Through their own analyses or the help of online advertising agencies, online businesses can track users’ buying, what they look at, how long they look at it, what the referring site was, what other sites were visited, the time of day they browse, and where they live, not to mention the detailed information the browser supplies voluntarily through registration and purchases. Indeed, the browsing public knows the threat of websites gathering their personal information. PriceWaterhouseCoopers found that nearly 77% of those surveyed said that the disclosure of personal details was a barrier to purchasing online. Another 48% stated they do not shop online because they do not trust web retailers. Twenty-seven percent of Internet users surveyed by CyberDialogue said they had abandoned an online purchase because of privacy concerns regarding the abuse of personal data. This apprehension and mistrust have not gone unnoticed by lawmakers. As a result, online businesses must now pay careful attention to an array of privacy laws.

Several federal laws affect privacy issues for online businesses. The Federal Trade Commission (FTC) Act, 15 U.S.C. 41 et seq., has only limited effect on online businesses. The FTC’s power under the FTC Act is generally to ensure that a website follows its own stated privacy policy. The FTC Act gives no power to the FTC to demand any specific privacy policy be followed or that any policy even be posted. The FTC does, however, use its wide-ranging power under Section 5 of the FTC Act to take action against “deceptive acts or practices.” It should be noted, though, that the FTC Act provides no right of legal action for individual consumers wishing to obtain damages for privacy policy violations by a website.

The Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. 6501 et seq., enacted in 1998, applies only to web sites that target children under 12 years old as users or have actual knowledge that information is being collected from a child. COPPA requires that such a web site post privacy policies describing what personal information it collects and what it may do with such information. The law further requires that the online operator get prior “verifiable parental consent” before collecting, maintaining, or disclosing information about the child. The law also provides a “safe harbor” for those web sites that act in compliance with a self-regulatory program approved by the FTC. Any online business that may be marketing toward children must be aware of COPPA and its requirements.

The Electronic Communications Privacy Act of 1986 (ECPA), 18 USC 2510 et seq. and 2701 et seq., also has application to certain web site practices. The ECPA prohibits the interception or disclosure of electronic communications. Although the ECPA provides an exemption for those who are parties to a communication, a web site that considers collecting or distributing information obtained via emails to its site or through monitoring forum or chat-room services it provides should be wary of the prohibitions of the ECPA. Merely posting a privacy policy that explains that users of the service implicitly consent to collection and disclosure of their communications may not be enough. To be certain, web sites should obtain specific consent from those parties involved directly with the communications.