1999 Eric J. Sinrod, Jeffrey W. Reyna, and Barak D. Jolish

THE NEW WAVE OF SPEECH AND PRIVACY

DEVELOPMENTS IN CYBERSPACE

Eric J. Sinrod,(1) Jeffrey W. Reyna(2) & Barak D. Jolish(3)

INTRODUCTION

The Internet offers a myriad of new avenues for human interaction as varied as the people who are on line. The number of creative uses for the Internet has grown as the number of people on the Internet increases exponentially.(4) But, for all the people currently found on line, there are many who still view the Internet with a wary eye. Concerns over personal privacy and government censorship are often at the forefront of many Internet users' minds.(5) As with any other medium of information, the Internet has the potential to be used as a tool for businesses, individuals, and government to peer into people's personal lives. Conversely, many are concerned that the Internet can also be used to deliver objectionable or obscene information to minors. Caught in the balance is an ongoing debate over whether and how to regulate the Internet to protect the privacy and speech concerns implicated by its many uses.

The last half of 1998 and beginning of 1999 saw some important developments in the area of Internet regulation by government and the private sector. Much of the legislative activity related to the Internet has focused on protecting children from exposure to objectionable material and preventing unwanted invasions into children's on-line privacy. At the same time, Congress, the courts, the European Community, and a coalition of Internet industry members, took several decisive steps-usually in different directions-in an effort to focus the ever-changing policy implications related to privacy and speech in the Internet. The aim of this article is to provide a brief overview of these recent developments as they fit into the ongoing policy debate on speech and privacy issues on the Internet.

BLOCKING ACCESS TO CONTENT AND FILLING BANDWIDTH WITH SPAM

BLOCKING CONTENT

While many individuals have expressed a desire to keep the Internet an open marketplace of ideas subject to minimal censorship by the government,(6) they also advocate strong protections for children to shield them from exposure to objectionable material. The initial salvo in Congressional efforts to protect children from exposure to pronographic or sexually explicit material on the Internet was the Communications Decency Act (CDA).(7) The CDA sought to outlaw the transmission of "indecent" and other sexually explicit material to children over computer networks.(8) The Act further defined indecent as that which is "patently offensive" by "contemporary community standards."(9) In a 7-2 decision, the Supreme Court in Reno v. ACLU (Reno I)(10) struck down the Act's "indecency" provisions on the ground that they violated the First Amendment's guarantee of freedom of speech.(11)

After the Reno I decision, Congress returned to the drawing board and renewed its efforts to regulate Internet content by enacting the Child Online Protection Act (COPA)(12) (or "CDA II" as it is called by its opponents). COPA attached criminal and civil liability for the distribution "in interstate or foreign commerce by means of the World Wide Web . . . any communication for commercial purposes that is available to any minor and that includes any material that is harmful to minors."(13) The Act provided that a person would be considered to make a "communication for commercial purposes" "only if such person is engaged in the business of making such communication."(14) The Act further stated that a person was deemed to "engage in the business" if that person "devotes time, attention, or labor to such activities, as a regular course of such person's trade or business, with the objective of earning a profit," irrespective of whether a profit was actually made.(15) The Act than defines material that is "harmful to minors" as

any communication, picture, image, graphic image file, article, recording, writing, or other matter of any kind that is obscene or that-

Finally, the Act provided an affirmative defense for those individuals who, in good faith, restricted access to minors through the use of a credit card, adult access card, a digital certificate that verifies a user's age, or "any other reasonable measures that are feasible under available technology."(17)

Privacy groups, including the ACLU and the Electronic Privacy Information Center (EPIC), filed suit in the U.S. District Court for the Eastern District of Pennsylvania, challenging COPA on constitutional grounds.(18) We will refer to this case as Reno II for purposes of this discussion.(19) On February 1, 1999, the court issued a 50-page Memorandum and Order granting plaintiffs' motion for a preliminary injunction, effectively barring enforcement of the Act until the resolution of the case, either by appeal or by a trial on the merits. Though this Memorandum is not binding precedent and is subject to appellate review or modification in further trial proceedings, it is worth discussion as yet another step towards defining the constitutional parameters of regulation of Internet speech by the government.

