Fair Information Practice Principles
© Cybertelecom
Derived From: NIST PII 2010 Sec. 2.3
"The Privacy Act, as well as other U.S. privacy laws, is based on the widely-recognized Fair Information Practices, also called Privacy Principles. The Organisation for Economic Co-operation and Development (OECD) Privacy Guidelines are the most widely-accepted privacy principles, and they were endorsed by the Department of Commerce in 1981. The OECD Fair Information Practices are also the foundation of privacy laws and related policies in many other countries (e.g., Sweden, Australia, Belgium). In 2004, the Chief Information Officers (CIO) Council issued the Security and Privacy Profile for the Federal Enterprise Architecture that links privacy protection with a set of acceptable privacy principles corresponding to the OECD's Fair Information Practices.
The OECD identified the following Fair Information Practices.
- Collection Limitation: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
- Data Quality: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
- Purpose Specification: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
- Use Limitation: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except with the consent of the data subject or by the authority of law.
- Security Safeguards: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
- Openness: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
- Individual Participation: An individual should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed, or amended.
- Accountability: A data controller should be accountable for complying with measures which give effect to the principles stated above."
"Privacy is much broader than just protecting the confidentiality of PII. To establish a comprehensive privacy program that addresses the range of privacy issues that organizations may face, organizations should take steps to establish policies and procedures that address all of the Fair Information Practices. For example, while providing individuals with notice of new information collections and how their personal information will be used and protected is central to providing individuals with privacy protections and transparency, it may not have a significant impact on protecting the confidentiality of their personal information. On the other hand, the Fair Information Practices related to establishing security safeguards, purpose specification, use limitation, collection limitation, and accountability are directly relevant to the protection of the confidentiality of PII."
Derived From: FTC Online Privacy Report June 1998: Fair Information Practice Principles
A. Fair Information Practice Principles Generally
Over the past quarter century, government agencies in the United States, Canada, and Europe have studied the manner in which entities collect and use personal information -- their "information practices" -- and the safeguards required to assure those practices are fair and provide adequate privacy protection. (27) The result has been a series of reports, guidelines, and model codes that represent widely-accepted principles concerning fair information practices. (28) Common to all of these documents [hereinafter referred to as "fair information practice codes"] are five core principles of privacy protection: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress.
The most fundamental principle is notice. Consumers should be given notice of an entity's information practices before any personal information is collected from them. Without notice, a consumer cannot make an informed decision as to whether and to what extent to disclose personal information. (29) Moreover, three of the other principles discussed below -- choice/consent, access/participation, and enforcement/redress -- are only meaningful when a consumer has notice of an entity's policies, and his or her rights with respect thereto. (30)
While the scope and content of notice will depend on the entity's substantive information practices, notice of some or all of the following have been recognized as essential to ensuring that consumers are properly informed before divulging personal information:
- identification of the entity collecting the data; (31)
- identification of the uses to which the data will be put; (32)
- identification of any potential recipients of the data; (33)
- the nature of the data collected and the means by which it is collected if not obvious (passively, by means of electronic monitoring, or actively, by asking the consumer to provide the information); (34)
- whether the provision of the requested data is voluntary or required, and the consequences of a refusal to provide the requested information; (35) and
- the steps taken by the data collector to ensure the confidentiality, integrity and quality of the data. (36)
Some information practice codes state that the notice should also identify any available consumer rights, including: any choice respecting the use of the data; (37) whether the consumer has been given a right of access to the data; (38) the ability of the consumer to contest inaccuracies; (39) the availability of redress for violations of the practice code; (40) and how such rights can be exercised. (41)
In the Internet context, notice can be accomplished easily by the posting of an information practice disclosure describing an entity's information practices on a company's site on the Web. To be effective, such a disclosure should be clear and conspicuous, posted in a prominent location, and readily accessible from both the site's home page and any Web page where information is collected from the consumer. It should also be unavoidable and understandable so that it gives consumers meaningful and effective notice of what will happen to the personal information they are asked to divulge.
