Does law matter in the information environment? What can we learn from the experience of applying a particular legal regime to the online environment? Informational privacy (or to use the European term, data protection) provides an excellent illustration of the challenges faced by regulators who seek to secure user rights and shape online behavior. A comprehensive study of Israeli website compliance with information privacy regulation in 2003 and 2006 provides insights for understanding these challenges. The study examined the information privacy practices of 1360 active websites, determining the extent to which these sites comply with applicable legal requirements related to information privacy and examining other privacy-related practices. Information practices were explored on three levels: first, we examined the legal requirements applicable to each information practice under current Israeli law (legal analysis); second, we analyzed the declared privacy policies posted on each website; and third, we studied the actual information practices of each website. The findings show that only a small minority of websites comply with legal requirements. Most websites do not provide privacy protection to users at the level required by the law. Websites routinely collect personal data from users, although the practice of collecting data is slightly lower among commercial and organization websites than in other categories. Among public and private sector websites, compliance was relatively low, with 16% and 22% of websites that collect personal data giving users some sort of notice. The popular and sensitive websites, generally owned by large corporations, had substantially higher levels of compliance, and the most popular websites had the lowest number of violations. 
The overall picture that emerges from the findings is one in which the law seems to have only a relatively minor role in shaping users' privacy experiences online, while other forces and factors are clearly at play. The findings further suggest that information privacy regulation is most effective among commercial enterprises, which are better able to acquire legal advice and respond to potential legal liability. It is less effective among small enterprises and individual users who operate websites, because they typically cannot afford the somewhat sophisticated legal counsel that is required for establishing and maintaining a data protection policy. This is a troublesome conclusion, given growing threats to user privacy in the Web 2.0 environment. As a whole, the findings suggest that data protection regulators may be unable to craft a single legal measure that fits the Internet. Regulating the online behavior of various players may require tailored regulatory measures.
Michael Birnhack & Niva Elkin-Koren, Does Law Matter Online - Empirical Evidence on Privacy Law Compliance, Mich. Telecomm. & Tech. L. Rev.
Available at: http://repository.law.umich.edu/mttlr/vol17/iss2/1