Joel Rothman, an attorney with Seiden, Alder, Rothman, Petosa & Matthewman, P.A., in Boca Raton, Fla., answered your questions regarding Internet privacy laws and what companies that collect data through the Internet should do to protect themselves. Henry Cooper, LLM, associate at Seidman, Alder, Rothman, also contributed to these answers.
Q: What liability do Web hosts have as a result of the Children’s Online Privacy Protection Act (COPPA)? Specifically, does a website operator have an obligation to block click-through ads to prevent kids’ data from being passed from their site to the advertiser? Could this new rule be interpreted to mean that anyone who receives e-mail from a person who declares his age as 13 or younger would have to contact the kid’s parents or risk a fine from the Federal Trade Commission?
A: Web hosts are exempt from liability under subsection (b) of COPPA. This provision exempts “Carriers and Other Service Providers” for liability for communications that are unlawful under this Act. A “Carrier and Other Service Provider” is defined as “a telecommunications carrier engaged in the provision of a telecommunications service; a person engaged in the business of providing an Internet access service; a person engaged in the business of providing an Internet information location tool; or similarly engaged in the transmission, storage, retrieval, hosting, formatting or translation (or any combination thereof) of a communication made by another person, without selection or alteration of the content of the communication.” Under this subsection, it is not considered an “alteration or selection” for a Web-hosting company or ISP to delete a particular communication or material made by another person in a manner consistent with subsection (c). A Web-hosting company has no obligation to remove or block the unlawful communication unless specifically ordered to do so by a U.S. court.
Q: An employee of mine has asked for a letter of indemnification from our organization. He is a network engineer who, in the duty of his job, has been asked to investigate and track down hackers or inappropriate behavior (for example, copyright infringement). As people’s privacy is at stake, he does not want to be held personally liable for doing his job and finger-pointing. There is always the possibility that the accused individual could take legal action on the engineer. What is the best course of legal action to protect both the organization and the engineer?
Q: In Canada, is it legal to monitor what employees look at on the Internet, and are there particular rules?
A: An employers’ right to monitor and control both access to the Internet and the company’s e-mail system may raise concerns over an employee’s right to privacy. In the United States, the issue of privacy invasion is determined by balancing employees’ reasonable expectation of privacy against employers’ concerns in protecting their computer systems and minimizing the risk of liability.
In Canada, the issue of employee privacy is the subject of a new law passed last year called the Personal Information Protection and Electronic Documents Act (PIPEDA). The Act applies whenever an employer collects, uses or discloses an employee’s personal information in connection with the operation of its business. Under PIPEDA, an employer may collect, use and disclose an employee’s personal information without the knowledge or consent of the employee–if the collection, use and disclosure of the personal information is to investigate a breach of a company agreement or policy, fraud or other violation of Canadian law. An employee who believes his rights were violated under the Act may seek damages against the employer by filing a complaint with the Privacy Commissioner of Canada.