carrier may file a complaint with the Telecommunications Act of consumer information collected by FCC, 47 U.S.C. § 208, or seek 1996), 47 U.S.C. § 151 et seq. telecommunications carriers. It damages in federal court, 47 imposes a duty on every U.S.C. §§ 206, 551(f), but may not telecommunications carrier to pursue both remedies, 47 U.S.C. § protect the confidentiality of 207. The FCC has the power both customers’ personal information, to issue injunctions against 47 U.S.C. § 222(a), and limits the telecommunication carriers for power of such carriers to use or violations of the Communications disclose that information, 47 U.S.C. Act, and to fine them for failure to §§ 222(b)-(d), 551. obey such orders. 47 U.S.C. § 205. Moreover, any person who willfully and knowingly violates a provision of the Communications Act may be both fined and sentenced to imprisonment, 47 U.S.C. § 501. Finally, any person who willfully and knowingly violates a regulation made pursuant to the Communications Act may be fined.

TRUSTe Web Seal, EU Safe TRUSTe is an independent Prospective TRUSTe licensees are All of Harbor Seal, and Children’s California nonprofit that enables subject to a rigorous certification TRUSTe’s Privacy Seal Programs trust based on privacy for personal process that includes a privacy information on the Internet. comprehensive self-assessment, seal TRUSTe programs are intended to and review of their information programs prevent the collection and use of practices and Privacy Statement by are fully personal information without TRUSTe. Once licensed to post a operational appropriate notice and consent, TRUSTe privacy seal, companies . and thus to enhance consumer are subject to ongoing monitoring confidence in online commerce by by TRUSTe compliance staff. elevating the stature of companies TRUSTe thoroughly investigates that engage in best practices for consumers’ privacy complaints collection, use and sharing of against Licensees, as well as personal information. program violations TRUSTe uncovers through its compliance TRUST certifies and monitors web monitoring efforts. When site privacy policies and email violations are discovered, TRUSTe policies, monitors licensees’ imposes requirements to bring information practices, and Licensees back into compliance. addresses thousands of consumer Failure to meet those requirements privacy complaints every year. results in termination from the TRUSTe certifies companies to

TRUSTe’s Children’s Privacy Seal program is approved by the Federal Trade Commission as a Children’s Online Privacy Protection Act safe harbor program. TRUSTe also offers a safe harbor program under the U.S-E.U. Safe Harbor Framework that embodies all of the Framework’s Privacy Principles. TRUSTe’s Email Privacy Seal Program enables companies that engage in permission-based email marketing to post a seal on Web forms where they collect email addresses, assuring consumers they will not receive unsolicited

This summary focuses on the Program Requirements for the TRUSTe Web Seal, TRUSTe’s flagship program. All other TRUSTe seal programs reflect the Web seal Program Requirements and include additional requirements tailored to those respective Programs.

Note: The detailed Program Requirements for all TRUSTe Programs, and a complete description of the Watchdog Dispute Resolution Process, are available at www.truste.org.

2 II Notice The Fair Credit Reporting Act Consumer reporting agencies (Ref. Para. 15-17) (FCRA), 15 U.S.C. § 1681 et seq. obtain their information from creditors and other third parties and Personal information are not generally required to notify controllers should provide consumers beforehand. However, clear and easily accessible the FCRA provides for extensive statements about their consumer disclosures upon request practices and policies with by consumers. 15 U.S.C. § 1681g. respect to personal information that should include: 10

