[Senate Report 107-240]
[From the U.S. Government Publishing Office]
Calendar No. 551
107th Congress Report
SENATE
2d Session 107-240
_______________________________________________________________________
ONLINE PERSONAL PRIVACY ACT
__________
R E P O R T
OF THE
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ON
S. 2201
together with
MINORITY VIEWS
August 1, 2002.--Ordered to be printed
__________
U.S. GOVERNMENT PRINTING OFFICE
99-010 WASHINGTON : 2002
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
one hundred seventh congress
second session
ERNEST F. HOLLINGS, South Carolina, Chairman
DANIEL K. INOUYE, Hawaii JOHN McCAIN, Arizona
JOHN D. ROCKEFELLER IV, West TED STEVENS, Alaska
Virginia CONRAD BURNS, Montana
JOHN F. KERRY, Massachusetts TRENT LOTT, Mississippi
JOHN B. BREAUX, Louisiana KAY BAILEY HUTCHISON, Texas
BYRON L. DORGAN, North Dakota OLYMPIA J. SNOWE, Maine
RON WYDEN, Oregon SAM BROWNBACK, Kansas
MAX CLELAND, Georgia GORDON SMITH, Oregon
BARBARA BOXER, California PETER G. FITZGERALD, Illinois
JOHN EDWARDS, North Carolina JOHN ENSIGN, Nevada
JEAN CARNAHAN, Missouri GEORGE ALLEN, Virginia
BILL NELSON, Florida
Kevin D. Kayes, Staff Director
Moses Boyd, Chief Counsel
Gregg Elias, General Counsel
Jeanne Bumpus, Republican Staff Director and General Counsel
Ann Begeman, Republican Deputy Staff Director
Calendar No. 551
107th Congress Report
SENATE
2d Session 107-240
======================================================================
ONLINE PERSONAL PRIVACY ACT
_______
August 1, 2002.--Ordered to be printed
_______
Mr. Hollings, from the Committee on Commerce, Science, and
Transportation, submitted the following
R E P O R T
together with
MINORITY VIEWS
[To accompany S. 2201]
The Committee on Commerce, Science, and Transportation, to
which was referred the bill (S. 2201) to protect the online
privacy of individuals who use the Internet, having considered
the same, reports favorably thereon with an amendment in the
nature of a substitute, and recommends that the bill as amended
do pass.
Purpose of the Bill
The purposes of this legislation, as reported, are to
create baseline privacy protections for individuals using the
Internet that promote privacy, boost consumer confidence, and
in turn promote e-commerce as more and more business is
conducted online. The privacy protections required in the bill
are designed to give individuals: notice of online entities'
privacy policies; chances to opt out or opt in to the
information practices described in those policies (depending on
the sensitivity of the personal information sought by the
online entities); reasonable access to personal information
collected by online entities; reasonable security for personal
information once collected; and a set of enforcement tools to
ensure compliance with this framework.
Background and Needs
CONSTITUTIONAL AND LEGAL PROTECTIONS OF PRIVACY
Government sanctioned protection of privacy has a long and
documented history in American legal and statutory
jurisprudence. Indeed, concerns about privacy protection date
back to the founding fathers, who evidenced their desire to
protect privacy in the Bill of Rights. The most notable example
in the U.S. Constitution resides in the Fourth Amendment's
prohibition of arbitrary searches and seizures of persons and
their property.
Recently, this doctrine was determined by the Supreme Court
to apply in a case where advanced technology enabled the police
to invade the privacy of an individual's home and conduct a
search without actually entering the premises. Specifically,
this matter was addressed in Kyllo v. United States, 533 U.S.
27, (2001), where the Supreme Court invalidated a search of a
suspect's home where the police used a thermal-imaging device
to search a suspect's residence for evidence that he was
growing marijuana.
In its 5-4 ruling, the Court declared that notions of privacy
must adapt as technology evolves noting that: ``It would be
foolish to contend that the degree of privacy secured to
citizens by the Fourth Amendment has been entirely unaffected
by the advance of technology. * * * The question we confront
today is what limits there are upon this power of technology to
shrink the realm of guaranteed privacy.'' 533 U.S. at 33-34.
Notably, the Court concluded that limits must exist on the
ability of technology to infringe upon citizens' privacy.
Although the decision related to government action, it
nevertheless was the first decision to lay down a broad
principle as it concerns the relationship of privacy with
modern technology. The court stated: ``[T]here is a ready
criterion, with roots deep in the common law, of the minimal
expectation of privacy that exists, and that is acknowledged to
be reasonable. * * * We think that obtaining by sense-enhancing
technology any information regarding the interior of the home
that could not otherwise have been obtained without `physical
intrusion into a constitutionally protected area' * * *
constitutes a search * * *. This assures preservation of that
degree of privacy against government that existed when the
Fourth Amendment was adopted.''. Id. at 34 (quoting Silverman
v. United States, 365 U.S. 505, 512 (1961)).
Aside from the Fourth Amendment and the Bill of Rights, the
notion of a distinct legal right to privacy arose at the
conclusion of the 19th Century, as journalism and photography
combined to generate a desire for common law privacy rights.
Prominent 19th Century judges and lawyers popularized one
familiar definition of the right to privacy: ``the right to be
let alone,'' a phrase made famous by Justice Brandeis in
Olmstead v. United States, 277 U.S. 438, 478, (1928).
U.S. STATUTORY PROTECTIONS OF PRIVACY
Toward the close of the 20th Century, as people's personal
information was increasingly collected, profiled, and shared
for commercial purposes, and as technology advanced to
facilitate these practices, Congress passed numerous statutes
designed to protect privacy. Taken as a group, existing privacy
laws demonstrate that Congress typically requires privacy
protections when new technologies or industries begin to
threaten privacy. These laws apply to the government,
telephones, cable television, e-mail, video tape rentals, and
the Internet (with respect to children). Taken together, these
laws appear designed not to limit technology or stifle a new
business, but rather to ensure that certain types of
information collection are fair, transparent, and subject to
law. Brief summaries of many of these statutes are set forth
below (if noted, the statute provides for a private right of
action):
The Federal Wiretap Act of 1968, 18 U.S.C. 2510 et. seq.,
limits the monitoring of private communications.
The Fair Credit Reporting Act of 1970, 15 U.S.C. 1681 et
seq., limits the disclosure of information contained in credit
reports, requires the credit reporting agency to ensure the
information is correct and timely, and affords individuals the
right to inspect and correct their credit report.
The Privacy Act of 1974, 5 U.S.C. 552 et. seq., established a
legal framework for records collected by the Federal government
and responded to the concern raised by monitoring and
government use of automated databases.
The Cable Act of 1984, 47 U.S.C. 551 et seq., is the most
comprehensive law protecting privacy across a technological
medium. Specifically, it allows cable companies to disclose
names and subscriber lists only after affording users notice on
an annual basis and an opportunity to opt out of such
disclosure. Moreover, it prohibits the sharing of viewers'
viewing habits unless they provide notice on an annual basis
and obtain prior written or electronic consent (i.e. an opt-
in). The Act also grants reasonable access to personal
information collected and a reasonable opportunity to correct
that information. In addition, the statute requires cable
operators to destroy personal information if it is no longer
necessary for the purpose for which it was collected. Finally,
it provides for a private right of action to recover statutory
damages in the event of a violation.
The Video Privacy Protection Act of 1988, 18 U.S.C. 2701 et.
seq., prohibits sharing or sale of customer lists, unless
notice and an opportunity to opt out has been granted, and
prohibits sharing or sale of specific video viewing habits
without notice and prior consent (i.e. an opt-in). Although the
Act does not afford a right of access to information collected
about consumers, it does create a private right of action to
recover statutory damages in the event of a violation.
The Telephone Consumer Protection Act of 1991, 47 U.S.C. 152
et. seq., which prohibits telemarketers from contacting
individuals once they have asked not to be contacted, and
entirely prohibits companies from faxing commercial
solicitations to individuals with whom they have no prior
relationship. This law also provides for a private right of
action in the event of a violation.
The Telecommunications Act of 1996's Customer Proprietary
Network Information (CPNI) rules, 15 U.S.C. 79 et. seq., which
prohibits telephone companies from sharing information about
their customers' telephone usage without their approval.
The Children's Online Privacy Protection Act of 1998 (COPPA),
15 U.S.C. 6501 et. seq., which prohibits companies on the
Internet from collecting and using personal information about
children under 13 years of age without notice, and obtaining
prior consent (opt in) from parents. Parents can access
information collected about their children, and enforcement is
conducted by the Federal Trade Commission (FTC) and the
Attorneys General.
The Financial Services Modernization Act of 1999 (commonly
referred to as Gramm-Leach-Bliley), 12 U.S.C. 24a et. seq.,
which requires financial institutions to provide customers
notice and the opportunity to opt out of industry practices of
sharing their financial information with third parties.
The Health Insurance Portability and Accountability Act
(HIPAA), 42 U.S.C. 1320d et seq., requires health care
providers who transmit health information in electronic
transactions, health plans and health care clearinghouses to
(i) provide notice of all uses and disclosures of individually
identifiable health information transmitted in any form or
medium, whether oral, written, or electronic; (ii) obtain
prior, written consent (i.e. an opt-in) before using or
disclosing protected health information, except in certain
circumstances; (iii) provide access to individuals to review
data, request corrections and get accounting of all uses and
disclosures; and (iv) limit most disclosures, other than for
treatment, to only the ``minimum necessary'' for information.
HIPAA also sets forth rules for business associates of any
covered entity hired for collection or processing of protected
health information. Covered entities may use or disclose
protected health information without a consent or authorization
only if the use or disclosure comes within one of the listed
exceptions, such as for public health reasons, law enforcement,
research or to facilitate organ transplants. Exceptions are
also made for certain marketing purposes, but individuals must
be given notice and an opportunity to opt out.
S. 2201 overlaps with these existing statutes to varying
degrees since they all, with the exception of COPPA, apply to
information collected both online or offline. For example, a
cable company providing Internet access service or a financial
institution with a commercial website--while covered by this
legislation--also fall under the Cable Act of 1984, and the
Gramm-Leach-Bliley Act, respectively. This legislation
addresses these overlapping statutory regimes differently,
depending on the level of privacy protection in the prior
existing statute. Therefore, this legislation either preserves
or is reconciled with the pro-privacy provisions in the Cable
Act, the Telecommunications Act's CPNI rules, the Fair Credit
Reporting Act, and the Children's Online Privacy Protection
Act. On the other hand, this legislation largely supersedes,
with some exceptions, the privacy rules in Gramm-Leach-Bliley
and HIPAA, as discussed below, as they apply to the Internet.
Testimony before the Committee by consumer organizations has
demonstrated that the opt-out notices distributed pursuant to
Gramm-Leach-Bliley have failed to help consumers make an
informed choice in protecting their sensitive personally
identifiable information. Specifically, that testimony stated
that in many instances financial institutions have sent cover
letters professing their commitment to protect privacy, while
simultaneously attaching confusing notices explaining their
intent to share people's personal financial information with
numerous third parties. In many of these notices, it is also
difficult to determine how to opt out. Evidence of this lack of
protection warrants corrective measures to at least ensure
adequate privacy for sensitive personal financial information
on the Internet. The legislation reported by this Committee
would provide such protection.
With respect to sensitive personally identifiable health and
medical information, the final HIPAA rules were published on
December 28, 2000, and first went into effect on April 14,
2001. All covered entities (except small health plans that have
until 2004 to comply) must be in full compliance with the HIPAA
rules by April 14, 2003. HIPAA expressly permits the U.S.
Department of Health and Human Services (HHS) to review and
propose modifications to the rules annually. On March 27, 2002,
HHS published proposed rule modifications, many of which were
identified by HHS in its guidance on the privacy rules issued
in July 2001 as a result of five years of deliberation with
interested parties, including industry representatives,
academics and consumer advocates. Some consumer privacy
advocates have expressed concern over the impact of the
proposed revisions on the privacy afforded individuals'
sensitive health or medical information. Although these
proposed changes have not yet been adopted, the HIPAA rules
published in 2000 are still in effect and the compliance
deadline is unchanged. It is the opinion of a minority of the
Committee members that many of the provisions of S. 2201, if
enacted into law, would be in direct conflict with the HIPAA
rules, and a covered entity would be unable to comply with both
laws.
Because the health privacy rules that derived from HIPAA are
currently under review and subject to revision, the majority of
the Committee cannot conclusively determine at this time the
extent to which to preserve or reconcile those rules in this
legislation. It is the Committee's intent in all instances,
however, to permit legitimate business activity that
necessarily involves sharing of personally identifiable
information so long as such sharing is tied--even indirectly--
to the purpose for which the information was initially
proffered by the individual.
With respect to those industries that criticize this
legislation because it imposes overlapping, or distinct privacy
regimes, the Committee notes that compliance with this
legislation as to specific activities involving the collection
of personally identifiable information, in most instances, will
also result in compliance with most existing privacy laws in
place today.
THE EUROPEAN UNION PRIVACY DIRECTIVE AND THE EUROPEAN UNION SAFE HARBOR
In contrast to America's sectoral approach to protecting
privacy, Europe recently adopted a comprehensive and
overarching privacy protection regime that governs the entire
marketplace regardless of whether collection, use or disclosure
is online or offline. In 1995, the European Union authored a
directive requiring its individual member states to adopt laws
reflecting the Directive's privacy protections. The Directive
became effective on October 24, 1998. A substantial majority of
the 15 member states have adopted laws atleast as strong as the
Directive, although Sweden, Germany, and Great Britain have each called
for simpler, more flexible, and less prescriptive rules than the
present Directive. At a minimum, those laws in compliance with the
Directive obligate companies, in both their online and offline
practices, to provide: (1) notice; (2) an opt-out with respect to non-
sensitive commercial marketing of personal information; (3) an opt-in
with respect to sensitive personal information; (4) a right of access
to personal information collected; and (5) reasonable security
protections for that information.
To address U.S. industries' concerns about the application of
the Directive to American companies--and in particular their
fear that they might have to comply with 15 different member
state interpretations of the Directive--the Department of
Commerce developed a ``safe harbor'' set of requirements which
U.S. companies can meet to comply functionally with the
Directive in the member states. The Safe Harbor was approved by
the European Union in July 2000. So far, over 200 American
companies have signed up for the Safe Harbor, including major
companies that collect and use personal information such as
Microsoft, Intel, and Hewlett Packard. It should also be noted
that Axciom, one of the largest data collection and marketing
companies in the world, has signed up for the Safe Harbor.
Axciom has over 160 million names in its marketing databases.
Under the European Union Safe Harbor, companies must give
notice of their data collection practices and give individual
citizens in Europe an opportunity to opt-out of the use of
commercial marketing of personal information. Individuals must
give their prior, opt-in consent before companies can collect
and use sensitive personal information relating to ``racial or
ethnic origin, political opinions, religious or philosophical
beliefs, trade union membership, * * * or medical or health
conditions, or the sex life of the individual.'' Individuals
are granted a right of access to their personal information,
along with the ability to correct, amend, or delete it, so long
as the burden on the company is not disproportionate to the
risks to the individual's privacy. Companies must also provide
reasonable security to the personal information they have
collected. The Safe Harbor also prohibits the onward transfer
of personal information to third parties unless those parties
also adhere to the Safe Harbor, to the Directive as implemented
in the Member states, or to an agreement that they are
providing an equivalent level of privacy protection. The
Committee notes that S. 2201 would largely provide protections
to U.S. citizens using the Internet that are similar to those
already provided in Europe.
STATE LAWS ON INTERNET PRIVACY
In recent years, the 50 States have begun considering
numerous bills and regulations to protect individuals' privacy,
both on the Internet and off. This trend is accelerating as a
few of these privacy proposals are becoming law or progressing
toward enactment. Two of the more prominent recent examples
include the States of Vermont and Minnesota: Vermont, which now
prohibits the sharing of individuals' financial and medical
information without first obtaining their prior consent (opt-
in); and Minnesota, which recently enacted legislation
requiring that Internet service providers obtain consent from
individuals before sharing their personal information.
As momentum grows in the State legislatures and agencies
across America to regulate privacy, some companies that
previously opposed Federal legislation, though divided on the
appropriate approach, now support a uniform standard that
clearly preempts these various, inconsistent State laws.
BACKGROUND ON THE INTERNET
The Internet represents one of the most significant
technological advancements of the 20th Century. On the
Internet, data about almost any subject can often be accessed
in a matter of seconds. And, unlike other informational
sources, the Internet is virtually unrestricted by boundaries,
from a functional and economical perspective. Because of its
capacity for direct communications, as well as fast, detailed
data transfers, the Internet has become a highly attractive
medium for commercial enterprises, marketers, and consumers.
Today, consumers can avail themselves to a wide range of retail
products, a variety of services, such as banking and investing,
and innumerable research tools. According to marketing experts,
the Internet often allows consumers to search for and purchase
goods more efficiently than in the traditional, offline
marketplace.
While the Internet provides these advantages, it also poses
distinct risks, including a threat to the personal privacy of
users. For example, the Internet provides companies a platform
from which they can more efficiently monitor and track
interests than is possible in the ``offline,'' traditional
marketplace. This Internet profiling, which is achieved via the
recording of ``click-stream'' data, often may occur without an
individual's knowledge or consent. People's personal
information that is collected and compiled may be turned into
commercial profit as companies share, sell, and trade that
information in the Internet marketplace, and beyond.
Individuals' personal information and Internet habits are also
used to ``personalize'' their Internet experience, as companies
analyze and utilize that information to target those
individuals with a proliferation of banner advertisements,
marketing pitches, discounts, and promotions. Such
personalization and customization unquestionably can enhance
the Internet experience of individual users, even as it
simultaneously provides remunerative benefits to the
corporation that practices such personalization. Indeed, the
technologies used on the Internet can dramatically facilitate
consumers' experiences. These practices, however, raise privacy
concerns to the extent they are occurring without the informed
consent of Internet users.
It is estimated that over 105 million people in the U.S. are
now using the Internet on a regular basis. According to the
FTC, total online retail sales for 2000 were almost $26
billion, and fourth quarter 2000 online retail sales were $8.7
billion, an increase of 67 percent from the fourth quarter of
1999. According to Forrester Research, online retail sales are
predicted to reach $184 billion by 2004. Finally, Forrester
Research reported that the Internet failed to realize almost
$15 billion in revenues in 1999 due to users' concerns over
threats to their privacy.
Direct marketing solicitations have been accorded
constitutional protection as commercial speech and are not
novel, nor are they confined to the Internet. Rather, it has
been present in different forms for decades, involving methods
such as door to door sales, and more modern approaches such as
telemarketing and direct mail marketing (i.e. sending
catalogs). The unique quality of the Internet, however,
facilitates direct contact with a vast market of consumers more
expeditiously and enables the collection of a far greater
catalog of information about individuals than is possible in
the ``offline'' traditional marketplace. In the traditional
marketplace, information gathering typically occurs when
individuals engage in transactions that personally identifies
them (e.g., purchasing an item in a store with a credit card,
ordering an item from a catalogue, or subscribing to a
magazine). On the Internet, however, an individual's every
step--or to be more precise, every click--may be observable,
recordable, and compilable into an online profile, regardless
of whether or not he or she ever engages in any commercial
activity (e.g., researching stocks, looking up health
information, or simply browsing for items without buying them).
This is commonly referred to as ``click-stream'' data.
Providers of goods and services describe this distinction as
an advantage that allows them to market items to consumers more
personally (allowing for tailoring of services to fit
consumers' personal interest and needs), and often at a reduced
cost. Moreover, they allege that the collecting and
commercializing of either aggregate or specific personal
information can even be the difference that maintains a
website's viability and keeps the Internet predominantly free.
Some privacy advocates and academics believe that these claims,
while perhaps accurate for some web operations, are exaggerated
in light of analyst predictions about the Internet's
proliferation in coming years. Regardless, other economic
analysis suggest that the Internet also forgoes significant
revenues due to fears over personal privacy. Moreover, privacy
and consumer advocates argue that these activities should only
be countenanced if individuals have consented to the collection
and use of their personal information.
PERSONAL INFORMATION COLLECTED ON THE INTERNET
Personal information collected on the Internet ranges from
home telephone numbers and addresses, consumers' names and e-
mail addresses, as well as information such as social security
numbers, medical records and financial data. Typically, this
information is supplied by the consumer to the website during a
transaction or in return for free services. Other personal
information that may be collected includes buying habits,
research interests, and personal lifestyle preferences (i.e.
places of travel, social activities). There are several
important questions that are raised with respect to personal
information collected on the Internet. For example, are
companies collecting more personal data than necessary for a
given transaction, and is the information being sought for
alternative and additional purposes? Is the personal
information being safeguarded, so as to prevent access by other
parties? Or, is the data being shared for internal marketing or
profiling purposes, or with third parties, and if so, is such
sharing done with the knowledge and consent of the individual?
Finally, are entities collecting personal data directly from
the individual or through other sources and means unbeknownst
to the individual? It should be noted, however, that according
to the most recent survey of online privacy practices, the vast
majority of the most commonly visited websites now post privacy
policies with respect to how they collect, use and disclose
personal information.
TECHNOLOGY USED TO COLLECT INFORMATION ON THE INTERNET
Personal information can be gathered on the Internet in a
variety of ways. The simplest method utilizes collection from
the individual directly. Often the consumer is asked to provide
data for the purpose of completing a transaction or receiving a
service. As noted above, however, even if the data is provided
voluntarily, issues may subsequently arise as to whether that
data is used for purposes beyond those for which the
information was voluntarily granted. Online businesses can also
collect data without the consumer's knowledge, by directly
collecting it or by acquiring it from a third party that has
already collected the information.
Personal information can be collected without the user's
knowledge by technological devices commonly known as
``cookies.'' A cookie is a text file placed on a consumer's
hard drive by a company that can perform a variety of
information collection functions. For example, it enables the
functionality of a commercial website, such as shopping carts,
wish-lists, and other features preferred by many Internet
users. In addition, cookies may be used to store information
about which sites the consumer has visited on the Internet.
That information is then recoverable by the company that placed
the cookie. This tool gives web site operators one mechanism to
track consumers' online activities and gather information about
their personal interests and preferences. For example, when a
consumer visits a site operated by a company that placed a
cookie, the company is able to identify the user in order to
provide personalized features, such as e-mail for that user.
Some companies may also use the identifier to keep track of the
user's activities on that site. The information that is
recorded may include the number of visits to a particular site
and information surveyed. For those companies that use cookies
in this fashion, this mechanism facilitates the compilation of
profiles through click-stream data about individuals'
commercial and non-commercial, and potentially sensitive,
activities on the Internet.
In addition, technology known as ``web bugs'' is increasingly
deployed by companies on the Internet including ``network
advertisers'' (the companies that place banner advertisements
on web sites) to collect information about Internet users on
sites that may not even display banner advertisements. Web bugs
collect information in much the same manner as do cookies, but
less transparently given that a company can place them on sites
on which it does not have a visible presence.
Another recent phenomenon involves the use of software
installed on a user's personal computer, or downloaded by the
user off the Internet to track the user's activities online. In
such instances, the software has been transformed into
``spyware'' according to privacy advocates and is likely
tracking users and compiling a personal profile of them without
their knowledge or consent.
Indeed, individuals are generally unaware of the fact that a
third party, such as a network advertiser, may be reaching
through the website the individual has chosen to visit and
collecting information about their activities. Additionally,
even in situations where notices about cookies are provided to
users, some websites merely inform individuals that cookies are
harmless bits of data that help customize and personalize their
experience. While cookies themselves are not bad per se, and in
fact often improve a user's online experience, the use of
cookies to monitor individuals' activities across multiple
websites may undermine the efforts of consumers to protect
their privacy.