The second widely-accepted core principle of fair information practice is consumer choice or consent. (42) At its simplest, choice means giving consumers options as to how any personal information collected from them may be used. Specifically, choice relates to secondary uses of information -- i.e., uses beyond those necessary to complete the contemplated transaction. Such secondary uses can be internal, such as placing the consumer on the collecting company's mailing list in order to market additional products or promotions, or external, such as the transfer of information to third parties.
Traditionally, two types of choice/consent regimes have been considered: opt-in or opt-out. Opt-in regimes require affirmative steps by the consumer to allow the collection and/or use of information; opt-out regimes require affirmative steps to prevent the collection and/or use of such information. The distinction lies in the default rule when no affirmative steps are taken by the consumer. (43) Choice can also involve more than a binary yes/no option. Entities can, and do, allow consumers to tailor the nature of the information they reveal and the uses to which it will be put. (44) Thus, for example, consumers can be provided separate choices as to whether they wish to be on a company's general internal mailing list or a marketing list sold to third parties. In order to be effective, any choice regime should provide a simple and easily-accessible way for consumers to exercise their choice.
In the online environment, choice easily can be exercised by simply clicking a box on the computer screen that indicates a user's decision with respect to the use and/or dissemination of the information being collected. The online environment also presents new possibilities to move beyond the opt-in/opt-out paradigm. For example, consumers could be required to specify their preferences regarding information use before entering a Web site, thus effectively eliminating any need for default rules. (45)
Access is the third core principle. It refers to an individual's ability both to access data about him or herself -- i.e., to view the data in an entity's files -- and to contest that data's accuracy and completeness. (46) Both are essential to ensuring that data are accurate and complete. To be meaningful, access must encompass timely and inexpensive access to data, a simple means for contesting inaccurate or incomplete data, a mechanism by which the data collector can verify the information, and the means by which corrections and/or consumer objections can be added to the data file and sent to all data recipients. (47)
The fourth widely accepted principle is that data be accurate and secure. To assure data integrity, collectors must take reasonable steps, such as using only reputable sources of data and cross-referencing data against multiple sources, providing consumer access to data, and destroying untimely data or converting it to anonymous form. (48)
Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data. (49) Managerial measures include internal organizational measures that limit access to data and ensure that those individuals with access do not utilize the data for unauthorized purposes. Technical security measures to prevent unauthorized access include encryption in the transmission and storage of data; limits on access through use of passwords; and the storage of data on secure servers or computers that are inaccessible by modem. (50)
It is generally agreed that the core principles of privacy protection can only be effective if there is a mechanism in place to enforce them. (51) Absent an enforcement and redress mechanism, a fair information practice code is merely suggestive rather than prescriptive, and does not ensure compliance with core fair information practice principles. Among the alternative enforcement approaches are industry self-regulation; legislation that would create private remedies for consumers; and/or regulatory schemes enforceable through civil and criminal sanctions. (52)
a. Self-Regulation (53)
To be effective, self-regulatory regimes should include both mechanisms to ensure compliance (enforcement) and appropriate means of recourse by injured parties (redress). (54) Mechanisms to ensure compliance include making acceptance of and compliance with a code of fair information practices a condition of membership in an industry association; (55) external audits to verify compliance; and certification of entities that have adopted and comply with the code at issue. (56) A self-regulatory regime with many of these principles has recently been adopted by the individual reference services industry. (57)
Appropriate means of individual redress include, at a minimum, institutional mechanisms to ensure that consumers have a simple and effective way to have their concerns addressed. (58) Thus, a self-regulatory system should provide a means to investigate complaints from individual consumers and ensure that consumers are aware of how to access such a system. (59)
If the self-regulatory code has been breached, consumers should have a remedy for the violation. Such a remedy can include both the righting of the wrong (e.g., correction of any misinformation, cessation of unfair practices) and compensation for any harm suffered by the consumer. (60) Monetary sanctions would serve both to compensate the victim of unfair practices and as an incentive for industry compliance. Industry codes can provide for alternative dispute resolution mechanisms to provide appropriate compensation.
