Does Law Matter Online? Empirical Evidence on Privacy Law Compliance
48 Pages. Posted: 20 Aug 2009. Last revised: 1 Feb 2014
Date Written: August 18, 2009
Does law matter in the information environment? What can we learn from the experience of applying a particular legal regime to the online environment? Informational privacy (or, in European terms, data protection) provides an excellent illustration of the challenges faced by regulators who seek to secure rights and shape the behavior of online players.
A comprehensive study of Israeli websites’ compliance with information privacy regulation during 2003 and 2006 provides insight into some of these challenges. The study examined the Information Privacy Practices of 1360 active websites, i.e. the extent to which these sites comply with applicable legal requirements related to information privacy, and their other privacy-related practices. Information Practices were explored on three levels: first, we examined the legal requirements which apply to each Information Practice under current Israeli law (legal analysis); second, we analyzed the declared privacy policies posted on each website; and third, we studied the actual Information Practices executed by each website as to data security.
The findings show that websites perform poorly and have a low level of compliance with the legal requirements. Most websites do not provide privacy protection to users at the level required by the law. Websites routinely collect personal data from users, although the practice of collecting data is slightly lower among commercial and organizational websites than in other categories.
Among public and private sector websites, compliance was relatively low: from 16% to 22% of the websites that collect personal data gave users some sort of notice. The popular and sensitive websites, commercially owned by large corporations, had substantially better levels of compliance, while the most popular websites had the lowest number of violations.
The overall picture that emerges from the findings is one in which the law seems to have only a relatively minor role in shaping users' privacy experience online, with other forces and factors clearly at play. The findings may further suggest that information privacy regulation is most effective with commercial enterprises, which are better able to acquire legal advice and respond to potential legal liability. It is less effective with small enterprises and/or individual users who operate websites, because they usually cannot afford the somewhat sophisticated legal counsel that is required for establishing and maintaining a data protection policy. This is a troublesome conclusion, given the increasing threats to the privacy of users in the Web 2.0 environment.
Subsequently, the findings suggest that data protection regulation may not create one legal measure that fits all. Regulating the online behavior of various players may require tailored regulatory measures.
Keywords: privacy, data protection, information, informational privacy, user generated content, Israel