These collection technologies can amass, in addition to
personal information: the websites and web pages visited; the
time and duration of the visit; subjects researched as
evidenced through search terms typed in search engines, and
other queries; purchases made online; ``click-through''
responses to advertisements; and the previous page visited by
the particular individual. Once in possession of this
information, businesses may develop ``inferential'' or
``psychographic'' data--information that the business infers
about the individual based on the actual behavioral data that
has been captured. From this amassed data, elaborate inferences
may be drawn, and conclusions reached, that may or may not be
accurate with respect to the individual's interests, habits,
associations, and other traits.
A further concern is that even on those occasions when
information about the collection practices of network
advertisers is provided to individuals, this ``notice'' is
often supplied after data collection has begun. Thus, the
moment a user visits a website, multiple cookies could be
placed on the user's hard drive well before there has been any
chance to read a privacy policy and opt out of the collection
that has already begun. However, it should be noted that many
sites offer the user the ability to opt out of, and terminate,
previously-collected click-stream recordings.
Although technology is used to facilitate information
collection, the Committee recognizes that technology is also
used to create tools for consumers to protect their personally
identifiable information by allowing them to control whether,
and under what circumstances, they would permit its collection,
use, or disclosure. These technological tools are typically
software products or online services for consumers that provide
privacy protection in two general ways. One way is to prevent
the collection of personally identifiable information by
concealing, cloaking or decoupling the identity of the user
from their online activities. Consumers are increasingly taking
advantage of this kind of technology by installing software
such as ``personal'' firewalls on their home and laptop
computers to prevent harmful application downloads (like
information collection devices) and other intrusions from the
Internet, as well as to monitor and control the outflow to the
Internet of personal information stored on their computer.
Consumers also use software and online services (like
Anonymizer.com) to anonymously browse websites and new payment
mechanisms to purchase products and services online with cash-
like anonymity.
In addition to preventing personal information collection, a
second way privacy tools are used is to help consumers
understand and control how their information is used or shared
by the particular websites they visit. This approach takes
advantage of the increasing availability of ``machine-
readable'' privacy policies such as the Platform for Privacy
Preferences (P3P) format developed by the World Wide Web
Consortium. At its most basic level, P3P is a standardized set
of multiple-choice questions that websites answer about their
privacy policies and make available online in a computer-coded
format. These answers present a snapshot of how a website
handles personal information about its users. P3P-enabled
browsers, including the latest versions of both major web
browsers, can ``read'' this coded snapshot (if available at a
website) and automatically compare it to the privacy
preferences set by the consumer on the browser. The browser
warns consumers of any mismatch between their preferences and
the websites' policies and offers them choices on how to
proceed. Proponents of P3P assert that it enhances consumer
control of their personal information by putting privacy
policies where users can find them and in a form users can
easily understand. According to the Internet Education
Foundation, P3P is the leading machine-readable privacy policy
standard and has been implemented by approximately 40 of the
top 100 websites, all of the top web advertisers, and several
government agencies such as the FTC, the United States
Department of Commerce, and the United States Postal Service.
PUBLIC CONCERNS ABOUT PRIVACY
Numerous studies demonstrate that the misuse of personal
information that leads to a loss of privacy is the main concern
Americans have about using the Internet. A Harris Interactive
survey released in February 2002 listed the top three ``major
concerns'' that consumers expressed, with respect to privacy
and security on the Internet, as follows:
companies will provide their information to
other companies without their permission (75 percent);
online transactions may not be secure (75
percent); and
hackers could steal their personal data (69
percent).
Other analyses suggest that as many as 25 percent of all
Internet users give false personal information in order to
protect their identity and privacy online. In March 2000,
Business Week reported that 57 percent of Americans believe
that Congress should pass laws to govern how personal
information is collected and used on the Internet. And, in
August 2000, 86 percent of those surveyed by the Pew Research
Foundation voiced their support for opt-in protection as a
necessary component of any company's privacy policy. Perhaps
most surprisingly, a Harris Interactive survey commissioned by
Dell and the National Consumers League reported in October 2000
that ``more Americans are very concerned about their loss of
personal privacy (56 percent) than health care (54 percent),
crime (53 percent), and taxes (52 percent). * * * When asked
specifically about their online privacy,'' those polled ``were
most worried about websites providing their personal
information to others without their knowledge (64 percent) and
web sites collecting information about them without their
knowledge (59 percent). * * * 71 percent said it is absolutely
essential that companies ask consumers' permission before using
their personal information for any purpose other than the one
originally given.''
It should be noted, however, that despite professing concern
about online privacy, the percentage of people who bought
something online during the holiday season increased from 20
percent in 1998 to 55 percent in 2000, according to the
Competitive Enterprise Institute (CEI). Moreover, CEI noted
that while there were 4.9 million credit card transactions
online in 1997, this number had increased to 19.3 million by
the third quarter of 1999.
These concerns have not abated since the tragic terrorist
attacks of September 11, 2001. While Americans generally are
willing to forgo some privacy to assist law enforcement efforts
to monitor potential criminal and/or terrorist activities, that
willingness does not translate into a desire to allow increased
control over their personal information online so that
companies can collect, compile, commercialize and profit from
it. Some of the most prominent businesses on the Internet,
including Microsoft, Intel, Hewlett Packard, eBay.com,
Amazon.com, Alta Vista, Earthlink, the New York Times, and
Expedia, recognize this fact and offer consumers significant
privacy protections via opt-in consent regimes.
THE FTC AND INTERNET PRIVACY
The FTC is the Federal agency that possesses primary
jurisdiction over online privacy. This jurisdiction is derived
from the grant of authority to the Commission under section 5
of the Federal Trade Commission Act, which provides the FTC
authority over unfair and deceptive acts and practices
involving the marketing and sale of goods and services to
consumers in the U.S. marketplace. According to a 2000 report
by the FTC, matters concerning consumer privacy protection are
best governed by core ``Fair Information Practices'' principles
that have been in the discourse of the privacy debate for over
twenty years. They are: notice, choice, access, and security.
The FTC began its review of Internet privacy issues in April
1995. Since that time, the Commission has conducted several
major public workshops and hearings on the issue, including
summer workshops in 1996 and 1997. Based on the information
gathered through these sessions, and through independent
investigations, the Commission has produced three official
reports on online privacy. The first report, in 1998,
recommended self-regulation as a means of achieving consumer
privacy protection, while recommending legislation to protect
the privacy of children's information on the Internet. The
Children's Online Privacy Protection Act of 1998 (COPPA) was
Congress' response to this recommendation.
That legislation was enacted within four months of
introduction as part of the Omnibus Appropriations Act of 1998
[P.L. 105-277]. The Act requires companies to: (1) provide
parents notice of their information practices; (2) obtain prior
parental consent; (3) upon request, grant parents the option to
review the information; (4) provide parents the opportunity to
bar further use of information already collected; (5) limit
collection of personal data on a child to participation in a
game, or prize offer, and to information reasonably necessary
for the activity; and (6) establish procedures to protect the
security of the information. This law is in effect today and
was nearly unanimously supported by the Internet industry.
In 1999, the FTC issued its second Internet privacy report
and again urged industry to improve its performance in
voluntarily protecting consumer privacy on the Internet. The
FTC again called for self-regulation generally, but cautioned
that if industry did not dramatically improve upon its
performance, the Commission may recommend Internet privacy
legislation in the future. In May 2000, the FTC released its
third report on online privacy. For the first time, the
Commission concluded that self-regulation alone is not
sufficient to ensure adequate consumer privacy protection and
called for legislation that would codify the core ``Fair
Information Practices.'' Specifically, the FTC found that only
20 percent of a random sample of major commercial websites have
implemented all four fair information practices of notice,
choice, access, and security. And, even among the 100 most
popular U.S. commercial web sites, only 42 percent had
implemented these principles. The vote in favor of this
recommendation was 3-2. Commissioner Leary concurred in part
and dissented in part (recommending, among other things, more
narrow legislation that only requires notice but that covers
the online and offline marketplace). Commissioner Swindle
dissented on grounds that evidence existed showing consumers
were increasingly protected by industry self-regulatory efforts
and this process should not be inhibited prematurely by
regulation.
More recent figures obtained using the FTC's survey
methodology show significant improvement since the FTC's report
two years ago. A report of the Progress & Freedom Foundation,
released in March 2002, indicates that websites are collecting
less information (96 percent to 84 percent), using fewer third-
party cookies (78 percent to 48 percent), providing more
prominent and complete notices, providing consumers with more
choice in the use of personally identifiable information (77
percent to 93 percent), increasingly offering opt-in as opposed
to opt-out, and increasingly offering a combination of fair
information practice elements. Most importantly, it found that
99 percent of the 85 busiest websites had posted privacy
policies, and 80 percent of a random sample of websites had
done so as well. In fact, many prominent Internet industry
witnesses testified that their companies would already be in
compliance with this, or similar, legislation.
The 2000 FTC recommendation suggested setting forth: ``a
basic level of privacy protection for consumer-oriented
commercial websites. * * * Consumer-oriented commercial
websites that collect personal identifying information from or
about consumers online would be required to comply with the
four fair information practices by providing individuals: (1)
clear and conspicuous notice of their information practices;
(2) an ability to choose not to have their personal information
collected and used as described in that notice; (3) reasonable
access to information collected, including an opportunity to
correct or delete the information; and (4) reasonable security
to protect the information collected.''
While these were the legislative standards the FTC
recommended under former Chairman Pitofsky in its May 2000
report to Congress, these broad definitions would require
extensive FTC clarification in a rulemaking. The FTC has
considerable experiencein this complex area. For example, while
the FTC's Advisory Committee on Access and Security acknowledged, in an
internal report, that it could not reach a consensus on the extent to
which access and security requirements could or should be implemented,
in 2000, the FTC successfully implemented COPPA, and in the process
imposed reasonable access and security requirements on websites
collecting personal information from children online.
Following this recommendation, in July 2000, the FTC
concluded its two year survey of the Internet network
advertising industry (comprised of the companies that place
``banner advertisements'' on Internet sites). In doing so, the
FTC reached a settlement agreement with approximately 90
percent of the current members of the network advertising
industry. In that agreement, the network advertisers agreed to
provide notice of their profiling activities on the Internet.
Since the present Bush administration took office, the FTC
has departed from its pro-legislation stance. While
Commissioners Thompson and Anthony are on record supporting
varying degrees of legislation, FTC Chairman Muris and
Commissioner Swindle have publicly stated their opposition to
legislation at this time, preferring to focus on increased
enforcement of existing law. In a speech on October 4, 2001,
Chairman Muris laid out his view that: ``It is too soon to
conclude that we can fashion workable legislation to accomplish
[online privacy legislation's stated] goals. We need to develop
better information about how such legislation would work and
the costs and benefits it would generate. * * * I think there
is a great deal we can do under existing laws to protect
consumer privacy. * * * At this time we need more law
enforcement, not more laws.''
In letters dated April 24, 2002, each of the five FTC
Commissioners responded to an inquiry by Senator McCain asking
whether they believed privacy legislation was needed, and if
so, what it should contain. Senator McCain's inquiry also
requested their comments on the principal features of S. 2201.
The Commissioners' response letters were introduced into the
record at the April 25 hearing on the bill. Two of the five
Commissioners believe that legislation is needed at this time
and are supportive of the bill. Three Commissioners, including
Chairman Muris, express strong reservations about the
workability of the provisions of S. 2201 and whether any
legislation is needed in light of existing privacy law,
increased FTC enforcement, and industry efforts to improve
protections.
Although the Commissioners were not asked the question
specifically, each of their responses addressed the issue of
whether privacy legislation should apply only to online
businesses and information practices, or to both the online and
offline worlds equally. Four of the five Commissioners
concluded that any legislation addressing privacy should not
draw differences between online and offline privacy
protections. The majority of the Committee believes that S.
2201, as reported, responds to and addresses this fundamental
concern raised by the FTC.
POSITIONS OF CONSUMER PRIVACY ADVOCATES AS TO NEED FOR LEGISLATION
The primary consumer privacy advocacy groups include the
Consumers Union, the Center for Democracy and Technology, the
Electronic Privacy Information Center, and the Consumer
Federation of America. These groups support the contention that
legislation is needed to protect individuals' privacy on the
Internet. These groups argue that not all industry policies are
complete or reliable, which they assert is proven by recent
surveys and by a sampling of many online privacy policies.
Those consumer groups acknowledge that there are effective
self-regulatory efforts but believe those efforts are not
sufficient to prevent bad actors. Some of these groups also
argue that official uniform rules are needed to ensure industry
compliance with a core set of Fair Information Practices, which
can only be accomplished through legislation.
Legislative History
Senator Hollings introduced S. 2201, the ``Online Personal
Privacy Act,'' on April 18, 2002. The legislation was referred
to the Commerce Committee. The bill was originally cosponsored
by Senators Stevens, Inouye, Burns, Rockefeller, Kerry, Breaux,
Cleland, Carnahan, and Nelson. Senator Torricelli was
subsequently added as a cosponsor. This legislation represented
a compromised approach between three bills considered by the
Commerce Committee during the 106th Congress: S. 809,
introduced on April 15, 1999, by Senator Burns, and cosponsored
by Senators Wyden and Kohl; S. 2606, introduced on May 23,
2000, by Senator Hollings, and cosponsored by Senators Inouye,
Rockefeller, Breaux, Bryan, Cleland, Byrd, Kerrey, Edwards,
Feingold and Durbin; and S. 2928, introduced on July 26, 2000,
by Senator McCain and cosponsored by Senators Abraham, Kerry
and Boxer. The Commerce Committee also held four hearings on
the issue of Internet privacy in the 106th Congress to examine
the issue generally, as well as the three bills referenced
above. None of these bills were reported out of Committee.
On April 25, 2002, the Committee held a full Committee
hearing on S. 2201. Testimony was provided at the hearing by:
Marc Rotenburg of the Electronic Privacy Information Center;
Paul Misener, Vice President of Global Public Policy,
Amazon.Com; Barbara Lawler, the Chief Privacy Officer of
Hewlett-Packard; Frank Torres, of the Consumers Union; and John
Dugan, a law partner at Covington and Burling who testified on
behalf of the Financial Services Coordinating Council, the
association representing companies in the diversified financial
services industry. The Committee also received written
testimony from a number of other interested industry parties,
academics, consumer advocates, and the individual commissioners
at the FTC.
On May 17, 2002, the Committee ordered S. 2201 to be reported
favorably with an amendment in the nature of a substitute, and
three amendments thereto. The substitute amendment was offered
by the Chairman and contained the following major changes: (i)
incorporation of offline privacy provisions requiring the FTC
to recommend offline regulations and then implement those
regulationsif Congress fails to act to require a different
approach; (ii) incorporation of a safe harbor program to facilitate
compliance and enforcement of the legislation's requirements with
respect to operators and provide an affirmative defense for operators
in private litigation brought pursuant to the legislation; and (iii) a
revised right of action that provided for statutory damages only in the
event of violations involving sensitive personal information and either
fraudulent notice or disclosure of such information. Other clarifying
changes were included in the substitute amendment (some of which are
described below in the section-by-section analysis) to more accurately
reflect the intent of the legislation as introduced, and reconcile the
legislation with some existing privacy statutes to generally preserve
their existing pro-consumer privacy protections.
Two amendments were adopted to the substitute by voice votes
and one by unanimous consent. An amendment by Senator Brownback
was adopted to exempt from the legislation small businesses
that do not share personally identifiable information or
process such information. An amendment by Senator Nelson was
adopted that required operators covered by the legislation to
designate a privacy compliance officer. And an amendment by
Senator Allen was adopted, as amended by Senator Hollings, to
clarify that reasonable access requests by users should take
into account the need by operators to protect proprietary
information associated with the personal information they
possess about users.
Several amendments were defeated by roll call votes.
Senator McCain offered an amendment to ensure that equal
obligations were imposed on the collection, use and disclosure
of personally identifiable information both online and offline.
This online-offline amendment failed by a vote of 14-9.
Specifically, the amendment would have added a new section to
S. 2201 to clarify that nothing in the legislation could be
construed to impose different standards of care or obligations
on the collection, use or disclosure of personally identifiable
information online than were imposed offline. In order to
ensure that Federal regulations promulgated under the
legislation would meet this principle, the McCain amendment
would have suspended enforcement of the bill until online and
offline privacy regulations were imposed equally on all
persons. This amendment could have potentially postponed the
implementation and enforcement of the legislation indefinitely
because it might never be achievable for the FTC to implement
regulations covering both online and offline privacy to the
exact equivalent extent that would have been required by the
legislation had the McCain amendment passed.
An amendment offered by Senator Brownback that would have set
forth specific criteria by which operators could satisfy the
reasonable security requirements of title I failed by a vote of
14-9. Senator Brownback's amendment would have set out
parameters for companies to follow so that their security
procedures would be deemed to satisfy the bill's requirement of
reasonable security, ``without regard to whether such
procedures have prevented a breach of network security.''
An amendment offered by Senator Allen that would have
broadened the preemption provision in the legislation to
preempt State common law failed by a vote of 14-9. This
amendment would have eliminated common law rights of action for
individuals aggrieved by violations of the legislation where
the private right of action in the legislation would not
provide for recovery.
A second amendment offered by Senator Allen to eliminate the
private right of action failed by a vote of 15-8. The Committee
notes that the legislation only provides a private right of
action for individuals aggrieved by violations involving their
sensitive personally identifiable information in the cases of
disclosure of that information and/or fraudulent notice by
operators.
A third amendment offered by Senator Allen that would have
provided operators in compliance with any of 17 other Federal
privacy laws a safe harbor from inconsistent provisions of S.
2201 failed by a vote of 14-8.
Summary of Major Provisions
S. 2201 would provide a comprehensive approach to protecting
privacy on the Internet. The bill's approach would apply a core
set of Fair Information Practices principles which have been in
the public discourse about privacy for the better part of three
decades. These principles require a baseline of privacy
protection that includes providing individuals rights of
notice, consent, access, security and enforcement. The
legislation also would provide broad preemption of State
statutes, rules, or regulations that relate to the collection,
use, or disclosure of personally identifiable information
obtained through the Internet.
Title I of the legislation would set forth the rules
governing the collection and use of individuals' personally
identifiable information gathered online. These rules would
apply to Internet service providers, online service providers
or operators of commercial websites (hereinafter collectively
referred to as ``operators''), in addition to third parties
using such operators to collect information about users of an
Internet service or website. Specifically, the rules would
require operators to provide clear and conspicuous notice of
their collection and use practices with respect to personally
identifiable information. If the personally identifiable
information collected about the user is sensitive, operators
may not collect or use that information without first, or
contemporaneously, gaining the user's affirmative, opt-in
consent. If the personally identifiable information collected
about the user is not sensitive, operators may not collect or
use that information without first, or contemporaneously,
affording users robust notice of the intent to use the
information, and giving the user the opportunity to decline
consent via an opt-out mechanism. In addition, title I would
require operators to notify users if they make material changes
in their privacy policies or if their policy has been breached.
Title I also would provide for significant exceptions to the
legislation's notice and consent requirements in several
instances: (1) to protect the security or integrity of the
service or website, or ensure the safety, health, or life of
other people or property; (2) to conduct a transaction, deliver
a product or service, complete an arrangement for which the
user provided the information, or provide products, services,
or conduct activities integrally related to the transaction,
product, service, or arrangement sought by the user; and (3) to
comply with some of the Fair Credit Reporting Act's non-
marketing related provisions. Other exceptions include
appropriate disclosures to law enforcement entities, in court
proceedings, for emergency purposes to professional services
providers, and for some non-marketing business activities
permitted for financial institutions under the Financial
Services Modernization Act.
Finally, title I would require operators to grant users
reasonable access to their information once collected, and
provide users reasonable security for that information once
collected. The reasonableness of an access request shall be
based on balancing factors such as the sensitivity of the
information requested and the burden on the operator of
complying with the request. Operators would be permitted to
charge a small fee for such access not to exceed three dollars.
Title II would set forth the enforcement provisions in the
legislation, and generally allow enforcement by the FTC, the
State attorneys general, and individual rights of action.
First, it clarifies that any violation of title I is an unfair
or deceptive act or practice proscribed by section 5 of the
Federal Trade Commission Act. To the extent that operators
covered by the legislation are more typically regulated by
entities other than the FTC, title II grants those other
Federal authorities exclusive authority to enforce title I as
to those operators. To the extent a civil penalty is imposed on
an operator due to a violation of title I with respect to non-
sensitive personally identifiable information, the FTC is
authorized to hold the penalty in trust for distribution to
users aggrieve by the violation. Such payment could not exceed
$200 per user. This title also preserves the application of
section 222 of the Communications Act of 1934, and clarifies
that operators providing Internet services over cable
facilities are governed by this legislation with respect to
such services, rather than by the Cable Act of 1984. The
legislation would permit a State attorney general to bring a
civil action as parens patriae to enforce a violation of the
legislation on behalf of residents of the State in a district
court.
Title II would also create a process for the establishment of
safe harbor self-regulatory programs to provide operators with
some predictability as to their compliance with the
requirements of the legislation. The safe harbor provision
permits self-regulatory organizations and independent third
party verifiers to certify that operators are in compliance
with the Act. Such certifying entities will oversee companies'
compliance with the legislation, conduct random audits of those
companies, and alert the FTC of any non-compliance. In
addition, any company that is a member of a safe harbor program
will be entitled to an affirmative defense in a private right
of action permitted by this Act that is brought by individuals
aggrieved by a violation of the Act. A safe harbor will augment
FTC enforcement by enabling additional oversight of companies
subject to the requirements of the Act, while providing
companies greater certainty that their practices and procedures
are in fact compliant. A broader safe harbor is included for
small businesses, who are exempted from the requirements of the
legislation if they meet certain size requirements and do not
process personally identifiable information of consumers or
disclose such information for consideration to others.
Title II would also create a private right of action for
users to enforce violations of title I involving sensitive
personally identifiable information. With respect to violations
involving fraudulent notice or disclosure associated with
sensitive personally identifiable information, aggrieved
individuals may bring an action in an appropriate court in a
State to enjoin the violation, recover actual monetary loss
from the violation, or receive up to $500 in statutory damages,
whichever is greater, or both actions. With respect to other
violations of title I involving sensitive personally
identifiable information, aggrieved individuals may bring an
action in an appropriate court in a State to enjoin the
violation or recover actual monetary loss from the violation,
or both actions. In any right of action brought by individuals
under this legislation against operators, defendants would have
an affirmative defense if they have established and implemented
with due care reasonable practices and procedures to ensure
compliance and are deemed to be in compliance by a self-
regulatory organization or certified independent verification
organization pursuant to the safe harbor provision referenced
above.
Finally, title II would provide for whistleblower protection
for employees who notify Federal enforcement agencies or State
attorneys general as to violations of title I of the
legislation.
Title III would apply the legislation to Federal agencies and
requires the Senate Sergeant at Arms to develop regulations
setting forth a privacy policy for U.S. Senate offices.
Title IV contains miscellaneous provisions for the
legislation. A provision on definitions defines pertinent terms
for the legislation as described more fully in the section-by-
section analysis below. A provision requires the FTC to
initiate and complete a rulemaking for regulations to implement
title I within one year of enactment. A provision establishes
an effective date for the legislation one day after publication
of the FTC's final rule. And a provision requires the FTC to
report to Congress 18 months after enactment, and annually
thereafter as to: whether the Act is accomplishing its intended
purposes; whether pro-privacy technology is being used in the
marketplace to facilitate compliance; whether additional
legislation is needed; and whether the government can
facilitate the development of standard online privacy notices.
