[Senate Hearing 106-1116]
[From the U.S. Government Publishing Office]
S. Hrg. 106-1116
TO REVIEW THE FEDERAL TRADE
COMMISSION'S SURVEY OF PRIVACY POLICIES
POSTED BY COMMERCIAL WEB SITES
=======================================================================
HEARING
before the
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
__________
MAY 25, 2000
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
81-862 U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
JOHN McCAIN, Arizona, Chairman
TED STEVENS, Alaska               ERNEST F. HOLLINGS, South Carolina
CONRAD BURNS, Montana             DANIEL K. INOUYE, Hawaii
SLADE GORTON, Washington          JOHN D. ROCKEFELLER IV, West Virginia
TRENT LOTT, Mississippi           JOHN F. KERRY, Massachusetts
KAY BAILEY HUTCHISON, Texas       JOHN B. BREAUX, Louisiana
OLYMPIA J. SNOWE, Maine           RICHARD H. BRYAN, Nevada
JOHN ASHCROFT, Missouri           BYRON L. DORGAN, North Dakota
BILL FRIST, Tennessee             RON WYDEN, Oregon
SPENCER ABRAHAM, Michigan         MAX CLELAND, Georgia
SAM BROWNBACK, Kansas
Mark Buse, Republican Staff Director
Martha P. Allbright, Republican General Counsel
Kevin D. Kayes, Democratic Staff Director
Moses Boyd, Democratic Chief Counsel
C O N T E N T S
----------
Hearing held on May 25, 2000
Statement of Senator Ashcroft
Statement of Senator Bryan
Statement of Senator Burns
Statement of Senator Cleland
Statement of Senator Gorton
Statement of Senator Hollings
    Prepared statement
Statement of Senator Kerry
Statement of Senator McCain
Statement of Senator Rockefeller
Statement of Senator Stevens
Statement of Senator Wyden
    Prepared statement
Witnesses
Anthony, Hon. Sheila F., Commissioner, Federal Trade Commission
    Prepared statement
Berman, Jerry, Executive Director, Center for Democracy and
  Technology
    Prepared statement
Catlett, Jason, President and Chief Executive Officer,
  Junkbusters Corporation, and Visiting Scholar, Columbia
  University Department of Computer Science
    Prepared statement
Leary, Hon. Thomas B., Commissioner, Federal Trade Commission
    Prepared statement
Lesser, Jill A., Vice President of Domestic Public Policy,
  America Online, Inc.
    Prepared statement
Pitofsky, Hon. Robert, Chairman, Federal Trade Commission
    Prepared statement
Swindle, Hon. Orson, Commissioner, Federal Trade Commission
    Prepared statement
Thompson, Hon. Mozelle W., Commissioner, Federal Trade Commission
    Prepared statement
Varney, Christine, Senior Partner, Hogan and Hartson, on behalf
  of the Online Privacy Alliance
    Prepared statement
Weitzner, Daniel J., Technology and Society Domain Leader, World
  Wide Web Consortium
    Prepared statement
Appendix
Berman, Jerry, Executive Director, Center for Democracy and
  Technology, letter dated September 8, 2000, to Hon. John McCain
Jaffe, Daniel L., Executive Vice President, Association of
  National Advertisers, Inc., letter dated June 12, 2000, to Hon.
  John McCain
Response to written questions submitted by Hon. Max Cleland to:
    Jason Catlett
    Federal Trade Commission
    Jill A. Lesser
    Orson Swindle
Torricelli, Hon. Robert G., U.S. Senator from New Jersey,
  prepared statement
TO REVIEW THE FEDERAL TRADE
COMMISSION'S SURVEY OF PRIVACY
POLICIES POSTED BY COMMERCIAL
WEB SITES
----------
THURSDAY, MAY 25, 2000
U.S. Senate,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Committee met, pursuant to notice, at 9:30 a.m. in room
SR-253, Russell Senate Office Building, Hon. John McCain,
Chairman of the Committee, presiding.
OPENING STATEMENT OF HON. JOHN McCAIN,
U.S. SENATOR FROM ARIZONA
The Chairman. Good morning. This morning the Committee will
examine the recently released FTC report on online privacy. I
welcome the members of the Commission and all the witnesses we
will hear from today to the Committee. I also want to thank all
of you for the hard work and dedication you have brought to
this difficult issue.
Every accolade that can be ascribed to the Internet has
been stated many times over. Needless to say, it continues to
transform our lives and our economy. While the Internet
promises great opportunities, it also presents new concerns and
fears. Chief among those concerns is the ability of the
Internet to further erode individual privacy.
Since the beginning of commerce, business has sought to
learn more about consumers. The ability of the Internet to aid
business in the collection, storage, and transfer of
information about consumers, however, is unprecedented.
While this technology can allow business to better target
goods and services, it has also increased consumers' fears
about the collection and use of personally identifiable
information. The Commission documented many of these concerns
in its report.
Last year when the Committee reviewed the FTC's 1999 report
on privacy, I made clear that my primary concern was to ensure
that privacy policies were clear and understandable, that
consumers could use them to guide their decisions, and that
companies actually followed the policies they posted. Improving
the depth of privacy policies is the primary factor motivating
this Committee's interest in this matter.
This year's report demonstrates that the business community
has had great success in providing consumers with some form of
notice of their information practices. However, the report
makes it equally clear there is much work to be done to improve
the depth of information practices on the Internet.