Disclaimer: This document does not purport to provide a complete picture of privacy protections available to consumers in the United States, as it does not include state laws; nor does it include all of the private sector-based regulatory mechanisms (such as enforced public declaration) that could apply in electronic commerce. In addition, the summaries included in this document are not necessarily comprehensive; nor do they include all applicable exceptions to general rules. They are not intended to be relied on as legal advice and should not be used as statements of law in the context of legal proceedings. Instead, readers should use these summaries as a starting point for determining how the U.S. approach to privacy reflects or corresponds to the APEC privacy principles or components thereof. APEC Principle Privacy Protection Scheme Provision Sanction Results/ /Commentary (legislation, rules, codes, Status frameworks, and other) Businesses that use consumer a) the fact that personal reports for employment purposes information is being must notify the consumer and collected; obtain authorization in advance. 15 U.S.C. § 1681b(b)(2). Creditors b) the purposes for which must provide a written notice personal information is advising consumers if they plan to collected; report negative information to credit bureaus. 15 U.S.C. § 1681s-2(a) c) the types of persons or (7). Risk-based pricing notices are organizations to whom required to consumers who receive personal information might credit on materially less favorable be disclosed; terms than a creditor’s other customers. 15 U.S.C. § 1681m(h). d) the identity and location All consumer report users must, of the personal information when they take adverse action controller, including based on a consumer report, information on how to provide the consumer with a notice contact them about their that identifies the consumer practices and handling of reporting agency. 15 U.S.C. personal information; §1681m. Before a company shares certain consumer e) the choices and means information with an affiliate, it must the personal information notify the consumer about the controller offers individuals sharing and give the consumer an for limiting the use and opportunity to opt out. 15 U.S.C. § disclosure of, and for 1681a(d)(2)(A)(iii). accessing and correcting, their personal information.

It may not be appropriate for personal information controllers to provide notice regarding the collection and use of publicly available information. The Gramm-Leach-Bliley Act The GLBA requires that financial (GLBA), Subchapter I (Disclosure institutions provide consumers with of Nonpublic Personal Information) notice of their privacy policies and 15 U.S.C. § 6801 et seq. the opportunity, generally, to opt out of the sharing of their information with third parties for marketing purposes. 15 U.S.C. § 6803; 16 C.F.R. 313.4, 313.5, 313.6; 313.13.

The Children’s Online Privacy The COPPA requires operators to Protection Act (COPPA), 15 post notice of their information U.S.C. § 6501 et seq; 16 C.F.R. practices on their Web site and 12

Health Insurance Portability and The HIPAA Privacy Rule requires Accountability Act (HIPAA), Pub. that covered entities provide L. 104-191 §§ 262 & 264) Privacy individuals with adequate notice in Rule, 45 C.F.R. Parts 160 & 164 plain language of the uses and disclosures of protected health information that the covered entity may make, the individual’s rights, and the covered entity’s legal duties with respect to protected health information. 45 C.F.R. § 164.520.

Communications Act of 1934 (as The Communications Act requires amended by the Cable that a telecommunication carrier Communications Policy Act of provide notice to its customers of 1984 (CCPA) and the their personal information privacy Telecommunications Act of rights prior to soliciting them for 1996), 47 U.S.C. § 151 et seq. approval in using that information to market services to them unlike those they already have. 47 C.F.R. § 64.2007(a), (f).

Moreover, the Act requires that cable operators in particular clearly 13

Controlling the Assault of Non- CAN-SPAM requires unsolicited Under CAN-SPAM, many federal Solicited Pornography and commercial e-mail messages to be agencies, including the FTC and Marketing Act (CAN-SPAM), 15 identified as solicitation and to the Department of Justice, certain U.S.C. §§ 7701-7713, applicable to include opt-out instructions and the law enforcement authorities, and commercial electronic e-mail sender's physical address. It Internet service providers, may file messages. prohibits the use of deceptive civil suits to halt unlawful 14

TRUSTe Web Seal License TRUSTE requires its A licensee’s failure to abide by its Agreement 9.0, Schedule A Licensees to maintain and Privacy Statement is a material (Program Requirements), abide by a comprehensive breach of the TRUSTe license Section III.D.1. web site Privacy Statement agreement, and may result in that is approved by termination (and publication of the Note: The License Agreement TRUSTe. The Privacy termination on the TRUSTe Web and Program Requirements are Statement must disclose site) and/or referral by TRUSTe to available at www.truste.org.) the Web site’s information appropriate law enforcement practices, including at a agencies. minimum:  What Personally Identifiable Information is collected through the site  The identity (including name, address and e-mail address) of the organization(s) that is collecting Personally Identifiable Information through the site;  How Personally Identifiable Information collected through the site is used;  With whom Personally Identifiable Information collected through the site is

Note: The detailed Program Requirements for all TRUSTe Programs, and a complete description of the Watchdog Dispute Resolution Process, are available at www.truste.org.

