Privacy Policy
History
In 1995 the European Union (EU) introduced the Data Protection Directive[6] for its member states. As a result, many organizations doing business within the EU began to draft policies to comply with this Directive. In the same year, the U.S. Federal Trade Commission (FTC) published the Fair Information Principles[7] which provided a set of non-binding governing principles for the commercial use of personal information. While not mandating policy, these principles provided guidance of the developing concerns of how to draft privacy policies. The United States does not have a specific federal regulation establishing universal implementation of privacy policies. Congress has, at times, considered comprehensive laws regulating the collection of information online, such as the Consumer Internet Privacy Enhancement Act[8] and the Online Privacy Protection Act of 2001,[9] but none have been enacted. In 2001, the FTC stated an express preference for “more law enforcement, not more laws”[10] and promoted continued focus on industry self-regulation. In many cases, the FTC enforces the terms of privacy policies as promises made to consumers using the authority granted by Section 5 of the FTC Act which prohibits unfair or deceptive marketing practices.[11] The FTC’s powers are statutorily restricted in some cases; for example, airlines are subject to the authority of the Federal Aviation Administration (FAA),[12] and cell phone carriers are subject to the authority of the Federal Communications Commission (FCC).[13] In some cases, private parties enforce the terms of privacy policies by filing class action lawsuits, which may result in settlements or judgments. However, such lawsuits are often not an option, due to arbitration clauses in the privacy policies or other terms of service agreements.[14]Applicable law
United States
While no generally applicable law exists, some federal laws govern privacy policies in specific circumstances, such as:- The Children’s Online Privacy Protection Act (COPPA)[15] affects websites that knowingly collect information about or targeted at children under the age of 13.[16] Any such websites must post a privacy policy and adhere to enumerated information-sharing restrictions[17] COPPA includes a “safe harbor” provision to promote Industry self-regulation.[18]
- The Gramm-Leach-Bliley Act[19] requires institutions “significantly engaged”[20] in financial activities give “clear, conspicuous, and accurate statements” of their information-sharing practices. The Act also restricts use and sharing of financial information.[21]
- The Health Insurance Portability and Accountability Act (HIPAA) privacy rules[22] requires notice in writing of the privacy practices of health care services, and this requirement also applies if the health service is electronic.[23]
- The California Consumer Privacy Act (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law.[24]
- The California Privacy Rights Act of 2020 (CPRA) expands the privacy and information security obligations of most employers doing business in California.[25]
European Union
The right to privacy is a highly developed area of law in Europe. All the member states of the European Union (EU) are also signatories of the European Convention on Human Rights (ECHR). Article 8 of the ECHR provides a right to respect for one’s “private and family life, his home and his correspondence”, subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence.[30] In 1980, in an effort to create a comprehensive data protection system throughout Europe, the Organization for Economic Co-operation and Development (OECD) issued its “Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data”.[31] The seven principles governing the OECD’s recommendations for protection of personal data were:- Notice—data subjects should be given notice when their data is being collected;
- Purpose—data should only be used for the purpose stated and not for any other purposes;
- Consent—data should not be disclosed without the data subject’s consent;
- Security—collected data should be kept secure from any potential abuses;
- Disclosure—data subjects should be informed as to who is collecting their data;
- Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
- Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles.[32]
Effective 25 May 2018, the Data Protection Directive is superseded by the General Data Protection Regulation (GDPR), which harmonizes privacy rules across all EU member states. GDPR imposes more stringent rules on the collection of personal information belonging to EU data subjects, including a requirement for privacy policies to be more concise, clearly-worded, and transparent in their disclosure of any collection, processing, storage, or transfer of personally identifiable information. Data controllers must also provide the opportunity for their data to be made portable in a common format, and for it to be erased under certain circumstances.[35][36]
Instructions for deleting your account from SiriusVPN are available at https://siriusvpn.com/how-to-delete-your-siriusvpn-account/.