In granting plaintiffs' request for a preliminary injunction, the court in Reno II focused its analysis on plaintiffs' claim that COPA was unconstitutional on its face as a violation of the First Amendment rights of adults. The court stated that "as a content-based regulation of [nonobscene sexual expression], COPA is presumptively invalid and is subject to strict scrutiny."(20) According to the court, the content of such protected speech could be regulated only if such regulation is narrowly tailored as the least restrictive means to further a compelling government interest.(21) The court proceeded to analyze whether COPA met strict scrutiny by considering: the burden on speech it imposes, whether COPA furthers a compelling government interest, and whether COPA was narrowly tailored and the least restrictive means to achieve its goals.

The court concluded that COPA imposed a burden on speech for several reasons. The court used the discussion in Reno I(22) regarding the prohibitively high economic burden of implementing age verification systems, as one factor in the analysis of the burden COPA imposes on speech. However, the court held that, though the economic burden imposed on Web site operators who would incur out-of-pocket expense to comply with COPA's age verification provisions or lose revenue through decreased web site traffic was certainly real, other factors weighed in favor of a finding that COPA imposed an unconstitutional burden on speech. Namely, the court found that plaintiffs may self-censor the content of their Web sites based on the economic disincentives that COPA presented. The court also found that there is

no way to restrict access of minors to harmful materials in chat rooms and discussion groups, which the plaintiffs assert draw traffic to their sites, without screening all users before accessing any content, even that which is not harmful to minors, or editing all content before it is posted to exclude material that is harmful to minors. . . This has the effect of burdening speech in these fora that is not covered by the statute.(23)

As a result, the court found that plaintiffs were likely to prove that COPA imposed a burden on speech that was otherwise protected for adults.(24)

Next, while the court found that Congress has a compelling government interest in protecting minors from harmful materials, including material that may not be considered obscene by adult standards, it found that COPA failed to use the "least restrictive means" to achieve its goal.(25) The court pointed out that even with COPA in effect, minors might be able to access harmful material on foreign Web sites, non-commercial sites, and on-line using protocols apart from http such as ftp.(26) Moreover, the court found there was some evidence presented that Internet "filtering software" could be used as an alternate, and least restrictive means, for protecting minors from exposure to obscene material on the Internet.(27)

The decision in Reno II marks the second time in as many years that courts have struck down federal content-based restrictions on speech-both instances dealing with material deemed to be offensive and harmful to minors. This decision reaffirms the implication that any regulation affecting speech on the Internet, particularly any content-based prohibition on speech, must be narrowly tailored and use the least restrictive means in achieving its purpose.

STOPPING SPAMMERS

"Spam," also known as junk e-mail or unsolicited commercial e-mail, is an unsolicited and often unwelcome mass mailing to electronic bulletin boards, newsgroups, or lists of e-mail addresses harvested through a variety of means.(28) The vast majority of spam messages are used as a form of advertising products and services ranging from "get rich quick" schemes, to phone sex lines and adult web sites, and quack health products.(29) Despite its analogy to conventional junk mail, spam differs from junk mail in fundamental ways. First, mailers of conventional junk mail have to bear the cost of paper, printing and postage, whereas spammers bear negligible costs. The costs of spam are instead borne by the ISP, or Internet Service Provider, that has to accommodate the increased volume over its system. The costs and problems associated with spam can range from having to purchase additional bandwidth and devote employee time at a cost that can range into the millions of dollars for large ISPs, to disruptions in service caused by system crashes that affect paying customers.(30)

The problem is exacerbated by the fact that no centralized system exists for identifying and dealing with unsolicited spam. A recipient of a spam message cannot make a request to be removed from a spam mailing list, and making such a request via a return e-mail often only accomplishes verifying the validity of one's e-mail address to spammers for their future use. Finally, even if an individual is able to remove herself from an e-mailing list or effectively use rudimentary software to filter out spam messages, the ISP is still left with the burden and havoc spam creates on its servers.

With these problems in mind, ISPs have mounted increasing legislative lobbying efforts and court battles against spammers to try and alleviate the problem. In the area of litigation, the first notable victory in favor of ISPs and against spammers came in CompuServe v. Cyber Promotions, Inc.(31) Although the case ended with the parties reaching a consent decree wherein Cyber Promotions agreed to cease spamming targeted toward CompuServe's subscribers, the court noted that nothing in either the federal or applicable state constitutions required that a private property owner tolerate a trespass "whenever the trespasser is a speaker, or the distributor of written speech, who is unsatisfied with the fora which may be available on public property, and who thus attempts to carry his message to private property against the will of the owner."(32)