3 III Collection Limitation The Fair Credit Reporting Act Although the FCRA does not limit (Ref. Para. 18) (FCRA), 15 U.S.C. § 1681 et seq. collection, it limits what information may be included in a consumer The collection of personal report and furnished to users of information should be such reports. For example, certain limited to information that is dated information may not be relevant to the purposes of included in certain consumer collection and any such transactions. 15 U.S.C. § 1681c(a). information should be Also, the FCRA requires obtained by lawful and fair businesses that obtain any means, and where compilation of consumer

The Gramm-Leach-Bliley Act Under the GLBA, financial (GLBA), Subchapter I (Disclosure institutions must disclose in their of Nonpublic Personal Information) privacy notices each category of 15 U.S.C. § 6801 et seq. information collected from and about consumers. Financial institutions must follow their stated practices and may only disclose the information they collect as stated in the notice or as permitted by specified exceptions in the rule. 16 C.F.R. §§ 313.13- 313.15. In addition, companies that receive consumers' personal information from a financial institution may only use or disclose that information consistent with the purposes for which they received it. 16 C.F.R. §§ 313.11.

The Children’s Online Privacy COPPA prohibits conditioning a Protection Act (COPPA), 15 child’s participation in an activity on U.S.C. § 6501 et seq; 16 C.F.R. the child disclosing more personal 18

Health Insurance Portability and HIPAA does not generally limit Accountability Act (HIPAA), Pub. what information a covered entity L. 104-191 §§ 262 & 264) Privacy may collect from an individual. Rule, 45 C.F.R. Parts 160 & 164 However, it does require that when requesting protected health information from another covered entity, it must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. The “minimum necessary” standard also applies to using or disclosing, protected health information. 45 C.F.R. § 164.502.

Electronic Communications ECPA requires that any person, ECPA imposes civil liability. Court Privacy Act (ECPA), 18 U.S.C. § with certain exceptions, is may award damages, attorneys’ 2510 et seq. prohibited from intercepting fees and costs. Certain violations electronic communications without 19

TRUSTe Web Seal License TRUSTe requires that collection of Violation of the TRUSTe Program Agreement 9.0, Schedule A personally identifiable information Requirements may result in (Program Requirements), be transparent and fully disclosed termination (including revocation of Section III.D.2.b. in the Privacy Statement, and that privacy seal) and/or referral by individuals be given Opt-Out choice TRUSTe to appropriate for any uses of that information that government authorities. are unrelated to the purpose for which it was originally collected. The scope of the original purpose of collection must be reasonable to consumers.

Note: The detailed Program Requirements for all TRUSTe Programs, and a complete description of the Watchdog Dispute Resolution Process, are available at www.truste.org.

4 IV Use of Personal The Fair Credit Reporting Act The FCRA limits the use of Information (FCRA), 15 U.S.C. § 1681 et seq. consumer report information to (Ref. Para. 19) certain “permissible purposes” unless the consumer consents to Personal information different uses. 15 U.S.C. § collected should be used 1681b(a). Users of consumer

The Children’s Online Privacy The COPPA provides for use Protection Act (COPPA), 15 limitations in that it requires U.S.C. § 6501 et seq; 16 C.F.R. operators to send notice of and Part 312. obtain parental consent for the types of information collected and how it will be used or shared with third parties. The representations in an operator’s notice and the scope of parental consent are binding on the operator. 15 U.S.C. § 6502(b)(1); 16 C.F.R. §§ 312.3, 312.4, 312.5.

The Federal Trade Commission Under Section 5 of the FTC Act, the Act (FTC ACT), 15 U.S.C. § 41 et. FTC may hold companies to any seq. use limitations established by their privacy notices. Failing to abide by the representations made in a privacy notice is a “deceptive” business practice. Also, it is an “unfair” practice to change a privacy policy and then retroactively apply the new policy to information collected under the

The Drivers Privacy Protection The DPPA limits the use of Act of 1994 (DPPA), 18 U.S.C. § individuals’ information to certain 2721 et seq. “permissible purposes” unless the individual consents to different uses. 18 U.S.C. § 2721

Health Insurance Portability and The HIPAA Privacy Rule is mostly Accountability Act (HIPAA), Pub. a use limitation rule. While uses L. 104-191 §§ 262 & 264) Privacy and disclosures of protected health Rule, 45 C.F.R. Parts 160 & 164. information are permitted without consent for treatment, payment, or health care operations, other uses are divided into three categories: those for which authorization is required (opt in), those for which an opportunity to agree or object is required (opt out), and those for which an authorization or opportunity to object is not required. For those disclosures requiring authorization, the form and content of authorizations is specified. 45 C.F.R. § 164.506-14.