Consumers should not be forced to forego what has been
described by Justices Brandeis and Warren as the ``sacred
precincts of private and domestic life'' to enjoy the benefits
of this new medium. It is clear that businesses should inform
consumers in a clear and conspicuous manner how they treat
personal information and give consumers meaningful choices as
to how that information is used. While we may disagree on the
manner in which we meet this goal, we all agree that it must be
done.
I am hopeful that today's hearing will begin the process of
developing consensus about the best way to accomplish this goal
and enable consumers to protect their privacy online. I look
forward to working with all of you to address this vital issue.
Welcome, Senator Hollings.
STATEMENT OF HON. ERNEST F. HOLLINGS,
U.S. SENATOR FROM SOUTH CAROLINA
Senator Hollings. Well, Mr. Chairman, let me thank you for
this hearing. We have toyed with the problem long enough. It
worsens every day. Industry agrees that there should be privacy
protection. They have all enunciated privacy policies, but that
has added more to the confusion rather than assisted the
problem because it is written either in legalese or it cannot
be found or understood.
We have had the Federal Trade Commission, this
distinguished group, work on it for at least 5 years. As a
result of their fine work, incidentally, we passed a bill on
children's privacy, and that is working. The intellectual
community is saying that this technology is advancing so
quickly that you cannot keep up with it; it is silly to try to
even draw up a statute about it because it will be obsolete by
the time it is passed.
That is not what they said when they came to us for
protection of intellectual property, regarding movies, books,
and everything else. We passed these other protections, and now
we have got to do it for the individual. Mind you me, this is
not a technology or advancement that was invented either by the
Vice President or by the advertisers. It was started by Senator
Stevens in the Defense Subcommittee back in the late sixties.
It has been free. It will stay free. And unless you are
commercializing privacy, you do not have any worry about any
statute on privacy. This is for those who are taking individual
private information and commercializing it. Internet companies
have agreed that there should be some protection for privacy.
The question is how to give notice and consent with respect to
access to what information the companies do have as well as the
enforcement of the security.
So what we need to do is look at this issue. Several
Senators have. I commend my colleagues Senator Wyden and
Senator Burns. They have sort of led the way. I have consulted
over the last 3 months now with various Senators and the FTC
and other entities interested in it, with industry, and with
the consumer groups. We have a bill on course now with ten co-
sponsors, and I think we have got a pretty good target for a
good approach, which is very necessary at this particular time.
Do not let us come here and say that it is going to ruin
the Internet and no longer is it going to be free. I have heard
statements recently to that effect. That is outrageous
nonsense. There is nothing wrong with the Internet. You and I
cannot stop it. In fact, the President only yesterday said it
is going to bring democracy to China. So it is a wonderful
thing.
I will include my full statement in the record.
[The prepared statement of Senator Hollings follows:]
Prepared Statement of Hon. Ernest F. Hollings,
U.S. Senator from South Carolina
Today the Committee will hear from the Federal Trade Commission,
the agency with unique expertise on the issue of Internet privacy.
Having studied privacy online for five years, and having issued three
consecutive annual reports on privacy policies online, beginning in
1998, the FTC concluded this week that it is time for legislation to
protect consumer privacy on the Internet. This recommendation carries
with it particular credibility in light of the FTC's record of
extensive analysis on this issue and its two prior recommendations to
allow self-regulation a chance to work.
In light of this recommendation, how should we respond? To answer
that question, I first want to recognize the constructive efforts of
two of my colleagues on this Committee, Senators Burns and Wyden, who
attempted the first foray into the complicated issue of Internet
privacy when they introduced their legislation last year. I look
forward to working with them as we grapple with this significant
consumer issue.
The bill that we introduced Tuesday with ten cosponsors, the
Consumer Privacy Protection Act, grants consumers, not companies,
control over their personal information on the Internet. We do that by
coupling a strong federal standard to protect consumers online with
preemption of state Internet privacy laws to ensure business certainty.
Our strong federal standard tracks the time-honored ``fair information
practices'' of notice, consent, access, security, and enforcement, that
the FTC recommends we codify, and that we did codify with respect to
children's privacy.
Specifically, we require companies to do what some like Alta Vista
are already doing--namely obtain prior consent from consumers before
collecting and using or disclosing consumers' personal information. At
the same time, we need federal preemption to give industry the business
certainty it cannot obtain from a mishmash of inconsistent state
Internet privacy laws.
Notwithstanding this sensible approach, industry will claim that we
should ignore the FTC's findings and give self-regulation more time. I
say that is like letting the fox guard the henhouse. How can we trust
companies whose every economic incentive is to collect, compile,
enhance, target, and disseminate personal information for profit? Given
these undeniable incentives, it is not surprising that industry argues
so strenuously against regulating the protection of consumer privacy on
the Internet.
What industry forgets is the Internet is not theirs. The truth is,
the Internet owes its existence to federally funded research by the Defense
Department in the late 1960s. The DOD Advanced Research Project Agency
(ARPA) developed a radical new type of computer based communications
system. This system was enhanced and expanded to more users through
funding via the National Science Foundation. To put it simply--the
Internet was created for the public good--to facilitate scientific and
academic research, to promote our national security, and to aid the
exchange of ideas and information. The development of the Internet
represents the single greatest modern example of government support for
a revolutionary new technology. After its creation in 1969, the
government sustained it for over two decades and now is subsidizing the
commercial explosion on the Internet by refraining from imposing tax
collection duties, and by exempting the Internet from regulations and
fees that currently are imposed on other telecommunications companies.