b. Private Remedies
A statutory scheme could create private rights of action for consumers harmed by an entity's unfair information practices. Several of the major information practice codes, including the seminal 1973 HEW Report, call for implementing legislation. (61) The creation of private remedies would help create strong incentives for entities to adopt and implement fair information practices and ensure compensation for individuals harmed by misuse of their personal information. Important questions would need to be addressed in such legislation, e.g., the definition of unfair information practices; the availability of compensatory, liquidated and/or punitive damages; (62) and the elements of any such cause of action.
c. Government Enforcement
Finally, government enforcement of fair information practices, by means of civil or criminal penalties, is a third means of enforcement. Fair information practice codes have called for some government enforcement, leaving open the question of the scope and extent of such powers. (63) Whether enforcement is civil or criminal likely will depend on the nature of the data at issue and the violation committed. (64)
B. Application of Fair Information Practice Principles to Information Collected From Children
The fair information practice codes discussed above do not address personal information collected from children. They are, however, applicable to parents, in light of the special status that children generally have been accorded under the law. This status as a special, vulnerable group is premised on the belief that children lack the analytical abilities and judgment of adults. (65) It is evidenced by an array of federal and state laws that protect children, including those that ban sales of tobacco and alcohol to minors, prohibit child pornography, require parental consent for medical procedures, and make contracts with children voidable. In the specific arenas of marketing and privacy rights, moreover, several federal statutes and regulations recognize both the need for heightened protections for children and the special role that parents play in implementing these protections. (66)
1. Parental Notice/Awareness and Parental Choice/Consent
It is parents who should receive the notice and have the means to control the collection and use of personal information from their children. The Commission staff set forth this principle in a July 15, 1997 letter to the Center for Media Education. (67) In addition, the letter identifies certain practices that appear to violate the Federal Trade Commission Act:
(a) It is a deceptive practice to represent that a site is collecting personal identifying information from a child for a particular purpose (e.g., to earn points to redeem a premium), when the information will also be used for another purpose that parents would find material, in the absence of a clear and prominent disclosure to that effect; and
(b) It is likely to be an unfair practice to collect personal identifying information, such as a name, e-mail address, home address, or phone number, from children and to sell or otherwise disclose such identifying information to third parties, or to post it publicly online, without providing parents with adequate notice and an opportunity to control the collection and use of the information through prior parental consent.
This letter applies the Commission's Section 5 authority for the first time to the principles of notice and choice in the online collection of information from children. The principles set out in the staff opinion letter form an appropriate basis for public policy in this area.
To assure that notice and choice are effective, a Web site should provide adequate notice to a parent that the site wishes to collect personal identifying information from the child, (68) and give the parent an opportunity to control the collection and use of that information. Further, according to the staff opinion letter, in cases where the information may be released to third parties or the general public, the site should obtain the parent's actual or verifiable consent (69) to its collection. (70)
The content of the notice should include at a minimum, the elements described above, (71) but, in addition, should take into account the fact that online activities may be unique and unfamiliar to parents. Thus, a notice should be sufficiently detailed to tell parents clearly the type(s) of information the Web site collects from children and the steps parents can take to control the collection and use of their child's personal information. Where a Web site offers children interactive activities such as chat, message boards, free e-mail services, posting of home pages and key pal programs, it should explain to parents the nature of these activities and that children's participation enables others to communicate directly with them. Such notice empowers parents to monitor their children's interactions and to help protect their children from the risks of inappropriate online interactions.
2. Access/Participation and Integrity/Security
Since parents may not be fully aware of what personal information a site has collected from their child, the access/participation principle is a particularly important one with respect to information collected from children. To provide informed consent to the retention and/or use of information collected from their children, parents need to be given access to the information collected from their children, particularly if any of the information is collected prior to providing notice to the parent. The principle of integrity, which addresses the accuracy of the data, is also important for children's information. Parents have an interest in assuring that whatever information Web sites collect from children or have otherwise obtained about their children is accurate. This is particularly important in contexts that involve decisions that impact on the child or family, such as educational or health decisions. In addition, since children's information is considered to be a more sensitive type of information, sites should take the same steps identified above to assure that children's data is secure from unauthorized uses or disclosures.