Communications Act of 1934 (as Under the Communications Act, a amended by the Cable telecommunications carrier may Communications Policy Act of only use or disclose the personal 1984 (CCPA) and the information of customers in order to 23

Controlling the Assault of Non- CAN-SPAM requires unsolicited Solicited Pornography and commercial e-mail messages to be Marketing Act (CAN-SPAM), 15 identified as solicitation and to U.S.C. §§ 7701-7713, applicable to include opt-out instructions and the commercial electronic e-mail sender's physical address. Senders messages. must honor requests to opt-out within 10 business days. 15 U.S.C. §7704.

Electronic Communications ECPA requires that any person, Privacy Act (ECPA), 18 U.S.C. § with certain exceptions, is 2510 et seq. prohibited from disclosing electronic communications without the consent of at least one party to the communication. 18 U.S.C. § 2511

Family Educational and Privacy With certain limited exceptions, Entities that violate FERPA are not Rights Act (FERPA), 20 U.S.C. § schools cannot disclose a student’s eligible for funding from the 1232g, applicable to all schools information without the student’s applicable program. that receive funds under an consent (or the parent’s consent if applicable program of the U.S. the student is a minor). 20 U.S.C. Department of Education. § 1232g(b).

TRUSTe Web Seal License TRUSTe requires that Violation of TRUSTe Program Agreement 9.0, Schedule A Licensees use Personally Requirements may result in (Program Requirements), Identifiable Information in termination (including revocation of Sections III.D.2.a-b,d. accordance with the privacy seal) and/or referral by Privacy Statement in TRUSTe to appropriate effect at the time the government authorities. information was collected. Licensees must give consumers “opt-out” choice (1) before Personally Identifiable Information collected through the site may be used for a purpose that is not related to the primary purpose for which it was collected and (2) before that information may be disclosed or distributed to third parties other than service providers the scope of use, disclosure or distribution deemed related to the primary 26

Note: The detailed Program Requirements for all TRUSTe Programs, and a complete description of the Watchdog Dispute Resolution Process, are available at www.truste.org.

5 V Choice The Fair Credit Reporting Act The FCRA allows the use of (Ref. Para. 20) (FCRA), 15 U.S.C. § 1681 et seq. consumer report information for employment purposes only with the Where appropriate, written authorization of the individuals should be consumer. 15 U.S.C. § 1681b(b) provided with clear, (2). In addition, it provides for the prominent, easily disclosure and use of consumer understandable, accessible report information other than for a and affordable mechanisms “permissible purpose” if the to exercise choice in consumer gives his or her consent. relation to the collection, 15 U.S.C. § 1681b(a)(2). The 27

The Gramm-Leach-Bliley Act The GLBA, generally, allows (GLBA), Subchapter I (Disclosure consumers to opt out of the sharing of Nonpublic Personal Information) of their information with third 15 U.S.C. § 6801 et seq. parties for marketing purposes. 15 U.S.C. § 6802(b); 16 C.F.R. 313.7, 313.10, cf. 313.13 (providing for a joint-marketing exception).

The Children’s Online Privacy The COPPA allows parents to Protection Act (COPPA), 15 withhold or withdraw consent for U.S.C. § 6501 et seq; 16 C.F.R. the collection, use or maintenance Part 312. of information about their child and a parent may give consent to the collection and use but withhold consent to the disclosure of information to third parties. 15 U.S.C. § 6502(b)(1); 16 C.F.R.

The Drivers Privacy Protection The DPPA provides for the Act of 1994 (DPPA), 18 U.S.C. § disclosure and use of individuals’ 2721 et seq. personal information other than for a “permissible purpose” if the individual gives his or her consent. 18 U.S.C. § 2721.

Health Insurance Portability and While the HIPAA Privacy Rule Accountability Act (HIPAA), Pub. permits disclosure for treatment, L. 104-191 §§ 262 & 264) Privacy payment, health care operations Rule, 45 C.F.R. Parts 160 & 164 and in certain other exigent circumstances without an individual’s consent, it also provides that individuals must opt- in to disclosure of psychotherapy notes and marketing, and affords an opportunity to opt-out of facility directories, disclosure to caregivers, and certain other uses. All other uses require individual consent.

