
Upload: george-atkinson

Post on 17-Dec-2015

SAX LAW OFFICE e-Commerce * International Law * Competition Law www.saxlaw.com

Privacy Protection: Collecting And Transferring Data Electronically;

AN INTERNATIONAL PERSPECTIVE

Presented at the BAHAMAS BAR ASSOCIATION

LAW FORUM: 2000 AND BEYOND: AN ACTION PLAN FOR THE NEW MILLENNIUM: THE JUSTICE SYSTEM, THE LEGAL

PROFESSION AND THE ECONOMY.

Friday, February 18, 2000

Michael M. Sax

Speech Highlights

Introduction

Visitors to websites want reassurances that privacy rights will be respected when they engage in eCommerce. It is part of the confidence-creating role that successful eCommerce businesses have to convey to the consumer. I will focus on issues relating to the collection, storage, accuracy and use of data provided by Netizens in the use of the world wide web.

What Type of Information Could Be Collected and How Is It Being Used?

Personally identifiable information (or individually identifiable information);

Or mass anonymous information

Personally Identifiable Information

Individually identifiable information can be defined as information that:

Can be used to identify an individual;

Is elicited by the company's web site through active or passive means from the individual; and

Is retrievable by the company in the ordinary course of business.

Mass Anonymous Information

"Mass anonymous information" can be defined as information that:

A website or third party on its behalf aggregates and categorizes by demographic characteristics or established geographical areas, such as postal codes.

It contains non-consumer specific information created from anonymous transactions for use by merchants in better managing their businesses and conducting mass media advertising.

It is not information that would enable direct marketers to engage in telephone solicitation, direct mail, e-mail contact or any other form of direct marketing contact directly to consumers.

Cookies

The internet generates an elaborate trail of data at every stop a person makes. A "cookie" is simply a piece of information [computer code] that is saved on your own computer or your browser. It contains information as to the personal preferences you exhibited when visiting a website. While cookies themselves do not gather the data, they are used as tracking devices to help people who are collecting information. As information is gathered about you, it is associated with the value they keep in your cookie. A cookie cannot read your hard drive to find out who you are, your income or your place of residence. However, that information could end up in a cookie if you provided it to a site and that site saved it in a cookie.

Self-regulation Vs. Government Regulation

Throughout the '70s the Europeans were concerned with the rising quantity of data transfers and the effects on the personal information of their citizens.

Self-regulation Policies Would Encompass the Following Main Beliefs:

Accountability

Disclosure of reason for collecting

Individual's consent

Limit the collection, use or revelation to declared purpose

Retain info only as long as necessary

Info should be accurate and up-to-date

Security

Organizations collecting personal data should be transparent in their policy and practice

Allow individuals access and the ability to rectify errors

OECD Guidelines On The Protection Of Privacy And Transborder Flows Of Personal Data

In 1980, the above policy principles formed the basis of the OECD voluntary guidelines. These guidelines could be built into national legislation.

The purpose was to prevent violations of fundamental human rights.

In addition, the member countries were to endeavor to remove or avoid creating, in the name of privacy protection, unjustified obstacles to transborder flows of personal data, i.e., trade barriers.

Council of Europe, Convention on the Automatic Processing of Personal Data (1981)

Not a voluntary guideline.

International convention, which required implementation by the European member countries.

Purpose was to secure for every individual fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him ("data protection").

This national implementation and enforcement resulted in differing regulations. No common mechanism was provided to resolve differences in interpretation.

Data Protection Directive

As a result of the shortcomings of the Convention on the Automatic Processing of Personal Data, the European Union developed the Data Protection Directive in 1995.

The United States perceived that the European Union was attempting to erect trade barriers.

European Union

Historical need (Gestapo and KGB) to protect against abuses of data collection. Ironically individuals rely on government to protect them.

The Europeans have been quicker to attempt to enact legislation (Privacy Directive 95/46/EC discussed below).

