As your journey continues down the open highway, you begin to reflect upon modern day technology and how much easier your life has become since the creation of cell phones, Palm Pilots, zip passes, On-star (an on-board navigational system) and other modern conveniences. You quickly remind yourself how impossible life would be without these modern day marvels, never for a moment considering the detailed trail of personal information being left behind by these modern conveniences. This treasure trail of information informs interested parties as to who we are, where we live and work, where we go, what routes we take when do go somewhere, what radio stations we listen to, and a lot of other detailed information about our lives. Today, many government and private agencies track and collect this information and have created sophisticated databases detailing all of our movements and habits. The existence and exploitation of such personal data becomes even more troubling to one’s privacy rights when this information is later sold to others for commercial purposes without our consent, or in many cases even our knowledge that this data is being collected in the first place.

Although such data collection in the real world is troubling, it pales in comparison to the personal information collected about us daily in the world of cyber space. In today’s cyber world, every transaction, website visited, purchases contemplated, and other surfing habits are collected and recorded in a variety of databases. These tidbits of personal information are then collated and organized into detailed customer profiles informing others as to who we are, what we buy, what our likes and dislikes are, how we buy things, along with any other tidbit of personal information that one may have revealed on the internet.

What makes the collection and dissemination of this personal data so troubling is that currently no adequate legal remedies exist to prevent or control commercial entities from gathering and exploiting this personal information. The only measures in place to protect consumers are a patchwork of self-regulation, and common law torts.

By collecting this information, these commercial entities are able to create extremely accurate and personalized profiles containing intimate details about our individual habits. As if this wasn’t troubling enough, internet companies such as Double Click have taken steps to consolidate one’s online profile with the profile that already exists in our everyday lives detailing our annual income, where we live, what we do, our credit history, and now where we go. Not surprisingly, this type of personal information has become an integral part of the business model of every Internet Company, and in the case of Yahoo!, such comprehensive personal data has been estimated to be worth in excess of $4 Billion dollars. It is surprising to think that we currently have laws protecting others from knowing the movies we rent, but we have failed to act in protecting the exploitation on one’s personal privacy on the Internet.

In this paper I will begin by discussing the invasive uses of cookies to collect personal data about each of us, and how such invasive techniques have resulted in class action lawsuits against some of the Internet leaders in commerce. In Part II I will analyze the 10th Circuit Court of Appeals recent decision in U.S. West v. Federal Communication Commission ruling that the “opt-in” approach was to restrictive and violated the Plaintiffs right to commercial speech. In Part III, I will analyze why the industry’s attempt at self regulation failed and the different approaches to privacy legislation being taken at both the federal and state governments. In concluding this paper, I will advocate that Congress must incorporate an “opt-in” approach since that is the only honest way to ensure an individual’s privacy, and how Congress can still employ “opt-in” provisions in light of the 10th Circuit Court of Appeal’s decision. I will also argue in favor of implementing a user friendly disclosure requirement similar to ones presently required of credit cards that briefly summarize the agreed to terms of disclosure.

Over the past ten years the Internet has grown into a powerful medium with over 168 million users worldwide and approximately seventy-five percent of those users reside in North America. It is this unlimited market potential that attracted businesses and the evolution of electronic commerce, leading to predictions that last year’s electronic commercial transactions over the Internet are expected to have exceeded $350 billion in sales.

Once businesses recognized the market potential of the Internet, it wasn’t long before technology was utilized in its efforts to capture a larger market share for their products and services. In order to better serve its potential customers, web sites began to employ the use of “cookies”, which are small bits of data stored on an online user’s hard drive that record a user’s preferences and reveal these predetermined preferences whenever specific sites are accessed. In order to acquire better information about its customers, web sites would frequently entice its users to create user profiles in exchange for free e-mail, or other related services. This personal information allowed web sites to identify its customers and enhance that user’s experience by tailoring and personalizing their web sites in order to appeal to a particular user’s tastes.