27. Fair information practice principles were first articulated in a comprehensive manner in the United States Department of Health, Education and Welfare's seminal 1973 report entitled Records, Computers and the Rights of Citizens (1973) [hereinafter "HEW Report"]. In the twenty-five years that have elapsed since the HEW Report, a canon of fair information practice principles has been developed by a variety of governmental and inter-governmental agencies. In addition to the HEW Report, the major reports setting forth the core fair information practice principles are: The Privacy Protection Study Commission, Personal Privacy in an Information Society (1977) [hereinafter "Privacy Protection Study"]; Organization for Economic Cooperation and Development, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) [hereinafter "OECD Guidelines"]; Information Infrastructure Task Force, Information Policy Committee, Privacy Working Group, Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information (1995) [hereinafter "IITF Report"]; U.S. Dept. of Commerce, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information (1995) [hereinafter "Commerce Report"]; The European Union Directive on the Protection of Personal Data (1995) [hereinafter "EU Directive"]; and the Canadian Standards Association, Model Code for the Protection of Personal Information: A National Standard of Canada (1996) [hereinafter "CSA Model Code"]. Other sources relied upon herein include the FTC Staff Report and FTC Report to Congress/Reference Services.
28. Such principles can be either procedural or substantive. Procedural principles address how personal information is collected and used by governing the methods by which data collectors and data providers interact. These principles ensure that consumers have notice of, and consent to, an entity's information practices. Substantive principles, by contrast, impose substantive limitations on the collection and use of personal information, regardless of consumer consent, by requiring that only certain information be collected and that such information only be used in certain ways. Most of the principles discussed below are procedural in nature. One substantive principle widely adopted by the fair information practice codes, but not discussed below, is the collection limitation principle, which states that entities should only collect personal information necessary for a legitimate business purpose. See Privacy Protection Study at 513-15; IITF Report § II.A; CSA Model Code ¶ 4.4.
29. See, e.g., OECD Guidelines, Explanatory Memorandum ¶ 52; see also FTC Staff Report at 9.
30. While notice of a Web site's policies with respect to data integrity and security is critical to making an informed decision to reveal personal data, such notice is not a prerequisite to the implementation of security measures. The implementation of security measures lies solely in the hands of the entity collecting the information and requires no active participation from the consumer. Implementation of the principles of choice and access, by contrast, require consumer involvement and, therefore, are dependent on notice to be meaningful.
31. OECD Guidelines, Openness Principle & ¶ 12; FTC Staff Report at 9-10; EU Directive art. 10; CSA Model Code ¶ 4.8.2.
32. HEW Report at 62; Privacy Protection Study at 514; OECD Guidelines, Purpose Specification Principle & ¶ 9; IITF Report § II.B.; Commerce Report at 21; EU Directive art. 10; CSA Model Code ¶ 4.2; FTC Staff Report at 9-10. The corollary to identifying the purposes for data collection is that the data not be used for other purposes without the data subject's consent. See HEW Report at 61-62; OECD Guidelines, Use Limitation Principle & ¶ 10 and Explanatory Memorandum ¶ 55; IITF Report § II.D; EU Directive arts. 6-7; CSA Model Code ¶ 4.5.
33. EU Directive art. 10.
34. Commerce Report at 21.
35. HEW Report at 59; IITF Report § II.B; EU Directive art. 10. Several of the fair information practice codes recognize that a consumer's refusal to allow the further unrelated use of his or her personal information, beyond that which is necessary to complete the transaction at issue, should not form the basis for the denial of access to the good or service in question. See, e.g., Commerce Report at 25; CSA Model Code ¶ 4.3.3.