Communications Act of 1934 (as Under the Communications Act, the amended by the Cable customer may consent to the Communications Policy Act of additional disclosure of his 1984 (CCPA) and the personal information by the Telecommunications Act of telecommunications carrier beyond 1996), 47 U.S.C. § 151 et seq. whatever disclosure is already 29

Video Privacy Protection Act Restricts businesses from (VPPA), 18 U.S.C. § 2710), disclosing personally identifiable applicable to businesses that rent, video rental or purchase records sell or deliver pre-recorded videos. without the consumer’s written consent. 18 U.S.C. § 2710(b).

TRUSTe Web Seal License TRUSTe requires that Violation of TRUSTe Program Agreement 9.0, Schedule A consumers be given “opt- Requirements may result in 30

Licensees must also include a valid postal address, and a functioning 31

Licensees that operate on-line directories or similar services must provide a process that individuals may use to opt out of having their Personally Identifiable Information posted there.

Note: The detailed Program Requirements for all TRUSTe Programs, and a complete description of the Watchdog Dispute Resolution Process, are available at www.truste.org.

6 VI Integrity of Personal The Fair Credit Reporting Act The FCRA includes accuracy Information (FCRA), 15 U.S.C. § 1681 et seq. requirements that apply to both (Ref. Para. 21) consumer reporting agencies and 32

State defamation laws. (Statutory Generally, state laws provide for and common law) tort claims for defamation -- an intentional false communication, either published or spoken, that injures another’s reputation or good name.

TRUSTe Web Seal License TRUSTe requires Violation of TRUSTe Program Agreement 9.0, Schedule A Licensees to take Requirements may result in (Program Requirements), reasonable steps when termination (including revocation of Section III.D.2.d. collecting, creating, privacy seal) and/or referral by maintaining, using, TRUSTe to appropriate disclosing or distributing government authorities Personally Identifiable Information to assure that this information is accurate, complete and timely for the purposes for which it is to be used.

Note: The detailed Program Requirements for all TRUSTe Programs, and a complete description of the Watchdog Dispute Resolution Process, are available at www.truste.org.

7 VII Security Safeguards The Fair Credit Reporting Act The FCRA mandates strong strong (Ref. Para. 22) (FCRA), 15 U.S.C. § 1681 et seq. 34

The Gramm-Leach-Bliley Act As required by the GLBA, relevant (GLBA), Subchapter I (Disclosure regulatory authorities have of Nonpublic Personal Information) promulgated standards for 15 U.S.C. § 6801 et seq. administrative, technical and physical safeguards to protect the security and confidentiality of 35

The Children’s Online Privacy Under the COPPA, operators must Protection Act (COPPA), 15 establish and maintain reasonable U.S.C. § 6501 et seq; 16 C.F.R. procedures to protect the Part 312. confidentiality and security of children’s personal information. 15 U.S.C. § 6502(b)(1)(D); 16 C.F.R. 312.8.

The Federal Trade Commission The FTC Act prohibits deceptive Act (FTC ACT), 15 U.S.C. § 41 et. data security practices, including seq. the failure to provide reasonable security for consumer information, in violation of a privacy policy or 36

The Drivers Privacy Protection The DPPA’s permissible purposes Act of 1994 (DPPA), 18 U.S.C. § provisions necessitate strong 2721 et seq. security safeguards. 18 U.S.C. § 2721.

Health Insurance Portability and The HIPAA Privacy Rule requires Accountability Act (HIPAA), Pub. covered entities to have in place L. 104-191 §§ 262 & 264) Privacy appropriate administrative, Rule, 45 C.F.R. Parts 160 & 164 technical, and physical safeguards to protect the privacy of protected health information. It specifically requires safeguards that reasonably protect the health information from intentional or unintentional use of disclosure in violation of the rule, and that limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure. 45 C.F.R. § 164.530. Communications Act of 1934 (as The Communications Act requires amended by the Cable that telecommunications carriers Communications Policy Act of have training and disciplinary 37

Note: The detailed Program Requirements for all TRUSTe Programs, and a complete description of the Watchdog 39