Finally, title IV would require the National Institute of
Standards and Technology to encourage technologies such as P3P
for protecting privacy online.
Title V would require the FTC to submit recommendations to
Congress within 6 months of enactment as to proposed
regulations on offline privacy that would provide individuals a
level of protection similar to that provided by this
legislation for online privacy. If Congress does not enact
legislation within 12 months of receipt of the FTC proposed
offline rules, then the FTC is directed to promulgate those
rules within one month of Congress failing to act.
Estimated Costs
In accordance with paragraph 11(a) of rule XXVI of the
Standing Rules of the Senate and section 403 of the
Congressional Budget Act of 1974, the Committee provides the
following cost estimate, prepared by the Congressional Budget
Office:
U.S. Congress,
Congressional Budget Office,
Washington, DC, June 18, 2002.
Hon. Ernest F. Hollings,
Chairman, Committee on Commerce, Science, and Transportation,
U.S. Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 2201, the Online
Personal Privacy Act.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contacts are Ken Johnson
(for federal costs), Angela Seitz (for the state and local
impact), and Nathan Musick (for the private-sector impact).
Sincerely,
Barry B. Anderson
(For Dan L. Crippen, Director).
Enclosure.
CONGRESSIONAL BUDGET OFFICE COST ESTIMATE
S. 2201--Online Personal Privacy Act
Summary: S. 2201 would impose several restrictions on the
collection of personal information over the Internet. For
example, Internet service providers, online service providers,
and operators of commercial websites would be required to
obtain users' consent before collecting sensitive data and
provide users the opportunity to ``opt out'' before gathering
nonsensitive data. Also, under the bill, the Federal Trade
Commission (FTC) would propose and implement similar
restrictions on the collection of personal information by means
other than the Internet. Finally, the National Institute of
Standards and Technology (NIST) would be required to support
the development of new software that gives Internet users
automatic access only to websites with the users' preferred
policies on privacy.
The restrictions on collecting personal information
contained in S. 2201 would be enforced primarily by the FTC.
However, agencies such as the Office of the Comptroller of the
Currency (OCC), the Board of Governors of the Federal Reserve
System, the Federal Deposit Insurance Corporation (FDIC), the
Office of Thrift Supervision (OTS), the National Credit Union
Administration (NCUA), the Securities and Exchange Commission
(SEC), and the Secretary of Transportation would enforce the
bill as it applies to the agencies' respective jurisdictions.
These agencies would punish violations with civil and criminal
penalties. Under the bill, any civil penalties collected by the
FTC would be distributed to the victims of the violations.
Assuming appropriation of the necessary amounts, CBO
estimates that implementing this bill would cost the FTC $9
million and NIST $11 million over the 2003-2007 period. Because
S. 2201 would create new civil and criminal penalties and would
impose costs on federal banking regulators, we also estimate
that the bill would have negligible effects on both direct
spending and revenues. Therefore, pay-as-you-go procedures
would apply.
S. 2201 would impose intergovernmental mandates as defined
in the Unfunded Mandates Reform Act (UMRA). CBO cannot
determine whether the costs of complying with some of these
mandates would exceed the threshold established in UMRA ($58
million 2002, adjusted annually for inflation).
S. 2201 also contains private-sector mandates as defined in
UMRA. CBO cannot determine whether the direct cost of those
mandates would exceed the annual threshold set by UMRA for
private-sector mandates ($115 million in 2002, adjusted
annually for inflation). The mandate costs are difficult to
estimate because of uncertainties about (1) the number of
online firms affected by S. 2201, (2) the incremental costs the
bill would impose on any of those firms in light of existing
privacy statutes, and (3) how the Federal Trade Commission
would implement certain of the requirements of S. 2201 with
regard to online and offline personal privacy.
Estimated cost to the Federal Government: The estimated
budgetary impact of S. 2201 is shown in the following table.
The costs of this legislation fall within budget function 370
(commerce and housing credit).
----------------------------------------------------------------------------------------------------------------
By fiscal year, in millions of dollars--
--------------------------------------------
2003 2004 2005 2006 2007
----------------------------------------------------------------------------------------------------------------
CHANGES IN SPENDING SUBJECT TO APPROPRIATION
FTC spending to enforce privacy restrictions: \1\
Estimated authorization level.................................. 1 2 2 2 2
Estimated Outlays.............................................. 1 2 2 2 2
NIST spending to develop internet software: \2\
Estimated authorization level.................................. 3 2 2 2 2
Estimated outlays.............................................. 3 2 2 2 2
Total changes:
Estimated authorization level.................................. 4 4 4 4 4
Estimated outlays.............................................. 4 4 4 4 4
----------------------------------------------------------------------------------------------------------------
\1\ The FTC received a gross 2002 appropriation of $156 million. This amount will be offset by an estimated $108
million in fees the FTC collects for merger reviews.
\2\ NIST received a total appropriation of $680 million in 2002.
Basis of estimate
Subject to the availability of appropriated funds, CBO
estimates that implementing S. 2201 would cost the FTC and NIST
a total of $20 million over the 2003-2007 period. We also
estimate that the bill would have an insignificant effect on
direct spending and revenues. For this estimate, CBO assumes
that the bill will be enacted by the end of fiscal year 2002
and that funds will be appropriated near the beginning of each
fiscal year.
Spending subject to appropriation
S. 2201 would require the FTC to develop and enforce new
regulations on the collection of personal information through
the Internet. The bill also would require the FTC to draft
regulations concerning the privacy of information collected by
entities by means other than the Internet. In the absence of
additional legislation, the FTC would implement those
regulations 19 months after enactment. Finally, the agency
would distribute any civil penalties collected for violations
of the bill's provisions to the victims of those violations.
Based on information from the FTC, CBO estimates that
implementing the bill would require the agency to hire about 20
additional staff that would cost about $2 million a year,
subject to the availability of appropriated funds. (First-year
costs--in 2003--are likely to be about $1 million.)
S. 2201 also would require NIST to undertake efforts to
promote and develop software that would enable Internet users
to access only those websites that employ the users' preferred
privacy policies. CBO expects that the agency would fulfill
this requirement research and testing on such software and the
development of relevant standards. Based on information for
NIST, CBO estimates that the new personal and equipment needed
to undertake these activities would cost about $2 million a
year over the 2003-2007 period, assuming the appropriation of
the necessary amounts. (We estimate costs of $3 million for
2003 because the agency would need to acquire new computers and
testing equipment.)
Direct spending and revenues
The OCC, NCUA, OTS, FDIC, and the Board of Governors of the
Federal Reserve System would enforce the provisions of S. 2201
as they apply to financial institutions. The OCC, NCUA, and OTS
charge fees to the institutions they regulate to cover all of
their administrative costs; therefore, any additional spending
by these agencies to implement the bill would have no net
budgetary effect. That is not the case with the FDIC, however,
which uses insurance premiums paid by all banks to cover the
expenses it incurs to supervise state-chartered banks. The
bill's requirement that the FDIC oversee financial
institutions' collection of personal information through the
Internet would cause a small increase in FDIC spending, but
would not affect its premium income. In total, CBO estimates
that S. 2201 would increase net direct spending of the OCC,
NCUA, OTS, and FDIC by less than $500,000 a year.
Budgetary effects on the Federal Reserve are recorded as
changes in revenues (governmental receipts). Based on
information from the Federal Reserve, CBO estimates that
enacting S. 2201 would reduce such revenues by less than
$500,000 a year.
Because those who violate the provisions of S. 2201 could
be subject to civil and criminal fines, the federal government
might collect additional fines if the bill is enacted.
Collections of civil and criminal penalties are classified in
the budget as revenues. However, based on information from the
FTC, CBO estimates that any such increase in collections would
be less than $500,000 per year.
Under the bill, any civil penalties collected by the FTC
for violations of the bill's provisions would be distributed to
victims of the violations. In addition, collections of criminal
fines are deposited in the Crime Victims Fund and spent in
subsequent years. Because any increase in direct spending would
equal the amount of fines collected (with some lag), the net
impact on spending also would be negligible.
Pay-as-you-go considerations: The Balanced Budget and
Emergency Deficit Control Act sets up pay-as-you-go procedures
for legislation affecting direct spending or receipts. Although
S. 2201 would affect both direct spending and receipts, CBO
estimates that the net effects would be insignificant.
Estimated impact on state, local, and tribal governments:
S. 2201 would preempt certain state laws regulating Internet
privacy and disclosure, thus imposing an intergovernmental
mandate as defined in UMRA. The cost of the preemption would
not be significant. To the extent that public entities fall
under the definition of online service providers (to be defined
by the Federal Trade Commission), the requirements of this bill
regarding the collection, use, and disclosure of certain
information also would constitute mandates, but CBO cannot
determine whether the cost of complying with the collection,
use, and disclosure requirements would exceed the
intergovernmental mandates threshold established in UMRA ($58
million in 2002, adjusted annually for inflation). It is
difficult to estimate these costs because uncertainties in
determining the total number of public entities that would be
affected.
In addition, because of the wide range of existing
practices regarding the collection of personally identifiable
information, we cannot establish a reliable baseline of costs
currently being incurred. Some states have a number of
protections already in place, but other public online services
have less-developed privacy policies and practices. Finally, we
cannot predict how the legislation would be interpreted by the
Federal Trade Commission (or in future legislation by the
Congress) for both online and offline personally identifiable
information collection, use, and disclosure.
Estimated impact on the private sector: S. 2201 would
impose several mandates on the private sector. The bill would
require Internet service providers, online service providers
and other parties (e.g., operators of a website or online
advertisers) to comply with a variety of privacy and disclosure
requirements for personal information that they collect online
and that allows them to identify individuals (defined in S.
2201 as ``Personally Identifiable Information''). In
particular, S. 2201 would require such businesses to:
Provide notice to users, either before or at
the point of information collection online, of the
types of personal information being collected, and of
the subsequent use and disclosure that will be made of
that information;
Provide users a choice of whether to allow
collection of their personal information, by enabling
them to opt-out from the collection of nonsensitive
personal information and opt-in to the collection of
sensitive personal information;
Update users and allow for their consent
whenever personal information is collected or disclosed
under a ``materially different'' policy from that
previously in effect, or notify all users when privacy
has been compromised by an unintentional act of the
information collector, (e.g., by a system malfunction
or security breach);
Designate a privacy compliance officer
responsible for insuring that online collection and
disclosure policies satisfy the requirements of the
bill;
Provide users with ``reasonable'' access to
their personal information and allow them to make
changes and deletions;
Ensure the security of collected personal
information; and
Provide whistle-blower protection to employees
who notify federal or state agencies of violations of
the bill's requirements.
S. 2201 would further require the Federal Trade Commission
to promulgate regulations for offline personal information, if
the Congress does not pass legislation regulating offline
personal information collection and disclosure which is similar
in intent and scope to the online provisions in S. 2201 within
18 months of enactment.
CBO cannot determine whether the direct costs of those
mandates would exceed the annual threshold established in UMRA
for private-sector mandates ($115 million in 2002, adjusted
annually for inflation). The mandate costs are difficult to
estimate because of uncertainties about (1) the number of
online firms affected by S. 2201, (2) the incremental costs the
bill would impose on any of those firms in light of existing
privacy statutes including the loss in revenue, if any, that
would result from not being able subsequently to use or sell
certain personal information; and (3) how the Federal Trade
Commission would implement certain of the requirements of S.
2201 with regard to online and offline personal privacy.
Estimate prepared by: Federal costs: Ken Johnson; impact on
state, local, and tribal governments: Angela Seitz; impact on
the private sector: Nathan Musick.
Estimate approved by: Peter H. Fontaine, Deputy Assistant
Director for Budget Analysis.
Regulatory Impact Statement
In accordance with paragraph 11(b) of rule XXVI of the
Standing Rules of the Senate, the Committee provides the
following evaluation of the regulatory impact of the
legislation, as reported:
NUMBER OF PERSONS COVERED
S. 2201 would provide privacy protections for all individuals
using the Internet, and ultimately, for all individuals
engaging in the traditional, offline marketplace. As such, the
legislation would cover potentially all consumers and those
engaged online, as well as offline, and those companies that
operate in either or both spaces.
ECONOMIC IMPACT
This legislation would result in new or incremental costs for
companies to comply with its privacy protection requirements to
the extent they are not already doing so. Numerous studies have
estimated the cost of online privacy legislation, claiming
anywhere from several to tens of billions of dollars in added
costs to companies for compliance with such legislation. The
Committee also heard testimony from several witnesses
indicating that they already were in compliance with the
proposed provisions of this legislation, or with similar
requirements. While these cost studies have not specifically
examined the cost of offline privacy legislation similar to the
offline provisions in this bill, critics of these cost analyses
generally argue that they often do not take into account the
fact that some of these added costs have already been borne by
companies' previous compliance with existing online and offline
privacy legislation.
PRIVACY
The legislation would increase the personal privacy of all
individuals who use the Internet and would not have an adverse
impact on individual users.
PAPERWORK
S. 2201 would require the FTC to perform two rulemaking
procedures in order to implement the legislation, as well as to
report to Congress on a regular basis about several privacy
issues. As such, the legislation should generate similar
amounts of administrative paperwork to legislation requiring
multiple agency rulemakings and a report to Congress.
Section-by-section Analysis
Section 1. Short Title
This Act may be cited as the ``Online Personal Privacy Act.''
Section 2. Table of Contents
This section provides a table of contents for the bill.
Section 3. Findings
This section cites findings by Congress concerning the need
for Federal Internet privacy legislation to protect privacy,
boost consumer confidence and e-commerce, and provide business
certainty through broad preemption.
Section 4. Preemption of State Law or Regulations
This section states that the legislation supersedes any State
statute, regulation or rule regulating Internet privacy to the
extent that it relates to the collection, use, or disclosure of
personally identifiable information obtained through the
Internet.
TITLE I--ONLINE PRIVACY PROTECTION
Section 101. Collection, Use or Disclosure of Personally Identifiable
Information
This section would require that an Internet service provider,
online service provider or commercial website operator
(hereinafter collectively referred to as ``operators'') may not
collect, use, or disclose personally identifiable information
except in accordance with the provisions of this legislation.
This requirement also applies to any third party, including
advertising networks, that use an operator to collect
information about users of that operator's service or website.
Examples of such third parties would include entities that make
publicly available computer software that collects personally
identifiable information about users and discloses that
information to any person other than the user, as well as
companies that provide outsourced website hosting or other
technical services to maintain online operations for an
operator that collects or uses personally identifiable
information in the course of their business.
Section 102. Notice and Consent Requirements
This section would require operators that collect personally
identifiable information to provide users clear and conspicuous
notice as to the specific types of personally identifiable
information to be collected, the methods of collecting and
using the information collected, and all disclosure practices
for that information (including whether it will be disclosed to
third parties). The notice requirement imposed by this section
is not required with respect to personally identifiable
information collected by the operator prior to the effective
date of the legislation, except to the extent such information
is combined with personally identifiable information collected
after the effective date, at which point it would come under
the notice requirements of the legislation. Under such a
circumstance, notice of this combination would only be required
at the initial point of collection of personally identifiable
information after the effective date of the legislation. For
example, a statement in the privacy policy by an operator after
the effective date of the legislation that ``we may combine
your information with information collected previously,'' would
suffice. Regardless, the Committee does not intend that notice
would ever be required prior to the effective date. The
Committee contemplates that the FTC, in interpreting term
``clear and conspicuous notice'', should be guided to the
extent practicable by the meaning embodied in the FTC's
implementation of COPPA, which required children's websites to
provide parents clear and conspicuous notice of their
information collection practices with respect to children's
information. In otherwords, a link to a privacy policy,
prominently displayed would constitute clear and conspicuous notice. In
turn, that policy would have to meet the specific requirements of this
section as to the types of information collected, the methods of
collecting and using the information, and the disclosure practices
intended for the information.
Under section 102(b), an operator may not: (1) collect
sensitive personally identifiable information, as defined by
this legislation, online; or (2) disclose or otherwise use such
information collected online, unless the operator obtains that
user's consent to the collection and disclosure or use of that
information before, or at the time, the information is
collected, and that consent is evidenced by an affirmative act
in a written or electronic communication.
Under section 102(c), an operator may not: (1) collect
personally identifiable information that is not sensitive
online; nor (2) disclose or otherwise use such information
collected online from a user, unless the operator provides
robust notice as defined by this legislation to the user in
addition to clear and conspicuous notice, and has given the
user an opportunity to decline consent for such collection and
use before, or at the time, the information is collected. Under
section 102(d), robust notice is only required by a provider
upon its first collection of non-sensitive personally
identifiable information from a user, provided that a
subsequent collection of materially different non-sensitive
information would also require robust notice. The term
``materially different'' information would include materially
new or user-revised information as to a person's name, address,
phone number, e-mail address, or birth certificate number, but
would not include additional information such as that collected
via a user's click stream activity. ``Materially different''
information also would not include non-personally identifiable
information that is subsequently combined with collected non-
sensitive personally identifiable information.
The Committee notes that complying with some of the bill's
privacy protection requirements presents challenges for
wireless Internet service providers that their wired
counterparts do not face. In particular, the spatial and
functional limitations of handheld wireless devices make it
more difficult for wireless Internet service providers to
comply with the notice, consent, access, and other obligations
imposed by the bill. The Committee expects the FTC to take into
account these limitations and reflect them, as appropriate, in
the regulations it adopts to implement the bill.
Under section 102(e) the consent or denial of consent by a
user of permission to an operator to collect, disclose, or
otherwise use information about that user for which consent is
required under this Act shall remain in effect until changed by
the user and shall apply to commercial or legal successors to
the operator, without regard to the legal form in which such
succession occurred, including successor entities that collect,
use, or disclose such information as a result of a chapter 7 or
chapter 11 bankruptcy proceeding under title 11 of the United
States Code. The permanence of a user's consent or denial of
consent does not apply if: (1) the kind of information
collected by the successor entity about the user is materially
different from the information collected by the predecessor
entity; (2) the methods of collecting and using the information
employed by the successor entity are materially different from
the methods employed by the predecessor entity; or (3) the
disclosure practices of the successor entity are materially
different from the practices of the predecessor entity.
Section 103. Policy Changes; Breach of Privacy
Section 103(a) provides that operators who materially change
their privacy policies must provide notice to all users of that
material change and may not collect, disclose or use personally
identifiable information in accordance with the changed policy
unless the user has been afforded an opportunity to consent or
withhold consent, depending on the sensitivity of the
personally identifiable information in question. This section
is intended to require that an operator act in good faith and
take reasonable measures to provide notice to users of a
material policy change by, for example, electronic or postal
communications. The section is not intended to require an
operator to find each of its users or even research to confirm
the accuracy of each user's address or receipt of the notice of
policy change.
Under section 103(b), operators must provide notice of a
privacy breach to users relating to those users' personally
identifiable information. A breach includes disclosure of such
information by an operator in violation of the legislation or
the compromise of security, confidentiality, or integrity of
such information by a hacker or third party. The notice
provided must describe the nature of the privacy breach
committed and the steps taken by the operator to remedy it.
Such notice may be delayed for a reasonable period of time if
postponement would facilitate: (1) the detection of a person
responsible for the privacy breach (such as a hacker); and (2)
restoring the integrity of the service and preventing further
comprise of the security confidentiality and integrity of such
information. Similarly, notice may be delayed for a reasonable
period of time so as to restore the functionality of a service
after a system failure and to take steps to restore the
integrity of the service or website and prevent any further
compromise of the security, confidentiality, or integrity of
personal information due to that system failure or related
incidents.
Section 103(c) requires that every operator covered by the
legislation designate a privacy compliance officer responsible
for ensuring compliance with the requirements of this
legislation as well as the privacy policies of the operator for
which they work.
Section 104. Exceptions
Under section 104(a), the notice and consent requirements of
section 102 generally do not apply to collection, disclosure,
or use by an operator of information about a user when the
collection, disclosure, or use is necessary to fulfill the
request sought by the user. If, however, the information is
then used or disclosed for unrelated, or previously un-noticed,
purposes, such as for marketing, the exemption from section 102
notice and consent requirements is no longer applicable. The
Committee intends for the exception to operate so that an
operator is implicitly permitted in all instances to share a
user's personally identifiable information in order to fulfill
a user's request.
To protect the security of the service or safety of people or
property, section 104(a) provides that the notice and consent
requirements under section 102 do not apply to information
collected, disclosed, or used to: (1) protect the security or
integrity of the service or website; or (2) ensure the safety,
health, or life of other people or property. For example, if
use or disclosure of personal information could thwart an
attempt to hack the security of a website and obtain personal
information about users, an operator would not have to provide
notice or provide a consent mechanism with respect to such use
or disclosure to the hacker under surveillance. Similarly, if
collection, disclosure or use of personal information would
ensure the safety of people or property by averting harm, an
operator would be excused from the notice and consent
requirements of this section with respect to that information.
To fulfill the purposes for which the user provided the
information, there would be no notice and consent requirements
in instances in which the operator's collection, use, or
disclosure of personally identifiable information is necessary
to conduct a transaction, deliver a product or service, or
complete an arrangement for which the user provided the
information. For example, if a user purchases a book from
Amazon.com, his or her personal information necessarily may
need to be used and disclosed to a party responsible for
delivering the book to the user. No notice or consent would
need to accompany this use. If, however, the information were
also to be used for unrelated marketing or other purposes,
Amazon.com would be required to provide notice and seek opt-out
consent as required by section 102 with respect to that
information. With respect to onward transfer of information
that is only described by the operator for the purposes of
completing the user's request, the Committee contemplates
recipients of that information, such as United Parcel Service,
in the Amazon.com example, will only use the personally
identifiable information for purposes related to the user's
request (i.e. delivery).
The Committee is aware that businesses subject to the bill
may operate websites with partners as co-branded sites or may
offer the products or services of others on their websites or
other online media. In such instances, personally identifiable
information may need to be shared between partners in order to
complete the transaction, and for related purposes. Section 104
would allow the sharing of information for these purposes,
absent compliance with any notice or consent requirements of
section 102.
The exceptions in this section apply to information without
regard to its sensitivity. If a user applies for a loan online,
the lender by necessity must share sensitive personally
identifiable financial information about the user with several
parties, for example, to facilitate the loan request, to check
on the creditworthiness of the applicant, to contract
underwriters, and to ensure the identity of the applicant. Such
sharing is entirely appropriate and in fact necessary for the
transaction to proceed and is accordingly exempt from the
notice and consent requirements of the legislation, so long as
those uses of the personal information are limited to those
necessary to further the user's request--in this case for a
loan. Similarly, if a user seeks medical attention online and
the operator provides service such as, but not limited to,
treatment, recommendations, referrals, or prescriptions, any
sharing of the user's sensitive personally identifiable health
or medical information is permitted for these and related
purposes without triggering the legislation's notice and
consent requirements.