Over time, businesses became more sophisticated in their exploitation of cookies and the personal data they could collect. By combining cookies and personal profiles, businesses were now able to record a user’s “click-stream,” informing them of the user’s surfing habits, how long a user visited a particular site, what the user looked at and for how long, how the user arrived at a particular site (i.e. from a hyperlink) and where the user lives. From this click-stream data an online profile can be created in a database and eventually “data mined” for more relevant information that might reveal even more additional information about a user’s interests. What becomes most troubling is the fact that all this information is collected systematically and at little cost to businesses. Ironically, the harmed user is often times the one responsible for having created their own personal profile in the first place when they registered with the web site in exchange for access to some service, or free e-mail.

Industry experts justify these practices by claiming that these techniques allow businesses to reduce their costs, better serve their customers, provides a better understanding of a particular customer’s needs, and allows more effective collection efforts. The practice of using cookies to collect such personal information has become so common place that nearly every company on the Internet collects at least one form of personal information from its web users. The real problem in collecting such personal information lies in the disclosure practices of the business collecting the information. In March 1999, a survey of commercial web sites and their privacy policies conducted by the McDonough School of Business at Georgetown University found that 93% of web sites collect personal information from consumers, but only 66% of these sites post disclosures about their information practices. This survey also found that only 10% of these commercial sites implemented all of the substantive fair information practice principles identified by the Federal Trade Commission. This data collection combined with more sophisticated software is allowing various companies to collect large amounts of personal information and assembling this information into comprehensive profiles of its users. The real problem today is that much of these techniques of collecting personal information is being done behind the backs of millions of consumers, and the current practice of self regulation by the industry has failed.

Recently, several high profile companies such as Yahoo!, Double Click, Amazon, GeoCities, Intuit, eToys, America Online and Real Networks have all come under fire for their deceptive practices involving the collection of personal information. Most disturbing is that many of these companies failed to follow their own stated privacy policies in the first place. Even though each of these cases is disturbing based on its own particular facts, privacy experts believe that the true test of one’s privacy on the internet will be decided in a class action suit against Double Click.

Double Click, one of the leading on-line advertisers responsible for delivering 1.5 billion banner ads a day on behalf of 1800 customers, recently came under fire for its invasive use of cookies on its servers to monitor and track users surfing habits throughout the Internet. This information was being used by Double Click to tailor its advertising content to specific users, and was allowing Double Click to compile an accurate profile of a consumer’s surfing habits. What is unique about this case is that by employing cookies on its server, rather then on a particular website (which is the traditional practice), Double Click was able to track a user’s visits to any one of its servers in the ad company’s domain, regardless of the type of browser being used or the website content being viewed. This practice allows Double Click the ability to collect all sorts of data about a particular user’s activities across a spectrum of different web sites.

How this case is ultimately resolved should have particular importance in shaping the privacy debate. The ultimate question for the courts to decide is whether its permissible for Double Click to unknowingly place a cookie on a user’s hard drive any time a user happens to visit a website displaying one of their banner ads. What’s unique about Double Click’s practice is that the industry typically implies a user’s consent to the use of cookies whenever a user clicks-on a website. However, Double Click has implied this same consent by the user, regardless of whether a user ever clicks on their advertisement, just by the presence of its advertisements on a particular web site. Privacy advocates are concerned that other companies will adopt Double Click’s practice of inserting intrusive tracking devices on one’s computer without their consent, or their knowledge.

As disturbing as these practices may appear, other prominent internet companies such as Real Networks, Amazon, Yahoo!, Intuit, and America Online are all currently involved in lawsuits accusing them of somehow violating one’s privacy rights by either enabling downloaded software to a user’s computer to relay information back to the company to assist in marketing products, or in some cases altering a user’s communication configuration and settings in order to cause interference with any of its competitors communications software. Not to be outdone by its competitors surreptitious data collection techniques, Double Click merged with Abacus Direct Corporation (a market research company that records and compiles an individuals off-line catalog purchase history) and immediately announced its intention to merge Abacus’ consumer off-line data history with its own on-line personal profiles. Although this effort has since been postponed by Double Click due to the consumer backlash, there currently is limited remedies available to consumers to challenge such actions by these companies. Instead, consumers are left to rely on a patchwork of laws that don’t adequately address one’s concern for protecting their privacy.