Protecting privacy online will enhance confidence in the medium and
continue government's important and ongoing role as a promoter of the
Internet's now exponential development.
Industry also argues our approach will undermine some business
models on the Internet that are based on customized advertising
targeted to individuals whose personal information has been collected.
But The New York Times reports on May 7, 2000, that targeted
advertising on the Internet may not be a sustainable business model.
Most advertisers ``say the response to their ads does not go up enough
to be worth the extra cost and bother'' of targeting. America Online's
Robert Pittman appears to agree that targeted advertising is not
necessary. ``We don't need to track people. If you want to sell cars,
you talk to people when they are in the car area.'' More to the point--
we do not attempt to prohibit this advertising model on the Internet.
We simply create a framework that requires that consumers be notified
and consent to these practices, if businesses choose to collect
information online.
One last point. Many of the same companies that oppose privacy
regulation on the Internet were up here seeking protection for their
intellectual property on the Internet just three years ago. They
demanded legislation to protect their books, records, music, and
software from copyright infringement on the Internet. They insisted
that such protection could be accomplished notwithstanding the rapidly
changing technology of the online medium. Now, these same companies
argue that any government attempt to protect privacy online can't
possibly comport with the rapidly changing technology in the industry.
It's funny how, on the one hand, they demand Congress protect their
intellectual property online and, on the other hand, flatly oppose
congressional efforts to protect consumers' personal information on the
Internet.
The Chairman. Thank you very much, Senator Hollings.
Senator Stevens.
STATEMENT OF HON. TED STEVENS,
U.S. SENATOR FROM ALASKA
Senator Stevens. That one was long enough, Senator. You
have got me becoming the grandfather. I do not want to get in a
fight with Al Gore.
Senator Hollings. Well, we started it in defense.
Senator Stevens. You are right about that.
Mr. Chairman, I thank you for holding this hearing. I hope
we have a series of hearings. I think this is one of the most
complex issues we will face in regard to the Internet. I was
privileged to have a discussion with the chairman here this
past week. I look forward to working on it with all of you.
But I do have a firm feeling that this is not an issue to
be hasty about. So I am glad you are holding the hearing and I
hope we can pursue and understand what we are doing before we
bring out a bill from this Committee.
Thank you. By the way, I am pleased to see all the members
of the Commission here and to see that it was a unanimous
position taken by the Commission.
The Chairman. Thank you, sir. I think we may require more
hearings on this issue. As you say, it is very complex and it
is changing rather dramatically as we find out with the reports
that we receive every year from the FTC.
Senator Wyden.
STATEMENT OF HON. RON WYDEN,
U.S. SENATOR FROM OREGON
Senator Wyden. Thank you, Mr. Chairman. I, too, appreciate
your scheduling the hearing. At the outset, I want to thank
Senator Hollings for his kind comments. I think Senator
Hollings' bill is a very credible and very significant product.
I want to assure the Senator I am looking forward to working
closely with him.
Mr. Chairman and colleagues, Senator Burns and I introduced
more than a year ago an online privacy bill. At this point,
when you have been following the issue it probably is a little
hard to figure out how it can be that the last time the Federal
Trade Commission surveyed prospects for self-regulation things
seemed very rosy, and now it appears that prospects are pretty
dire.
My sense is that we are going to find that reality is
probably somewhere in between. The fact is that until this
week's survey, the Commission has shown extraordinary patience
and support for industry self-policing. My read of the Federal
Trade Commission's report is that they are still showing
support for self-regulation, but I think it is appropriate that
they are showing a little less patience.
In my opinion, the privacy situation was never as rosy as
the headlines that last year's survey had you believe. The
reality then was that some of the surveyed privacy policies
were just as flimsy as they are today. Further, there was
virtually no enforcement, little accountability, and many less-
visited Web sites were ignoring privacy altogether.
The truth today, I suspect, is that things are not nearly
as dire as some would have us believe. While the same problems
exist today that were in place at the time of the previous
survey, there are important steps indicating progress. The seal
programs, I think, are getting better at what they do, and it
does seem that more Web sites are taking privacy more
seriously.
But, for more than a year, Senator Burns and I, as I stated
earlier, have worked on this on a bipartisan basis and have
said that the costs are just too high to wait and see if self-
regulation alone can tackle the bulk of the online privacy
problem. None of us, none of us, want to see an Exxon Valdez of
privacy that undermines the extraordinary growth of e-commerce.
So the worst thing that we could do now is set back the
progress of self-regulatory efforts. But what I think makes the
best sense is to build on those kinds of approaches. That is
what Senator Burns and Senator Kohl and I have sought to do, to
reward and build on the self-regulatory efforts while creating
a baseline set of requirements to ensure that there are
important consumer protection standards that would apply to
those who are unwilling to take consumer privacy seriously.
Mr. Chairman, I would ask that the rest of my statement be
part of the record. I look forward to hearing from Chairman
Pitofsky and, again, commend Senator Hollings and Senator
Rockefeller for what I think is a very important bill that they
have introduced as well, and I yield back.
[The prepared statement of Senator Wyden follows:]
Prepared Statement of Hon. Ron Wyden, U.S. Senator from Oregon
I'm sure many who have been following the online privacy issue in
the newspapers are asking themselves how the situation at the time of
the last FTC survey could be so rosy, and could now be so dire. I would
counsel them that the truth, as usual, probably lies somewhere in-
between.