To provide other products and services or conduct activities
integrally related to the purposes for which the user provided
the information, section 104(a) also exempts the collection,
use, or disclosure of information from the notice and consent
requirements of section 102 when necessary to provide other
products and services or conduct activities integrally related
to the transaction, service, product, or arrangement for which
the user provided the information. This exemption should be
read expansively rather than in a limited fashion. For example,
if a user seeks medical attention online and seeks a desired
course of treatment, but is ultimately offered an unanticipated
alternative course of treatment, the sharing of sensitive
personally identifiable health information for the purpose of
providing that treatment would be permitted even though the
user did not specifically request such alternative treatment at
the outset. Or, if a person applies for a mortgage refinance
online but ultimately selects a home equity line instead, the
sharing of sensitive personally identifiable financial
information about that person for the purpose of completing the
home equity line of credit application will be permitted
without the imposition of any notice or consent requirements,
provided the use of the sensitive information is in fact
limited to the purpose of facilitating the user's loan request
and application. In addition, the language ``integrally
related'' is meant to capture any necessary sharing of
personally identifiable information, however attenuated, so
long as such sharing is necessary to complete the transaction,
service, arrangement, or deliver the product the user
requested. For example, a financial institution may provide a
consolidated account statement to a customer with multiple
account relationships, based on the fact that the customer has
established the accounts, without the additional requirement
that the customer consent before his or her personal financial
information is collected and/or disclosed to an affiliated
entity solely for such purposes. Finally, the ``integrally
related'' language is meant to capture the concept of an
ongoing relationship between the user and operator. For
example, if a purchased product were defective, the operator
that supplied the product could personally contact the user who
purchased it about a product recall without violating the
provisions of section 102. Or, if a product were improved (as
in the case of a software upgrade, or ISP service agreement
upgrade--e.g., as with AOL's periodic improvement of its ISP
service from AOL 5.0 to 6.0 to 7.0 and so on), the operator
that provided the product initially would be permitted to
contact the user about the possibility of obtaining the product
improvements without triggering the requirements of section
102.
To comply with the Fair Credit Reporting Act without regard
to section 603(d)(2) of that Act, section 104(a) also certifies
that the notice and consent requirements of section 102 do not
apply to collection, use, or disclosure of personally
identifiable information allowed under the Fair Credit
Reporting Act (15 U.S.C. 1681 et seq.) so as to permit the
sharing of information for credit check purposes and other
similar activities authorized by that legislation. However,
collection, use, or disclosure of personally identifiable
information is not excepted for the purposes of compliance with
section 603(d)(2) of the Fair Credit Reporting Act, which
relates to commercial marketplace transactions and experiences
of users, and necessarily implicates the very marketing privacy
concerns addressed by the robust notice and opt-out
requirements imposed in section 102.
Under section 104(b), an operator may not be held liable
under the legislation, any other Federal law, or any State law,
for disclosures made in good faith and following reasonable
procedures in responding to requests for: (1) disclosure of
personal information to the parent about his or her child as
permitted by COPPA; or (2) access to, or correction or deletion
of, information by users about themselves as permitted by
section 105 of this legislation. Accordingly, section
104(b)(1)(A) is intended to preserve the effect of the rules
adopted by the FTC pursuant to COPPA with respect to the right
of parents to review and delete personal information provided
by a child and the obligations of operators to permit such
review and deletion, including, among other things,
specifically the immunity from liability provided by 16 CFR
Sec. 312.6(b). Similarly, section 104(b)(1)(B) is intended to
afford operators immunity with respect to requests for access
to, or correction or deletion of, personally identifiable
information under section 105 of this legislation.
In addition, a financial institution as defined under section
509(3) of the Gramm-Leach-Bliley Act may not be held liable
under this legislation for any disclosure described in section
502(e) of that Act.
Under section 104(c), an operator may disclose personally
identifiable information about a user to a law enforcement,
investigatory, national security, or regulatory agency or
department of the United States in response to a request or
demand made under authority granted to that agency or
department by statute, rule, or regulation, or pursuant to a
warrant, court order, or properly executed administrative
compulsory process. Disclosure is also permitted in response to
a court order in a civil proceeding upon a showing of
compelling need for the information that cannot be accommodated
by any other means, provided there is reasonable notice to the
user and a reasonable opportunity afforded to the user to
appear and contest the order or try and narrow its scope. Any
such disclosure in a civil proceeding must be accompanied by
appropriate safeguards imposed by the court to protect against
subsequent unauthorized disclosure of the information.
The Committee does not intend, however, that the operator
shall have a responsibility to determine that the court that
has issued the order has provided the appropriate safeguards
referenced above. In addition, this subsection is not intended
to impose upon operators an unreasonable burden of determining
whether subpoenas, civil discovery devices, and other forms of
process seeking the compelled disclosure of personally
identifiable information operator comply with the requirements
of section 4(c)(1)(B).
Under section 104(d), an operator may disclose personally
identifiable information about a user or users to a law
enforcement officer, hospital, clinic, or other lawful medical
organization, or a licensed physician, or other health care
professional if : (a) disclosureis critical to the life,
safety, or health of the use or others; (b) it is not feasible to
obtain timely consent in a manner consistent with the purpose of
preserving life, safety, or health; and (c) the disclosure is no
greater than necessary to accomplish the purpose for which the
information is disclosed.
Under section 104(e), an operator may disclose personally
identifiable information about a user to a provider of
professional services or affiliate thereof, of which the user
is a client, patient or customer, and if the provider or
affiliate is subject to professional ethical standards,
regulations, rules, or law requiring the provider or affiliate
not to disclose confidential client information without the
consent of the client.
Section 105. Access
The access provisions of section 105 are intended to provide
users reasonable access to personally identifiable information
without unduly burdening the party that has collected and
retained that information. Operators must provide reasonable
access to a user to personally identifiable information
collected and retained from the user online, or that has been
combined with personally identifiable information collected and
retained from the user online, after the effective date of the
legislation. Accordingly, operators have no obligation to
retain information collected for the purpose of complying with
the legislation's access requirements. If an operator collects
personally identifiable information and no longer retains it,
then there is no access requirement under the legislation.
Moreover, the Committee wishes to clarify that the term
``access'' is not intended to require an operator to provide a
user the ability to query directly or otherwise establish a
physical or electronic connection to any database or other
system of maintaining personally identifiable information. Such
direct contact by the user could, while providing access,
endanger security of other information collected and maintained
by the operator. Rather, the term ``access'' contemplates that,
subject to the reasonableness test set forth in this section,
an operator shall provide a user a copy (electronically or
otherwise) of the information the operator has collected and
maintained from the user online. In addition, section 105 makes
clear that ``reasonable'' access does not require an operator
to disclose information that would compromise its ability to
protect proprietary information about how it collects and
stores its information.
Section 105 also requires operators to provide a reasonable
opportunity for a user to suggest a correction or deletion of
any personally identifiable information maintained by the
operator to which the user was granted access. In addition,
operators are required to make such a correction a part of the
user's maintained personally identifiable information, or make
the deletion requested, for the purposes of all future use or
disclosure of the information.
Section 105 is not intended to create opportunities for
access to personally identifiable information by impostors or
persons otherwise abusing the access rights granted by the
legislation. An operator may decline a suggested correction or
deletion if the operator reasonably believes that the suggested
correction or deletion is inaccurate or otherwise
inappropriate, notifies the user of the reasons for that
belief, and provides an opportunity for the user to refute
those reasons. An operator need not know with certainty that a
requested correction or deletion is inaccurate or
inappropriate. For example, if an operator reasonably believes
that the user making the request is not the actual user, the
operator may deny the request. Or if the operator reasonably
believes that the user's suggested correction or deletion would
create an inaccuracy in the personal information maintained and
collected, then the operator may deny the request.
Section 105(c) provides that reasonableness of access shall
be determined by taking into account such factors as the
sensitivity of the information requested to be examined,
corrected, or deleted, and the burden or expense on the
operator of complying with the request. However, the
enumeration of such factors is not intended to exclude from
consideration other factors relevant to the reasonableness of a
user's request. For example, the number of requests made by a
user in the past may factor into the reasonableness of a
particular subsequent request. Whether the operator actually
uses, or intends to use the personally identifiable
information, could be a factor as well as to the sensitivity of
the information requested. Or, it may be appropriate to deny
access in instances to protect the safety, privacy, or other
legitimate interests of third parties. Finally, the Committee
does not intend this requirement to result in the reconfiguring
of every operator's database so as to comply with every access
request. The effort required by, and the burden and expense on,
an operator in such instances should be part of the
``reasonableness'' analysis. The Committee must emphasize,
however, that many companies on the Internet and in the offline
marketplace today provide users access to their personally
identifiable information. For example, Amazon.com gives users
the ability to access their own personal information and edit
it at their discretion. Similarly, MSN allows its users to
visit the MSN Personal Information Center to view, edit or
delete their personal information from the MSN database. In
light of these voluntary best practices, the Committee expects
the ``reasonable'' access requirements of the legislation to at
least result in the same access by users to their personal
information, once collected.
Section 105(d) provides that an operator may impose a
reasonable charge for access not to exceed $3, except in
situations in which the user certifies financial hardship
pursuant to the factors set forth in section 104(d)(2).
Section 106. Security
This section would require operators to establish and
maintain reasonable procedures necessary to protect the
security, confidentiality, and integrity of personally
identifiable information maintained by the operator. This
section is virtually identical to language contained in COPPA
(15 U.S.C. Sec. 6501 et seq.), which was implemented by the FTC
and applies to operators (as defined therein) that collect
personally identifiable information from children online. The
specific FTC rule implementing this provision from COPPA
required operators to ``have adequate policies and procedures
for protecting children's personal information from loss,
misuse, unauthorized access, or disclosure.'' This section
contemplates a similar approach and anticipates the FTC will
implement its rules governing security as such.
TITLE II--ENFORCEMENT
Section 201. Enforcement by Federal Trade Commission
Section 201 states that, except as otherwise provided, this
legislation is to be enforced by the FTC.
Section 202. Violation is Unfair or Deceptive Act or Practice
Section 202(a) states that a violation of any provision of
title I will constitute an unfair or deceptive act or practice
proscribed under section 18(a)(1)(B) of the Federal Trade
Commission Act. (15 U.S.C. Sec. 57a(a)(1)(B).
Under section 202(b), operators that are more typically
regulated by other Federal and State agencies, boards, or other
oversight bodies shall have their compliance with title I of
this legislation enforced by those entities, under their own
authorizing Acts or laws, to the same extent as if the FTC were
enforcing the legislation as to those operators. Under section
202(c) for the purpose of the exercise by any agency referred
to in this section of its powers under any Act or law
specifically referred to in section 202(b), a violation of
title I of this legislation is deemed to be a violation of a
requirement imposed under that Act or law.
Under sections 202(d) and 202(e), the FTC shall enforce
violations of title I in the same manner, by the same means,
and with the same jurisdiction, powers, and duties as though
all applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. Sec. 41 et seq.) were incorporated
into and made a part of this legislation. This extends to
penalties, privileges, and immunities provided for in the
Federal Trade Commission Act. In addition, if a civil penalty
is imposed on an operator in an action brought by the FTC for a
violation involving non-sensitive personally identifiable
information, the FTC shall hold the amount paid to the FTC in
trust for distribution to aggrieved users whose information was
the subject of the violation that file claims for compensation
for the violation. The amount of such payment to any user shall
not exceed $200 and the FTC is required to hold monies in trust
for a period of not less than 180 days. Any excess monies shall
be deposited into the United States Treasury no later than 12
months after payment to the FTC.
Section 202(f) states that nothing contained in this subtitle
shall be construed to limit the authority of the FTC under any
other provision of law. In addition, under section 202(f)(2),
nothing in title I of this legislation requires an operator to
take any action inconsistent with the requirements of section
222 of the Communications Act of 1934 (47 U.S.C. 222), the
provision governing the privacy of customer proprietary network
information (CPNI) held by all telecommunications carriers.
Finally, section 202(f)(3) amends section 631 of the
Communications Act of 1934 (47 U.S.C. 51), the provision
governing the privacy of cable television subscriber viewing
habits and transactions, so as to apply the provisions of this
legislation in place of those in section 631 when cable
operators (as defined in section 631) are providing online or
Internet services, or operating a commercial website (as
defined in this legislation). Section 202(f)(3) would also
place cable Internet services under the same privacy regime as
other online and Internet services without affecting the other
privacy restricitons of section 631. It harmonizes consumer
Internet privacy rights without regard to whether consumers
receive their Internet services over telephone lines, cable, or
any other platform.
The Committee notes that the amendment made by section
202(f)(3) does not affect the continued applicability of the
Electronic Communications Privacy Act, as amended by the USA
PATRIOT Act, to disclosures of personally identifiable
information to law enforcement entities by cable companies in
their provision of Internet services. These Acts, which were
made applicable to cable operators' disclosures to law
enforcement under section 211 of the USA PATRIOT Act (adding
631(c)(2)(D) to the Communications Act) remain applicable with
respect to cable Internet services under section 104(c) of the
bill.
Section 203. Safe Harbor Self-Regulatory Programs
This section incorporates one of the major changes made in
the substitute amendment that was reported by the Committee.
Generally, this section creates a ``safe harbor'' to allow
self-regulatory organizations and independent third party
verifiers to certify, under defined safe harbor programs, that
operators are in compliance with the Act. Generally, under this
section, such certification would create a presumption that the
operators are in compliance with the Act. Such certifying
entities are required to oversee operators' compliance with the
legislation, conduct random audits of those companies, and
alert the FTC of any non- compliance. In addition, any operator
that is a member of a safe harbor program would be entitled to
an affirmative defense in any private litigation brought by
individuals aggrieved by a violation of the Act. A safe harbor
will augment FTC enforcement by enabling additional oversight
of companies subject to the requirements of the Act, while
providing companies greater certainty that their practices and
procedures are in fact compliant.
Specifically, operators shall be presumed to be in compliance
with the requirements of the legislation if the operator: (1)
is a participant in a self-regulatory program approved by the
FTC under section 203(b); (2) has agreed in writing to meet the
program's requirements for participation; and (3) is deemed by
the self-regulatory program to be in full compliance with the
requirements of that program.
Under section 203(b), the FTC may approve a self-regulatory
program under this section only if:
(1) The program requires operators that participate
in the program, at a minimum, to provide privacy
protections to users that are substantially equivalent
to or greater than the protection afforded to users by
title I.
(2) The program reviews an operator's privacy
statement and policy for compliance prior to
determining its eligibility to participate in the self-
regulatory program, and reviews that statement and
policy no less than annually thereafter for continued
compliance. As an added measure of oversight, the self-
regulatory program is also required to obtain, prior to
determining an operator's eligibility to participate in
the self-regulatory program, and thereafter no less
than annually, a written certification from a senior
corporate officer or other responsible executive of the
actual or prospective participant that the
participanthas procedures in place designed to fulfill the
representations in the participant's privacy policy and satisfy, at a
minimum, the requirements of the self-regulatory program. Such
certification must also indicate that the participant is in compliance
with the policy and the self-regulatory program's requirements.
(3) The program requires each participant to obtain
written verification of each written certification
required from a certified independent verification
organization or provide sufficient information to the
program to enable the program reasonably to conclude
the certification is materially accurate. This
provision creates an added check on the credibility of
participants in the safe harbor and benefits compliance
by requiring an independent verification of an
operator's claim of compliance. In the absence of such
verification, the operator seeking to participate in
the self-regulatory program must provide ``sufficient''
(i.e. considerable and detailed) information so that
the program itself can determine the operator's
compliance.
(4) The program institutes a process to monitor, on
an ongoing basis, the continued eligibility of program
participants to ensure compliance and discover
violations of the self-regulatory program's
requirements. This process should include, but not be
limited to, random audits of participants.
(5) The program makes available to the public on the
Internet the results of audits, and violations of the
program's requirements, excluding information that
would reveal the identity of any complainant whose
privacy was violated. Under section 203(g), however, a
self-regulatory program may not be liable to any person
as a result of such publication unless it is found to
have acted with malice or recklessness.
(6) The program reports to the FTC as to violations
of the program requirements and any determination that
a participant has failed to comply with the program
requirements after being afforded a reasonable
opportunity to do so. This provision contemplates two
reporting requirements. Any violation of the self-
regulatory program guidelines would need to be
reported. In addition, if a participant is informed of
its non-compliance, and is given a reasonable
opportunity to come into compliance but does not, the
program would come under an obligation to report this
type of non-compliance as well.
(7) The program establishes requirements to assure
its determinations as to operators' eligibility and
compliance are made exclusively by persons who are
independent of the operator or participant.
Section 203(c) requires the FTC to publish a list of all
violations reported to it by self-regulatory programs and
independent verification organizations. In addition, the FTC is
required to re-evaluate its approval of each self-regulatory
program at least once every two years. The Committee intends
the FTC to exercise a common sense approach in this area. If a
self-regulatory program appears to be objectively and
effectively handling its responsibilities, the FTC might only
review its approval of that program every two years. If, on the
other hand, a self-regulatory program demonstrates difficulty
in complying with the requirements of this legislation, or with
overseeing compliance by participants with this legislation,
then the FTC may be more aggressive in its review of its
approval of that program.
Under section 203(d), the FTC may certify an entity as an
independent verification organization. In doing so, the FTC is
required to consider both the technical expertise and
experience of a prospective organization in providing assurance
services. Entities eligible for such certification may be an
approved self-regulatory program, provided that they are not
selected to be an independent verification organization for
participants that already participate in their self-regulatory
program. This provision creates an added check on the
credibility of participants in a safe harbor self-regulatory
program and benefits compliance by requiring an independent
verification of a self-regulatory program's determination that
a participant is in fact complying with the program and this
legislation. The FTC is also empowered by this subsection to
approve any other entity as an independent verification
organization provided the FTC is satisfied the entity provides
assurance services and demonstrates it has the ability and
knowledge to examine and evaluate the business practices of a
participant or prospective participant. For example, some
professional accounting firms today perform audits of
operators' privacy policies. Such experience could qualify as
satisfying the intent of this subsection.
Section 203(e) requires the FTC to set up an 120-day
application process, including an opportunity for public
comment on the application, for an entity seeking to become a
self-regulatory organization. Any FTC decision can be appealed
in district court.
Under section 203(f), an operator that willfully and falsely
represents to the public that it is a participant in an
approved self-regulatory program shall be liable for a civil
penalty of up to $50,000 for each such representation. The
civil penalty imposed by this section may be recovered in an
action brought by the FTC or any State attorney general.
Section 204. Small Business Safe Harbor
This section exempts from all the requirements of this
legislation any entity: with annual gross revenues under
$1,000,000; with fewer than 25 employees; that collects or uses
personally identifiable information from fewer than 1,000
consumers per year for purposes unrelated to a transaction with
the consumer; that does not process personally identifiable
information of consumers; and does not sell or disclose for
consideration such information to another person. This section,
offered as an amendment by Senator Brownback and adopted by
voice vote in Committee, provides a common sense exemption for
small businesses from the requirements of the legislation,
which might prove more burdensome for them, while providing
those businesses the incentive to avail themselves of the
exemption by not processing, selling, or disclosing for
consideration personally identifiable information. This section
supplements the section 104 exceptions which exempts operators
from the legislation's notice and consent requirements in those
instances generally where the use of a user's personally
identifiable information is solely to satisfy the request of a
user. Section 204 adds to those exceptions for small businesses
that only use information in such a fashion by further
exempting them from the notice of policychange, notice of
privacy breach, access, and security requirements of the legislation
found in sections 103, 105, and 106.
Section 205. Private Rights of Action by Users
This section supplements the enforcement of the provisions of
title I by the FTC and the State attorneys generals by
permitting users, in those instances in which a violation
occurred involving their sensitive personally identifiable
information, to pursue an action in court for both injunctive
and economic relief. The approach outlined in this section
tracks the approach utilized in the Telephone Consumer
Protection Act of 1991, which provides for a limited right of
action for consumers aggrieved by violations of that statute.
It will be difficult for the FTC and State attorneys general to
police all potential violations of the legislation given the
thousands if not millions of operators that will be covered by
the legislation. Accordingly, a majority of the Committee
believes it is essential for effective enforcement to
supplement those government-sponsored actions with individual
rights of action, which should serve as an added deterrent to
operators considering violating the statute with respect to
users' sensitive personally identifiable information. The
availability of a right of action for individual users will
also create a process that could benefit aggrieved citizens
directly, through the recovery of monetary damages.
Specifically, this section bifurcates the nature of
violations and the statutory redress available to users
aggrieved by violations of the legislation. First, in section
205(a), with respect to the more serious violations involving
sensitive personally identifiable information--fraudulent
notice or disclosure of that information--a user may bring an
action in an appropriate State court where permitted by the
laws or rules of a court of that State: (1) to enjoin the
violation; (2) to recover actual monetary loss from the
violation or receive up to $500 for each such violation,
whichever is greater; or (3) both such actions. Second, under
section 205(b), if a person is aggrieved by any other violation
of title I not described above (e.g., unreasonable access or
unreasonable security procedures not involving disclosure),
that person may have the same recourse except may not recover
statutory damages of up to $500. In such an instance, a user
could bring an action, if otherwise permitted by the laws or
rules of a court of a State, in an appropriate court of that
State: to obtain injunctive relief or actual monetary loss with
respect to the violation, or both such actions.
Subsection 205(c) provides operators an affirmative defense
in any action brought under this section provided the defendant
either: (1) has established and implemented with due care
reasonable practices and procedures to ensure compliance with
the requirements of title I; or (2) is a participant in and is
deemed by a self-regulatory program or certified independent
verification organization to be in compliance with a self-
regulatory program under section 203.
Under section 205(d), the court is granted the discretion to
increase an award to a user to not more than 3 times the amount
otherwise available under this section if the court finds that
the defendant willfully or knowingly violated title I.
Section 206. Actions by States
Section 206(a) permits any State attorney general to bring a
civil action on behalf of residents of their State in a
district court of the United States of appropriate jurisdiction
with respect to any violation of title I that the State
attorney general has reason to believe threatened or adversely
affected an interest of residents of that State. The action may
seek to: enjoin the violation; enforce compliance with the
legislation; obtain damage, restitution, or other compensation
on behalf of residents; or obtain such other relief as the
court may consider to be appropriate. This section requires an
attorney general to provide prior written notice to the FTC and
a copy of the complaint filed for any action brought pursuant
to this section, unless the attorney general determines it is
not feasible to provide the notice before filing. In such an
instance, the attorney general shall provide contemporaneous
notice to the FTC at the time of filing the action.
Section 206(b) grants the FTC, upon receiving a notice of an
action under section 206(a), the right to intervene in the
action, to be heard with respect to any matter that arises in
the action, and to file a petition for appeal in the action.
Section 206(c) clarifies that nothing in this subtitle should
be construed to prevent an attorney general of a State from
exercising State conferred powers to conduct investigations,
administer oaths or affirmations, or compel the attendance of
witnesses or the production of documentary and other evidence.
Under section 206(d), in any case in which the FTC institutes
an action for violation of title I, no State may during the
pendency of that action institute an action under section
206(a) against any defendant named in the complaint for
violation of that rule.
Under section 206(e), any action brought under section 206(a)
may be brought in a United States district court that meets
appropriate venue requirements, and process may be served in
any district in which the defendant is an inhabitant or may be
found.
Section 207. Whistleblower Protection
This section provides whistleblower protection for employees
discriminated against for reporting a violation of this
legislation. The Committee believes generally that many privacy
violations may occur without much awareness as people's
personal information may be shared without their consent, and
without their knowledge. By providing whistleblower protection,
the legislation would allow those in a better position to
identify violations to report those violations and not suffer
discrimination as a result.
Generally, this section prohibits an operator from
discharging, or otherwise discriminating against, an employee
because that employee provided information to any Federal or
State agency or to the Attorney General of the United States or
any State regarding a violation of title I. An employee or
former employee who believes he has been discharged or
discriminated against in violation of this section may file a
civil action in the appropriate U.S. district court, and is
required to file a copy of that complaint with the appropriate
Federal agency. If the court determines a violation has
occurred, it may order the operator to reinstate the employee,
pay compensatory damages, or take other appropriate actions to
remedy any past discrimination. No employee may recover under
this sectionwho deliberately caused or participated in the
alleged violation or knowingly or recklessly provided substantially
false information in alleging the complaint.
Section 208. No Effect on Other Remedies
The remedies provided by sections 205 and 206 are in addition
to any other remedy available under any provision of law.