In late 1998, ISPs scored another victory against spammers in America Online, Inc. v. LCGM, Inc.,(33) (AOL). In this instance, AOL sued several spammers to stop a practice that the court found included the sending of over 300,000 unsolicited spam messages to AOL subscribers on a daily basis.(34) AOL based its case on several theories, including: false designation under the Lanham Act(35) where the spammers used the "aol.com" designation in their spam e-mail headers;(36) dilution of a service mark under the Lanham Act;(37) exceeding the terms or AOL's access agreement by harvesting AOL subscribers' e-mail addresses in violation of the Computer Fraud and Abuse Act;(38) impairing computer facilities by "intentionally accessing a protected computer without authorization . . . caus[ing] damage," which is also a violation of the Computer Fraud and Abuse Act;(39) in addition to violations of Virginia common law and statutory law.

Though the court declined to rule on the issue of the extent of damages suffered by AOL as a result of the spammers' actions, the court did immediately enjoin the defendants from "further distributing unsolicited bulk e-mail messages to AOL members," prohibited them from further using the "aol.com" header or harvesting the e-mail addresses of AOL members, and ordered them to terminate any outstanding AOL memberships.(40)

Though some of the spamming practices at issue in the AOL case are uncommon, particularly with respect to the unlawful appropriation of AOL's trade name, the case presents a prime example of the development of the law to deal with emerging problems presented by the Internet. Internet Service Providers are increasingly deploying a myriad of tools to combat what by all accounts is a potentially disruptive marketing practice that affects not only the ISP's business, but the subscribers' rights to unfettered access to the Internet without interruption or unsolicited advertising.

PRIVATE VS. PUBLIC REGULATION OF INFORMATION MINING: ADDRESSING INTERNET PRIVACY

Information about the habits, preferences, buying capacity, and other demographic data about Internet users is a hot commodity. How valuable is it? So valuable that on-line marketers have recently announced a program whereby they will give consumers for free a new personal computer and Internet service.(41) Well, not really free. In exchange for the $1000 PC and the Internet access usually valued at around $20 per month, the customer will provide a questionnaire full of detailed demographic data, including age, income, marital status, and information about personal tastes and interests.(42) In addition, the company will "monitor which Internet sites the users visit." (43)This enterprise is the latest spin on continuing efforts by Internet marketers to gather and disclose private information about Internet users (read: potential Internet consumers).

Web sites routinely gather data from visitors using on-line registration forms, mailing lists, surveys, user profiles, and other fulfillment forms.(44) In addition, Web sites have the ability to covertly collect information about the habits of its users. Any Web site can discover, for instance, visitors' e-mail addresses, from where and to where they link, which pages they view, how long they stay, and what they purchase on line.(45) The range of things done with this information is unclear, but at a minimum, this information has been collected, used and/or sold for purposes of targeted marketing. In 1998, the Federal Trade Commission investigated, and eventually settled with GeoCities, based on allegations of "unfair and deceptive practices" associated with the disclosure of information collected from individuals, including children.(46) Another well-documented case dealing with the gathering and disclosure of private information involved AOL's unauthorized disclosure of personal information about US Navy Petty Officer Timothy R. McVeigh (including information about a his stated marital status) to the Navy without a warrant.(47) This disclosure effectively terminated Officer McVeigh's illustrious Navy career based on the Navy's "don't ask, don't tell" policy on gays in the military.(48)

These examples illustrate the different ways an individual's privacy can be compromised in the Internet, by private and government entities alike. Policymakers from both US and foreign governments have undertaken various efforts to secure the privacy of Internet users through legislation aimed at protecting the on line privacy of both adults and children. At the same time, an Internet industry coalition, the Online Privacy Alliance, has recently released a "White Paper" outlining its positions on Internet privacy, with a heavy emphasis on industry self-regulation. These different approaches are discussed in turn.