The fact is that until this week's survey, the Commission showed
extraordinary patience and support for industry's effort at self-
policing. And by my reading of the report, they are still showing
support for self-regulation: just a little less patience.
Frankly, the privacy situation was never as rosy as the headlines
from last year's survey would have had you believe. The reality was
that some of the surveyed privacy policies were just as flimsy then as
they are today. Further, there was virtually no enforcement, little
accountability, and many less-visited Web sites were ignoring privacy
altogether.
And the reality now, I suspect, is that things aren't nearly as
dire as some would have us believe. While the same problems exist today
as were in existence at the time of the previous survey, the seal
programs are clearly maturing and getting better at what they do, and
more Web sites are taking privacy seriously than ever before.
For over a year, however, I have been saying that the costs are
simply too high to wait and see if self-regulation, alone, tackles the
bulk of the online privacy problem. I am pleased that the Commission
now agrees with Chairman Burns and myself on this point. We also
agree--and look forward to their amplification of this point--that the
worst thing we could do now is set back the progress of the self-
regulatory efforts.
Chairman Burns, Senator Kohl, and I have legislation that is
founded on the idea of rewarding and building on the industry's self-
regulatory efforts, while creating a baseline of behavior for those who
are unwilling to take consumer privacy seriously. We believe that if
some regulation is necessary, the lightest practicable regulatory touch
should be used to protect consumers. Sensible regulation need not, and
should not, stifle private sector innovation.
Several other members now have introduced online privacy bills, or
have bills in the works. Senator Hollings has a new privacy bill with
Senator Rockefeller and others, and it strikes me as a very credible
and significant effort. Their bill raises a number of important issues,
such as consumer choice with regard to personally-identifiable
information, and I look forward to the Committee reviewing both bills,
and others, as the debate moves forward.
I'll let the Commission speak for itself, but I think it's clear
from the report that the Commission isn't here today to bury self-
regulation, but to praise it. I sure hope that's the case. I look
forward to hearing from Chairman Pitofsky and the rest of the
Commission, and thank the Chairman for holding this timely and
important hearing.
The Chairman. Senator Burns.
STATEMENT OF HON. CONRAD BURNS,
U.S. SENATOR FROM MONTANA
Senator Burns. Thank you, Mr. Chairman, and thank you for
holding this hearing today, as this continues to be a great
center of interest when we start talking about the Internet and
related items around it.
I think we are charged with issues like this today. If the
Internet and electronic commerce continue to grow, we have to
do something about safety and security and privacy and these
types of things for it to reach its real potential. We have
been amazed at the continuing spectacular growth of the
Internet, which has become a staple in modern life, it seems.
The tremendous reach of the Internet does pose challenges as
well as opportunities.
Unfortunately, digital technology can be used by bad actors
to collect nearly limitless information on individuals without
their knowledge. I am convinced that legislation is necessary
to provide consumers with a safety net of privacy in the online
world. As I stated in the hearing on privacy held in the
Communications Subcommittee last summer, I am very
disappointed--I was very disappointed--in the Federal Trade
Commission's report on online privacy last year. The July 1999
report acknowledged that fewer than 10 percent of the Web sites
met the basic privacy protections, yet called for no Federal
legislation to address this critical situation.
However, at that time I was encouraged by the chairman's
pledge that if the industry failed to produce strong progress
the Commission would call for action in this area. The chairman
and the Commission have been true to their word in the report
issued to Congress just this last Monday, which called for
legislation.
I want to take a moment to specifically commend the work
and the insight of Commissioner Anthony on these privacy
matters. In retrospect, her dissenting opinion in last year's
report has proved to be absolutely correct. Last year she
stated that the legislation was necessary to ensure a minimum
consumer privacy protection in the digital area. In her
statement she expressed concern that the absence of effective
privacy protection would undermine consumer confidence and
hinder the advancement of electronic commerce.
That is exactly what has happened in this past year. While
e-commerce has continued to grow, several studies point out
that the primary reason that is preventing more people from
making purchases online and doing more business online is the
lack of privacy. While the Internet has continued to exhibit
massive growth, less than 1 percent of all consumer retail
spending is done online. In short, e-commerce still has a huge
up side potential, but the potential will never be fulfilled
without basic assurance of consumer privacy.
I am going to submit the rest of my statement, but I want
to thank Senator Wyden and his hard work on our legislation. It
continues to be massaged and to be made better.
I also welcome the introduction of Senator Hollings' piece
of legislation and look forward in working with Senator
Hollings, because we can find and take care of this problem,
because it has to be done in a bipartisan way and it is not a
partisan situation where we start talking about these building
blocks of the future e-commerce of this country. So we welcome
all of these ideas, and I am sure that we will come up with a
bill that we can all support. So I appreciate that very much.
I would ask unanimous consent that the rest of my statement
be put in the record.*
---------------------------------------------------------------------------
* The information referred to was not available at the time this
hearing went to press.
---------------------------------------------------------------------------
The Chairman. Without objection.
Senator Hollings. Who is next? Senator Bryan.
STATEMENT OF HON. RICHARD H. BRYAN,
U.S. SENATOR FROM NEVADA
Senator Bryan. Thank you very much.
