Intellectual Property
October 2002 VOL. 42, NO. 1
Statements or expressions of opinion or comments appearing herein are those of the editors or contributors, and not necessarily those of the association or section.
(Notice to librarians: The following issues were published in Volume 41 of this newsletter during the fiscal year ending June 30, 2002: December, No. 1; January, No. 2; April, No. 3; June, No. 4.)
Contents
The law of privacy: past, present and future
By Aaron Brooks <abrooks@holmstrom-kennedy.com>
Copyright © Aaron Brooks 2002.
I. Introduction
Studies indicate that 92 percent of consumers are concerned about the misuse of their personal information online, and that concern is estimated to result in potential losses of up to $20 billion by 2002.1 If consumer confidence in electronic commerce is permitted to erode, we risk losing the most dramatic economic revolution of our time.2
Consumer concerns over online privacy are probably legitimate. Common sense dictates that when the practical barriers to conducting business online are reduced, the ability of criminals to steal our identities naturally increases. As stated by the Illinois Legislature:
The widespread availability and unauthorized access to personal identification information have led and will lead to a substantial increase in identity theft related crimes.3
In fact, victim reports bear out this concern; according to a recent report, the FTC processed over 97,000 identity theft complaints between November 1, 1999 and June 1, 2001.4
In short, there can be no doubt that technology and the ingenuity of criminals have outpaced the law of privacy. The time has come for every lawyer to gain a fundamental understanding of where privacy law stands today, and where it must stand tomorrow.
II. Existing privacy protection
The law of privacy has five distinct elements: traditional common law rules, state law, federal law, self-regulation, and administrative action by the Federal Trade Commission. The impact and limitations of each of these elements is detailed below.
A. Illinois common law privacy protection
The oldest and most fundamental form of privacy protection is the common law tort known as invasion of privacy. Leopold v. Levin5 was the first Illinois Supreme Court case to recognize invasion of privacy as a tort in Illinois. Summarizing the previous Illinois cases, as well as common law from other jurisdictions, the court stated:
There should be recognition of a right of privacy, a right many years ago described in a limited fashion by Judge Cooley with utter simplicity as the right "to be let alone." Privacy is one of the sensitive and necessary human values and undeniably there are circumstances under which it should enjoy the protection of law.
Since Leopold, Illinois courts have expanded the right of privacy considerably. In Midwest Glass Co. v. Stanford Development Co.6, the Court focused upon Prosser's analysis of the right of privacy, which has also been adopted by the Second Restatement of Torts. Under Prosser's analysis and Midwest Glass, the "right of privacy" actually encompasses four distinct situations: (1) an unreasonable intrusion upon the seclusion of another; (2) the appropriation of another's name; (3) a public disclosure of private facts; and (4) publicity which unreasonably places another in a false light before the public. It is well recognized that these four situations define the common law right of privacy in Illinois.7
1. Unreasonable intrusion upon seclusion of another. Prior to 1986, Illinois courts rejected causes of action for unreasonable intrusion upon the seclusion of another. 8 Melvin v. Burling9 was the first Illinois case to break this trend. Later, in Dwyer v. American Express Co.,10 the First District applied the Melvin test without acknowledging its validity, noting that the Illinois Supreme Court had not yet recognized intrusion upon seclusion as a tort in Illinois.
Under Dwyer and Melvin, the tort of intrusion upon seclusion has four factors: (1) an unauthorized intrusion or prying into the plaintiff's seclusion; (2) the intrusion must be offensive or objectionable to a reasonable person; (3) the matter upon which the intrusion occurs must be private; and (4) the intrusion must cause anguish and suffering. Given the past reluctance of courts to accept this tort, there is very little case law to flush out the meaning of each factor. In Melvin, the court found that a complaint stated a prima facie case of intrusion upon seclusion where the defendant had intentionally ordered merchandise in the plaintiff's name. Defendant's behavior caused plaintiff to receive numerous items through the mail which he had not ordered, together with later demands for payment. By contrast, in Dwyer, the court held that a plaintiff failed to state a cause of action where a credit card company sold a list of the names and addresses of its customers to a third party. The court held that the first element of the tort was not met because the plaintiff voluntarily gave the information to the credit card company.