ONLINE PRIVACY FOR CHILDREN

The protection of children has always been of paramount concern in the public policy debate on government regulation of the Internet. In addition to the series of Congressional proposals meant to protect minors from access to obscene content on the Internet, Congress has recently enacted legislation aimed at protecting children's on line privacy. The Children's Online Privacy Protection Act (COPPA) was enacted by Congress in October of 1998.(49)

In essence, COPPA strictly governs the circumstances under which Internet marketers or web sites gather and use data from children(50) The Act requires that the FTC promulgate regulations that "require the operator of any website or online service directed to children that collects personal information from children or the operator of an online service that has actual knowledge that it is collecting personal information form a child" provide notice of the nature of such data collection, the uses for the data, and the data disclosure practices.(51) The Act further requires that such online service or website obtain "verifiable parental consent for the collection, use, or disclosure of personal information from children."(52) Such parental notification and consent must be obtained before the information is collected from the child.(53)

The Act has wide-ranging implications for the privacy interests of children who use the Internet. For example, if a web site does not first obtain "verifiable parental consent," it cannot set any information-gathering "cookies" on the child's computer, nor can the site ask the child any questions about his or her toy or video game preferences. Though the Act only applies to the gathering and disclosure of information about children by commercial web sites,(54) it nevertheless provides both children and parents a strong line of defense against the unwanted gathering and disclosure of information about children who are using the Internet.

Contrasted with this narrow approach to privacy protection, the European Community has taken a much broader approach toward protecting the on line privacy of all individuals in its member states.

EUROPEAN COMMUNITY PRIVACY DIRECTIVE AND U.S. RESPONSE

The European Community has taken aggressive steps toward safeguarding the privacy rights of individuals with respect to the processing of personal data. With this objective in mind, the European Parliament and the Council of the European Union enacted the "European Community Privacy Directive," which became effective on October 25, 1998.(55) The Directive treats the protection of personal privacy with respect to personal data a "fundamental right."(56) To achieve the goal of protecting personal data, the Directive provides:

Member States shall provide that personal data may be processed only if:

Therefore, unless the Internet user "unambiguously" gives consent for the use of personal data, or another narrow exception applies, the Web site is barred from using or collecting that data.(58) Given the global nature of the Internet, this Directive could have wide-ranging implications for American Internet companies. Article 25 of the Directive explicitly restricts the transfer of data to third countries unless that country guarantees "an adequate level of protection" is afforded to personal data.(59) Based on the current state of American privacy law, it is uncertain whether the transfer of personal data between the U.S. and the European Community would satisfy the requirements of Article 25.

In an effort to comply with the European Community Privacy Directive, and in particular Article 25, the U.S. Commerce Department, pursuant to discussions with the European Commission, has promulgated a set of "safe harbor" principles that would apply to American companies that choose to voluntarily comply.(60) The safe harbor provisions essentially state that, in order to comply, an organization must:

Whether or not these self-regulatory principles governing the transmission, accumulation and storage of personal information will be effective in protecting the privacy of Internet users' personal data is yet to be seen. If the Internet industry adheres to these principles, they would become a substantial first step toward safeguarding privacy in personal data collected from individuals on the Internet. At a minimum, adherence to these "safe harbor" provisions is likely to minimize any liability under Directive 95/46/EC for American companies who are in voluntary compliance and transact business with European consumers over the Internet.

THE RESPONSE FROM PRIVATE INDUSTRY

In response to both the public's concern over Internet privacy, and increasing Congressional willingness to enact regulatory legislation in this arena, the Online Privacy Alliance (OPA) has promulgated several on-line privacy proposals.(62) OPA takes a decidedly self-regulatory approach to protecting individuals' online privacy.(63) The Alliance has released two primary policy statements regarding self-regulation of online privacy by its member organizations. The first of these calls for Web sites to use a third-party licensing program or a membership association to monitor company compliance with company privacy policies. Among the third-party monitoring organizations the OPA named are BBBOnLine(64) and TRUSTe.(65) Both sites provide a version of a privacy seal that can be placed on a website, and which indicates that the website adheres to each respective organization's privacy guidelines. The alliance released its second major policy statement on November 19, 1998, which is a broad analysis of the OPA's positions regarding a multi-layered approach to online privacy, where self-regulation takes the helm, while governmental regulation and private civil actions take a secondary role.(66)

Such efforts at industry self-regulation have faced strong skepticism from privacy and civil rights organizations. For example, the Electronic Privacy Information Center has noted that, even in the midst of enforcement actions by the FTC against GeoCities based on its information disclosure practices, GeoCities was a member of TRUSTe.(67) The question of on-line self-regulation remains very much contingent on the ability of the Internet industry to persuade its members to follow robust privacy guidelines. In addition, the on-line industry must also convince consumers concerned about Internet privacy, and the government, that it is protecting the privacy rights of all individuals.