TITLE III--APPLICATION TO CONGRESS AND FEDERAL AGENCIES
Section 301. Senate
This section requires the Senate Sergeant at Arms to develop
regulations setting forth an information security and
electronic privacy policy governing use of the Internet by
officers and employees of the Senate that meets the
requirements of title I of this legislation.
Section 302. Application to Federal Agencies
This section clarifies that this legislation applies to each
Federal agency that is an operator to the extent provided by
section 2674 of title 28, United States Code. However, this
legislation does not apply to any Federal agency to the extent
application would compromise law enforcement activities or the
administration of any investigative, security, or safety
operation conducted in accordance with Federal law.
TITLE IV--MISCELLANEOUS
Section 401. Definitions
This section contains fifteen definitions necessary to
implement and interpret the legislation. The legislation
defines the following terms: (1) collect; (2) Commission; (3)
cookie; (4) disclose; (5) Federal agency; (6) internal
operations support; (7) Internet; (8) Internet service
provider, online service provider, website; (9) online; (10)
operator of a commercial website; (11) personally identifiable
information; (12) release; (13) robust notice; (14) sensitive
financial information; and (15) sensitive personally
identifiable information. While it is unnecessary to restate in
this report each of the definitions included in the
legislation, some clarification of the Committee's intent is
provided below.
(1) Collect.--With respect to the definition of
``collect'' in section 401, the Committee intends that
this term will generally be interpreted consistent with
the meaning of the term embodied in the FTC's
implementation of COPPA. However, as further reflected
in the legislation, the Committee also intends that the
temporary collection or storage of information by
operators of public messaging services, such a message
board, chat room, e-mail server, or instant messaging
service, if temporarily collected and stored for the
sole purpose of operating such public messaging
service, shall not be deemed to represent a collection
of personal information under this legislation.
(2) Online.--With respect to the definition of
``online'' in section 401(9), the legislation defines
``online'' to refer to any activity regulated by this
legislation or 18 U.S.C. 2710 that is ``effected by
active or passive use of an Internet connection.'' The
use of the term ``passive'' to refer to an Internet
connection is intended to capture only passive methods
of data collection that occur while a subscriber is
actually online. Thus, the term does not include
services that provide access to content cached from the
Internet that do not afford a live connection between
the user and the Internet, and thus no opportunity for
an operator to collect personally identifiable
information about the user. For example, interactive
television services that do not involve such a live
connection between a user and the Internet are not
subject to the requirements of this legislation.
(3) Operator of a commercial website.--While this
term is defined as ``any person with a commercial
website'', it is the Committee's intent that the FTC
shall not apply the provisions of the statute to non-
commercial activities of the States or Territories of
the United States, or to the District of Columbia.
(4) Personally identifiable information.--Section
401(11) sets forth categories of individually
identifiable information about an individual such as: a
first and last name; a physical address; an e-mail
address; a telephone number; a birth certificate
number; any other identifier the FTC finds that would
create a substantial likelihood of permitting the
online or physical contacting of a specific individual;
or information an operator combines with any of these
prior identifiers. This subsection excludes, however,
``inferential information'' from the definition of
personally identifiable information, meaning that
information an operator infers or derives about an
individual from data collected online is not within
this legislation's definition of personally
identifiable information. For example, if a user
purchases a series of books about diabetes, or visits a
health site and researches diabetes, this does not
create personally identifiable information that the
user has diabetes, nor personally identifiable
information that the user has any specific interests in
diabetes, medicine, or health. Such information would
be inferential only, and only the fact that the user
examined these books or websites would be personally
identifiable information. Thus, if the user provided
his or her name and mailing address for purchasing
books and processing research about diabetes, that name
and address information by itself would be deemed
``personally identifiable information'' but the request
would not be deemed to reveal ``individually
identifiable health information'' under section
401(15)(A). Rather, an online admission, statement, or
communication that a user has diabetes would constitute
such information.
(5) Robust Notice.--Section 401(13) defines ``robust
notice'' to mean actual notice at the point of
collection of the personally identifiable information
describing briefly and succinctly the intent of the
operator to use or disclose that information for
marketing or other purposes. The Committee intends for
this notice to provide a user a general level of
information about the manner in which his or her
personal information will be processed, if at all.
Facts pertinent to such notice would include whether
information will be shared with others for marketing or
other purposes unrelated to the purpose for which it
was provided. Such notice should also include whether
the operator itself intends to use the information for
marketing or other purposes unrelated to the purpose
for which it was provided. One example of such notice
is found at the website 1800flowers.com and is
excerpted below:
``As a registered member of 1-800-FLOWERS.COM you
will be receiving promotional offers and materials from
us and sites and companies we own. Please check the box
below if you DO NOT want to receive such materials in
the future and do not wish us to provide personal
information collected from you to third parties * * *
In the alternative, you can utilize the procedures set
forth in our Privacy Policy'' (at which point a link to
the complete policy is provided).
Section 402. Effective Date of Title I
This section states that title I of this legislation takes
effect on the day after the date on which the FTC publishes a
final rule under section 403.
Section 403. FTC Rulemaking
This section requires the FTC to initiate a rulemaking within
90 days after enactment to develop regulations to implement
title I. The FTC is required to complete the rulemaking within
270 days after its initiation. The Committee believes that a
rulemaking by the expert agency is required on an issue as
complex as Internet privacy. Such a proceeding will afford all
interested parties--industry operators, potential self-
regulatory organizations, consumer groups, privacy advocates,
academics, etc.--to participate and help craft governing rules
to protect privacy online and provide business certainty as to
what those rules will mean in practice. The Committee also
notes that this mechanism was successfully utilized in
implementing COPPA, which has been in effect for several years.
Section 404. FTC Report
This section requires the FTC to report to the Congress on
outstanding issues unresolved by the legislation which may
require future government action. The FTC is required to report
to Congress 18 months after the effective date of title I, and
annually thereafter. These reports are to focus on: (1) whether
the legislation is accomplishing the purposes for which it was
enacted; (2) whether pro-privacy technology is being used in
the marketplace to facilitate compliance with and
administration of title I; (3) whether additional legislation
is needed to accomplish those purposes or improve the
administration of the legislation; (4) whether and how the
government could assist industry in developing standard online
privacy notices that substantially comply with the notice
requirements of section 102(a); and (5) whether additional
legislation is necessary or appropriate to regulate the privacy
of personally identifiable information collected online before
the effective date of title I. This section requires the FTC to
initiate a notice of inquiry, within 90 days after enactment,
seeking public comment on these issues in preparation of its
report.
Section 405. Development of Automated Privacy Controls
This section requires the National Institute of Standards and
Technology to encourage and support the development of one or
more computer programs, protocols, or other software, such as
the P3P program, capable of being installed on computers or
computer networks with Internet access that would reflect the
user's privacypreferences for protecting personally
identifiable information, without requiring user intervention once
activated.
TITLE V--OFFLINE PRIVACY
Section 501. Collection, Use and Disclosure of Personally Identifiable
Information Collected Offline
This title, added to the bill in the Hollings amendment, in
the nature of a substitute, is the cosponsors' response to the
concerns raised by many, primarily in the Internet industry,
that it is unfair to regulate Internet privacy without
requiring exactly the same rules for offline merchants and
other marketplace participants that collect and trade in
personally identifiable information. While this argument was
not conclusive with respect to some prior statutes regulating
privacy as new technologies emerged or discrete types of
information warranted protection, there is some validity to the
argument given the confluence of the online and offline
marketplaces. However, the majority of the Committee believes
that the two marketplaces are different, and the exact same
approach to regulate privacy would not be feasible in each. For
example, it may be more cumbersome to provide robust notice and
an opportunity to opt out--exactly at the point information is
collected--offline than it is online. Accordingly, this section
requires the FTC to recommend, and ultimately develop, offline
privacy rules similar to those required in this legislation for
the Internet, but also provides the FTC the flexibility to
implement rules that reflect the differences in the two
marketplaces. Thus the FTC would be required to develop rules
that provide notice, opt-out and opt-in opportunities
(depending on the sensitivity of the personally identifiable
information collected), and reasonable access and security
requirements. But the FTC's offline rules would not need to
mirror precisely those it promulgates for the Internet.
Specifically, section 501(a) requires the FTC to propose to
Congress detailed recommendations and proposed regulations for
offline privacy no later than six months after enactment. Those
recommendations and regulations are to apply to entities that
engage in the collection of personally identifiable
information, or employ methods involving, or other actions
involving, the collection of personally identifiable
information, that are not covered in this legislation.
Moreover, those recommendations and regulations are to seek a
level of protection for personally identifiable information
collected offline similar to the level of protection provided
by this legislation for personally identifiable information
collected online.
Section 501(b) requires the FTC recommendations and proposed
regulations to address at least: how the fair information
practices of notice, choice, access, security, and enforcement
should apply to offline uses and disclosure of personally
identifiable information; and the fines that should be
established for violating requirements set forth under such
proposed regulations.
Section 501(c) provides Congress at least 12 months upon
receipt of the FTC proposed rules to enact a law that
establishes standards for offline privacy. However, if Congress
fails to act within 18 months after enactment of this
legislation, then the FTC is required to promulgate final
regulations within one month. Any regulation promulgated in
such fashion shall supersede State law to the same extent as
this legislation provides for preemption of State and local
Internet privacy statutes, rules, and regulations.
Rollcall Votes in Committee
In accordance with paragraph 7(c) of rule XXVI of the
Standing Rules of the Senate, the Committee provides the
following description of the record votes during its
consideration of S. 2201:
Senator McCain offered an amendment, to the amendment (in the
nature of a substitute) offered by Senator Hollings, to ensure
that equal obligations are imposed by law on the collection,
use, and disclosure of personally identifiable information
online and by any other means and to suspend enforcement of the
Act until such time. By rollcall vote of 9 yeas and 14 nays as
follows, the amendment was defeated:
YEAS--9 NAYS--14
Mr. McCain Mr. Hollings
Mr. Lott\1\ Mr. Inouye\1\
Mrs. Hutchison\1\ Mr. Rockefeller\1\
Ms. Snowe Mr. Kerry\1\
Mr. Brownback Mr. Breaux
Mr. Smith Mr. Dorgan
Mr. Fitzgerald\1\ Mr. Wyden
Mr. Ensign\1\ Mr. Cleland
Mr. Allen Mrs. Boxer
Mr. Edwards
Mrs. Carnahan\1\
Mr. Nelson
Mr. Stevens
Mr. Burns
\1\By proxy
Senator Brownback offered an amendment, to the amendment (in
the nature of a substitute) offered by Senator Hollings, to
provide for reasonable network security procedures. By rollcall
vote of 9 yeas and 14 nays as follows, the amendment was
defeated:
YEAS--9 NAYS--14
Mr. McCain Mr. Hollings
Mr. Lott Mr. Inouye\1\
Mrs. Hutchison Mr. Rockefeller\1\
Ms. Snowe Mr. Kerry\1\
Mr. Brownback Mr. Breaux\1\
Mr. Smith Mr. Dorgan
Mr. Fitzgerald\1\ Mr. Wyden
Mr. Ensign\1\ Mr. Cleland
Mr. Allen Mrs. Boxer
Mr. Edwards\1\
Mrs. Carnahan\1\
Mr. Nelson
Mr. Stevens
Mr. Burns
\1\By proxy
Senator Allen offered an amendment, to the amendment (in the
nature of a substitute) offered by Senator Hollings, to revise
the private right-of-action provisions. By rollcall vote of 8
yeas and 15 nays as follows, the amendment was defeated:
YEAS--8 NAYS--15
Mr. McCain Mr. Hollings
Mr. Lott Mr. Inouye\1\
Mrs. Hutchison Mr. Rockefeller\1\
Ms. Snowe Mr. Kerry\1\
Mr. Brownback\1\ Mr. Breaux\1\
Mr. Fitzgerald\1\ Mr. Dorgan
Mr. Ensign\1\ Mr. Wyden
Mr. Allen Mr. Cleland
Mrs. Boxer
Mr. Edwards\1\
Mrs. Carnahan\1\
Mr. Nelson
Mr. Stevens
Mr. Burns
Mr. Smith
\1\By proxy
Senator Allen offered an amendment, to the amendment (in the
nature of a substitute) offered by Senator Hollings, to provide
that it is not a violation of title of the Act to collect, use,
or disclose personal information in compliance with other
Federal laws governing privacy. By rollcall vote of 8 yeas and
14 nays as follows, the amendment was defeated:
YEAS--8 NAYS--14
Mr. McCain Mr. Hollings
Mr. Lott Mr. Inouye\1\
Mrs. Hutchison Mr. Rockefeller\1\
Ms. Snowe Mr. Kerry\1\
Mr. Brownback\1\ Mr. Breaux
Mr. Smith Mr. Dorgan
Mr. Ensign\1\ Mr. Wyden
Mr. Allen Mr. Cleland
Mrs. Boxer
Mr. Edwards\1\
Mrs. Carnahan\1\
Mr. Nelson
Mr. Stevens\1\
Mr. Burns
\1\By proxy
Senator Allen offered an amendment, to the amendment (in the
nature of a substitute) offered by Senator Hollings, to broaden
the pre-emption of State laws, rules, and regulations. By
rollcall vote of 9 yeas and 14 nays as follows, the amendment
was defeated:
YEAS--9 NAYS--14
Mr. McCain Mr. Hollings
Mr. Lott\1\ Mr. Inouye\1\
Mrs. Hutchison Mr. Rockefeller\1\
Ms. Snowe Mr. Kerry\1\
Mr. Brownback\1\ Mr. Breaux
Mr. Smith Mr. Dorgan\1\
Mr. Fitzgerald\1\ Mr. Wyden
Mr. Ensign\1\ Mr. Cleland
Mr. Allen Mrs. Boxer
Mr. Edwards\1\
Mrs. Carnahan\1\
Mr. Nelson
Mr. Stevens\1\
Mr. Burns
\1\By proxy
By rollcall vote of 15 yeas and 8 nays as follows, the bill
was ordered reported with an amendment in the nature of a
substitute:
YEAS--15 NAYS--8
Mr. Hollings Mr. McCain\1\
Mr. Inouye Mr. Lott\1\
Mr. Rockefeller Mrs. Hutchison\1\
Mr. Kerry Ms. Snowe\1\
Mr. Breaux Mr. Brownback\1\
Mr. Dorgan\1\ Mr. Fitzgerald\1\
Mr. Wyden Mr. Ensign\1\
Mr. Cleland Mr. Allen
Mrs. Boxer
Mr. Edwards\1\
Mrs. Carnahan
Mr. Nelson
Mr. Stevens
Mr. Burns
Mr. Smith
\1\By proxy
MINORITY VIEWS OF SENATORS McCAIN, BROWNBACK, AND ALLEN
We strongly support the right of American consumers to
protect their personal information from misuse and unauthorized
disclosure by businesses and other organizations that collect
such information, whether they collect and use it online or in
the traditional offline marketplace. Over the past five years,
the market has produced impressive advances in technology that
help protect consumer privacy. These technological advances are
all evidence of a burgeoning market for pro-privacy solutions
in response to consumer demand. We continue to support
investment and innovation in this competitive marketplace for
better privacy protections, and encourage industry efforts to
develop more advanced privacy tools that benefit consumers.
We also commend the Federal Trade Commission's increased
efforts during this Congressional session to protect the
privacy of the American consumer. Chairman Muris's newly
created Privacy Task Force, the FTC's commitment of 50% more
resources this fiscal year to enforcing existing Federal
privacy laws, and the Commission staff's continued daily
monitoring and pursuit of unfair and deceptive practices
demonstrate the FTC's conviction to strictly enforce the myriad
of privacy laws under its jurisdiction.
While we support the FTC's efforts to improve the protection
of consumer privacy, commend advances in industry self-
regulation and encourage the development of technological
tools, we also believe that legislation in this area may be
warranted. However, we cannot support S. 2201 as reported by
the Committee. Although the cosponsors of S. 2201 may share
some of our privacy goals, we fundamentally disagree with their
legislative approach and oppose passage of the bill over a
number of important principles.
While well-intentioned, S. 2201's approach is over-
regulatory, its disparate impact on online businesses is
unjustified, and its failure to reconcile its provisions with
existing Federal privacy laws renders it administratively
unworkable. If enacted as reported, this bill would endorse
discriminatory treatment of one segment of industry by first
requiring the FTC to implement privacy regulations only for
those entities that have an online presence. The cosponsors
amended S. 2201 during the executive session to call for
``similar'' regulation of offline businesses at a later date.
We believe, however, that in any privacy legislation, Congress
must simultaneously impose equal obligations on entities
wherever their collection of personal information and potential
misuse or unauthorized disclosure may occur, whether online or
offline. Finally, the private right of action created in this
legislation is an unnecessary enforcement mechanism that would
create a greater risk of abuse to be borne by industry--
particularly where S. 2201 would present conflicting
obligations for companies that must comply with other Federal
privacy laws--without providing any proven, increased consumer
protection.
Three of the five Federal Trade Commissioners, including
Chairman Muris, agree that S. 2201 is unworkable. Chairman
Muris cautions that Congress needs better information about
crafting effective legislation to accomplish its privacy goals,
and better analyses of the costs and benefits such legislation
would produce. Additionally, four of the five Commissioners
question the fairness and practicality of S. 2201's limited
application to online information practices, simply based on
the medium used to collect information, when the collection and
use of personally identifiable information is also widespread
offline. The comments of each of the five FTC Commissioners on
the principal features of S. 2201 were provided in separate
letters dated April 24, 2002, in response to an inquiry by
Senator McCain. The Commissioners' letters are reprinted
(without attachments) at the end of these Minority Views.
Although the cosponsors of S. 2201 claim that the manager's
amendment adopted in the executive session addressed the
concerns raised by members of the Committee and the FTC, we
respectfully disagree. The bill's amendments adopted at the
executive session fall far short of addressing its fundamental
problems. Were it to be enacted as reported, S. 2201 would
impose enormous costs on American industry, and with it the
national economy, without ensuring equal or greater offsetting
benefits to American citizens.
BACKGROUND: CONSUMER PRIVACY IN 2002
This Committee Report provides a detailed history of the
online privacy debate, beginning with the foundations of
privacy rights in our courts and surveying the movement of the
issue over the past five years. It summarizes consumer polls,
e-commerce statistics, FTC surveys and reports to Congress,
some dating back to 1997, as well as the legislative history
beginning with the 106th Congress. This background may be
important to a thorough understanding of the issue, however,
the sheer breadth of this history overemphasizes the past state
of privacy issues by limiting discussion of the most recent
data on consumer privacy. This may leave the impression that
the issues concerning consumer privacy legislation today, in
2002, are the same as they were in 1997.
Much has changed, however, in the last five years. Congress
has passed new privacy legislation regulating, among other
things, health, medical and children's information. The FTC has
stepped up enforcement efforts and increased funding and
technological capabilities to aid these efforts. Websites have
overwhelmingly adopted privacy policies and improved consumer
protections. Technological tools such as firewalls and
anonymous browsing services have been developed and are now
readily available to consumers. The widespread collection and
use of personal information offline has become better known to
the public and, in many ways, has remarkable similarities to
online information practices. Most importantly, our national
economy and way of commerce has changed dramatically, as
evidenced by the growth of e-commerce and the public's
widespread use of the Internet. We must understand the privacy
debate and review the goals and provisions of S. 2201 within
today's commercial environment, and S. 2201 must be justified
on grounds applicable in 2002, not 1997.
Many consumer surveys on information collection practices
have been conducted over the past several years, and most
Americans responding to them have indicated their concerns
about the privacy of their personal information. Until
recently, however, the results of these polls were often
unclear about the exact nature of consumers' concerns and what
they believed should be done to address them. A February 2002
survey conducted by Harris Interactive, entitled ``Privacy On
and Off the Internet: What Consumers Want,'' was designed to
more closely explore consumers' attitudes regarding the
handling of consumer information online and offline. The Harris
poll found that consumers are most concerned about companies
sharing their personal information with other companies without
asking permission. However, the poll also found that more than
half of those surveyed (58 percent) stated that, if they were
confident that a company--whether offline or online--really
followed its privacy policies, they would be likely to
recommend that company to friends and family.
Increasingly, online and offline companies are responding to
this growing consumer demand for better privacy protections.
Although industries collecting and using consumer information
online have, more often than not, opposed online privacy
legislation, they argue that enforcement of existing privacy
laws, coupled with self-regulatory measures, increased customer
pressures and technological advancements have dramatically
improved privacy protections for consumers.
In an effort to determine the necessity of online privacy
legislation and the adequacy of private industry efforts to
protect consumer privacy, the FTC began surveying Internet
websites in 1995 to determine the extent to which they posted
privacy policies informing consumers how they collected and
used their information. As described in further detail in this
Committee Report, the FTC completed two website surveys, in
1998 and 2000, and reported the results of these surveys and
its conclusions to Congress in three annual reports during that
time.
In order to provide current data comparable to the FTC's
earlier studies, the Progress & Freedom Foundation (PFF)
conducted a new survey in December 2001 which duplicated the
previous methodology used by the FTC. The results of this
extensive online survey were released in March 2002 and remain
the most current data available on the status of privacy
protections online. Compared to the FTC's 2000 survey, this
latest survey found that the most popular websites are:
collecting less personally identifiable information (decreasing
from 96 percent in 2000 to 84 percent in 2001); using fewer
third-party cookies to track surfing behavior across multiple
websites (decreasing from 78 percent to 48 percent); providing
more prominent and complete notices (nearly 100 percent of
those surveyed); providing consumers with more choice over the
sharing of personally identifiable information with third
parties (increasing from 77 percent to 93 percent); and
increasingly offering a combination of fair information
practice elements, such as notice, choice, and security (sites
providing all 3 rose from 63 percent to 80 percent). Most
importantly, the PFF survey found that 99 percent of the 85
busiest websites had posted privacy policies, and 80 percent of
a random sample of websites had done so as well. Once a website
has a stated privacy policy, the FTC can enforce a company's
compliance with it under the FTC's traditional unfair and
deceptive practices enforcement authority.
S. 2201 FAILS TO CREATE EQUAL OBLIGATIONS FOR ONLINE AND OFFLINE
INFORMATION PRACTICES
The most significant problem with S. 2201 is its disparate
treatment of information based on whether it is collected
online or offline. Under this legislation, online providers of
goods and services would be subject to more restrictive notice,
consent, access, and security requirements than their offline
counterparts when using similar consumer information for
marketing and customer relationship management.
Information collection is not limited to the online world,
and polls show that consumers are concerned about the privacy
of their information regardless of where or how it is
collected. Consumers are right. There is no justification for
treating consumer information collected online differently from
the same information collected through other means, such as
through offline credit card transactions or mail-in warranty
registration cards. Commenting on S. 2201, FTC Chairman Muris
explained that the ``sources of information that lead to our
number one privacy complaint--ID theft--are frequently
offline.'' Commissioner Swindle further noted that, ``Perhaps
the most glaring cost associated with the bill, and with any
online-specific privacy legislation, is that it discriminates
in favor of offline commerce. It is important to remember that
electronic commerce currently constitutes a very small portion
of all commercial activity.'' Imposing different obligations,
and therefore different costs, on entities that do business
online may very well inhibit the growth of e-commerce, thereby
hurting consumers rather than helping them.
Moreover, imposing unequal standards for online and offline
information would create confusion for companies that collect
personal information from both online and offline sources and
then merge that data together in a single consumer data file.