First, I would like to preface my comments by thanking
Chairman McCain for calling today's hearing on this important
issue of Internet privacy. Second, I would like to commend the
FTC for all the work that it has done over the past 5 years in
the area of online privacy. Each of the FTC's three reports to
Congress detailing online privacy practices and the numerous
workshops and hearings they have held on this issue have
contributed greatly to the ongoing dialog about the best way to
protect the privacy of consumers on the Internet.
The protection of privacy is a core value of our democratic
society. Although not mentioned explicitly in the Constitution,
the Supreme Court has recognized that a fundamental right to
privacy is embodied in both the Fourth and the Fourteenth
Amendments to the Constitution. The right to privacy recognized
by the court is a reflection of our citizenry's long-held
expectation that they should be able to engage in a range of
day to day activities with a significant degree of autonomy and
confidentiality.
The Internet presents new challenges as well as new
opportunities for the protection of privacy. The sheer volume
of personal information that is exchanged on a daily basis
between individuals and businesses on the Internet, coupled
with the ability of other entities to track the flow of this
information with relative ease, poses serious privacy concerns
for many customers.
A recent survey showed that 92 percent of consumers are
concerned about the misuse of their personal information
online. Conversely, the architecture of the Internet provides
an opportunity for technology to enhance online privacy. Many
innovative companies are focusing more and more resources on
the development of privacy-enhancing tools that will enable
consumers to have more control over the use of their personal
information.
I agree with the recommendation of the majority of the
Commission that the time has come for the Congress to establish
a baseline standard for the protection of consumer privacy on
the Internet. Earlier this week, I was pleased to join the
distinguished Ranking Member of this Committee, Senator
Hollings, in introducing consumer privacy legislation that
largely tracks the recommendations of the majority FTC report.
This legislation builds upon the framework of legislation that
was established in legislation that I offered in the children's
online privacy protection, which just took effect last month.
It embodies the four widely accepted fair information
practices: notice, choice, access, and security for the
collection of personally identifiable information about
consumers online.
The Commission's report does indicate that the industry has
made progress with self-regulatory initiatives. But in spite of
this progress, however, I remain concerned about the
effectiveness of online privacy seal programs, especially in
the area of enforcement. I agree with the Commission that
legislation is necessary to complement the industry's self-
regulatory efforts in order to enhance adequate protection of
consumer privacy.
I fully understand the industry's concerns with the
regulatory approach to protecting privacy on the Internet. But
I am hopeful, however, that they will come to view this effort
as an opportunity to enhance consumer confidence in e-commerce,
much like what occurred in the offline world with the credit
card industry in the 1970's. I look forward to working with the
industry, much as I did during the Committee's consideration of
the Children's Online Privacy Protection Act, to enact a
responsible piece of legislation that adequately protects
consumer privacy online in a manner that does not unduly burden
the growing importance of e-commerce in the marketplace.
Senator Stevens [presiding]. Senator Ashcroft.
STATEMENT OF HON. JOHN ASHCROFT,
U.S. SENATOR FROM MISSOURI
Senator Ashcroft. Thank you very much. Thank you very much,
Mr. Chairman. Thank you for holding today's hearing.
I do not see this hearing as merely discussing a report
from a Federal agency to Congress. I think this hearing will
help us determine whether the Federal Government should develop
a significant and sweeping regulatory scheme. We are here to
understand whether the growth of a flourishing high-tech
industry would be hindered by such an involvement. We must
discuss this issue in terms of whether or not the American
people will be well served by significant government
involvement in this dynamic industry.
We should ask ourselves whether it will continue to grow or
will it continue to provide jobs, new opportunity, and
education and research. We should ask whether the involvement
of government bureaucrats will dramatically diminish the new
efficiencies gained by conducting business on the Internet.
All of us are concerned about consumer privacy. I am
concerned that consumers who want privacy should have privacy.
In fact, Congress recently has recognized through statutes
which apply to every segment of the economy that sensitive
consumer information, such as financial and medical records,
should be treated with extra care. I would point out that those
regulations apply to everyone, not just companies who conduct
business in the traditional brick and mortar sense. But the
privacy laws which we now have in place already apply to
companies doing business on the Internet.
However, through the fear-mongering from Washington, in
some situations consumers have been led to believe that there
are no protections in place on the Internet, and that is simply
not true. Not only do our new privacy laws apply to Internet
transactions, so do our consumer protection laws. In fact, we
have heard glowing testimony before this Committee about the
work of the FTC, about the work that the FTC has done to fight
consumer fraud on the Internet. The Internet has even been
credited with giving the FTC new and powerful tools to fight
such fraud.
A few months ago the FTC Commissioners sat before this
Committee to discuss this very issue, and at that time I was
concerned that the latest Internet sweep was predestined to
reach the conclusion contained in the Commission's report, that
is that there need to be special regulations that apply to the
Internet that do not apply to other collections of data, do not
apply to other businesses, and do not apply to the other
utilizations of data in our culture.
For example, when people promote through the distribution
of coupons refund opportunities for individuals who buy
products, people mail in those refund opportunities. There are
not special laws that relate to what they can do with that
information or how it can be used. It is not on the Internet,
but it is the collection of consumer data and it is distributed
widely.
Many people like the opportunity to participate in refund
schemes and are willing to trade the value of the refund for
the utilization of that information, which is consumer data, by
businesses. It is a big part of the way we do business in this
country. In our household, my wife scarcely lets a refund offer
go by without collecting the labels necessary to cash in. As a
matter of fact, she keeps a file of labels so that when the
offer comes out she does not have to go buy additional
products; she already has the labels ready to mail them in.