36. Privacy Protection Study at 514; IITF Report § II.B. As noted in endnote 30, notice of this type is not a prerequisite to insuring the confidentiality, integrity, and quality of data. However, when dealing with data considered by consumers to be particularly sensitive, information about the steps taken by the data collector is important to the consumer and may determine whether the consumer is willing to provide such data.
37. See FTC Staff Report at 9-10.
38. HEW Report at 58; CSA Model Code ¶ 4.8.2; EU Directive art. 10.
39. HEW Report at 58; EU Directive art. 10.
40. IITF Report § II.B.
41. Cf. CSA Model Code ¶ 4.8.2 (organizations should make available identity of individual accountable for organization's policies and to whom complaints can be forwarded).
42. Virtually every set of fair information practice principles includes consumer choice or consent as an essential element. HEW Report at 41, 61; OECD Guidelines, Collection Limitation Principle & ¶ 7 and Use Limitation Principle & ¶ 10; Commerce Report at 23-27; EU Directive arts. 7, 14; CSA Model Code, ¶¶ 4.3, 4.5; see also FTC Report to Congress/Reference Services at 22-23; FTC Staff Report at 10-11.
43. As noted in the FTC Staff Report, commentators have taken different views of the efficacy and wisdom of opt-in versus opt-out regimes. FTC Staff Report at 10-11; see also Commerce Report at 24-27 (proposing opt-in regimes for "sensitive information" and opt-out regimes for other information).
44. Indeed, technological innovations soon may allow consumers and collectors of information to engage in "electronic negotiation" regarding the scope of information disclosure and use. Such "negotiation" would be based on electronic matching of pre-programmed consumer preferences with Web sites' information practices. The World Wide Web Consortium ("W3C") is currently in the final stages of developing its Platform for Privacy Preferences Project ("P3P"), which will allow implementation of such technology. Consumers may have access to P3P by early 1999. For general information on P3P, see the W3C's Web site (http://www.w3.org/P3P).
45. A system requiring consumers to specify privacy preferences before visiting any Web sites can be built into Internet browsers. See supra note 44 (discussing technological developments). The absence of default rules, and the concomitant requirement that consumers decide how they want their personal information used, help ensure that consumers in fact exercise choice.
46. See HEW Report at 41, 59, 63; Privacy Protection Study at 508-13; OECD Guidelines, Individual Participation Principle & ¶ 13; IITF Report § III.B; EU Directive art. 12; CSA Model Code ¶ 4.9; FTC Report to Congress/Reference Services at 21-22. See also Fair Credit Reporting Act ("FCRA") §§ 609-11, 15 U.S.C. §§ 1681g-1681i (providing for consumer access to, and the right to correct inaccuracies in, consumer credit reports).
47. See HEW Report at 63; IITF Report § III.B; CSA Model Code ¶ 4.9; OECD Guidelines, Individual Participation Principle & ¶ 13 and Explanatory Memorandum ¶ 61; EU Directive art. 12; see also FTC Report to Congress/Reference Services at 21-22; FCRA § 611, 15 U.S.C. § 1681i.
48. HEW Report at 56-57; Privacy Protection Study at 521; OECD Guidelines, Data Quality Principle & ¶ 8 and Explanatory Memorandum ¶ 53; IITF Report § I.C; EU Directive art. 6; CSA Model Code ¶¶ 4.5.3, 4.6; see also FCRA §§ 605, 607(b), 15 U.S.C. §§ 1681c, 1681e(b).
49. OECD Guidelines, Security Safeguards Principle & ¶ 11 and Explanatory Memorandum ¶ 56; IITF Report §§ I.B, II.C; EU Directive art. 17; CSA Model Code ¶ 4.7; FTC Staff Report at 12. Physical security measures, such as guards, alarms, etc., may also be necessary in certain circumstances.
50. In implementing security measures, companies should be aware that security breaches directed at stored data -- i.e., information already received by the data collector -- often constitute greater threats to privacy than those breaches occurring during the transmission of sensitive data, such as credit card numbers, over the Internet. See, e.g., Linda Punch, The Real Internet Security Issue, Credit Card Management, Dec. 1997, at 65.