For an analysis of the legislation see the European Union Legal Advisory Board’s web site at http://www2.echo.lu/legal/en/lab/971006/minutes-text.html.

European Union

Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Protects individual privacy by prohibiting the improper collection, use and transfer of data relating to individuals.

The directive requires EU members to adopt laws to protect personal information, in both the public and private sectors, and to block transfers of information to non-member states that did not provide an adequate level of protection.

European Union

The concept of "unambiguously consent": agreed freely and specifically, after being adequately informed, to allow personal data about him/her to be processed.

Potential to make the protection of personal information a major non-tariff trade barrier.

From a practical point of view, it is difficult under EU legislation to collect cookies on an individual without their consent. This is important for web sites that hope to sell to Europeans and personalize their site for the customer.

A Few Examples of Some of the Effects Could Be:

The inability to transfer personnel records between parent and subsidiaries or affiliates in and out of Europe or the inability to consolidate or process records at any location outside of Europe. This could frustrate human resource planning, administration and programmes. This would apply to independent HR companies and consultants.

A Few Examples of Some of the Effects Could Be:

The ability of a North American (Bahamian) to do direct marketing in Europe by purchasing from a European marketing company personally identifiable data that relates to its chosen market. The Europeans would have to be satisfied with the North American's data protection practices.

A Few Examples of Some of the Effects Could Be:

The inability to register cookies whenever a European visits your site might require you to modify your web site to filter visitors and determine where they are coming from. As cookies do not always allow the mechanism for notification prior to use, unambiguous consent may not be obtained. I am not sure whether it is technically possible to build this into your site.

A Few Examples of Some of the Effects Could Be:

The inability of Europeans to utilize data processing facilities in non-European countries if the data processing covers personally identifiable information of employees and customers, thereby denying non-Europeans access to that market.

A Few Examples of Some of the Effects Could Be:

Problems with the directive have been raised in litigation. An actual example was at the trial in Texas of Volkswagen of Germany [i], which was asked to produce the files of thousands of employees and refused on the basis that the U.S. didn't have adequate privacy protections. The Supreme Court in Texas upheld Germany's privacy laws, which prohibit the parent and the U.S. sub from releasing the data in response to a discovery demand.

[i] Volkswagen, A.G. v. The Honorable Rogelio Valdez, Judge: Supreme Court of Texas, No. 95 05 14; Nov. 1s.

Update on EU

The European Commission is taking five EU member states to court for not implementing data protection rules.

France, Ireland, Germany, Luxembourg and the Netherlands will all go before the European Court of Justice. They are accused of not implementing an EU directive on protection of personal data, the Commission said today.

This directive aims to build consumer confidence and bring member states' data protection rules closer together.

Anyone who has suffered from the non-implementation of the directive can seek compensation from national courts, it said. 11/01/2000 http://www.theregister.co.uk/index.html

USA

The United States administration and the U.S. Federal Trade Commission are in favour of self-regulation in the area of privacy.

In the 1998 annual report to Congress on the status of privacy self-regulation, the U.S. Federal Trade Commissioner presented a legislative model that Congress could consider in the event that self-regulatory efforts did not result in widespread implementation of protections.

USA

As an incentive for continued industry participation, legislation would provide a safe harbor for industries that establish their own means of providing consumers privacy protections.

Federal privacy legislation would set out the basic standards of practice governing the collection of data online, as well as provide the implementing agency with the authority to enforce compliance with those standards.

USA

Widely Accepted Fair Information Practices

All commercial web sites that collect personal identifying information would be required to comply with the four basic information practices required by the statute:

Notice/awareness

Choice/consent

Access/participation

Security/integrity

USA

The FTC does not want to enact legislation to address privacy at this time (July 1999 report), although this has changed in limited areas since September. The Federal Trade Commission appointed an advisory panel on online privacy policy, which had its first meeting last week. The US approach has never been blanket legislation but sector or problem area legislation. They dealt with obtaining information from children last year and enacted the new financial privacy law in November (Gramm-Leach-Bliley Act).