8 VIII Access and The Fair Credit Reporting Act The FCRA requires consumer Correction (FCRA), 15 U.S.C. § 1681 et seq. reporting agencies to disclose to (Ref. Para. 23-25) consumers all their file information upon request. 15 U.S.C. § Individuals should be able 1681g(a). In many cases, the to: disclosure is without charge. 15 U.S.C. § 1681j. In cases of a) obtain from the personal disputed accuracy, the FCRA information controller requires consumer reporting agen- confirmation of whether or cies to reinvestigate information not the personal information challenged by the consumer. 15 controller holds personal U.S.C. §1681i information about them; The Children’s Online Privacy COPPA provides parents with the Protection Act (COPPA), 15 right to review and delete the b) have communicated to U.S.C. § 6501 et seq; 16 C.F.R. personal information provided by a them, after having provided Part 312. child. 15 U.S.C. § 6502(a)(2) and sufficient proof of their (b)(1)(B); 16 C.F.R. 312.3(c) and identity, personal 312.6. information about them; Health Insurance Portability and The HIPAA Privacy Rule grants an Accountability Act (HIPAA), Pub. individual the right to access, L. 104-191 §§ 262 & 264) Privacy inspect, and obtain a copy of Rule, 45 C.F.R. Parts 160 & 164. protected health information about themselves in a designated record set with narrow exceptions. The custodian is permitted to charge a reasonable fee. An individual has

Disclaimer: This document does not purport to provide a complete picture of privacy protections available to consumers in the United States, as it does not include state laws; nor does it include all of the private sector-based regulatory mechanisms (such as enforced public declaration) that could apply in electronic commerce. In addition, the summaries included in this document are not necessarily comprehensive; nor do they include all applicable exceptions to general rules. They are not intended to be relied on as legal advice and should not be used as statements of law in the context of legal proceedings. Instead, readers should use these summaries as a starting point for determining how the U.S. approach to privacy reflects or corresponds to the APEC privacy principles or components thereof. APEC Principle Privacy Protection Scheme Provision Sanction Results/ /Commentary (legislation, rules, codes, Status frameworks, and other) i. within a reasonable time; the right to request amendment of protected health information held ii. at a charge, if any, that is by a covered entity in a designated not excessive; record set with certain exceptions. The individual has the right to a iii. in a reasonable manner; timely written denial, and has the right to submit a statement of iv. in a form that is generally disagreement that must be placed understandable; and, in the record and disclosed with the record. The covered entity may c) challenge the accuracy of include a rebuttal. information relating to them Communications Act of 1934 (as For cable operators in particular, and, if possible and as amended by the Cable the Communications Act provides appropriate, have the Communications Policy Act of for access to, and correction of, information rectified, 1984 (CCPA) and the personal information by customers. completed, amended or Telecommunications Act of 47 U.S.C. § 551(d). These deleted. 1996), 47 U.S.C. § 151 et seq. requirements also apply to open video systems. 47 C.F.R. § Such access and 76.1510. opportunity for correction should be provided except where: Family Educational and Privacy With certain limited exceptions, Rights Act (FERPA), 20 U.S.C. § schools must allow a student (or (i) the burden or expense of 1232g, applicable to all schools the parent if the student is a minor) doing so would be that receive funds under an the opportunity to review and unreasonable or applicable program of the U.S. challenge or correct school disproportionate to the risks Department of Education. records. 20 U.S.C. § 1232g(a). to the individual’s privacy in the case in question; TRUSTe Web Seal License TRUSTe Licensees must Violation of TRUSTe Program Agreement 9.0, Schedule A implement reasonable Requirements may result in 41

Note: The detailed Program Requirements for all TRUSTe Programs, and a complete description of the Watchdog Dispute Resolution Process, are available at www.truste.org.

9 IX Accountability The Fair Credit Reporting Act The FCRA provides for limited (Ref. Para. 26) (FCRA), 15 U.S.C. § 1681 et seq. accountability by requiring prospective users of consumer 42