These companies would be left with inconsistent legal
obligations with respect to identical types of information and
uncertainty as to which notice, consent, access, and security
requirements may apply to the merged data file. Disparate
obligations based on the method of collection could therefore
require companies with any online presence to create and
administer a two-tier privacy regime for the collection and
maintenance of separately regulated data--an offline system
subject to any applicable Federal or State privacy regulations
(such as financial or healthcare privacy laws that typically do
not discriminate on the basis of the medium over which such
information is collected, used, or disclosed) and an online
system subject to the conflicting privacy requirements
contained in S. 2201.
Such a two-tiered system would be extremely costly and
burdensome to design, implement, and manage. As Commissioner
Leary noted, businesses attempting to comply with S. 2201 and
other laws applying different offline standards ``would be
required to differentiate between online and offline
information, as well as any possible differences between the
notice, choice, and security requirements in the two regulatory
schemes.'' Indeed, the costs would undoubtedly force some
companies to discontinue their online operations altogether.
The potential impact to consumers of such costs would be great.
Higher costs to businesses would likely be passed on to
consumers in the form of more expensive goods and services, and
e-commerce in general would suffer from less competition and
the loss of valuable online services if companies cease or
limit their online operations. Therefore, an ironic, unintended
consequence of S. 2201 is that it provides a disincentive,
rather than an incentive, for companies to increase online
services and consumers to use the Internet and works against
Congress's efforts to promote the growth of the Internet and e-
commerce.
In light of the significantly higher administration and
compliance costs associated with maintaining separate
databases, some companies may consider whether maintaining any
online presence at all means having one privacy compliance
regime, as opposed to two. This would require these companies
to subject all of their data collection practices to S. 2201's
more restrictive notice, consent, access, and security
requirements (in those instances where it's actually possible
to comply with S. 2201 and the other laws' requirements). A
study released by Columbia University in January 2002, however,
concluded that the increased costs imposed by a more
restrictive opt-in consent requirement on financial industries
alone (as would be required by S. 2201) ``would take the form
of higher interest rates for credit cards and mortgages, lost
efficiencies in non-store retailing, lost donations to
charitable organizations, and higher premiums for personal
insurance policy-holders.'' Such results may lead these
companies to conclude there are competitive advantages to
abandoning their online efforts entirely and under- pricing
those who continue to maintain online presences under more
restrictive information collection and use practices.
In the background section of this Committee Report, the
majority contends that Congress typically adopts medium-
specific privacy laws when new technological media threaten
consumers' privacy. However, with the exception of the
Children's Online Privacy Protection Act of 1998 (COPPA), all
other existing Federal privacy laws apply different standards
based on the nature of the information collected, not on the
nature of the medium. For example, the Cable Communications
Policy Act of 1984 restricts some sharing of customers'
personally identifiable information, including their cable
viewing habits, regardless of how it is collected. It is true
that cable companies with ``two-way'' interactive systems could
obtain viewing habit information through their cable medium,
but the bill applies equally to ``one-way'' non-interactive
cable programming providers that have no way of using the cable
medium to collect viewing habits. While COPPA specifically
addresses information collected over the Internet, it is a
narrow exception that we are willing to tolerate to protect
children online where, unlike the offline world, it is not
apparent whether their parents are accompanying them.
The substitute amendment adopted by the Committee added title
V to the bill, which would set in motion a process to adopt
rules at a later time that would provide protection ``similar
to that provided under this Act'' to information collected
offline. Requiring only that the FTC ensure that the privacy
standards for online and offline collection be ``similar,''
however, is insufficient to ensure nondiscrimination. Moreover,
the new title establishes a separate proceeding subject to a
separate schedule for separate implementation. A process that
considers online and offline information separately is purely
cosmetic, and destined to lead to unequal results. In order to
implement privacy regulations equally online and offline,
regulators must simultaneously analyze and determine which
notice, consent, access, and security requirements can be
effectively implemented in both settings. By separating the
implementation schedules, however, S. 2201 would require the
FTC to implement online regulations without knowing whether or
how those same regulations could later be implemented offline,
thereby ensuring disparate treatment of information collected
online for at least some time, and potentially until previously
adopted online regulations that will not work offline are later
repealed or rewritten.
Unfortunately, attempts to resolve the inequities of S. 2201
through adoption of a manager's amendment fell far short.
Although we are not anxious to delay the enforcement of any
privacy protections for American consumers, we are not willing
to let unfair and unequal application of the law be the price
we pay for our haste.
S. 2201 PERMITS PRIVATE RIGHTS OF ACTION THAT MAY RESULT IN FRIVILOUS
CLASS-ACTION LAWSUITS
As reported, S. 2201 permits private rights of action for
collection, use or disclosures of sensitive personal
information in violation of any provision of title I of the
bill, even in the case of inadvertent disclosures where no harm
has resulted. The bill would award successful plaintiffs the
greater of any actual monetary harm or $500 for each violation.
This private right of action, particularly the threat of class
action law suits from it, would prove enormously costly for the
industries it affects--a result that would be bad for
businesses and bad for consumers who, as a result, would face
higher prices for goods and services from passed-on legal
costs.
The potential for abuse of the private right of action is
greatly enhanced by the uncertain interaction between this
legislation and other Federal privacy laws. S. 2201 fails to
harmonize many of its privacy provisions with a myriad of
existing Federal privacy laws, particularly the Health
Insurance Portability and Accountability Act of 1996 (HIPAA)
and the Financial Services Modernization Act of 1999 (commonly
referred to as the Gramm-Leach-Bliley Act or GLBA), which cover
the healthcare and financial services industries, respectively.
For example, healthcare and financial services companies
complying in every way with the notice, consent, access, and
security requirements of HIPAA and GLBA may nonetheless be in
violation of S. 2201's differing requirements in those areas.
Additionally, many provisions of S. 2201 would directly
conflict with provisions in HIPAA and GLBA, leaving healthcare
and financial services companies that are subject to both S.
2201 and their own industry-specific privacy law unable to
legally comply with both. Legal ambiguity coupled with a
private right of action is a trial lawyer's dream. Given the
conflicting obligations this bill would create for these
industries, S. 2201's private right of action would virtually
ensure that class-action litigation would come down on multi-
billion dollar corporations that would face inconsistentlaws
and therefore be subject to privacy violations on the very day that
rules became effective under this Act.
Proponents of private rights of action claim that they are
necessary for their deterrent effect on bad actors. It is
likely, however, that they do nothing to stop bad actors, but
do everything to put at risk good actors who might happen to
have deeper pockets. Bad actors are those that deliberately
choose to violate the law, and may include disreputable
companies operating outside the country or intentionally
disguising their whereabouts to avoid detection. Threats of
lawsuits in the United States will not deter such actors
operating on a global stage that are intentionally skirting our
and other nations' privacy laws.
Congress has passed many Federal privacy laws without private
rights of action, including HIPAA, COPPA, and GLBA, three of
the most significant privacy statutes passed in recent years.
If Congress found it unnecessary to include a private right of
action in legislation dealing directly with classes of highly
sensitive information such as detailed healthcare and financial
records, then it is unclear why a private right of action
should be included in S. 2201 for broader-based regulation of
health and financial information. The Committee has seen no
evidence indicating that the enforcement mechanisms mandated by
these privacy laws are so inadequate for ensuring compliance
with their provisions that they must be supplemented with
private rights of action. We should not forget that many of the
most egregious examples of privacy abuses often mentioned in
our debates--such as Eli Lilly and Company's inadvertent e-mail
disclosure of several hundred Prozac customers' identities are
already illegal acts under section 5 of the FTC Act, which
makes ``unfair or deceptive acts or practices in or affecting
commerce,'' including breaches of corporate privacy policies,
unlawful. As it demonstrated in its vigorous investigation of
Eli Lilly, the FTC should continue to aggressively pursue
privacy violations under our extensive framework of existing
federal privacy laws. Unless it is shown that the FTC and State
attorneys general are unable to properly enforce S. 2201, we
should avoid opening the door to potential abuses such as
frivolous class-action lawsuits.
Ironically, the private right of action included in this bill
may encourage more consumer data collection than would
otherwise occur. Companies will be forced to record and retain
information on every consumer interaction to prepare themselves
to defend against potentially frivolous law suits. The record
for each such interaction would have to include proof that the
company offered notice to the consumer, offered an opt-in or
opt-out, and responded to each access request.
Another unintended consequence of S. 2201's private right of
action is that it could increase the complexity of consumer
notices. Some consumer advocates have argued that the notices
distributed pursuant to GLBA were confusing and inadequately
informed consumers of their choices regarding the sharing of
their financial information. Yet, these notices were not even
written with a defense to private rights of action in mind. As
Commissioner Swindle explained, some of the difficulty in
complying with GLBA's notice requirements was due to the
``challenge of communicating complex information to
consumers,'' and the same challenge would also apply to S.
2201's notice and consent provisions. While it is very
important that consumers have clearer and more concise notices,
if companies must put their privacy policies to a jury, we can
be sure that lawyers will draft them with an eye toward
litigation and not intelligibility. S. 2201 may therefore
exacerbate the very consumer confusion regarding notices that
it seeks to remedy.
The majority of businesses covered under S. 2201's private
right of action, including all financial services institutions
and healthcare entities, are already subject to separate
privacy regulations and separate enforcement regimes of GLBA
and HIPAA. Passing S. 2201 into law would therefore create a
huge and unnecessary new source of class-action litigation with
no corresponding privacy benefits to consumers.
S. 2201 CONFLICTS WITH EXISTING FEDERAL PRIVACY LAWS
The bill leaves unanswered the complex policy question of how
to superimpose a new, broad-based law for privacy practices on
top of the sector-by-sector Federal privacy regime that exists
today. Many industries' information practices are now
separately regulated by one or more of over 20 Federal privacy
laws, such as the healthcare industry under HIPAA, the
financial services industry under GLBA, and the credit
reporting industry under the Fair Credit Reporting Act of 1970
(FCRA). Any attempt to superimpose broad privacy regulations
that would apply to only the online information practices of
all industries is an extraordinarily complicated task. To be
done effectively, it would require the coordination and
cooperation of many Federal agencies to implement identical
rules, each within its own regulatory schemes, in order to
create a single Federal standard across the industries over
which the agencies have jurisdiction. The bill fails to do
this.
Because S. 2201 does not provide complete harmonization with
the numerous Federal privacy laws that already protect the
privacy of individuals, there remain very significant practical
challenges to implementing S. 2201 in its current form. Care
must be taken to consider the effects of this bill on existing
laws, particularly if its enactment would create ambiguous or
conflicting requirements for businesses and greater confusion
for consumers. Unfortunately, the record in Committee
illustrates the numerous ways in which S. 2201 creates
inconsistent obligations for healthcare and financial services
companies.
A healthcare provider or health plan subject to both HIPAA
and S. 2201 would be required by S. 2201 to make available
information to users under circumstances in which HIPAA does
not entitle an individual to access such information, such as
when the information is reasonably likely to endanger the life
or safety of the individual or a third party. Additionally, S.
2201 allows a consumer to revoke consent for the use and
disclosure of personal information. Yet in implementing HIPAA,
regulators eliminated a similar provision after discovering
that such a rule was unworkable and potentially harmful to
patient care. For example, a patient's prescription drug
information may be needed in the future to warn that individual
about a potentially fatal adverse drug reaction. Yet, patients
that revoke consent over the downstream uses of their
prescription drug information (as would be permitted under S.
2201)may endanger their lives by preventing healthcare
providers from using the information in their records to warn them of
life-threatening drug interactions.
With respect to financial information, S. 2201 applies
entirely different consumer consent requirements than GLBA. S.
2201 requires affirmative prior consent, or an opt-in, for the
collection, use, or disclosure of information, whereas GLBA
requires an opt-out. Such a result leaves companies no choice
but to knowingly violate one of the laws to which they are
subject. Even where S. 2201 and GLBA appear on their face to
require similar consumer notices, there are significant
inconsistencies between the online notice requirements of this
bill and the requirements applying both online and offline
under GLBA. As a result, industry representatives contend that
it's not clear that a single notice sent by a financial
institution could satisfy both requirements. Financial services
companies would therefore be left with choosing the lesser evil
of either incurring the costs of sending two separate and
differently worded notices to the same customer (an exercise
likely to lead to increased consumer confusion), or risk
potentially more- costly litigation for technically violating
S. 2201's notice provisions despite their good faith efforts to
comply with two inconsistent and conflicting laws.
S. 2201 FAILS TO ADQUATELY PREEMPT STATE PRIVACY LAWS
A fundamental function of Federal privacy legislation should
be preemption of multiple and inconsistent State privacy laws
in order to create more regulatory certainty for businesses and
correspondingly less confusion for consumers. S. 2201 fails to
do this. By not preempting State common law, S. 2201 does not
adequately preclude private lawsuits based on existing State
common law rights of action, which may impose duties upon
companies not contemplated by S. 2201 or even at odds with
those mandated by the bill.
As reported, S. 2201 requires that its provisions supersede
any State statutes, regulations, or rules regulating ``Internet
privacy.'' It does not mention State privacy laws that may
cover businesses in both their online and offline information
practices. The effect of S. 2201's preemption provisions on
these other laws is therefore unclear. In particular, financial
services and healthcare providers may face potentially
inconsistent privacy provisions in States with financial
services and medical privacy laws that do not distinguish
between online and offline collection of information.
S. 2201 FAILS TO DEFINE REASONABLE ACCESS AND SECURITY STANDARDS
S. 2201 would create broad standards by which companies
collecting personal information online must give users
``reasonable access'' to that information and establish
``reasonable procedures necessary'' to ensure the security and
integrity of consumer information they maintain. While these
undefined terms would require extensive FTC clarification in a
rulemaking, S. 2201 fails to provide any legislative guidance.
As Chairman Muris explained, ``The statute is silent, for
example, on how to balance the benefits of convenient customer
access to their information with the inherent risks to security
that greater access would create. The FTC has no answer to this
conundrum.'' Indeed, the FTC had previously assembled numerous
privacy experts, including industry representatives, consumer
advocates and academics, to specifically examine how to
implement access and security requirements in privacy
legislation. This Advisory Committee on Access and Security
reported to the FTC in 2000 that it could not reach consensus
on how to craft workable rules to implement such provisions.
S. 2201's extensive access requirements could cause companies
that traditionally do not provide access to incur significant
data system restructuring costs in order to provide that
information to consumers who request it. This is particularly a
concern for the financial services industry where sensitive
account and transactional information is decentralized across
multiple databases, some of which is constantly being processed
for transactions. Likewise, others have raised security
concerns particularly with respect to companies that would not
otherwise create or retain consumer profiles searchable by name
or other types of personal information. As noted above, S.
2201's access obligations may even conflict with existing
restrictions on access in other privacy laws, such as HIPAA.
Additionally, since the private right of action would apply to
violations of the access and security provisions of S. 2201,
some industry representatives have suggested that a company
acting in good faith may still not easily escape liability as
it sought to find the right balance between access and
security.
While the benefits of information security practices have
never been the subject of debate, there remains a question of
whether we need to legislate specific standards for them.
Strong business incentives already exist for companies to
provide heightened security for information they collect,
particularly in their online operations. If a company's online
systems were infiltrated or ``hacked,'' and personal
information held by them stolen, consumers would lose
confidence in their business services and these companies would
likely have difficulty staying in business if such lapses in
security were significant or persistent. The difficulty in
defining reasonable online security standards in legislation is
that often the definitions of ``reasonable'' turn on the fact
of whether a security system prevented an intrusion or not,
regardless of how much effort and cost was expended by the
company designing and maintaining state-of-the-art security for
its website.
Recognizing the difficulties in creating security standards,
S. 2201 at the very least should provide better guidance to the
FTC on what is ``reasonable.'' A proposed solution that failed
during the executive session would be to define reasonable
according to the best of current industry practices on
security. This approach would base reasonableness on the level
of internal security mechanisms maintained by a company rather
than the fact of whether a breach in a company's online system
has occurred. As the discussion in the executive session
illustrated, if reasonable is merely determined on the basis of
whether a breach in security could occur, this would make
companies strictly liable for the slightest of security
breaches, regardless of the level of security mechanisms
maintained, since any breach would be considered
``unreasonable.'' Such a standard would ultimately result in
endless litigation every time a hacker seeks to prove that the
latest in security technology has met its match.
CONCLUDING MINORITY VIEWS
Protecting the privacy of Americans is of the highest
importance, but S. 2201's approach to achieving that important
goal is significantly flawed. S. 2201 will never achieve its
intended purposes of improving consumer privacy protection if
its major problems are left unresolved.
John McCain.
Sam Brownback.
George Allen.
Letters of Federal Trade Commissioners
Federal Trade Commission,
Washington, DC, April 24, 2002.
Hon. John McCain,
Committee on Commerce, Science, and Transportation,
U.S. Senate, Washington, DC.
Dear Senator McCain: Thank you for your letter of April 19,
2002, requesting my views on S. 2201, the Online Personal
Privacy Act.
Personal privacy issues are a key priority at the
Commission. Because a variety of practices can have negative
consequences, consumer concerns about privacy are strong and
justified. Avoiding these consequences requires a strong law
enforcement presence, and we have increased by 50 percent FTC
resources targeted to addressing privacy problems. Our agenda
includes:
A proposed rulemaking to establish a national, do not
call registry;
Greater efforts to enforce both online and offline
privacy promises;
Beefed up enforcement against deceptive spam;
A new emphasis on assuming information security;
Putting a stop of pretexting;
Increased enforcement of the Children's Online
Privacy Protection Act; and
New initiatives to both help victims of I.D. theft
and assist criminal prosecution of this crime.
The concerns about privacy that motivate our enforcement
agenda have led others, including many members of Congress, to
propose new laws, such as S. 2201, the Online Personal Privacy
Act. There are potential benefits from general privacy
legislation. If such legislation could establish a clear set of
workable rules about how personal information is used, then it
might increase consumer confidence in the Internet. Moreover,
federal legislation could help ensure consistent regulation of
privacy practices across the 50 states. Although we should
consider fully alternative methods to protect consumer privacy
and to reduce the potential for misuse of consumers'
information, enactment of this of general legislation is
currently unwarranted.\1\
---------------------------------------------------------------------------
\1\ There may be areas in which new legislation is appropriate to
address a specific privacy issue. This letter addresses my concerns
about broad, general legislation governing online privacy issues.
---------------------------------------------------------------------------
Five points underscore my concern about general, online
privacy legislation:
1. Drafting workable legislative and regulatory standards
is extraordinarily difficult.
The recently-enacted Gramm-Leach-Bliley Act (``GLB''),
which applies only to financial institutions, required the
multiple mailings of over a billion privacy notices to
consumers with little current evidence of benefit.\2\ Our
experience with GLB privacy notices should give one great pause
about whether we know enough to implement effectively broad-
based legislation, even if it was limited to notices.
---------------------------------------------------------------------------
\2\ I am unaware of any evidence that the passage of GLB increased
consumer confidence in the privacy of their financial information. In
contrast to GLB's notice requirements, certain GLB provisions targeting
specific practices have directly aided consumer privacy. For example,
the law prohibits financial institutions from selling lists of account
numbers for marketing purposes, and makes it illegal for third parties
to use false statements (``pretexting'') to obtain customer information
from financial institutions in most instances.
---------------------------------------------------------------------------
Unlike GLB, the proposed legislation deals with a wide
variety of very different businesses, ranging from the websites
of local retailers whose sales cross state lines to the largest
Internet service providers in the world. Thus, implementation
of its notice requirement will likely be even more complicated.
Moreover, the legislation adds requirements for access not
found in GLB. The recommendations of the FTC's Advisory
Committee on Online Access and Security make clear that no
consensus exists about how to implement this principle on a
broad scale.\3\ Perhaps reflecting these same concerns, S. 2201
grants the FTC broad rulemaking authority. The only legislative
guidance is the requirement that the procedures be reasonable.
The statute is silent, for example, on how to balance the
benefits to convenient customer access to their information
with the inherent risks to security that greater access would
create. The FTC has no answer to this conundrum. We do not know
how to draft a workable rule to assure that consumers' privacy
is not put at risk through unauthorized access.
---------------------------------------------------------------------------
\3\ The Committee's Final Report is available at www.ftc.gov/acoas/
papers/finalreport.htm.
---------------------------------------------------------------------------
The inherent complexity of general privacy legislation
raises many difficulties even with provisions that are
conceptually attractive in the abstract. For example, the
proposed legislation imposes different requirements on
businesses based on whether they collect ``sensitive'' or
``nonsensitive'' personal information. Although this may be a
conceptually sound approach, we have no practical experience in
implementing it, and attempting to draw such distinctions
appears fraught with difficulty, both in drafting regulations
and assuring business compliance. Under the statute, for
example, the fact that I am a Republican is considered
sensitive, but a list of books I buy and websites I visit are
not.
Similarly, the broad state preemption provision would
provide highly desirable national uniformity. Questions about
the scope of preemption would inevitably arise, however. How
would the preemption provision affect, for example, state laws
on the confidentiality of attorney/client communications for
attorneys using websites to increase their efficiency in
dealing with their clients? Moreover, what are the implications
for state common law invasion of privacy torts when the
invasion of privacy occurs online?
Another problem is that, except for provisions reconciling
the provisions of this bill with the provisions of the
Children's Online Privacy Protection Act and certain provisions
of the Federal Communications Act, there are no provisions
reconciling the proposed legislation with other important
Federal privacy legislation. For example, it is unclear how S.
2201's requirement of notice and ``opt-in'' choice for
disclosure of financial information collected online would be
reconciled with GLB's notice and ``opt-out'' requirements for
the same information. Nor is it clear whether a credit
reporting agency's use of a website to facilitate
communications with its customers would subject it to a
separate set of notice, access, and security requirements,
beyond those already in the Fair Credit Reporting Act.
I want to emphasize that I note these examples, not to
criticize the drafting of the proposed legislation, but to
illustrate the inherent complexity of what it is trying to
accomplish.
2. The legislation would have a disparate impact on the
online industry.
Second, I am concerned about limiting general privacy
legislation to online practices. Whatever the potential of the
Internet, most observers recognize that information collection
today is also widespread offline. Legislation subjecting one
set of competitors to different rules, simply based on the
medium used to collect the information, appears discriminatory.
Indeed the sources of information that lead to our number one
privacy complaint--ID Theft--are frequently offline. Of course,
applying the legislation offline would increase the complexity
of implementation, again underscoring the difficulties inherent
in general privacy legislation.
3. We have insufficient information about costs and
benefits.
Third, although we know consumers value their privacy, we
know little about the cost of online privacy legislation to
consumers or the online industry. Again, the experience under
GLB indicates that the costs of notice alone can be
substantial. Under S. 2001, these costs may be increased by the
greater number of businesses that must comply, by uncertainty
over which set of consent procedures apply, and by the
difficulty of implementing access and security provisions.
4. Rapid evolution of online industry and privacy programs
is continuing.
Fourth, the online industry is continuing to evolve
rapidly. Recent surveys show continued progress in providing
privacy protection to consumers.\4\ Almost all (93 percent) of
the most popular websites provide consumers with notice and
choice regarding sharing of information with third parties.
Some of the practices of most concern to consumers, such as the
use of third party cookies, have declined sharply. Moreover
fewer businesses are collecting information beyond email
address. These changes demonstrate and reflect the more
important form of choice: the decision consumers make in the
marketplace regarding which businesses they will patronize.
Those choices will drive businesses to adopt the privacy
practices that consumers desire.
---------------------------------------------------------------------------
\4\ The Progress and Freedom Foundation recently released the
results of its 2001 Privacy Survey, available at www.pff.org/pr/
pr032702 privacy online.htm.