Now, I would just point out that I think we have got to be
careful that we do not impose on the Internet unnecessary
regulation that is differential, specially designed, and would
curtail and confine the Internet from operating in ways that we
do not ask for responsibility or we do not ask for regulation
on the rest of commerce.
Further, I think we ought to make sure that when we are
talking about choice we allow people the choice of saying that
they want to receive data based on the kinds of practices they
have and they are interested, for instance, in getting offers
from companies and the like based on the kinds of interest they
have expressed in purchasing patterns, whether it be through
refund coupons or other devices.
Although regulating the Internet was the recommendation
following the sweep by the Commission, I am a little confused
about how the numbers really move us toward that result. Two
years ago a sweep showed that 14 percent of Web sites had
privacy policies. Today 90 percent posted policies. That really
says that, in an industry that showed a 543 percent improvement
in 2 years, that it was deemed to be failing in self-
regulation.
So in the interest of time and because the witnesses will
address this issue, I will not mention all of the significant
work done by industry to improve privacy and security on the
net. I just want to say that I hope that we do not single out
the Internet for a kind of regulation which would stifle it,
which would limit the kinds of choices consumers have, and make
the Internet a place where it would be difficult to grow
business in the same way that it might be available for growth
in other settings.
With that note, I want to indicate again how I respect
privacy and want to be able to protect privacy, but I do not
have a clear picture of how I want to inhibit information on
the Internet that is not inhibited in other sectors of our
economy.
Thank you.
Senator Stevens. Senator Kerry.
STATEMENT OF HON. JOHN F. KERRY,
U.S. SENATOR FROM MASSACHUSETTS
Senator Kerry. Mr. Chairman, thank you very much.
I am delighted that Senator McCain has called this hearing.
I think there is going to be a unanimity among most of us on
the Committee, as there is probably among most Americans, that
they want their privacy protected. I applaud the FTC and the
analysis that they have put into this, and I particularly
respect the effort of Senator Hollings and colleagues on the
Committee who drafted some legislation and who have moved in
that direction.
But I differ a little bit with some of them with respect to
the degree to which at this stage, at a 5- or 6-year point in
terms of the development of the net, that Congress has the
ability to move adroitly enough, fast enough, with sufficient
analysis and information, to be able to properly regulate
something that is developing even as we sit here so rapidly,
with so many technological advances that have the ability to
answer some of our questions without our constricting the
creativity and the efforts that are going into this.
It seems to me that there are certain principles we could
adopt, for instance anonymity. What I hear from people in the
industry is that the technology is moving fast enough that
there are ways that the offerings of the marketplace are going
to make it very clear to people that they can use one service
or another that protects their privacy and protects their
options, without our setting up a rigid, strict structure, at
least at this point.
I think the FTC sort of adopted this up until this sudden
point, and one of the questions today obviously is why there is
the moment of departure. Maybe they do not think things have
moved fast enough, obviously. But initially self-regulation was
certainly their guiding theory, and this is the first moment of
departure from that.
The opt-in requirement on the whole, while obviously I
favor opt-in as a principle and I think most Americans are
going to want that kind of choice and demand it in the
marketplace, but in point of fact to mandate that actually sets
a standard that in some cases in terms of marketplace behavior
is neither necessary nor technologically sound. There are
certain instances where certain kinds of marketing can take
place that do no harm to people, they may choose to participate
in it; you do not require that kind of burden.
I think the Committee is very much behind the curve, the
country is behind the curve, in analyzing the degree to which
we are drawing distinctions for the online world that we do not
draw in the offline world. When you go to a local store here,
let us say you go in Georgetown, you visit some store and buy a
bunch of goods and you swish your card through the thing when
you leave, that entity could determine everything you bought.
They can market accordingly.
I mean, I must get 40 or 50 magazines every 3 weeks that
are targeted based on my offline behavior. Yet we are about to
require language restrictions that have no relationship to what
is happening in the offline world, and I do not think we have
thought that through adequately.
So I think there is a lot more analysis that needs to be
done, and I am going to introduce legislation that I think will
kind of balance these interests, where we can establish what we
think are the goals and principles by which this ought to be in
its earliest stages developed. There ought to be maximum amount
of opt-in, there ought to be anonymity. Clearly, in the
marketing you do not have to know that it is John Smith at
Myrtle Street. You have to know that X number of goods are
being bought in a certain area by certain demographics. But
there are ways to protect the privacy without our becoming, I
think, extraordinarily mandating at the federal level.
I might add to that that it seems to me there are very
significant realities of the marketplace, that Americans are
going to opt for those entities that most protect them if that
is what indeed they want. And if they do not want it, they can
also have the opportunity to make that kind of conscious
choice.
There is clearly a difference between what happens in opt-
in and opt-out. We all know it. I will wrap it up very quickly.
We fought that out on the Banking Committee last year and in
the Financial Modernization Act. It seems to me that also we
have not really balanced some of those kinds of equities in how
the market works.
In my judgment, Mr. Chairman, I think we have to be very,
very careful on this Committee and in the Congress not to move
fast. I think there are ways to protect Americans, to protect
our interests, protect our prerogatives to come back, protect
the capacity of the FTC to, in fact, regulate and enforce and,
if we were to set adequate standards and goals, the FTC would,
in fact, be leveraged in its capacity to enforce, particularly
if each company adopts its own privacy regime.