CONCLUSION

The incredible and continuing growth of the Internet has led to many new and innovative ways to share information across national borders. The growth of this information exchange has brought with it the ability for individuals, governments and corporations to collect, use and even sell personal information about Internet users. It has also led to growing willingness on the part of parents and government to implement measures intended to block minors' access to objectionable content-often running head-on into constitutional limitations. Recent legal and policy developments in the search to address these concerns merit continued attention in a manner that is mindful of the Internet's promise and potential perils.

1. Eric J. Sinrod, a partner in the San Francisco office of Hancock Rothert & Bunshoft LLP, practices commercial litigation and Internet, information and communications law, and can be reached at ejsinrod@hrblaw.com or eric@sinrodlaw.com.

2. Jeffrey W. Reyna, an associate in the San Francisco office of Hancock Rothert & Bunshoft LLP, practices commercial litigation and Internet law, and can be reached at jwreyna@hrblaw.com.

3. Barak D. Jolish is a third-year student at the University of California Hastings College of the Law and will be joining Hancock, Rothert & Bunshoft LLP as an associate in 1999. He can be reached at JolishB@uchastings.edu.

4. A 1998 survey by Network Wizards shows that the number of hosts tabulated in the Internet Domain Name System grew from roughly 25,000,000 in mid-1997 to nearly 37,000,000 by July of 1998. See Network Wizards, Internet Domain Survey, July 1998 (visited Feb. 9, 1999) <http://www.hrblaw.com/artdocs/<http://www.nw.com/zone/www/report/html>. With some variation, one host = one computer connected to the Internet. In recent years however, "virtual hosting" has necessitated the modification of this definition, since one computer can, in turn, have multiple domain names and IP addresses. See Network Wizards, Internet Domain Survey FAQ (visited Feb. 9, 1999) <http://www.hrblaw.com/artdocs/<http://www.nw.com/zone/WWW/faq.html>. "An IP address is a set of four numbers (each between 0 and 255, with some restrictions) separated by periods that uniquely identify that address on the Internet." See Web Sites, Hostnames and IP Addresses, Oh my (visited Feb. 5, 1999) <http://www.hrblaw.com/artdocs/<http://www.mit.edu/people/mkgray/net/terminology.html>.

These figures only count the number of computers connected to the Internet. An estimate of the number of people using the Internet is more difficult to come by. According to one estimate, 108 million adults in the U.S. alone used the Internet during the last three months of 1998. See Web Hits Growth Spurt in Q4, Cyberatlas (visited Feb. 9, 1999) <http://www.hrblaw.com/artdocs/<http://www.cyberatlas.com/big_picture/demographics/q4.html>.

5. See 8th WWW User Survey, Graphic, Visualization & Usability Center (GVU), Dec. 12, 1997, <http://www.hrblaw.com/artdocs/<http://www.gvu.gatech.edu/user_surveys/survey-1997_10>; A Little Net Privacy, Please, Business Week Online, Mar. 16, 1998 <http://www.businessweek.com/199811/b3569104.htm>.

6. See e.g. Credit Card Security Greatest Internet-Related Concern Concludes Lycos Web User Study, Cyber Dialogue (March 5, 1998) <http://www.hrblaw.com/artdocs/<http://www.cyberdialogue.com/frame.html>.

7. The Communications Decency Act, 47 U.S.C. 223(a), (d) (1996), was signed into law by President Clinton as part of omnibus legislation that addressed the entire landscape of American communications law. See The Telecommunications Act of 1996, Pub. L. 104-104, 110 Stat. 56.

8. Id.

9. Id.

10. 521 U.S. 844 (1997).

11. While the scope of the Reno I opinion has been discussed at depth in other fora, a brief summary is useful here. Specifically, the Court held that material published over the Internet deserves the same high level of constitutional protection as books or magazines, as opposed to the lower level afforded to broadcast media. Id. at 895-897. The Court went on to state that the Internet is "the most participatory for of mass speech yet developed," and is entitled to "the highest protection from governmental intrusion." Id. at 892. From this perspective, the Court viewed the CDA as a content-based blanket restriction on speech that did not to provide any definition of 'indecent' and omitted any requirement that 'patently offensive' material lack socially redeeming value. Id. at 898-899. The Court also expressed concern that the decentralized nature of the Internet made it particularly difficult to apply the "community standards" test of obscenity law. Id.

12. 47 U.S.C. 231 (1998).

13. 47 U.S.C. 231(1).

14. 47 U.S.C. 231(e)(2)(A).