They are relying on industry groups and major companies (like IBM and Disney) that are taking the position that they will not advertise on sites that do not adhere to fair information practices.

USA

“Seal Programmes” are also gradually implementing enforcement mechanisms.

In the next year the FTC will hold public workshops; convene task forces; promote private sector business education; and examine the online privacy seal programmes (TRUSTe and BBBOnLine privacy seal programme).

USA

On April 19, 1999, the US Department of Commerce issued for review revised safe harbor principles and a set of 11 frequently asked questions (FAQs) in an effort to provide guidance to U.S. organizations that must comply with the European Union data privacy directive.

Under these principles, it is expected that data transmissions to U.S. companies that complied with the principles would not be subject to interference from the 15 European Commission member states. It is still unclear after 1 ½ years of negotiations whether it is acceptable to the EU.

Safe Harbor Principles

Notice: Inform individuals about:

The purposes for which it collects, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure.

In clear and conspicuous language before the organization uses such information for a purpose other than that for which it was originally collected or discloses it to a third party.

Choice: Where use is incompatible with the purpose for which it was originally collected or disclosed, opt out. For especially sensitive info (medical or religious) the individual would have to give explicit consent.

Onward transfer: An organization may only disclose personal information to third parties consistent with the principles of notice and choice or it may do so if it first either ascertains that the third party subscribes to the safe harbor principles or enters into a written agreement.

Safe Harbor Principles

Security: Must take reasonable measures.

Data integrity: An organization may only process personal information relevant to the purposes for which it has been gathered and take reasonable steps to ensure that data is accurate, complete, and current.

Access: Depends on the nature and sensitivity of the information collected, its intended uses, and the expense and difficulty of providing the individual with access to the information.

Enforcement: Must include mechanisms for assuring compliance with the safe harbor principles, recourse for individuals to whom the data relate affected by non-compliance with the principles, and consequences for the organization when the principles are not followed.

Canada

A discussion paper released January 26, 1998 by Industry Canada and the federal Department of Justice stated that “its directive has the potential to make the protection of personal information a major non-tariff trade barrier with Canada. Failure to provide adequate protection for personal information may put Canada at risk of having data flows from the European Union blocked. Without comprehensive data protection legislation, Canadian businesses may be forced to undertake individual contractual negotiations to show compliance with the EU rules. This process will be fraught with uncertainty and could become lengthy and expensive.”

Canada

Canada’s federal privacy legislation only applies to federal government departments, federal agencies and some federal crown corporations and does not apply to either the private sector or the provinces.

In order to not be affected by the privacy directive it was necessary for the federal government to enact legislation.

It is based on the Canadian Standards Association's Model Code for the Protection of Personal Information, which sets down principles for the protection of personal information in the private sector.

Canada

The Canadian House of Commons passed Bill C-6 on October 26, 1999 (formerly C-54). The bill, based on the Canadian Standards Association's Model Code for the Protection of Personal Information that set down principles for the protection of personal information in the private sector, received its third reading in the Senate on December 3, 1999. Because of concerns expressed by the health care sector regarding the definition of personal information, the Senate has introduced amendments clarifying the definition in respect to personal health information[1]. The amended bill should go back to the House of Commons on February 7, 2000. For more information pertaining to the amendments made by the Senate, see http://ecom.ic.gc.ca/english/documents/amend.pdf.

Canada

Attempt to recreate in cyberspace the same expectations of trust, confidence, and reliability that now exist in everyday commerce. A company will have to comply with the 10 principles set out in Schedule 1.

They relate to accountability, identifying purposes, consent, limiting collection, limiting use, disclosure & retention, accuracy, safeguards, openness, individual access, and challenging compliance.

Seal Programmes

Dedicated to building global trust and confidence in the internet through a third-party oversight "seal" programme.