51. See HEW Report at 50 (calling for Code of Fair Information Practices that includes civil and criminal penalties, the availability of injunctive relief, and individual rights of action for actual, liquidated, and punitive damages); OECD Guidelines, Accountability Principle & ¶ 14 and Explanatory Memorandum ¶ 62 (accountability supported by legal sanctions); IITF Report § III.C ("envision[ing] various forms [of redress] including . . . informal complaint resolution, mediation, arbitration, civil litigation . . . ."); EU Directive arts. 22-23 (judicial remedy and compensation).
52. Cf. Privacy Protection Study at 33 (identifying voluntary compliance, statutorily-created rights enforceable through individual or government action, and centralized government mechanisms as means of implementing compliance).
53. The European Union ("EU") has recognized that self-regulation may in certain circumstances constitute "adequate" privacy protection for purposes of the EU Directive's ban on data transfer to countries lacking "adequate" safeguards. See EU Directive art. 25. The EU has noted, however, that non-legal rules such as industry association guidelines are relevant to the "adequacy" determination only to the extent they are complied with and that compliance levels, in turn, are directly related to the availability of sanctions and/or external verification of compliance. See European Commission, Directorate General XV, Working Document: Judging Industry Self-Regulation: When Does it Make a Meaningful Contribution to the Level of Data Protection in a Third Country? (1998) available at http://www.europa.eu.int/comm/dg15/en/media/dataprot/wp7.htm [hereinafter "Judging Industry Self-Regulation"].
54. Discussion Draft: Elements of Effective Self-Regulation for Protection of Privacy (1998) available at http://www.ecommerce.gov/staff.htm [hereinafter "Elements of Effective Self-Regulation"] (identifying consumer recourse, verification, and consequences as elements of an effective self-regulatory regime).
55. Id. Commission staff recently responded to a request from the Direct Marketing Association ("DMA") for an advisory opinion concerning whether the antitrust laws would permit it to require three things of its members: (1) to use the DMA's Mail Preference and Telephone Preference Services to honor consumers' requests to not be contacted by direct marketers; (2) to disclose to consumers how members sell or otherwise transfer personal information about those consumers to others; and (3) to honor consumers' requests that the members not sell or transfer their personal information. FTC Bureau of Competition staff advised the DMA of its conclusion that these requirements, as the DMA described them, would not harm competition or violate the FTC Act. Letter from Bureau of Competition Assistant Director to Counsel for the DMA, Sept. 9, 1997, available at http://www.ftc.gov/os/9710/dma.htm.
56. See Elements of Effective Self-Regulation.
57. FTC Report to Congress/Reference Services at 25-33. It is still too early to assess the success or efficacy of this plan, because its provisions are not mandatory on its signatories until the end of the year.
58. There may, alternatively, be a role for mechanisms to address practices affecting consumers as a group, such as industry or trade association ethics or screening committees that can resolve broader disputes.
59. See Elements of Effective Self-Regulation.
60. Several fair information practice codes suggest compensation for injuries as an important element of fair information practice. See HEW Report at 50 (calling for Code of Fair Information Practices that provides for actual, liquidated, and punitive damages); OECD Guidelines, Accountability Principle & ¶ 14 and Explanatory Memorandum ¶ 62 (accountability supported by legal sanctions); IITF Report § III.C ("envision[ing] various forms [of redress] including . . . informal complaint resolution, mediation, arbitration, civil litigation . . . ."); see also Judging Industry Self-Regulation at 5.
61. HEW Report at 50 (calling for Code of Fair Information Practices that includes civil and criminal penalties, the availability of injunctive relief, and individual rights of action for actual, liquidated, and punitive damages); OECD Guidelines, Accountability Principle & ¶ 14 and Explanatory Memorandum ¶ 62 (accountability supported by legal sanctions); IITF Report § III.C ("envision[ing] various forms [of redress] including . . . informal complaint resolution, mediation, arbitration, civil litigation . . . ."); EU Directive arts. 22-23 (judicial remedy and compensation).