15. 47 U.S.C. 231(e)(2)(B).

16. 47 U.S.C. 231(e)(6).

17. 47 U.S.C. 231(c). Age verification on adult web sites was also promoted by the drafters of the Internet Tax Freedom Act. The Act used age verification as an incentive by subjecting Web sites to potential Internet taxation if they do not adequately block access to adult content by minors through the use of age verification programs. See Internet Tax Freedom Act, Section 1101(2) et seq. The act was passed as part of the 1998 Omnibus Consolidated Appropriations Bill.

18. American Civil Liberties Union, et al. v. Janet Reno, 98-5591 (1998), United States District Court for the Eastern District of Pennsylvania, available at <http://www.hrblaw.com/artdocs/<http://www.paed.uscourts.gov/opinions/99D0078P.htm>.

19. For a sampling of the reaction to the COPA injunction, see Declan McCullagh, Judge: COPA Went Too Far, WIRED NEWS, Feb. 2, 1999 <http://www.hrblaw.com/artdocs/<http://www.wired.com/news/news/politics/story/17670.html>; Trial Possible on Web Porn Law, CNN Interactive, Feb. 2, 1999 <http://www.cnn.com/US/9902102/internet.decency>.

20. Id. (citing Sable Communications of California, Inc. v. FCC, 492 U.S. 115, 126 (1989) and R.A.V. v. City of St. Paul, 505 U.S. 377, 381 (1992)).

21. Id. (citing Sable, 492 U.S. at 126, which states that "[i]t is not enough to show that the Government's ends are compelling; the means must be carefully tailored to achieve those ends.").

22. Reno I, 117 S.Ct. at 2347.

23. Reno II, at Part A1.

24. Id.

25. Id., see also Reno I, 117 S.Ct. at 2349.

26. "Ftp" stands for "file transfer protocol," and describes a way of accessing information from the Internet by downloading files from indexes, rather than loading a Web page, which is in turn normally written in the computer language "html." For a more detailed description of these and other Internet-related terms see visit <http://www.cnet.com/Resources/Info/Glossary/Terms>.

27. Reno II at Section A4. Interestingly, some in the Internet industry do not favor the alternative of using filtering software because such software has the potential to block access to a wider range of content than that prohibited by COPA. See Neil Munro, The Web's Cornucopia, The National Law Journal, Jan. 9, 1999, at 38.

28. See CNET Glossary, CNET.COM (visited June 26, 1998). <http://www.hrblaw.com/artdocs/<http://www.cnet.com/REsources/

29. "About the Problem," Coalition Against Unsolicited Commercial e-mail (visited July 27, 1998) <http://www.hrblaw.com/artdocs/<http://www.cauce.org/problem.html>.

30. See Chris Oakes, Well-Done Spam Cooked Pac Bell's Email, Wired News, April 15, 1998 <http://www.hrblaw.com/artdocs/<http://www.wired.com/news/news/technology/story/11684.html>.

31. 962 F.Supp. 1015 (S.D. Ohio 1997).

32. Id. at 2027.

33. 1998 U.S. Dist. LEXIS 20144.

34. Id. at *7.

35. 15 U.S.C. 1125(a)(1) of the Lanham Act makes it unlawful to use in commerce:

any false designation of origin . . . which . . . is likely to cause confusion, or to cause mistake, or to deceive as to the affiliation, connection, or association of such person with another person, or as to the origin, sponsorship, or approval of his or her goods, services, or commercial activities by another person.

Other courts have held that the sending of spam constitutes a violation of this section of the Lanham Act. See America Online, Inc. v. IMS, 24 F.Supp.2d 548 (E.D. Va. 1998); Hotmail Corp. v. Van Money Pie, Inc., 1998 U.S. Dist. LEXIS 10729 (N.D. Cal. 1998).

36. AOL, at *11.

37. 15 U.S.C. 1125(c)(1).

38. 18 U.S.C. 1030(a)(2)(c).

39. 18 U.S.C. 1030(a)(5)(C).

40. AOL, at *23.

41. See Web entrepeneur to give away PCs, make money on ads, CNN Interactive, Feb. 8, 1999 <http://www.hrblaw.com/artdocs/<http://cnn.com/tech/computing/9902/08/freepc.reut/>; see also Craig Bicknell, For Sale: Your Tastes, Interests, WIRED NEWS, June 24, 1998 <http://www.wired.com/news/news/politics/privacy/story/13212.html> (outlining plans to sell/trade information gathered from Internet user's habits on-line).