The seal is awarded to web sites that adhere to established privacy principles and agree to comply with its oversight and consumer resolution process.

TRUSTe, BBBOnLine privacy seal programme, Webtrust not widely used outside USA or even N.A.

What Businesses Should Do Don’t Wait!!!

Familiarize themselves with the EU directive and any other legislation in US and Canada.

Evaluate their data collection and transmission practices.

What Businesses Should Do Don’t Wait!!!

With a moderate number of employees you can get specific consents signed now, although they cannot be compelled. Employees can select which data can be transferred.

Entities able to demonstrate objective, verifiable and effective mechanisms to ensure data protection are more likely to be allowed to engage in data transfers, and will be better positioned to challenge determinations of inadequacy if they occur.

Some categories of data transfers may be permitted because they fit within one of the directive's exceptions to Article 25.

What Businesses Should Do

Modify everyday data processing practices to reduce the risk of inadvertent violations.

Where practical, incorporate the directive's notice provisions into business practices.

Consider allocating risk between Bahamian and European entities contractually.

Existing contracts should be examined and supplemented or modified as appropriate.

What Businesses Should Do

Investigate the potential benefits and costs associated with establishing mainframes to archive information in Europe. This will allow disclosure of mass results that are not identifiable.

Self-regulation codes of conduct may serve as objective benchmarks to European officials assessing the security of data transfers.

Utilize the International Chamber of Commerce (ICC) model clauses for use in contracts involving transborder data flows.

Creating a Privacy Policy

Itemize the type of information collected.

How will the information be used?

List the ways in which the information will not be used.

State how the information collection benefits the customer (faster service for example).

What options does the user have about how their information will be used?

State how the customer can change or update their info.

Identify events that may precipitate a notification to the customer by the enterprise (court subpoenas for example).

Name the person who is assigned as the “data steward” in charge of adhering to company’s privacy policies.

State any situation in which your company denies or accepts liability.

Provide a procedure that allows the customer to order you to stop collecting data about him.

E&OE.

http://www.privacyexchange.org/legal/nat/omni/nol.html

Australia: Commonwealth Privacy Act

Austria: Data Protection Act

Belgium: Belgium Data Protection Act

Canada: Access to Information & Privacy Act

Czech Republic: Act on Protection of Personal Data in Information Systems

Denmark: Private Registers Act & Public Registers Act

Finland: Personal Data File Act

France: Act on Data Processing, Data Files and Individual Liberties

Germany: Federal Data Protection Act

Greece: Data Protection Act

Hong Kong: See State/Provincial Omnibus laws

Iceland: Act Concerning the Registration and Handling of Personal Data

Ireland: Data Protection Act

Isle of Man: Data Protection Act

Israel: Protection of Privacy Law

Italy: Processing of Personal Data Act

Japan: Law for the Protection of Computer Processed Data Held by Administrative Organs

Luxembourg: Act Regulating the Use of National Data in Data Processing

The Netherlands: Data Protection Act

New Zealand: Privacy Act

Norway: Personal Data Registers Act

Portugal: Law for the Protection of Personal Data with Regard to Automatic Processing

Russia: Information Computerization and Protection of Information, Participation in International Information Exchange

Spain: Data Protection Act

Sweden: Personal Data Protection Act

Switzerland: Federal Law on Personal Data

Taiwan: Computer Processed Personal Data Protection Law

United Kingdom: Data Protection Act 1998, July 1998.

Technological Solutions

Platform for privacy preferences (P3P)

Open Profiling Standard, or "OPS," developed by Netscape, Firefly and VeriSign

Anonymizers and Infomediaries

Secure electronic transfer transaction (SET)

Secure socket layer (SSL)

Some information that is collected about you when visiting a web site. (Please wait for analysis to complete, it may take 2 or 3 minutes)

Your IP address:***.***.***.***

Your computer name (if it has one):*****.****@.***

The system attempted to place the following persistent cookies on your system. Reload to see its value if it was accepted. (To view all the cookies on your system you can use Window's Magazine free 'Cookie Crumbs' software.):

Consumer.Net = (Expires on January 1, 2038), Visit date: (Expires = January 1, 2038).