So I hope we are going to measure this carefully and not
move overly rapidly, and I hope the Committee can find a
consensus on this with some careful deliberation. Thank you,
Mr. Chairman.
Senator Stevens. Senator Gorton.
STATEMENT OF HON. SLADE GORTON,
U.S. SENATOR FROM WASHINGTON
Senator Gorton. I will pass.
Senator Stevens. Thank you.
Senator Rockefeller.
STATEMENT OF HON. JOHN D. ROCKEFELLER IV,
U.S. SENATOR FROM WEST VIRGINIA
Senator Rockefeller. Thank you, Mr. Chairman.
I do not think the problem is whether we move slowly or
quickly. This Committee has a history of not reacting at all on
issues that we do not understand and, therefore, we have got to
give ourselves ample time.
Well, there is no such thing as ample time in the world of
the net. There is no such thing as ample time if I have
diabetes, for example, and that is my own private information
and that gets out and it is sold to a third party, and there
are not controls, and I cannot get a job. That example is used
often.
This is a different world. To compare, as the Senator from
Missouri did, this--``Missoura''--this medium that we are
talking about to sort of other things and what transactions he
and his wife might make at home, is behind the curve. This is a
new world.
There has been a 548 percent increase in online disclosure
and privacy policies. Of course that is exactly what the FTC
looked at, and it is the quality of what the privacy policies
say. Can you find them? Can you read them? Is the print big
enough, and is it written in words that only those who are
lawyers can understand? The American consumer is not always the
most sophisticated, and the American consumer when on the net
or on a Web site is almost always in a hurry and does not take
the time. It is simply understanding human nature in a medium
which is changing and then rechanging every 6 to 8 months.
So this is not a question of should we wait and make sure
that we do absolutely the most perfect thing. There are
hundreds of thousands or millions of people whose lives are
going to be intervened with in ways that are dramatic and
dangerous if this Committee does not pass a bill which supports
what the FTC basically says. That is, that the work is not
being done sufficiently.
I would remind the Senators from Massachusetts and Missouri
that we heard all these same arguments back in the 1970's when
the credit cards started up. The credit card industry was all
over everybody saying that you cannot regulate us. And it was
only, in fact, when we did put regulations on the credit card
industry that the 90 percent of American consumers who at that
time perhaps were not using credit cards or who are not at this
point on Web sites or using the Internet the way they might
gained confidence in precisely the industry that had just gone
through some form of regulation.
It was the regulation and thus the privacy and the access
and the security that in fact helped the industry to attract
users. So it is a cliche to say, but it is through judicious
and cautious regulation not irrational exuberance that will
help protect Americans and which will also help the industry
grow.
We will make a mistake here if we apply traditional values
to our legislative course.
Senator Stevens. Thank you.
Senator Cleland, do you have an opening statement?
STATEMENT OF HON. MAX CLELAND,
U.S. SENATOR FROM GEORGIA
Senator Cleland. Yes, sir, I do. Thank you very much, Mr.
Chairman.
More and more as a Member of this Committee, I feel like I
am in a cul de sac on the information highway. I am still
struggling, trying to find out what it is all about. I was
thinking this morning of how to equate what we are facing now
with what I understood. I am from a small town, and it was not
that many years ago in my little town that there were only four
numbers involved with a telephone. And it was a totally public
line. It was a party line, it used to be called, and basically
everybody else knew each other's business. My State director,
who is only 5 years older than I am, remembers when he would go
home from school in the afternoon, pick up the phone, call the
switchboard operator and say: Where is my mother? And she would
say: Over at Gracie's.
I wonder if here in the early days of the Internet that
everybody that is online is actually on a party line and does
not know it.
The information superhighway began just a few short years
ago as a footpath and now it is an unlimited expressway. People
can now use the Internet to shop at virtual stores located
thousands of miles away, find turn-by-turn directions to far
away destinations, and journey to hamlets, cities, and states
across the country.
While the virtual world is available to us with just a few
keystrokes and mouse clicks, there is one area of the Internet
that many are finding troublesome. It is the collection and use
of personal data. All too often, web surfers are providing
personal information about themselves without their knowledge
and consent. It is a party line, except people do not know they
are on a party line.
There is so much information being collected on people
visiting Web sites today that it would take several buildings
the size of the Library of Congress to store it all. That is a
lot of information, much of which is very personal, and I
believe it must be kept that way.
My concern about privacy on the Internet is that this issue
is keeping people from fully enjoying the marvelous technology
available to them. According to a recent survey by the Center
for Democracy and Technology, consumers are fearful of the sale
of their personal information to others and Web sites tracking
people's use of the web. I think the term ``cookies'' is a
fascinating term. I love cookies, but not this way.
This survey seems to be pointing to the same argument that
was made when credit cards were first introduced to the
American public. At that time credit cards did not initially
enjoy widespread usage because of the potential misuse by
others, but it was only after regulatory intervention to
protect consumers that this fear was somewhat dispelled. We
should learn this lesson from the Internet and the challenges
that it is experiencing over privacy concerns.
These concerns are translating into lost opportunities for
consumers and businesses. Now, most of the dot-com companies
doing business over the Internet today are very cognizant of
the fact that privacy is a major concern. However, in a report
you just released, you found that 92 percent of the Web sites
that you surveyed were collecting great amounts of personal
information from consumers and only 14 percent disclosed
anything about how the information would be used.