42. Id.

43. See Over 500,000 apply for free PCs, MSNBC.COM, Feb. 10, 1999 <http://www.hrblaw.com/artdocs/<http://www.msnbc.com/news/239946.asp>.

44. A 1997 study by the Electronic Privacy Information Center (EPIC) found that 49 of the top 100 most visited Web sites collect personal information through such methods. See Surfer Beware: Personal Privacy and the Internet, EPIC, June 1997 <http://www.hrblaw.com/artdocs/<http://www.epic.org/reports/surfer-beware.html>.

45. To get a demonstration of the types of information a Web site may discover about its visitors, visit the Center for Democracy and Technology's "Who's Watching You?" page, at <http://www.hrblaw.com/artdocs/<http://www.13x.com/cgbin/cdt/snoop.pl>.

46. See GeoCities Form S-1 Registration Statement under the Securities Act of 1933, Securities and Exchange Commission, June 12, 1998 <http://www.sec.gov/Archives/edgar/data/1062777/000101706298001328.txt>.

47. McVeigh v. Cohen, 983 F.Supp. 215 (D. D.C. 1998).

48. Id.

49. The Children's Online Privacy Protection Act (COPPA) was enacted as Title XIII, sections 1301 through 1308, of the 1999 Omnibus Appropriations Bill.

50. COPPA defines "child" as "an individual under the age of 13." COPPA 1302(1).

51. COPPA 1303(b)(A)(i).

52. Id. at 1303(b)(A)(ii). The Act defines "verifiable parental consent" as:

any reasonable effort (taking into consideration the available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that a parent of a child receives notice of the operator's personal information collection, use, and disclosure practices, and authorizes the collection, use, and disclousre, as applicable, of personal information and the subsequent use of that information before that information is collected from that child.

COPPA at 1302(9).

53. Id.

54. Id. at 1302(2)(A) (website must be maintained for a "commercial purpose" in order to be covered by the Act).

55. The full title of the directive is "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data." The complete text of the Directive is available at <http://europa.eu.int/comm/dg15/media/dataprot/law/dir9546.htm>.

56. See Directive 95/46/EC, Article 1.

57. Directive 95/46/EC, Article 7.

58. An exception is provided if the processing of data is done solely in the interests of "journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression." Directive 95/46/EC, Article 9.

59. Directive 95/46/EC, Article 25.

60. See "International Safe Harbor Privacy Principles," U.S. Department of Commerce, International Trade Administration, Nov. 11, 1998 draft. The text of this draft is available at <http://www.hrblaw.com/artdocs/<http://www.epic.org/privacy/intl/doc-safeharbor-1198.html>.

61. Id.

62. The Online Privacy Alliance is an industry group describing itself as "an alliance of global companies and associations committed to promoting privacy online." See Online Privacy Alliance, Privacy Guidelines, Nov. 19, 1998. The text of the guidelines is available at <http://www.hrblaw.com/artdocs/<http://www.privacyalliance.org>.

63. See Online Privacy Alliance Mission Statement, id.

64. BBBOnLine is a wholly-owned subsidiary of the Better Business Bureau, and features a privacy "seal" program which "incorporates the pertinent guideposts and self-regulation requirements outlined by the Federal Trade Commission and the Department of Commerce." BBBOnLine Privacy Program Created to Enhance User Trust on the Internet, BBBOnLine, June 22, 1998, <http://www.bbbonline.org/bolprivacy.shtml>. It is important to note that not all Better Business Bureau members will be required to comply with the program, only those members who sign up with BBBOnLine.

65. TRUSTe has been running its "trustmark" seal program since 1997. A "trustmark" signifies that a Web site has made a commitment to disclose its privacy practices. See TRUSTe, (visited June 27, 1998) <http://www.hrblaw.com/artdocs/<http://www.truste.org/users/program.html>.

66. See Legal Framework White Paper, Submitted with the Comments of the Online Privacy Alliance On the Draft International Safe Harbor Principles, Nov. 19, 1998, available at <http://www.hrblaw.com/artdocs/<http://www.privacyalliance.org>.

67. See Industry Floats Plan on Privacy, CNET News.com, July 21, 1998 <http://www.hrblaw.com/artdocs/<http://www.news.com/News/Item/o,4,24434,00.html?st.ne.ni.lh>.