No Cookie from this site is on your system from prior visits.

You linked from here (if you linked from another web page):

Your Browser Type and Operating System: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)

Your Screen Resolution:

Your screen width is : 800 pixels

Your screen height is : 600 pixels

Your viewable Width is : 740 pixels

Your viewable Height is : 462 pixels

Is JavaScript, VBScript, or JAVA enabled? Text will appear if these features are enabled. The JAVA window may not appear until the page finishes loading.

VBScript is enabled and working.

JavaScript is enabled and working.

JavaScript monitor information:

Screen resolution is 800x600

Screen available height is 600

Screen available width is 760

Screen color depth is 16

You have visited this many web pages this session in this window: 2

The date/time on your computer and time zone is: Wed Aug 18 11:55:14 EDT 1999

Time/date in your locale format: 08/18/1999 11:55:14

JAVA is not enabled.

You accept files of type (example: image/gif, '*' is wildcard): application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*.

TraceRoute from 100.000.000.000 (johndoe.net) to 100.000.00.000 (jd01-106.tor.does.ca)

IP Time TTL Host

1 ***.***.***.* 0 0 Valid name, no data record of requested type.

2 ***.***.***.* 10 92 ****.**********.**.**.**.psi.net

3 ***.**.* 191 92 ** ***..psi.net

4 **.*.*.* * 92 Request timed out.

5 ***.***.***.* 180 108 ****.******.******.net

6 ***.***.*.** 190 108 *****.***.*****.ca

7 ***.***.*.** * 108 Request timed out.

8 ***.***.*.* * 108 Request timed out.

9 ***.***.***.*** 391 122 ****-**.***.*****.ca


Does your browser give out your e-mail address?

Your FTP information was not captured in time or a proxy was used that uses a different IP address than the one that downloads this web page.

All information sent by your web browser when requesting this web page:

Accept: application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

Accept-Language: en-us

Connection: Keep-Alive

Host: www.privacy.net

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)

Accept-Encoding: gzip, deflate

Who registered your domain? (if computer name has a 'fully qualified' Internet name ending in .com, .net, .org, .uk, ... see list. For other domains look it up here):

Canada Whois web interface contacted: http://www.cdnnet.ca/regs/

Subdomain: *****.ca

Date-Received: 1995/10/03

Date-Approved: 1995/10/10

Date-Modified: 1999/03/03

Organization:*************

Type: For-Profit Corporation, Federally Incorporated

Description: **************

Admin-Name: *********

Admin-Title:*************

Admin-Postal:********************

Admin-Phone:

Admin-Fax:

Admin-Mailbox:

Tech-Name:

Tech-Title:

Tech-Postal:

Tech-Phone:

Tech-Fax:

Tech-Mailbox:

NS1-Hostname:

NS2-Hostname:

How is your domain configured?:

Who owns your network?

Netname:

Netnumber:

Coordinator:

Domain System inverse mapping provided by:

* * *..* * * *.CA ***.***.*** * * *.* * *.CA ***.***.**.* **************.CA ***.***.*.*

Record last updated on 04-May-99.

Database last updated on 17-Aug-99 16:18:17 EDT.

The ARIN Registration Services Host contains ONLY Internet Network Information: Networks, ASN's, and related POC's. Please use the whois server at rs.internic.net for DOMAIN related Information and nic.mil for NIPRNET Information.


Privacy Policy Statements

A Few Examples


Scholastic’s Online Privacy Policy

The following policy applies to the SCHOLASTIC.COM and SCHOLASTIC NETWORK sites.

Scholastic is committed to protecting the privacy and security of its online visitors. This policy statement provides our visitors (e.g., parents, teachers and children) with an overview of the measures we have taken to provide a safe environment for everyone.