---------------------------------------------------------------------------
Perhaps most important for the future of online privacy
protection, 23 percent of the most popular sites have already
implemented the Platform for Privacy Preferences (P3P). This
technology promises to alter the landscape for privacy
disclosures substantially. Microsoft has incorporated one
implementation of P3P in its web browser; AT&T is testing
another, broader implementation of this technology. By the time
the Act's disclosure regulations might reasonably take
effect,\5\ the technological possibilities for widespread
disclosure may differ substantially. Although S. 2201
anticipates this development by requiring the National
Institute of Standards to promote the development of P3P
technology, legislation enacted now cannot take advantage of
such nascent technology. Moreover, it may inadvertently reduce
the incentives for businesses and consumers to adopt this
technology if disclosures are required using other approaches.
---------------------------------------------------------------------------
\5\ Again, GLB is instructive. It was almost two years between the
enactment of the statute and the effective date of the privacy rules
promulgated thereunder.
---------------------------------------------------------------------------
5. Diversion of resources from ongoing law enforcement and
compliance activities.
Finally, there is a great deal the FTC and others can do
under existing laws to protect consumers privacy. Indeed, since
1996, five new laws have had a substantial impact on privacy-
relatedissues.\6\ We should gain experience in implementing and
enforcing these new laws before passing general legislation.
Implementation of yet another new law will require both industry and
government to focus their efforts on a myriad of new implementation and
compliance issues, thus displacing resources that might otherwise
improve existing privacy protection programs and enforce existing laws.
Simply shifting more resources to privacy related matters will not, at
least in the short term, correct this problem. The newly-assigned staff
would need to develop the background necessary to deal with these often
complex issues. The same is likely true for business compliance with a
new law. Without more experience, we should opt for the certain
benefits of implementing our aggressive agenda to protect consumer
privacy, rather than the very significant effort of implementing new
general legislation.
---------------------------------------------------------------------------
\6\ Fair Credit Reporting Act, 15 U.S.C. Sec. 1681 (amended 9/30/
96); Health Insurance Portability and Accountability Act, 42 U.S.C.
Sec. 1320 (enacted 8/21/98); Children's Online Privacy Protection Act,
15 U.S.C. Sec. 6501 (enacted 10/21/98); ID Theft Assumption &
Deterrence Act, 18 U.S.C. Sec. 1028 (enacted 10/30/98); GLB, 15 U.S.C.
Sec. 6801 (enacted 11/12/99). Moreover, since 1996, the FTC has been
applying its own statute to protect privacy.
---------------------------------------------------------------------------
Conclusion.--We share the desire to provide American
consumers better privacy protection and to ensure that American
businesses face consistent state and Federal standards when
handling consumer information. Nonetheless, we believe that
enactment of this general online privacy legislation is
premature at this time. We can better protect privacy by
continuing aggressive enforcement of our current laws.
Sincerely,
Timothy J. Muris,
Chairman.
------
Federal Trade Commission,
Washington, DC, April 24, 2002.
Re S. 2201 (The Online Personal Privacy Act).
Hon. John McCain,
Ranking Member, Committee on Commerce, Science, and Transportation,
U.S. Senate, Washington, DC.
Dear Senator McCain: I am pleased to provide my views on S.
2201, the Online Personal Privacy Act, which was introduced by
Chairman Hollings on April 18, 2002. Although I share the view
of the sponsors of this legislation that privacy is important
to American consumers, there has been no market failure that
would justify the passage of legislation regulating privacy
practices concerning most types of information. Even if such a
market failure exists, I am not persuaded that the benefits of
such legislation, including the proposed Online Personal
Privacy Act, exceed its costs.
Indeed, the best means of protecting consumer privacy
without unduly burdening the New Economy is through a
combination of industry self-regulation and aggressive
enforcement of existing laws that are relevant to privacy by
the FTC and other appropriate regulatory agencies. This
approach is flexible enough to respond rapidly to technological
change and to the tremendous insight we are gaining from the
ongoing dialogue among government, industry, and consumers on
privacy issues.
You have asked for my assessment of whether legislation is
needed. I believe legislation should be reserved for problems
that the market cannot fix on its own. To my knowledge, there
is no evidence of a market failure with respect to online
privacy practices, nor are there signs of impending market
failure that would warrant burdensome legislation. As a result
of a continuing and energetic dialogue among industry,
government and consumer representatives, industry is stepping
up to the plate and leading the way toward enhancing consumer
privacy online. Flexible and efficient privacy tools are
increasingly addressing consumer concerns. Indeed, the evidence
indicates that the market is responding to consumers' concerns
and demands about privacy.
A recent Progress and Freedom Foundation study \1\ tells us
that there has been a significant decline in the amount of
personal information that websites are collecting from
visitors.\2\ At the same time, there has been an increase in
the voluntary adoption of privacy practices. The study
indicates that privacy policies have become more common and
more consumer-friendly over the past year. In addition, the
percentage of the most popular sites offering consumers a
choice whether their information can be shared with third
parties increased from 77% in 2000 to 93% in 2001. The privacy-
enabling technology, Platform for Privacy Preferences (P3P), is
being deployed rapidly, and industry has generally become more
responsive to the privacy concerns of consumers.
---------------------------------------------------------------------------
\1\ Adkinson, William F. Jr., Jeffrey A Eisenach, Thomas M. Lenard,
Privacy Online: A Report on the Information Practices and Policies of
Commercial Web Sites. Washington, D.C.: Progress & Freedom Foundation
(2002). Available at: .
\2\ Among the most popular 100 sites, the proportion collecting
personal information fell from 96% in 2000 to 84% in 2001. Similar to
this finding, the proportion of those firms employing ``cookies'' fell
from 78% to 48% in the past year.
---------------------------------------------------------------------------
These trends clearly demonstrate that the online
marketplace is dynamic, and that firms are working hard to find
the ``right'' pattern for information management practices. In
addition, the survey results show that the most frequently
visited websites (and much of the Internet as a whole) have
clearly recognized that information management policies and
privacy practices are necessary parts of everyday business on
the Internet. Consumers expect privacy protection and firms
realize that it is to their competitive advantage to respond to
customer expectations. To the extent that consumers have
demanded privacy, these results show that the market had
provided it.
Contrary to arguments by proponents of legislation that
consumers' privacy concerns are retarding the growth of
electronic commerce, electronic commerce is growing rapidly
without new privacy legislation. Online transaction have
roughly doubled each year between 1997 and 1999, and annual
consumer purchases have risen from roughly $5 billion in 1998
to $32 billion in 2001. Recent data on online holiday shopping
are even more dramatic, rising from roughly $1 billion in 1997
to nearly $14 billion in 2001--a 1300% increase. E-commerce
thus is growing rapidly in the absence of new privacy
regulation.\3\
---------------------------------------------------------------------------
\3\ It is interesting to compare the growth of electronic commerce
to the growth in the use of debit cards. Between 1988 and 1996, debit
transactions slowly rose from virtually nothing to less than $50
billion annually. As consumers' experience with these cards increased,
however, debit card spending jumped to $300 billion in 2000. This
massive growth in debit card transactions was not caused by federal
regulatory action, but resulted from consumers' positive experiences
with the cards.
---------------------------------------------------------------------------
For many years now, it has been my understanding that
Congress seeks to weigh the costs and benefits of new
legislation, with the goal of avoiding doing more harm than
good. To my knowledge, there is no evidence concerning the
costs associated with the proposed legislation, nor an
assessment of whether those costs are outweighed by the ill-
defined economic benefits that might follow. I do not believe
legislation should be adopted without careful consideration of
the problem it may create.
Perhaps the most glaring cost associated with the bill, and
with any online-specific privacy legislation, is that it
discriminates in favor of offline commerce. It is important to
remember that electronic commerce currently constitutes a very
small portion of all commercial activity. It is difficult to
understand drawing a distinction between offline and online
privacy. I would suggest that it is likely that consumers share
similar concerns in both situations. I believe it is essential
to consider the costs and benefits of regulating both online
and offline privacy before any legislation is enacted.
To evaluate other costs associated with the notice and
choice requirements of the Online Personal Privacy Act, the
Commission's experience with the Gramm-Leach-Bliley Act (GLB
Act) is instructive. The GLB Act requires that financial
institutions issue privacy notices to their customers and, in
certain circumstances, provide them with the opportunity to opt
out of disclosures of nonpublic personal information to
nonaffiliated third parties. To comply with the GLB Act last
year, firms incurred great expense in disseminating privacy
notices, yet very few consumers opted out. Among the
difficulties encountered in complying with GLB Act was the
challenge of communicating complex information to consumers.
Industry would face these same challenges in communicating
notice and choice in the online context, and a requirement to
provide ``robust'' notice to consumers does little to solve
these problems. It also would be difficult for static
regulation to keep pace with technology. For example,
regulation mandating notice provided on a website may be
inapplicable to Web-enabled handheld devices, such as cell
phones.
A requirement to provide ``reasonable access and security''
is difficult to define. In its May 2000 report, the
Commission's Advisory Committee on Online Access and Security
was unable to reach consensus as to the amount and type of
access that should be provided to consumers.\4\ Given the
complexity of this issue, I do not believe that it is a
suitable topic for broad-based legislation or regulation. More
important, the Commission already has the ability to address
security breaches through the enforcement of existing
statutes.\5\
---------------------------------------------------------------------------
\4\ In 1999, the Commission established an Advisory Committee on
Online Access and Security to provide advice and recommendations to the
Commission regarding implementation of reasonable access and adequate
security by domestic commercial websites. The Committee's final report
to the Commission on May 15, 2000, described options for implementing
reasonable access to, and adequate security for, personal information
collected online and the advantages and disadvantages of each option.
\5\ See In the Matter of Eli Lilly and Co., FTC File No. 012 3214
(consent agreement accepted, Jan. 17, 2002) (alleging that Eli Lilly
unintentionally disclosed personal information collected from consumers
by not taking appropriate steps to protect the confidentiality and
security of that information).
---------------------------------------------------------------------------
In addition, I am not aware of reliable information about
the likely costs associated with providing access and, in
particular, the costs of maintaining a clickstream database
that could be easily accessible to consumers and easily
altered.\6\ I therefore question whether the $3.00 fee allowed
by S. 2201 for consumers to obtain access to their information
would be sufficient to cover the expense. Although some firms--
obviously the larger ones--might be able to absorb the costs
associated with this access mandate, other firms might be
unable to provide the service for a minimal fee and would be
unable to continue business with their current model. This
possibility seems terribly unfair to small business and harmful
to competition in electronic commerce.
---------------------------------------------------------------------------
\6\ Under the proposed legislation, clickstream data, as collected
by third-party cookies, are considered to be personally identifiable
information to which consumers should have access.
---------------------------------------------------------------------------
Finally, in an attempt to empower consumers, this
legislation gives them a private right of action. While this
measure is aimed at increasing compliance with the law, I fear
that a private right of action may result in unintended
consequences. More specifically, increased private litigation
over information management policies may chill further
innovation on the part of businesses that may fear that any
change in their information management practices will be met
with lawsuits.
In summary, the electronic marketplace is still evolving.
Industry and government have been working diligently to address
consumers' privacy concerns. Businesses have made admirable
progress over the past several years and have no intention of
standing down. Industry leaders are directly involved in
seeking solutions to meet consumer demands and concerns. From a
business standpoint, it just makes good sense. Now is not the
time for the federal government to legislate and effectively
halt progress on these self-regulatory efforts. New,
complicated, and ambiguous laws will force innovation and
investment to take a back seat to compliance and bureaucratic
process. At the end of the day, we will have made far less
progress in finding solutions to privacy concerns than we would
have if we had simply relied on government and private sector
cooperation and market forces.
Thank you for the opportunity to offer my views on these
issues. I look forward to working with you in the future.
Sincerely,
Orson Swindle,
Commissioner.
------
Federal Trade Commission,
Washington, DC, April 24, 2002.
Hon. John McCain,
Committee on Commerce, Science, and Transportation,
U.S. Senate, Washington, DC.
Dear Senator McCain: You have asked that members of the
Federal Trade Commission provide their individual views on a
privacy bill, ``The Online Personal Privacy Act,'' S. 2201, and
I am pleased to respond.
It is important to express one important reservation up
front. This statement of my individual views is constrained by
my understanding of the context of your request. Like any other
citizen, I have personal views on fundamental issues in the
privacy debate (e.g., the question of whether it is appropriate
to speak of a ``right to privacy'' in the context of private
consensual transactions as opposed to intrusions by government;
the balance between any privacy rights of one party and the
First Amendment rights of another; and the question of whether
it is realistic to expect that most barriers to disclosure will
prove effective in the long term). However, there is no reason
why you or any other lawmaker should be particularly interested
in my opinions about these value-laden issues, so I understand
that you are asking for my views in the context of the
responsibilities and capabilities of the Federal Trade
Commission. In other words, this response is constrained by an
appreciation of the limitations of our institutional
expertise.\1\
---------------------------------------------------------------------------
\1\ My previous statement on privacy issues are enclosed with this
letter.
---------------------------------------------------------------------------
To be blunt, I do not believe it is my place to advise
Congress on the bottom line issue of whether it is or is not a
good idea to legislate on privacy issues. (To the extent I
presumed to do so in the past, I have changed my mind.) The
Federal Trade Commission, in my view, functions best as a
facilitator, which attempts through law enforcement and
education \2\ to ensure that consumers are not misinformed
about the goods and services that they buy and that sellers are
not disabled by illegal private constraints. But, in the
absence of Congressional direction to the contrary, we are
neutral about the terms of sale that are freely determined. We
have strong institutional confidence in the ability of
adequately informed consumers to make their own choices about
what they want (including, presumably, varying levels of
privacy protection) without interference from government. We
are good at specifying what is adequate disclosure of the terms
of sale but we are not good at devising rules for what the
terms of sale should be.
---------------------------------------------------------------------------
\2\ The Commission also provides a forum for the exchange of views
among outside individuals and groups.
---------------------------------------------------------------------------
With this awareness of our limitations, I join with those
colleagues who express serious reservations about the ``Online
Personal Privacy Act,'' S. 2201. I generally concur in their
conclusions, but write separately to emphasize my particular
perspective. I simply do not believe that S. 2201 can be
enforced in a coherent way. The following is a summary list of
the reasons:
1. I do not believe it is workable or reasonable to treat
privacy differently in the online world than in the offline
world to the extent that the information collected is the same,
regardless of the site of collection or the means of
dissemination. It is obvious that different modes of disclosure
might be required, but it is illogical to regulate one medium
and not the other.
2. Congress may, in its judgment, determine that it is
appropriate to mandate some form of ``notice'' to consumers
about what will happen to their personal information. For one
thing, mandated notice would eliminate the present awkward
situation whereby a company that volunteers information about
it privacy policy \3\ risks prosecution if the information is
inaccurate, but one that volunteers nothing risks nothing.\4\
Recent experience with mandated notice, however, suggests that
it is not enough for Congress simply to require that it be
done.\5\ Businesses have to be given more precise guidance
about the forms of notice that will be useful to consumers.
This is something the Federal Trade Commission, as an
institution, knows something about. It might be appropriate to
direct the Commission or some other appropriate body to survey
the quality of notices that are either voluntarily provided or
mandated today, and then recommend a template for notice that
would be meaningful. This project would inform the policy
debate and ultimately, perhaps, provide the framework for
legislation.
---------------------------------------------------------------------------
\3\ And, apparently, an overwhelming majority do, according to the
most recent evidence. William F. Adkinson, Jr., Jeffrey A. Eisenach and
Thomas Lenard, Progress & Freedom Foundation, ``Privacy Online: A
Report on the Information Practices and Policies of Commercial
Websites'' .
\4\ The vendor may, of course, incur marketplace risk.
\5\ Gramm-Leach-Bliley Act, 15 U.S.C. Sec. Sec. 6801-6810; and
Interagency Public Workshop: Get Noticed: Effective Financial Privacy
Notices (December 4, 2001) .
---------------------------------------------------------------------------
3. The issue of ``choice'' or ``consent'' is much more
complex than the bill seems to recognize. At first glance, it
seems obvious that the whole purpose of notice is to
enableconsumers to make informed choices. It is necessary, however, to
think about the consequences of choice. If there is no cost or reduced
benefit associated with the choice to opt-out (or failure to opt-in)
then the added expense of accommodating these choices will be borne by
consumers less tender of their privacy. (No one suggests that people
who do not want to use their supermarket charge cards because of the
information disclosed should be entitled to the discount anyway.) On
the other hand, if privacy-conscious consumers are disadvantaged too
much, their only practical ``choice'' is to seek another provider, and
mandated ``opt-outs'' or ``opt-ins'' become essentially meaningless.
There would have to be some regulatory regime to determine what is a
reasonable in-between position in these circumstances, and I have no
idea how this could be done across-the-board.
4. Under the bill, further refinements of ``access'' and
``security'' would presumably need to be spelled out in
rulemaking proceedings.\6\ As I have said before, ``[i]t is not
appropriate to defer all the tough issues for future rule-
making.'' \7\ I personally believe, for example, that there is
a vast disparity between the costs and the minuscule benefits
of an access regime in most situations, and I further believe
that the costs of merely developing and enforcing across-the-
board rules would also vastly exceed the benefits. Congress may
want to consider whether any tailored expansions of present
rights is necessary,\8\ but a blanket mandate of ``access''
right is unlikely to result in significant benefits overall.
---------------------------------------------------------------------------
\6\ S. 2201, Section 403
\7\ Federal Trade Commission, ``Online Profiling: a Report to
Congress'' (Part 2) (Statement of Commissioner Thomas B. Leary,
Concurring in Part and Dissenting in Part) (July 2000), .
\8\ The Fair Credit Reporting Act, 15 U.S.C. 1681 et seq., and the
Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501 et
seq. are among the federal laws that grant access rights.
---------------------------------------------------------------------------
These are major objections, but the following issues are
also significant:
5. S. 2201 distinguishes ``sensitive'' from ``non-
sensitive'' personal information.\9\ These categories seem
arbitrary. For example, as Chairman Muris points out in his
letter to you of this date, some might feel that information
about the books they read is a lot more sensitive than their
political affiliation. Moreover, information that is merely,
``inferred'' from data \10\ may be just as sensitive as
information ``about'' \11\ certain aspects of an
individual.\12\
---------------------------------------------------------------------------
\9\ S. 2201, Sections 102 and 401.
\10\ S. 2201, Section 401.
\11\ S. 2201, Section 401.
\12\ See, In the Matter of Eli Lilly and Co., FTC File No. 012-3214
(January 18, 2002), . This
case involved the improper disclosure of the identify of people who had
regularly obtained information about a certain psychotropic medication,
but did not disclose whether they actually took the medication.
---------------------------------------------------------------------------
6. The distinction between ``clear and conspicuous'' notice
and ``robust'' notice \13\ seems unworkable as a legal mandate.
Articulation of the latter undercuts the significance of the
former. If some form of notice is ever mandated by Congress, it
should be both.
---------------------------------------------------------------------------
\13\ S. 2201, Sections 102 and 401.
---------------------------------------------------------------------------
7. The bill is silent about the extent to which privacy
protections travel with consumers' personal information. In
general, Gramm-Leach-Bliley's privacy provisions require
downstream recipients of covered data only to use the
information in a fashion that is consistent with the consumers'
stated privacy preferences or only for uses that are exempted
from the notice and choice requirements (such as credit
reporting). In this sense, the protections flow with the
information. I seriously question whether this concept can be
applied across the economy, but without it, the privacy
protections of the bill may be nullified.
8. As Chairman Muris notes, some of the provisions of S.
2201 attempt to reconcile the legislation's privacy protections
with other federal statutes that allow limited but beneficial
information sharing. However, as currently drafted, S. 2201
might limit a variety of legitimate and beneficial information
sharing which covered entities engage in and which Congress
would like to continue. It is not clear, for example, whether
information about transactions completed online could be
communicated to credit bureaus. Without appropriate exclusions,
any proposed privacy rules could have a serious anti-consumer
impact.
9. This bill would add to the emerging patchwork of federal
privacy regulations that apply to personal information \14\ and
may ultimately result in ambiguous, conflicting, or impractical
requirements for businesses, and greater confusion for
consumers as well. For example, S. 2201 provides that
``sensitive'' and ``non-sensitive'' information would be
subjected to different levels of protection. Dissemination of
``sensitive'' information would be subject to consumer notice,
opt-in choice, access and security. ``Non-sensitive''
information would be protected by ``robust'' notice, opt-out
choice, access and security. The specifics of these
requirements would all be defined in a future rulemaking. At
the same time, ``non-public'' personal information collected by
financial institutions (whether online or offline) would be
subjected to Gramm-Leach-Bliley's distinct notice, choice and
security standards.
---------------------------------------------------------------------------
\14\ Among the many federal privacy laws are: Gramm-Leach-Bliley
Act, 15 U.S.C. Sec. Sec. 6801-6810 (covers financial institutions, non-
public personally identifiable information and requires notice of
information practices and an opt-out for sharing information with third
parties); Children's Online Privacy Protection Act, 15 U.S.C. Sec. 6501
(covers Web site operators, prohibits collection, use and disclosure of
children's online information without verifiable parental consent and
provide for parental access rights and imposes security requirements);
Fair Credit Reporting Act, 15 U.S.C. Sec. 1681 (1970) (covers credit
bureaus and providers and users of credit data and grants consumers
with access rights and opt-out rights for certain uses of credit data);
and Health Insurance Portability and Accountability Act of 1996, Pub.
L. No. 104-191, 262(a), 110 Stat. 1936 (1996) (codified as amended in
scattered sections of 18, 26, 29 and 42 U.S.C.A.); 42 U.S.C.A. 1320d to
1320d-8 (West Supp. 1998) (covers a variety of health-related entities
and health information and requirements that include notice, varying
degrees of choice, access, and security).
---------------------------------------------------------------------------
Businesses that seek to comply with both of these
regulations would be required to differentiate between online
and offline information as well as any possible differences
between the notice, choice, and security requirements in the
two regulatory schemes. Additionally, our experience to date
with Gramm-Leach-Bliley suggests that consumers may need less
rather than more complex privacy disclosures in order to
understand and execute their rights. It is unrealistic, at this
point, to assume that consumers will comprehend the various
categories of information as well as the protections that are
attached to each category of information.
10. The bill provides that ``penalties'' would be imposed
for a violation of the statute, and that ``redress'' would be
distributed to consumers in an amount not to exceed $200 (for
breaches involving non-sensitive personal information). This
confuses two separate concepts. Penalties are calculated
without regard to consumer injury or ill-gotten gains, and are
paid to the Treasury. Redress is intended to make consumers
whole.
11. Wholly apart from the burden issues identified above,
the bill does not seem to recognize the potential conflict
between access and security. Broad access rights will lead to
the centralization of data which could result in very
significant security breaches. This is a highly technical
subject, where there is no consensus among experts.\15\
---------------------------------------------------------------------------
\15\ Final Report of Federal Trade Commission Advisory Committee on
Online Access and Security, published as Appendix D of Privacy Online:
Fair Information Practices in the Electronic Marketplace: A Federal
Trade Commission Report to Congress (May 2000).
---------------------------------------------------------------------------
I appreciate the opportunity to provide these comments and
would be pleased to respond to any further questions.
Sincerely,
Thomas B. Leary.
------
Federal Trade Commission,
Washington, DC, April 24, 2002.
Hon. John McCain,
Committee on Commerce, Science, and Transportation,
U.S. Senate, Washington, DC.
Dear Senator McCain: In anticipation of the Senate Commerce
Committee's April 25, 2002 hearing on S. 2201, the Online
Personal Privacy Act (``OPPA''), you have asked each
Commissioner of the Federal Trade Commission to comment on
whether legislation is needed and, if so, what such legislation
should contain. As you know, the FTC has long been involved
with the issue of consumer privacy and I have also personally
devoted a great deal of time and thought to this matter.