62. Two sectoral privacy acts provide for the recovery of actual, liquidated, and punitive damages for violations. See Video Privacy Protection Act of 1988, 18 U.S.C. § 2710(c) (providing for award of actual damages or liquidated damages of not less than $2,500, punitive damages, attorney's fees, and equitable relief); Cable Communications Policy Act of 1984, 47 U.S.C. § 551(f) (providing for recovery of actual damages or liquidated damages of not less than $1,000, punitive damages, and attorney's fees).
63. HEW Report at 50; IITF Report § III.C (discussing regulatory enforcement and criminal prosecution as redress options); OECD Guidelines, Explanatory Memorandum ¶ 62 (referring to accountability supported by legal sanctions); EU Directive art. 24 (unspecified sanctions for violations of directive); see also CSA Model Code ¶ 4.10.3 (discussing regulatory bodies receiving complaints of violations of fair information practice).
64. IITF Report § III.C (redress should be appropriate to violation).
65. The Commission's Deception Policy Statement recognizes that children can be unfairly exploited due to their age and lack of experience. See Deception Policy Statement, appended to Cliffdale Associates, Inc., 103 F.T.C. 110, 179 n.30 (1984), citing Ideal Toy, 64 F.T.C. 297, 310 (1964). For example, the Commission's actions regarding the marketing of pay-per-call 900 number services to children recognize children as a vulnerable group in the marketplace. See Audio Communications, Inc., 114 F.T.C. 414 (1991) (consent order); Teleline, Inc., 114 F.T.C. 399 (1991) (consent order); Phone Programs, Inc., 115 F.T.C. 977 (1992) (consent order); Fone Telecommunications, Inc., Docket No. C-3432 (June 14, 1993) (consent order). The Telephone Disclosure and Dispute Resolution Act of 1992 prohibits advertising of such services to children under the age of 12, unless the service is a bona fide educational service. 15 U.S.C. §§ 5701 et seq.
66. The Federal Educational Rights and Privacy Act of 1974 (FERPA) gives parents of minor students the right to inspect, correct, amend, and control the disclosure of information in education records. 20 U.S.C. § 1232g (1988). The Department of Health and Human Services Policy for Protection of Human Research requires parental/guardian written consent for all DHHS-funded research that involves children as subjects. 45 C.F.R. §§ 46.401-46.409 (1995). The Telephone Disclosure and Dispute Resolution Act of 1992 expressly prohibits advertising of pay-per-call (e.g., 900) services, except bona fide educational services, to children under 12. 15 U.S.C. §§ 5701 et seq. (Supp. IV 1992). The Children's Television Act of 1990, among other things, requires television stations and cable operators to limit the amount of advertising during children's television programming. 47 U.S.C. § 303a(b) (Supp. V 1994).
67. See Letter from Jodie Bernstein, Director, Bureau of Consumer Protection, Federal Trade Commission, to Center for Media Education, July 15, 1997, available at http://www.ftc.gov/os/9707/cenmed.htm [hereinafter "staff opinion letter"]. Commissioner Azcuenaga did not endorse all of the analyses and conclusions in the staff opinion letter.
68. Providing notice to parents raises some implementation issues, but where the child and parent have separate e-mail addresses, notice could be provided to the parent by e-mail.
69. Mechanisms for obtaining actual or verifiable parental consent include having the parent: mail or fax a signed form downloaded from the site; provide a credit card number; or provide an electronic (digital) signature. An e-mail message submitted without a digital signature may not be adequate to assure parental consent, since a site operator has no means of knowing whether the message is from a parent or a child. This is particularly true because most children do not currently have their own e-mail addresses and instead share their parents' e-mail addresses. While electronic signatures may be the best solution in the future, they may not be widely available at this point. In the meantime, children's Web sites may need to adopt traditional consent mechanisms, such as written consent forms and credit card numbers.
71. See supra Section III.A.1.