2. Appropriation of another's name. Originally, the tort of appropriation constituted the entire cause of action for invasion of privacy in Illinois. According to the Illinois Supreme Court, the first appellate court case to recognize the tort of appropriation, as well as the common law right of privacy in general, was Eick v. Perk Dog Food Co.11 In that case, a plaintiff alleged that the defendant used her photograph without permission in an advertisement promoting the sale of dog food. The plaintiff alleged that such use caused her to suffer humiliation and mental anguish. The court upheld the claim because, in Illinois, one cannot use another's image for commercial purposes without that person's consent.12
Under the Restatement of Torts (Second), '652(c), the elements of appropriation are: (1) appropriation, (2) without one's consent; (3) of one's name or likeness; (4) for another's use or benefit. In the Dwyer decision, discussed above, the court held that a credit card company which sold the names of its customers as a list could not be sued for appropriation because, although the aggregate list of names was valuable to the company, a single, random cardholder's name had little or no intrinsic value. Thus, according to the Dwyer court, the use or benefit derived must be due to the specific appropriation, not the aggregate result of multiple appropriations.
Note that courts do not necessarily focus on the literal meaning of the words "name or likeness"; rather they focus on whether the plaintiff's identity has been appropriated for commercial use. For example, in Carson v. Here's Johnny Portable Toilets, Inc.,13 Johnny Carson sued a toilet manufacturer for appropriation of the phrase "Here's Johnny." The defendant argued that the elements of appropriation were not met because the phrase "Here's Johnny" did not constitute Johnny Carson's "name or likeness." The court dismissed the defendant's objection, stating that "all that is required is that the name clearly identify the wronged person." Similarly, in White v. Samsung Electronics America, Inc.,14 the court held that a robot resembling Vanna White clearly identified her, and therefore, appropriated her likeness.
3. Public disclosure of private facts. Miller v. Motorola, Inc.15 is the seminal case in Illinois defining the tort of public disclosure of private facts.16 Under Miller, a plaintiff must allege the following elements to state a cause of action: (1) the defendant published facts about the plaintiff; (2) the published facts were private prior to the publication; and (3) the matter published was such that the publicity would be highly offensive to a reasonable person. In Miller, an employee sued her employer because he told the employee's co-workers that she had undergone mastectomy surgery. In holding for the plaintiff, the court flushed out two important aspects of this tort. First, the court clarified that the term "public" must be judged in light of the relationship between the plaintiff and the people to whom the disclosure is made. In other words, the disclosure need not be widespread, it need only be made to those who stand within the plaintiff's sphere of privacy. Second, the question of whether the disclosure would be highly objectionable to a reasonable person must be decided by the finder of fact and not as a matter of law. Thus, the third element of the tort cannot be rejected in a dispositive motion.
4. Publication in a false light. In Kolegas v. Heftel Broadcasting Corp.,17 the Illinois Supreme Court defined the elements of the tort of publication in a false light as follows: (1) the plaintiff must have been placed in a false light before the public as a result of the defendant's actions; (2) the false light would be highly offensive to a reasonable person; and (3) the defendant acted with actual malice, that is, with knowledge that the statements were false, or with reckless disregard for the truth or falsity of the statements. This tort is similar to a cause of action for defamation; in fact, the Kolegas court found that the plaintiff's actions satisfied both the elements of defamation and publication in a false light. The difference between the two actions is the focus of the harm. The principle focus of the false light tort is the creation of a false impression in the mind of third parties, which is frequently not enough to support defamation. Thus, the false light tort provides an alternate remedy for unreasonable and highly objectionable publicity which would not be actionable under an action for defamation.18
B. Illinois state law
The statutory law of privacy in Illinois consists of a group of eight laws designed to provide very specific protection over certain kinds of information or activities. There is no law in Illinois which is designed to comprehensively address consumer privacy concerns outside these specific scenarios.