Disclaimer: This document does not purport to provide a complete picture of privacy protections available to consumers in the United States, as it does not include state laws; nor does it include all of the private sector-based regulatory mechanisms (such as enforced public declaration) that could apply in electronic commerce. In addition, the summaries included in this document are not necessarily comprehensive; nor do they include all applicable exceptions to general rules. They are not intended to be relied on as legal advice and should not be used as statements of law in the context of legal proceedings. Instead, readers should use these summaries as a starting point for determining how the U.S. approach to privacy reflects or corresponds to the APEC privacy principles or components thereof. APEC Principle Privacy Protection Scheme Provision Sanction Results/ /Commentary (legislation, rules, codes, Status frameworks, and other) A personal information report information to certify the controller should be purpose for which they seek to accountable for complying acquire the consumer report with measures that give information and that they will use effect to the Principles the information only for that stated above. When purpose, and by prohibiting the personal information is to release of consumer report be transferred to another information by a consumer person or organization, reporting agency when information whether domestically or is sought for a non-permissible internationally, the purpose. 15 U.S.C. § 1681e. personal information controller should obtain the The Gramm-Leach-Bliley Act The GLBA creates accountability consent of the individual or (GLBA), Subchapter I (Disclosure for covered entities by requiring exercise due diligence and of Nonpublic Personal Information) them to ensure that their own take reasonable steps to 15 U.S.C. § 6801 et seq. affiliates as well as any third-party ensure that the recipient service providers with access to person or organization will customer information maintain protect the information appropriate safeguards. 16 C.F.R. consistently with these 314.2, 314.4. Principles. The Federal Trade Commission Under Section 5 of the FTC Act, Act (FTC ACT), 15 U.S.C. § 41 et. a business that shares consumer seq. information with a service provider is responsible for ensuring that the service provider treats the information in accordance with the laws applicable to the company that is sharing the information. 15 U.S.C. § 45. 43

The Drivers Privacy Protection The DPPA provides for limited Act of 1994 (DPPA), 18 U.S.C. § accountability by prohibiting state 2721 et seq. motor vehicle departments from disclosing an individual’s personal information outside of a permissible purpose and by requiring state motor vehicle departments to obtain a waiver from the individual before releasing the individual’s personal information for requests outside of the permissible purposes. Further, authorized recipients of personal information may not resell or redisclose the personal information outside of the permissible purposes except when the individual has consented and must keep records regarding any such resale or redisclosure. 18 U.S.C. §§ 2721(c), 2721(d).

Health Insurance Portability and Under the HIPAA Rule, a covered Accountability Act (HIPAA), Pub. entity must enter into agreements L. 104-191 §§ 262 & 264) Privacy with its business associates to Rule, 45 C.F.R. Parts 160 & 164. whom protected health information is disclosed requiring appropriate safeguards. Covered entities may be criminally and civilly liable for disclosures in violation of the 44

Controlling the Assault of Non- CAN-SPAM requires unsolicited Solicited Pornography and commercial e-mail messages to be Marketing Act (CAN-SPAM), 15 identified as solicitation and to U.S.C. §§ 7701-7713, applicable to include opt-out instructions and the commercial electronic e-mail sender's physical address. It messages. prohibits the use of deceptive subject lines and false headers in such messages. Senders include the originator of the message and the person whose product, service or website is promoted by the advertisement. 15 U.S.C. § 7702(16).

TRUSTe Web Seal License TRUSTe requires Licensees to Violation of TRUSTe Program Agreement 9.0, Schedule A obtain consumers’ Opt-Out consent Requirements may result in (Program Requirements), before Personally Identifiable termination (including revocation of Section III.D.2.b.2 and Program Information may be disclosed or privacy seal) and/or referral by Requirements Generally distributed to third parties other TRUSTe to appropriate than service providers. government authorities.

More generally, TRUSTe holds its Licensees strictly accountable for their disclosed information practices and for their actions related to TRUSTe Program Requirements. All Licensees are subject to rigorous ongoing 45

Note: The detailed Program Requirements for all TRUSTe Programs, and a complete description of the Watchdog Dispute Resolution Process, are available at www.truste.org.

C Network point of contact Federal Trade Commission: arrangements5 Markus Heyder, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580, U.S.A. Tel: 202 326-2644, [email protected];

Department of Health and Human Services: Maya Bernstein,

5 Please provide contact details such as name and/or title, address, telephone and email contacts. This information will not be published but will be made available to economies. 46

TRUSTe: Martha Landesberg, Director of Policy and Counsel, 1750 K Street, NW, Suite 1218, Washington, DC 20006. Tel: (202) 835-9751, [email protected];

Fran Maier, Executive Director & President, 685 Market Street, Suite 270, San Francisco, CA 94105. Tel: (415) 520-3418, [email protected].

-- // -