PERSONALLY IDENTIFIABLE INFORMATION

We only collect personally identifiable information from our visitors when our visitors voluntarily submit such information and we always request that children ask their parents or teachers for approval before sending us any personally identifiable information. We may request such personally identifiable information in connection with our contests, sweepstakes, games, surveys, forums, subscription registrations, content submissions, chats, bulletin boards, requests for suggestions, visitors’ requests for free products or services (such as our magazines), and visitors’ requests for additional information. For example, we may collect the following personally identifiable information: the visitor’s name, e-mail address, age, and town.


In addition to Scholastic’s request that children ask their parents or teachers for approval before sending personally identifiable information to us, we also recommend that parents and teachers become involved in monitoring and supervising their children’s online activities, and recommend that parents and teachers become sophisticated in the availability and use of commercially available software and other tools that may enhance children’s online experiences in manners that reflect the preferences of parents and teachers.

Unless we indicate otherwise, personally identifiable information will be used solely by Scholastic or its agents for internal purposes, and will not be sold or otherwise transferred to third parties.

NON-PERSONALLY IDENTIFIABLE INFORMATION AND THE USE OF COOKIE TECHNOLOGY

We collect non-personally identifiable information through the use of a software technology called "cookies", and through our visitor’s voluntary submissions to us and/or upon our request. By non-personally identifiable information, we are referring to information about our visitor’s browser (e.g., Netscape Navigator or Internet Explorer), operating systems (e.g., Windows or Macintosh), Internet service providers (e.g., AOL or NET.COM) and other similar information which we track in aggregate form. This means that the non-personally identifiable information that we track is anonymous and will never be identified with or lead us back to any of our visitors. Cookie technology also helps us to know how many people visit us and where visitors go on our sites. Among other things, this non-personally identifiable information allows us to know which areas are favorites, which areas need a bit of improvement, or what technologies and Internet services are being used by our visitors so that we may continually improve our visitor’s online experiences.

SECURITY

Scholastic ensures that all information, personally and non-personally identifiable information, that it receives via the Internet is secure against unauthorized access. This information is kept in a safe and secure system isolated from direct connection to the Internet. This means that no eyes but ours will ever see the information that our visitors send to us, unless we indicate otherwise.


LINKS TO OTHER SITES

Visitors will find links from SCHOLASTIC.COM and SCHOLASTIC NETWORK to independently owned, controlled and/or managed World Wide Web sites whose content we have found of possible interest to our visitors. In many cases, the links represent cooperative projects or mutual links established with the organizations connected with these sites. While we initially visit these sites to which we directly link, please note that we do not control the content that appears on these sites and such content may be constantly changing. We recommend that children check with their parents or teachers before clicking off to any new sites.

Please note that we may revise our above policy as the content on our sites continues to change.

We hope that you enjoy and feel comfortable exploring our sites.


TM & © 1999-97 Scholastic Inc. All rights reserved.


Procter & Gamble Privacy Statement

Privacy Statement

General

Procter & Gamble respects the privacy of every individual who visits our websites or responds to our interactive advertisements. This Privacy Statement outlines the information Procter & Gamble will collect and how we will use that information. This Statement will also instruct you on what to do if you do not want your personal information collected or shared when you visit Procter & Gamble websites or respond to our advertisements.

Personally-Identifiable Information

Procter & Gamble will not collect any personally-identifiable information about you (that is, your name, address, telephone number, or email address) unless you provide it to us voluntarily.

If you do not want your personally-identifiable information collected, please do not submit it to us. If you have already submitted this information and would like for us to remove it from our records, please contact us at the Web site, listed at the bottom of this Statement. We will use reasonable efforts to delete your information from our existing files.

When you do provide us with personally-identifiable information, we may use that information in the following ways, unless stated otherwise: we may store and process that information to better understand your needs and how we can improve our products and services; we may use that information to contact you; and we may provide that information to third parties.


