by CIO Staff

Ask the Expert: Attorney Joel Rothman Answers Internet Privacy Law Questions

Mar 15, 20016 mins

Joel Rothman, an attorney with Seiden, Alder, Rothman, Petosa & Matthewman, P.A., in Boca Raton, Fla., answered your questions regarding Internet privacy laws and what companies that collect data through the Internet should do to protect themselves. Henry Cooper, LLM, associate at Seidman, Alder, Rothman, also contributed to these answers.

Q: What liability do Web hosts have as a result of the Children’s Online Privacy Protection Act (COPPA)? Specifically, does a website operator have an obligation to block click-through ads to prevent kids’ data from being passed from their site to the advertiser? Could this new rule be interpreted to mean that anyone who receives e-mail from a person who declares his age as 13 or younger would have to contact the kid’s parents or risk a fine from the Federal Trade Commission?

A: Web hosts are exempt from liability under subsection (b) of COPPA. This provision exempts “Carriers and Other Service Providers” for liability for communications that are unlawful under this Act. A “Carrier and Other Service Provider” is defined as “a telecommunications carrier engaged in the provision of a telecommunications service; a person engaged in the business of providing an Internet access service; a person engaged in the business of providing an Internet information location tool; or similarly engaged in the transmission, storage, retrieval, hosting, formatting or translation (or any combination thereof) of a communication made by another person, without selection or alteration of the content of the communication.” Under this subsection, it is not considered an “alteration or selection” for a Web-hosting company or ISP to delete a particular communication or material made by another person in a manner consistent with subsection (c). A Web-hosting company has no obligation to remove or block the unlawful communication unless specifically ordered to do so by a U.S. court.

Q: An employee of mine has asked for a letter of indemnification from our organization. He is a network engineer who, in the duty of his job, has been asked to investigate and track down hackers or inappropriate behavior (for example, copyright infringement). As people’s privacy is at stake, he does not want to be held personally liable for doing his job and finger-pointing. There is always the possibility that the accused individual could take legal action on the engineer. What is the best course of legal action to protect both the organization and the engineer?

A: It is very important that your company institute an acceptable use policy for computers that states what kind of access is permitted on the company’s computer system, and that the employer has the right to monitor and restrict access to those resources. Also, a detailed privacy policy should be instituted so that the employee understands how much privacy he can reasonably expect in the workplace. The acceptable computer use policy should contain provisions outlining the company’s rules regarding access to online pornography, trademark and copyright issues, e-mail rules and other online activities that the company wants to restrict. The policy should be read and signed by each employee. Under the Electronic Communication Privacy Act, an employer has the right to investigate and view employee’s electronic communications for maintenance and security reasons. Under the Computer Fraud and Abuse Act, it is lawful for an organization to take measures to ensure the protection of its computer system. At your discretion, you may have an attorney draft an indemnification agreement between the network engineer and your company. The indemnification agreement would contain provisions that describe the specific situations in which your company will indemnify him from liability for his job duties.

Q: In Canada, is it legal to monitor what employees look at on the Internet, and are there particular rules?

A: An employers’ right to monitor and control both access to the Internet and the company’s e-mail system may raise concerns over an employee’s right to privacy. In the United States, the issue of privacy invasion is determined by balancing employees’ reasonable expectation of privacy against employers’ concerns in protecting their computer systems and minimizing the risk of liability. In Canada, the issue of employee privacy is the subject of a new law passed last year called the Personal Information Protection and Electronic Documents Act (PIPEDA). The Act applies whenever an employer collects, uses or discloses an employee’s personal information in connection with the operation of its business. Under PIPEDA, an employer may collect, use and disclose an employee’s personal information without the knowledge or consent of the employee–if the collection, use and disclosure of the personal information is to investigate a breach of a company agreement or policy, fraud or other violation of Canadian law. An employee who believes his rights were violated under the Act may seek damages against the employer by filing a complaint with the Privacy Commissioner of Canada.

Q: I work in the health-care industry, and I’m looking for a reference guide to online privacy laws by country (or region, like the European Union). Alternatively is there a listing that would show what you need to have in your privacy policy to meet requirements everywhere?

A: A standard, all-inclusive privacy policy does not exist because each privacy policy is tailored to the organization’s specific needs and the laws of the country where it is located. To my knowledge, there is no resource, whether offline or online, that contains a tabular reference indicating the online privacy laws by coutry or region. However, there are two websites that are extremely informative. FindLaw’s CyberSpace Law Center provides a comprehensive database containing information regarding online privacy. It is located at The website has hyperlinks to resources regarding online privacy law involving the health-care industry as well as the general workplace environment. Another website, Privacy and Human Rights: An International Survey of Privacy Laws and Practice (, contains a hyperlinked table of 50 countries. Each country’s hyperlink leads to a general discussion of that country’s online privacy law with footnotes to the legal authority.