Accordingly, I appreciate the opportunity to offer my views
about privacy legislation and comment on the principal features
of the OPPA.
In the past, a particular area of focus for me has been the
question of whether federal legislation is necessary. In the
Commission's May 2000 Congressional Report, ``Privacy Online:
Fair Information Practices in the Electronic Marketplace,'' a
majority of the FTC recommended that Congress enact online
privacy legislation. In my accompanying statement and written
testimony, I expressed my support for thoughtful and balanced
online privacy legislation that is coupled with meaningful
self-regulation and enforcement of existing laws.\1\ I also
stated that such privacy legislation should incorporate the
well-established fair information practice principles of
notice, choice, access and security and should provide for
federal preemption of inconsistent state laws. Further,
legislation should be organic and sufficiently flexible to take
into account the type and sensitivity of the date at issue.
---------------------------------------------------------------------------
\1\ This position represented a change from my prior opinion which
did not support legislation but, instead, called for industry self-
regulatory measures. Compare Statement of Commissioner Mozelle W.
Thompson Before Senate Comm. On Commerce, Science and Transp. (May 25,
2000), with Statement of Commissioner Mozelle W. Thompson Before Senate
Comm. On Commerce, Science and Transp. (July 13, 1999).
---------------------------------------------------------------------------
My conclusion has not changed and, as discussed below, I
believe that today's market conditions make an even more
compelling case for legislation. Moreover, I support the OPPA
because it contains the above described elements and represents
a thoughtful, balanced and well-reasoned approach to the
privacy issue.
On-line Privacy Legislation Is Needed
Consumer confidence is one of the most important features
of American economic strength and, as demonstrated by recent
declines in dot-com industries, emerging markets and young
industries are particularly vulnerable to consumers
uncertainty. It is not surprising then, that those industries
involved in the developing electronic marketplace, or ``e-
commerce,'' have begun to direct greater attention and more
resources to strategies that address consumer confidence.
Members of this industry are asking what is needed to allow e-
commerce to reach its potential and fully develop into a stable
and robust market? One answer is data privacy.
Studies continue to indicate that consumers' foremost
concern with respect to e-commerce is the privacy of their
personal data. Indeed, last year Forrester Research estimated
that consumers' online privacy concerns cost $15 billion of
potential e-commerce revenue. Also, 73% of online consumers who
refused to purchase online did so because of privacy concerns.
Moreover, one need only compare the stock prices of those
companies engaged in online profiling, before and after
settling complaints about their business practices, to find a
clear example of the value to consumers of certainty and
confidence in a new market.
To date, the FTC has provided a strong privacy foundation
by way of the agency's law enforcement regime combined with our
efforts in promoting industry self-regulation. Although
consumers and businesses involved in e-commerce have benefitted
from these efforts, they are no longer sufficient because there
are still online companies that fail to protect consumer
information. Without a legislative backdrop, too much of the
risk of e-commerce is shifted to the consumer at a time when
consumer confidence is critical. Law enforcement measures are
by their nature retroactive, focusing on events that have
already occurred. Once a consumer has lost his or her privacy--
be it through identity theft, the creating of an unauthorized
profile based upon the consumer's online activities or by some
other means--it is generally impossible to make that consumer
whole again.
This condition is made more serious because the Internet
allows instantaneous, inexperience and unlimited transmission
of data while computer databases permit storage and
unprecedented manipulation. Moreover, it is difficult for the
consumer to even know that his or her privacy has been violated
until, in some cases, years after the fact.\2\ Consequently,
without legislation, e-commerce will remain an uncertain
marketplace in which only those consumers on the fringe will
participate.
---------------------------------------------------------------------------
\2\ These features, coupled with technology that allows websites to
surreptitiously collect consumer information, distinguish the on-line
consumer environment from the off-line world.
---------------------------------------------------------------------------
The absence of legislation also forces the Commission into
the unusual position of going after the good actors that have
strong privacy policies, while the bad remain largely
unreachable by agencies like the FTC, thus leaving these
businesses free to violate consumer trust. Without the type of
legislation backdrop that the Commission called for in 2000,
and which OPPA provides. I am afraid there will continue to be
many free riders and companies with inadequate information
practices.
Necessary Elements for Effective Privacy Legislation
I believe that the OPPA addresses many of the most delicate
problems associated with a legislative privacy framework.
First, it contains the fair information principles and allows
for flexibility and change. The OPPA avoids a ``one size fits
all'' approach to the notice requirements and provides a
reasonableness test for access. The OPPA is also more
reflective of a ``real world'' consumer environment because it
employs a sliding scale that affords more protection to more
sensitive information.
Second, by preempting state law, the OPPA will prevent the
possibility of multiple standards that could ``Balkanize'' e-
commerce and prove overly burdensome to business and too
confusing for consumers. Finally, in granting the FTC
rulemaking authority, the OPPA will permit strong enforcement,
with special sensitivity to industry and consumer needs, while
also providing a means for state participation.
Thank you again for providing me with this opportunity to
discuss privacy legislation and the OPPA. I also hope that you
will continue to consider the FTC a resource as your work
progresses on this important issue.
Sincerely yours,
Mozelle W. Thompson.
------
Federal Trade Commission,
Washington, DC, April 24, 2002.
Hon. John McCain,
U.S. Senate, SROB,
Washington, DC.
Dear Senator McCain: Thank you for your letter of April 19,
2002 asking me to comment on Chairman Hollings Senate Bill
2201, ``The Online Personal Privacy Act.'' Your letter asked
two questions: First, whether I believe legislation is needed,
and if so, what it should contain. Second, you asked for my
comments on the principal features of S. 2201.
I. IS LEGISLATION NEEDED?
Yes, legislation is needed to protect consumers' privacy.
Absent federal standards to be followed by all persons and
entities that collect private information, it is unlikely that
consumers will be adequately protected from identity theft,
commercial harassment, and hucksterism. In addition,
dissatisfaction with and mistrust of online business practices
by the American people will continue to grow; an uneven
patchwork of state laws will proliferate; and consumer
confidence in e-commerce will be undermined.
Industry has not been able or willing to effectively self-
regulate. While some responsible companies have stepped up to
the plate, the financial incentives work against a universal
commitment by e-business to provide effective privacy
protection for consumers. Business interests will undoubtedly
point to a recent Progress and Freedom Foundation survey as
evidence that federal legislation is not necessary because
websites are collecting less personally identifiable
information and privacy notices are prevalent, more prominent,
and more complete. These arguments completely miss the mark.
First, the survey reveals that nearly all sites surveyed
continue to collect personally identifiable information.\1\
Second, the mere posting of a privacy policy does not ensure
effective consumer protection and often is only pretty
packaging of empty content.
---------------------------------------------------------------------------
\1\ The survey indicated that 90 percent of the random sample, and
96 percent of the most popular sites, collect personally identifiable
information compared with 97 percent and 99 percent in 2000. This is
hardly a statistically significant decline. In fact, an April 11, 2002,
New York Times article (attached) chronicled how some of the Internet's
most frequently visited sites are expanding their collection and
commercial use of personally identifiable information.
---------------------------------------------------------------------------
Just any legislation is not enough. In my view, strong
privacy legislation should:
preempt inconsistent or weaker state law;
incorporate effective notice and choice, adequate
access, reasonable security, and strong enforcement
remedies;
be free from exceptions created for special interests
or industries;
require affirmative consumer consent before sensitive
personally identifiable information is collected
through any means either online or offline; and
avoid tactics that unduly delay the effective date of
the Act.
II. SENATE BILL 2201
Senate Bill 2201 provides long-awaited, strong protection
measures for consumers in the online world. My only concern
with this proposed legislation is its limited reach. In my
view, federal legislation is necessary to protect the privacy
of personally identifiable consumer information in the offline
as well as online commercial realms. These marketplaces are
often intertwined and indistinguishable. In fact, I believe
that the wired world facilities the effective, constant
aggregation of endless variety of real-time ``surfer''
information and combines it with commercial information
gathered through traditional ``offline'' means. I would
strongly support the expansions of this Bill's consumer
protections--to the ``offline'' collection of personally
identifiable consumer information.
That said, Senate Bill 2201 is a balanced, comprehensive
approach to protecting consumer privacy online. By
incorporating the concepts of notice, choice, access, security,
and enforcement, it creates a level playing field for both
consumers and industry. However, I offer the following comments
Preemption
I believe that federal legislation should preempt
inconsistent and weaker state privacy laws which do not
effectively protect consumers and tend to frustrate the
development of e-commerce. On the other hand, I generally
support the power of states to enact legislation that offers
their citizens stronger consumer protections than federal law
where the federal law merely establishes a ``floor'' of minimum
protection standards. However, if passage of a federal law
``with teeth,'' is feasible. I believe that both consumers and
industry would value the uniformity and predictability that
federal preemption offers.
Title I--Online Privacy Protection
Section 101
I applaud Title I's coverage of personally identifiable
information that is collected, used or disclosed. Previous
bills focused only on the ``collection'' of information, yet
many privacy breaches occur when information is used or
disclosed without the consumer's knowledge or consent after
collection.
Notice and Consent
I strongly support the inclusion of Section 102(b) which
requires a consumer's affirmative consent (``opt-in'') before,
or at the time that, certain sensitive information is
collected. An opt-in consent requirement guarantees consumer
notice and meaningful choice, and compels the collector to
clarify its practices in order to entice the consumer to agree
to them. It effectively equalizes the bargaining position of
consumers and e-merchants in the market for personal
information.
While I prefer an opt-in standard for the collection of all
personally identifiable information, the Bill's requirement of
robust notice and opt-out consent for nonsensitive personally
identifiable information improves on the level of notice and
choice currently provided by many websites. Also, I support the
permanence of consent provision found in Section 102(e), which
essentially provides that a consumer's privacy preferences stay
with the user despite corporate changes.
Section 103's requirement that changes in privacy policies
or the existence of privacy breaches be communicated to
consumers is particularly commendable. Many websites place the
privacy protection burden on consumers to keep track of changes
in a website's privacy policy. Section 103 appropriately places
that responsibility on the internet service provider, online
service provider, or operator of a commercial website.
Likewise, the Bill's provision requiring user notification of
material changes in the privacy policy allows consumers to
utilize updated, relevant information when deciding how or
whether to protect their own personal information. Section 103
illustrates the balanced approach of this Bill to the extent it
acknowledges that there may be situations where delayed
consumer notifications is appropriate.
The exceptions contained in Section 104 seem reasonable and
again reflect the Bill's inherent respect for the need to
balance the vital privacy interests of consumers with the
economic and financial interests of e-business.
Access
The access provision of Section 105 appropriately enables
consumers to suggest corrections or deletions of personally,
identifiable information that the provider or operator has
collected or combined with personally identifiable information
gathered from other sources. The reasonableness test
incorporated in this section strikes an appropriate balance
among the competing interests of consumer privacy, the relative
sensitivity of different types of personal information, and the
burdens and costs imposed on the website operator.
Security
The security provision in Section 106 is consistent with
the approach taken by the Commission in its Gramm-Leach-Bliley
Act Security Rulemaking. Rather than dictate a one-size-fits-
all solution, it is up to the website to establish and maintain
reasonable procedures necessary to protect the security,
confidentiality, and integrity of the data it maintains.
Title II--Enforcement
I am impressed with the range of remedies included under
this Title, including the authority to impose civil penalties
and establish redress funds for consumers for violations of
Title I. In addition, this Title allows private rights of
action as well as state actions.
Title III--Application to Congress and Federal Agencies
To my knowledge, the federal agencies do not trade in
private consumer information for commercial purposes.
Therefore, I see no justification for Section 302. However, I
do believe that federal agencies should provide notice to
consumers about their information collection practices
consistent with applicable federal law.
Title IV--Miscellaneous
Section 402 provides that the effective date of the Act
will be the day after the date the Commission publishes a final
rule under Section 403. While I am pleased that there is no
``grace period'' for compliance with this Title, I am
disappointed that data collectors will be free from liability
for data they collected without consumer consent before the
Act's effective date. I also hope that Congress will resist
obvious delaying tactics, such as proposals for additional
studies.
Technical concerns
Section 403 may need technical modifications to achieve the
Bill's goals. Our staff would be pleased to assist you in these
efforts. Specifically, Section 403 should reflect that the
rulemaking contemplated by the Act is to be conducted pursuant
to the Administrative Procedures Act rather than through a
Magnuson Moss Rulemaking.
I appreciate the opportunity to express my views, and I
hope they are helpful.
Sincerely,
Sheila F. Anthony,
Commissioner.
Changes in Existing Law
In compliance with paragraph 12 of rule XXVI of the Standing
Rules of the Senate, changes in existing law made by the bill,
as reported, are shown as follows (existing law proposed to be
omitted is enclosed in black brackets, new material is printed
in italic, existing law in which no change is proposed is shown
in roman):
Communications Act of 1934
SEC. 631. PROTECTION OF SUBSCRIBER PRIVACY.
[47 U.S.C. 551]
(a) Notice to Subscriber Regarding Personally Identifiable
Information; Definitions.--
(1) At the time of entering into an agreement to
provide any cable service or other service to a
subscriber and at least once a year thereafter, a cable
operator shall provide notice in the form of a
separate, written statement to such subscriber which
clearly and conspicuously informs the subscriber of--
(A) the nature of personally identifiable
information collected or to be collected with
respect to the subscriber and the nature of the
use of such information;
(B) the nature, frequency, and purpose of
any disclosure which may be made of such
information, including an identification of the
types of persons to whom the disclosure may be
made;
(C) the period during which such information
will be maintained by the cable operator;
(D) the times and place at which the
subscriber may have access to such information
in accordance with subsection (d); and
(E) the limitations provided by this section
with respect to the collection and disclosure
of information by a cable operator and the
right of the subscriber under subsections (f)
and (h) to enforce such limitations.
In the case of subscribers who have entered into such
an agreement before the effective date of this section,
such notice shall be provided within 180 days of such
date and at least once a year thereafter.
(2) For purposes of this section, other than
subsection (h)--
(A) the term ``personally identifiable
information'' does not include any record of
aggregate data which does not identify
particular persons;
(B) the term ``other service'' includes any
wire or radio communications service provided
using any of the facilities of a cable operator
that are used in the provision of cable
service; and
(C) the term ``cable operator'' includes, in
addition to persons within the definition of
cable operator in section 602, any person who
(i) is owned or controlled by, or under common
ownership or control with, a cable operator,
and (ii) provides any wire or radio
communications service.
(b) Collection of Personally Identifiable Information Using
Cable System.--
(1) Except as provided in paragraph (2), a cable
operator shall not use the cable system to collect
personally identifiable information concerning any
subscriber without the prior written or electronic
consent of the subscriber concerned.
(2) A cable operator may use the cable system to
collect such information in order to--
(A) obtain information necessary to render a
cable service or other service provided by the
cable operator to the subscriber; or
(B) detect unauthorized reception of cable
communications.
(c) Disclosure of Personally Identifiable Information.--
(1) Except as provided in paragraph (2), a cable
operator shall not disclose personally identifiable
information concerning any subscriber without the prior
written or electronic consent of the subscriber
concerned and shall take such actions as are necessary
to prevent unauthorized access to such information by a
person other than the subscriber or cable operator.
(2) A cable operator may disclose such information if
the disclosure is--
(A) necessary to render, or conduct a
legitimate business activity related to, a
cable service or other service provided by the
cable operator to the subscriber;
(B) subject to subsection (h), made pursuant
to a court order authorizing such disclosure,
if the subscriber is notified of such order by
the person to whom the order is directed;
(C) a disclosure of the names and addresses
of subscribers to any cable service or other
service, if--
(i) the cable operator has provided
the subscriber the opportunity to
prohibit or limit such disclosure, and
(ii) the disclosure does not reveal,
directly or indirectly, the--
(I) extent of any viewing or
other use by the subscriber of
a cable service or other
service provided by the cable
operator, or
(II) the nature of any
transaction made by the
subscriber over the cable
system of the cable operator;
or
(D) to a government entity as authorized
under chapters 119, 121, or 206 of title 18,
United States Code, except that such disclosure
shall not include records revealing cable
subscriber selection of video programming from
a cable operator.
(d) Subscriber Access to Information.--A cable subscriber
shall be provided access to all personally identifiable
information regarding that subscriber which is collected and
maintained by a cable operator. Such information shall be made
available to the subscriber at reasonable times and at a
convenient place designated by such cable operator. A cable
subscriber shall be provided reasonable opportunity to correct
any error in such information.
(e) Destruction of Information.--A cable operator shall
destroy personally identifiable information if the information
is no longer necessary for the purpose for which it was
collected and there are no pending requests or orders for
access to such information under subsection (d) or pursuant to
a court order.
(f) Civil Action in United States District Court; Damages;
Attorney's Fees and Costs; Nonexclusive Nature of Remedy.--
(1) Any person aggrieved by any act of a cable
operator in violation of this section may bring a civil
action in a United States district court.
(2) The court may award--
(A) actual damages but not less than
liquidated damages computed at the rate of $100
a day for each day of violation or $1,000,
whichever is higher;
(B) punitive damages; and
(C) reasonable attorneys' fees and other
litigation costs reasonably incurred.
(3) The remedy provided by this section shall be in
addition to any other lawful remedy available to a
cable subscriber.
(g) Regulation by States or Franchising Authorities.--Nothing
in this title shall be construed to prohibit any State or any
franchising authority from enacting or enforcing laws
consistent with this section for the protection of subscriber
privacy.
(h) Disclosure of Information to Governmental Entity Pursuant
to Court Order.--Except as provided in section (c)(2)(D), a
governmental entity may obtain personally identifiable
information concerning a cable subscriber pursuant to a court
order only if, in the court proceeding relevant to such court
order--
(1) such entity offers clear and convincing evidence
that the subject of the information is reasonably
suspected of engaging in criminal activity and that the
information sought would be material evidence in the
case; and
(2) the subject of the information is afforded the
opportunity to appear and contest such entity's claim.
(i) Application of Online Personal Privacy Act.--With respect
to the provision by a cable operator of Internet service or
online service and the operation by a cable operator of a
commercial website, as such terms are defined in or under the
Online Personal Privacy Act, the provisions of that Act shall
apply in lieu of this section.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY ACT
SEC. 20. COMPUTER STANDARDS PROGRAM.
[15 U.S.C. 278 G-3]
(a) Development of Standards, Guidelines, Methods, and
Techniques for Computer Systems.--The Institute shall--
(1) have the mission of developing standards,
guidelines, and associated methods and techniques for
computer systems;
(2) except as described in paragraph (3) of this
subsection (relating to security standards), develop
uniform standards and guidelines for Federal computer
systems, except those systems excluded by section 2315
of title 10, United States Code, or section 3502(9) of
title 44, United States Code;
(3) have responsibility within the Federal Government
for developing technical, management, physical, and
administrative standards and guidelines for the cost-
effective security and privacy of sensitive information
in Federal computer systems except--
(A) those systems excluded by section 2315 of
title 10, United States Code, or section
3502(9) of title 44, United States Code; and
(B) those systems which are protected at all
times by procedures established for information
which has been specifically authorized under
criteria established by an Executive order or
an Act of Congress to be kept secret in the
interest of national defense or foreign policy,
the primary purpose of which standards and
guidelines shall be to control loss and
unauthorized modification or disclosure of
sensitive information in such systems and to
prevent computer-related fraud and misuse;
(4) submit standards and guidelines developed
pursuant to paragraphs (2) and (3) of this subsection,
along with recommendations as to the extent to which
these should be made compulsory and binding, to the
Secretary of Commerce for promulgation under section
5131 of the Clinger-Cohen Act of 1996;
(5) develop guidelines for use by operators of
Federal computer systems that contain sensitive
information in training their employees in security
awareness and accepted security practice, as required
by section 5 of the Computer Security Act of 1987; and
(6) develop validation procedures for, and evaluate
the effectiveness of, standards and guidelines
developed pursuant to paragraphs (1), (2), and (3) of
this subsection through research and liaison with other
government and private agencies.
(b) Technical Assistance and Implementation of Standards
Developed.--In fulfilling subsection (a) of this section, the
Institute is authorized--
(1) to assist the private sector, upon request, in
using and applying the results of the programs and
activities under this section;
(2) as requested, to provide to operators of Federal
computer systems technical assistance in implementing
the standards and guidelines promulgated pursuant to
section 5131 of the Clinger-Cohen Act of 1996;
(3) to assist, as appropriate, the Office of
Personnel Management in developing regulations
pertaining to training, as required by section 5 of the
Computer Security Act of 1987;
(4) to perform research and to conduct studies, as
needed, to determine the nature and extent of the
vulnerabilities of, and to devise techniques for the
cost-effective security and privacy of sensitive
information in Federal computer systems; and
(5) to coordinate closely with other agencies and
offices (including, but not limited to, the Departments
of Defense and Energy, the National Security Agency,
the General Accounting Office, the Office of Technology
Assessment, and the Office of Management and Budget)--
(A) to assure maximum use of all existing and
planned programs, materials, studies, and
reports relating to computer systems security
and privacy, in order to avoid unnecessary and
costly duplication of effort; and
(B) to assure, to the maximum extent
feasible, that standards developed pursuant to
subsection (a)(3) and (5) are consistent and
compatible with standards and procedures
developed for the protection of information in
Federal computer systems which is authorized
under criteria established by Executive order
or an Act of Congress to be kept secret in the
interest of national defense or foreign policy.
(c) Protection of Sensitive Information.--For the purposes
of--
(1) developing standards and guidelines for the
protection of sensitive information in Federal computer
systems under subsections (a)(1) and (a)(3), and
(2) performing research and conducting studies under
subsection (b)(5), the Institute shall draw upon
computer system technical security guidelines developed
by the National Security Agency to the extent that the
National Bureau of Standards determines that such
guidelines are consistent with the requirements for
protecting sensitive information in Federal computer
systems.
(d) Development of Internet Privacy Program.--The Institute
shall encourage and support the development of one or more
computer programs, protocols, or other software, such as the
World Wide Web Consortium's P3P program, capable of being
installed on computers, or computer networks, with Internet
access that would reflect the user's preferences for protecting
personally-identifiable or other sensitive, privacy-related
information, and automatically execute the program, once
activated, without requiring user intervention.
[(d)] (e) Definitions.--As used in this section--
(1) the term ``computer system''--
(A) means any equipment or interconnected
system or subsystems of equipment that is used
in the automatic acquisition, storage,
manipulation, management, movement, control,
display, switching, interchange, transmission,
or reception, of data or information; and
(B) includes--
(i) computers;
(ii) ancillary equipment;
(iii) software, firmware, and similar
procedures;
(iv) services, including support
services; and
(v) related resources;
(2) the term ``Federal computer system'' means a
computer system operated by a Federal agency or by a
contractor of a Federal agency or other organization
that processes information (using a computer system) on
behalf of the Federal Government to accomplish a
Federal function;
(3) the term ``operator of a Federal computer
system'' means a Federal agency, contractor of a
Federal agency, or other organization that processes
information using a computer system on behalf of the
Federal Government to accomplish a Federal function;
(4) the term ``sensitive information'' means any
information, the loss, misuse, or unauthorized access
to or modification of which could adversely affect the
national interest or the conduct of Federal programs,
or the privacy to which individuals are entitled under
section 552a of title 5, United States Code (the
Privacy Act), but which has not been specifically
authorized under criteria established by an Executive
order or an Act of Congress to be kept secret in the
interest of national defense or foreign policy; and
(5) the term ``Federal agency'' has the meaning given
such term by section 3(b) of the Federal Property and
Administrative Services Act of 1949.