1. The Right of Publicity Act. The Illinois Right of Publicity Act19 is essentially a codification of Eick v. Perk Dog Food Co., described above. Under this Act, one's right of publicity is described as "the right to control and to choose whether and how to use an individual's identity for commercial purposes."20 This statutory right is fully transferable, even by will or intestate succession. Certain activities are outside the scope of the statute; for example, an individual may be portrayed in a film or musical without violating the Act, so long as the film or musical is not itself a commercial advertisement. One who violates the Act may be liable for either actual damages or a flat fine of $1,000, whichever is greater. The Act also provides plaintiffs with a chance to receive punitive damages, attorney fees and injunctive relief.
2. The Right To Privacy in the Workplace Act. Despite its comprehensive-sounding title, the Illinois Right To Privacy in the Workplace Act21 has a very limited scope. It prohibits employers from doing two things: (1) discharging or refusing to hire an employee because of his or her use of lawful products, such as alcohol or tobacco; and (2) asking potential employees whether they have ever filed a claim for benefits under the Workers' Compensation Act or Workers' Occupational Diseases Act. With respect to use of lawful products, the Act does not apply if the employer is an organization whose primary purpose is to discourage use of the lawful product. The Act also does not apply to use of lawful products that impair an employee's ability to perform his or her duties.
3. Section 2-123 of the Illinois Vehicle Code. Section 2-123 of the Illinois Vehicle Code22 was amended, effective July 1, 2001, in response to the federal Drivers Protection Act.23 This amendment prevents the Secretary of State from disclosing to any person or entity any personally identifying information obtained by the Secretary of State in connection with a driver's license, vehicle or title registration record, unless the information is disclosed under one of 13 limited exceptions. The Act defines "personally identifying information" as any information that identifies an individual, including his or her photograph, social security number, driver identification number, name, address, phone number and medical or disability information. This statute signifies an important trend in privacy law which requires information gatherers to convince consumers to opt-in to the gathering program, rather than the traditional approach of requiring consumers to opt-out.
4. Financial Identity Theft and Asset Forfeiture Law. The Illinois Financial Identity Theft and Asset Forfeiture Law24 attempts to secure privacy through deterrence, rather than secrecy. It defines "financial identity theft" as the use of any personal identifying information of another person to obtain credit, money, goods, services or other property in the name of the other person. "Personal identifying information" can include virtually any kind of private knowledge or possession, such as a phone number, social security number, PIN, or maiden name of the person's mother. The punishment for identity theft under the Act depends upon the value of the benefit received by the perpetrator. For example, if the value received is less than $300, the crime is a Class A misdemeanor, but if the value received is more than $100,000, the crime is a Class 1 felony.
5. The Medical Patient Rights Act. The Illinois Medical Patient Rights Act25 provides a limited amount of protection for medical treatment information. Section 3(d) of the act requires each physician, health care provider, health services corporation and insurance company to "refrain from disclosing the nature or details of services provided to patients." The Act provides exceptions for various disclosures, such as those necessary to comply with the Abused and Neglected Child Reporting Act or the Illinois Sexually Transmittable Disease Control Act. The Act also permits patients to waive their privacy rights, but health care providers cannot condition treatment upon such a waiver. As discussed in more detail below, this Act will soon be vastly overshadowed by the complex and comprehensive "Administrative Simplification Regulations" under the Health Insurance Portability and Accountability Act.
6. The Genetic Information Privacy Act. The Illinois Genetic Information Privacy Act26 was written to eliminate any deterrence to an individual seeking testing to discover abnormalities or deficiencies in a genetic structure. The Act prevents such information from being released to any party, even under a court order to release such information. The Act provides an exception for genetic evidence obtained by a peace officer in a criminal investigation or for judicial proceedings under the Illinois Parentage Act of 1984; however, each exception limits the use of such information to that necessary for identification purposes.
7. The Communications Consumer Privacy Act. The Illinois Communications Consumer Privacy Act27 makes it unlawful for a communications company to (1) install visual or aural surveillance equipment in the home of a subscriber; (2) distribute a list containing the name of a subscriber without first giving notice to the subscriber; (3) disclose the television viewing habits of a subscriber; or (4) install or maintain a home-protection scanning device in the home of a subscriber. The Act permits a subscriber to waive these prohibitions. The maximum fine for violation of the Act is $10,000. The Act also includes a private right of action for subscribers.
