The European Union has ordered its member states to implement a cookie law. This directive on internet privacy, which required websites to provide user opt-in before they could install cookies on any user’s computer, was approved in November 2009.

After two years of its implementation, the specific requirement for cookie opt-out has yet to be clarified. Those who have implemented this directive are confused themselves over what would really constitute an opt-out requirement. A meeting was held among the group members in an attempt to clarify things. Members say that the user’s decision to visit the website is in itself an indication that he or she agrees with the website’s practices. However, those who are directly involved with the implementation believe that there should be a clear opt-in process.

The main reason why some are not resolved to the idea of the directive is that it will cause a little disruption to users. Nowadays, websites have sponsors that automatically store cookies on a person’s computer. When the directive is implemented, pop-up windows would repeatedly appear on the user’s screen. These windows would be asking for the user’s permission to store cookies. This means that if a website is sponsored by nine companies, there would be nine pop-up windows that would all ask the same question. This would happen every time a user opens a website.

Privacy concerns were heightened after another breach against patients’ hospital records was committed. It was found that thousands of emergency room patients’ information was posted on an internet site. A New York Times confirmed report said that the data belonged to Stanford Hospital in California. Still, it cannot be determined how this data was stolen or who stole it.

It was only last month when the breach was discovered, but the information has been on a commercial website for almost a year already. It was also confirmed that the information first appeared on that website on September 9, 2010. Consequently, it is not easy for hospital officials to tell precisely who committed the crime. Because there are many third parties who can actually have access to this hospital data, an investigation has to be conducted.

There are already laws that require companies to publicly disclose any data breach. In the hope that the laws would be effective, heavy fines are also imposed. Experts on medical security blame the incident on the presence of too many outside contractors that gain access to private hospital information.

Many internet users do not know that they could be put in jail for faking their personal information on the internet. With this information, Facebook users may have to think many times before providing any false information on their account. This may sound ridiculous, but there have been several cases where users were penalized for violating the “terms of use” of the websites that they visit.

The U.S. Congress is now bent on expanding the scope of laws that pertain to “cybersecurity”. There is already in place the so-called Computer Fraud and Abuse Act passed in 1986. It mainly deals with the laws that pertain to computer hacking. Ever since, its provisions have been periodically broadened, and it now extends far beyond hacking.

At present, the law considers it a criminal act for any user to exceed “authorized access”. This means that users are limited within the terms and conditions stipulated by the website’s owner. Beyond these, the user faces a criminal liability, especially if the violations are committed within a workplace environment.

With the increase in data breach cases, businesses have to do something when their customers’ email addresses are stolen or lost. Such incidents might involve legal obligation to immediately inform their customers about the data breach. This new development in the privacy arena is a kind of wake-up call to businesses and CIOs.

Policies are changing in the way businesses are held liable for the protection of personal information. There is an extended range for the requirement of public disclosure for data breaches. It is happening so fast that it seems difficult for many businesses to keep up. They are one in raising the question about which kind of data breach legally needs public disclosure.

Some time ago, businesses and CIOs were only concerned with “personally identifiable information”. This means that if a company does not collect information that can identify or be traced back to a person, it has no obligation to disclose any loss of customer data. But when a business gathers customer data such as bank account number, Social Security number, medical information and more, that company has the duty to notify the owner of the information of any data breach.

In the course of their daily work, employees cannot avoid using their company’s IT facilities to send and receive private emails. These are aside from the business-related ones which are considered official. Emails received by employees might stay in their inbox for an indefinite period of time, but being private, it is understood that only the concerned employee is entitled to read them.

The issue with this situation arises when an employer needs to access an employee’s email account during the employee’s prolonged unavailability or absence. Legal implications have been associated with employers opening their employee’s emails. Early this year, the German Higher Labor Court ruled that employers have the right to access and review an employee’s work-related email correspondence. It said that the provisions of the “secrecy of telecommunications” do not apply in this case. The employer cannot be considered a “provider of telecommunication services” although the employee was permitted to use the employer’s email facilities.

One case involved an employee who was absent from work due to a long-term illness. The employer, despite repeated attempts, was unable to obtain the employee’s consent. The employer then opened the employee’s email account, but did not open those emails marked “private”. The employer did this in the presence of two qualified witnesses, and only the employee’s emails that were business-related were read and printed.

MSN decided to reassess its use of “supercookies” as a new tracking tool. Actually, the company announced that it has stopped its secret tracking of users’ online behavior. The company investigated the code immediately after researchers brought the matter to its attention, as announced by Microsoft’s Associate General Counsel.

Findings were disclosed by researchers at Stanford University, identifying a “supercookie” that is capable of resurrecting users’ cookies after these were deleted. The results explained that the cookies persist even after a user deliberately deleted them. Users’ online behavior can still be monitored without their awareness. They presume that after they delete the cookies, everything is “safe”. Unfortunately, it is not so.

Users’ protests prompted MSN to respond quickly by disabling the code. Its remedial measures went further by giving reassurance to users about the company’s promise to uphold users’ privacy. It made clear that whatever users’ information was collected by using the code was made exclusive only to the company.

Today’s school curriculum includes some amount of internet access to students as part of the learning experience. To make sure that children stay within the safe parameters, each school issues an Internet Acceptable Use Policy. Parents and students, at the beginning of the school year, are required to sign this document. It contains and explains what the school expects of its students regarding internet use. It also enumerates the rules on how students should behave online along with the corresponding consequences of abuse.

Aside from the rules, the rights of staff members and students in using the school’s internet facilities might also be included. As a rule, all Acceptable Use Policies recognize the rights of students to benefit from technology and prevent issues of privacy. Parents need to play an important role to strengthen its implementation. They should know what goes on in school and how children are going to use the internet. To avoid unfounded fears, they should recognize that children are using it within the bounds of safety.

Parents should take time to talk about the policy with their children. Some students do not possess the maturity to fully grasp the meaning of these policies by themselves. Special attention should be given to those that might seem safe but are actually prohibited. Are there special rules when it comes to using emails? What constitutes a violation falling under harassment? Are students allowed to visit file-sharing sites or download music? What punishment would students face for cyber-bullying using the school’s computers? Parents should compare their children’s typical use of the internet at home against those things that are banned at school.