The revolutionary pace with which our communications infrastructures and technologies have grown has truly made global access to information easier and more efficient. Yet the enormous advantages provided by electronic networking also present unprecedented threats to personal security and privacy.

More than at any other time in our history, it is now possible with relative ease to gather, link and sell information about organizations and governments, and to compile profiles of millions of individuals that include their most sensitive and personal data. The NYCLU believes that the privacy of an individual is directly affected by the collection, maintenance, use and dissemination of personal information by government agencies and the private sector.

Every day millions of people give away private data -- including information about medical conditions, home addresses, mortgage borrowing, stock purchases, household incomes and social security numbers -- often providing such facts without understanding the consequences until it is too late.

Without sufficient safeguarding of such information, we are all vulnerable to unwarranted, annoying and potentially dangerous snooping -- by governments, businesses, nosy neighbors and thieves.

Privacy protections have not kept pace with the information revolution, and the government and industry have relied on the promise of self-regulation in the digital environment despite consistent disapproval by the public and privacy advocates.

We recognize that from a business perspective such self-regulatory initiatives are financially appealing and require less expenditure of time and resources. However, we remain unconvinced that self-regulation by itself can provide an acceptable answer.

Indeed, the Federal Trade Commission in a recent report to Congress found that “[s]elf-regulation alone has not adequately protected consumer online privacy, and as a result legislation is now needed to supplement self-regulatory efforts and guarantee basic consumer protections...”

The NYCLU agrees that government must provide a minimum baseline of protection for private information. There must be a safety net for the most sensitive information and vulnerable populations -- and that safety net must include remedies for the violation of law.

We believe that the single most important issue is where the appropriate balance lies between the freedom of information and privacy. We believe that the proper balance should allow for the collection and use of information only when the consumer has given informed consent to both, and has reasonable means to control the accuracy and security of that information. Accordingly, we recommend that the following principles be incorporated into legislation:

  • Notice. Personal information should never be collected or given out without the knowledge and permission of the subject of such information. Consumers need to know the identity of the collector of their personal information, the intended uses of the information, and the means by which they may limit its disclosure. Users should be provided with a clearly articulated explanation of the site owner's privacy policy plainly stating the manner in which a site collects, uses, and protects data, and the choices it offers consumers to exercise rights in their personal information. This policy should be posted in a highly visible manner that is accessible before a user is required to disclose any information. The privacy policy should also explain whether the data will be shared with third parties or used for any purposes other than the stated purpose. The circumstances under which the most sensitive personal information, such as Social Security Numbers, can be collected should be limited, and that information should be non-transferable without express affirmative consent as to each such transfer.
  • Choice. Consumers should be given the opportunity to exercise choice with respect to whether and how their personal information is used, either by businesses with whom they have direct contact or by third parties. Consumers must be provided with simple, readily visible, available, and affordable mechanisms--whether through technological means or otherwise--to exercise this option. We believe that the best approach is to allow users to opt in if they consent to third-party sharing of their information or other secondary uses of the data. Organizations must inform users as to why they are collecting personally identifiable information and they may not reuse such information for any purpose other than the stated reason for which they receive user permission.
  • Security. Information that is collected with permission must be secure from intrusion and unauthorized browsing. Any information that is no longer being used for the stated purpose for which it is sought should not be retained. Companies creating, maintaining, using or disseminating records of identifiable personal information must take reasonable measures to assure its reliability for its intended use and must take reasonable precautions to protect it from loss, misuse, or alteration. The data should be accurate, complete, and current. Companies should also strive to assure that the level of protection extended by third parties to whom they transfer personal information is at a level comparable to their own.
  • Access. Users who provide consent to the collection of information must have the right to examine, copy, and correct their own personal information. Consumers should not have to pay to receive access to their information.
  • Enforcement. These principles should be enforceable by law. And no service, benefit or transaction should be conditioned on a user's waiving of his or her privacy rights.

Without a safety net for individual privacy, the damage that may ensue from improper disclosure of information may wreak financial havoc, cause the loss of employment or inflict tremendous emotional harm on individuals. These harms may be irreparable.

Consumers must be provided with information about what may be collected and how it may be used in order to make informed decisions on how to protect their privacy. Government regulation can assure a minimum level of protection for consumers in this rapidly growing information network.

The legislature is currently considering a variety of bills related to the issue of Internet privacy. A.9401, for example, provides standards for voluntary participation by websites, even while acknowledging that industry self-policing has not worked.

The NYCLU encourages legislators to consider the issues set forth in this memorandum in crafting appropriate legislation to assure consumers of certain basic privacy protections when they venture into the new world of the Internet.