Children

Procter & Gamble has no intention of collecting any personally-identifiable information (that is, name, address, telephone number, or email address) from individuals under thirteen years of age. Where appropriate, Procter & Gamble will specifically instruct children not to submit such information on our websites or advertisements. If a child has provided us with personally-identifiable information, a parent or guardian of that child should contact us at the email address or phone number listed at the bottom of this Statement if they would like this information deleted from our records. We will use reasonable efforts to delete the child's information from our existing files.

Non-Personally-Identifiable Information Collected Automatically

In some cases, we may collect information about you that is not personally-identifiable. Examples of this type of information include the type of Internet Browser you are using, the type of computer operating system you are using, and the domain name of the website from which you linked to our site or advertisement.

Information We May Place Automatically On Your Computer's Hard Drive

When you view one of our websites or advertisements, we may store some information on your computer. This information will be in the form of a "Cookie" or similar file and will help us in many ways. For example, Cookies allow us to tailor a website or advertisement to better match your interests and preferences. With most Internet Browsers, you can erase Cookies from your computer hard drive, block all Cookies, or receive a warning before a Cookie is stored. Please refer to your Browser instructions or help screen to learn more about these functions.


Who to Contact

If you have submitted personally-identifiable information through a Procter & Gamble website or interactive advertisement, and would like that information deleted from our records, please select this Delete Personal Information link and provide us with the requested information. We will use reasonable efforts to delete this information from our existing files.

Further questions? Contact us at our email address, [email protected], or call us toll-free at 1-800-331-3774.


The McGraw-Hill Companies Customer Privacy Policy

The McGraw-Hill Companies recognizes the importance of protecting the privacy of Personally-Identifiable Information collected about you, our customers and prospects. Personally-Identifiable Information includes your e-mail address, employment status, and "click stream" data which tracks how you use an online service. We have adopted a corporate-wide Customer Privacy Policy that guides how we collect, store and use this Personally-Identifiable Information about our customers and prospects. Our intent is to balance our legitimate business interests in collecting and using this Information against your reasonable expectations of privacy. This Policy includes the following:

1. Notice. We will notify you as to the types of Personally-Identifiable-Information we are collecting about you as well as the uses we intend to make of that Information. For example, we need to collect and store your name, address, and other basic Personally-Identifiable Information to provide you with the service or product you requested and for billing purposes. This Information also enables us to develop and customize products to better meet your needs and preferences and to offer you products from both The McGraw-Hill Companies and other sources that may be of interest to you.

2. Collection and Security. We will only collect this type of Personally Identifiable Information to the extent deemed reasonably necessary to serve our legitimate business purposes and we will maintain appropriate safeguards to ensure the security, integrity and privacy of the Information.

3. Opt-Out. From time to time, we are approached by companies and organizations that produce a product or service that we believe may be of interest to you. We see this as a value-added service helping you to find products or services to help you work or play smarter. We will offer you the opportunity to "opt-out" of having your Personally-Identifiable Information shared with parties outside of The McGraw-Hill Companies.


4. Sensitive Data. If your relationship with us includes providing one of the Corporation's business units with Personally-Identifiable Information which is particularly "Sensitive", we will protect that information with extra care. We define Sensitive Data as including Social Security numbers, mother's maiden name, personal financial data such as salary-specific information, specific stock holdings and net worth, information regarding someone's specific medical condition and most information about children. There will be no external distribution of this Sensitive Data outside of The McGraw-Hill Companies. In addition, you may "opt out" of having this information shared among business units within the family of The McGraw-Hill Companies.

5. Questions and Concerns? Each business unit is in the process of designating someone to implement privacy protection for that unit's customers and prospects. You soon will find a contact name listed on each Web site and in many of our print products.

6. Review and Correction. In the near future, you will be able to request a copy of the Personally-Identifiable Information a business unit has collected about you, and request changes if you find it inaccurate.