8. The eavesdropping statute. Section 14-1 of the Illinois Criminal Code28 sets forth a detailed prohibition on eavesdropping. An "eavesdropping device" is defined as:
Any device capable of being used to hear or record oral conversation or intercept, retain, or transcribe electronic communications whether such conversation or electronic communication is conducted in person, by telephone, or by any other means; provided, however, that this definition shall not include devices used for the restoration of the deaf or hard-of-hearing to normal or partial hearing.
An "eavesdropper" is defined simply as any person who uses an eavesdropping device contrary to the provisions of the Act. The offense of eavesdropping, therefore, occurs whenever a person knowingly and intentionally uses an eavesdropping device to hear or record all or any part of any conversation. The first offense of eavesdropping is a Class 4 felony.
C. Federal law.
More than a dozen statutes define the federal law of privacy; however, like Illinois state law, there is no comprehensive federal law which protects the privacy of consumers. Nonetheless, four federal statutes are illustrative of a new way of thinking about privacy, and represent a fundamental expansion and redefining of the "right to be left alone."
1. The Electronic Communications Privacy Act of 1986. The Electronic Communications Privacy Act (ECPA)29 was originally enacted in response to perceived limitations in previous federal wiretapping legislation.30 ECPA applies to wire, oral and electronic communications, and prohibits both the interception and unauthorized access to stored communications. The distinction (and the importance of the distinction) between interception and unauthorized access was thoroughly discussed in Steve Jackson Games, Inc. v. U.S. Secret Service,31 where the court found that e-mail would generally be analyzed under the stored communications provisions of the Act. Steve Jackson Games has made ECPA the foundation for e-mail privacy issues in the workplace.32
2. The Health Insurance Portability and Accountability Act of 1996. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)33 may be the most sweeping influence on the medical community since Y2K. One provision of HIPPA required Congress to enact comprehensive privacy legislation to protect medical records and other personal health information. Since Congress did not enact legislation by 1999, the default provisions of HIPAA required the Department of Health and Human Services to issue detailed health privacy regulations. As of this writing, the HIPAA regulations must be complied with by April 14, 2003.34
The HIPAA regulations are divided into two basic parts: security requirements and privacy standards. Both sets of standards apply to "individually identifiable health information." The security requirements regulate the administrative, physical and technical efforts a covered entity must make to protect the integrity of health information stored in a database or transmitted over a network. By contrast, the privacy standards regulate the ability of a covered entity to disclose health information.
While they are specific to medical privacy, the HIPAA regulations set forth an important concept for privacy theory in general, known as "De-Identified Information." Under the regulations, Health information that does not identify an individual, and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual, is known as De-Identified Information and is not subject to the privacy standards under HIPAA. In order to create De-Identified Information, a covered entity must remove 18 specific identifiers, the totality of which illustrate a new paradigm for what constitutes private information.35 In other words, the concept of De-Identified Information illustrates how the burden of defining what is private has moved from the individual to the information collector, illustrating a major philosophical shift between the traditional American notion of privacy ("the right to be left alone") and the European notion of privacy, which focuses on the protection of personal data.36 It is this author's opinion that the latter view must be adopted in a comprehensive federal legislative package to meaningfully secure privacy for consumers in the Information Age.
3. The Gramm-Leach-Bliley Act. Enacted on November 12, 1999, the Gramm-Leach-Bliley Act (the GLB Act)37 establishes rules for financial institutions to deal with the private information of their customers. A "financial institution" is any entity which is significantly engaged in "financial activities," as that term is defined in the Bank Holding Company Act.38 Mortgage lenders, collection agencies, check cashers, and auto dealers that lease or finance are some examples of entities which are engaged in financial activities. However, determination of who is and who is not significantly engaged in financial activities will require a court to apply a flexible standard that takes in all the facts and circumstances.
Institutions that are subject to the Act must provide a privacy notice to their customers at the time the customer relationship is established, and annually thereafter for the life of the relationship. Subject to specific exceptions, they must also give the customer an opportunity to opt-out of any sharing of their nonpublic personal information with non-affiliated third parties. Essentially, the GLB Act prevents financial institutions from disclosing nonpublic information about their customers without first giving notice of the disclosure and allowing the customer to opt-out of the disclosure. The official compliance date for the GLB Act was July 1, 2001.