Interestingly enough, the report, your report, found that a
mere 41 percent, less than half, of the randomly selected Web
sites notified the visitor of their information practices and
offered the visitor choices on how their personal information
would be used. Now, this report seems to suggest to me that
industry efforts by themselves are, indeed, not sufficient to
control the gathering and dissemination of personal data.
At one Web site visit, a company can collect some very
interesting facts about the person who is on the other end
without them knowing it. While surfing the web the other day, I
hit on a Web site that provided me with the insight into just
how much information can be collected. In less than a minute,
the site reported what other sites I had visited, what sites I
would likely visit in the future, what plug-ins are installed
on my PC, how my domain is configured, and a lot more
information that I did not really understand.
Many consider this type of tracking akin to stalking. I
believe that the information that can be collected by Web site
administrators can create problems for people through a
violation of trust and invasion of privacy. I would say, as an
old Army signal officer, I know that you cannot communicate
important data unless you have a feeling that it is secure.
Novice Internet users generally are unaware, as I was until
visiting this site, of the extent of information being
collected on them. Even those who are aware of the capabilities
of firms to collect private data are frightened by what can
happen.
I believe in increasing the level of protection for private
information to a level that the people of our nation and the
dot-coms can live with, and I believe in providing assurances
to those who are providing information that their privacy
rights will be protected. It seems reasonable to me that firms
that are collecting private data should notify consumers of the
firm's information practices, offer the consumer choices on how
the personal information will be used, allow consumers to
access the information that is collected on them, and require
those firms to take reasonable steps to protect the security of
that information.
However, I am looking forward to learning more about the
Internet privacy issue this morning and hearing from experts
like these wonderful people at the table, Mr. Chairman, and the
rest of our distinguished testifiers.
Thank you very much.
The Chairman [presiding]. Chairman Pitofsky, welcome. I am
sorry for the delay. I apologize to all the Commissioners.
Chairman Pitofsky.
STATEMENT OF HON. ROBERT PITOFSKY,
CHAIRMAN, FEDERAL TRADE COMMISSION
Mr. Pitofsky. Thank you, Mr. Chairman, Senator Hollings,
members of the Committee. I welcome this opportunity to once
again appear before this Committee to discuss this important
subject, especially because this Committee has supported so
consistently and so well our efforts to deal with the kinds of
problems we will discuss today.
As you know, the Commission has been active in the area of
protecting consumers on the Internet since 1995. To a large
extent we have dealt with fraud on the Internet, but we have
also addressed questions of privacy.
We all know that the Internet commerce sector of the
economy is growing at an amazing pace. But we also know that
many people, some surveys say over 90 percent, are apprehensive
about the way their private information is being used,
including people who go ahead and buy things on the Internet.
Most observers believe that consumer protection would
require four fair information practices. Incidentally, the
business community in their seal programs and elsewhere have
also indicated that these are the four bases that need to be
touched.
First, notice: What information is being collected and what
are the collectors doing with it? Consumers ought to know that.
Choice, the opportunity of consumers to say that we do not
want this information used for any purpose other than
completion of the transaction.
Most people also think that there ought to be some access,
so if sensitive information is involved in the data base and it
is wrong, there is an opportunity to correct it, so that
consumers are not injured by errors.
The fourth practice involves an obligation to keep the
information firms collect secure.
The debate really concerns whether these rights can be
achieved through legislation or through growing efforts of
responsible companies in the field to engage in self-
regulation. My own view is that neither legislation alone nor
self-regulation alone is the right answer, but it ought to be
some combination of the two.
I applaud the progress that has been made in self-
regulation in recent years. On the matter of notice, we have
gone from 14 percent notice on all Web sites to 88 percent
notice on all Web sites in a little over two years. The
question has been raised: If that is the case, why has a
majority of the Commission changed its view about the adequacy
of self-regulation? I would make a number of points.
First of all, the 88 percent figure is a little misleading.
It includes ``notice'' that says in effect, ``we protect your
privacy,'' or it could include notice that says, ``we do not
protect your privacy.'' The fact of the matter is if you ask
the questions, ``how many of these notices actually tell
consumers what information is collected and how it is used?''
then the figure falls down to about 55 percent for all sites,
89 percent for the most visited sites.
If you ask the questions, ``what about all four information
practices? Are they being adequately addressed through self-
regulation?,'' it turns out only 20 percent of firms on the
Internet, one in five, have adopted all four fair information
practices.
Some have said, ``Well, but access and security are
difficult to understand, the industry is slow to move in those
two areas.'' All right, let us leave out access and security
and ask only about notice and consent. There, on all Web sites,
we find only 41 percent have notice and consent, 60 percent of
the most traveled sites.
Finally, the whole notion of self-regulation requires that
companies be part of seal programs and if they do not abide by
self-regulatory standards, the seal will be taken away. Well,
we find in that area, even though these seal programs have been
working for over a year and a half, almost 2 years, 8 percent
of Web sites are members of seal programs. That does not seem
adequate.
What is to be done? First let me say again that self-
regulation has achieved a good deal and has an important role
to play in the future. I have always been a strong advocate of
self-regulation. It works in many sectors of the economy. But I
tell you on the basis of my experience that the most effective
self-regulatory programs are those that have a rule of law to
back them up, so that the self-regulators can then say to the
irresponsible few who do not go along with the standards that
their behavior will be referred to a law enforcement agency.
The idea that the self-regulators can go to the less
responsible few and say, if you continue to collect and sell
this information without permission at a profit to third
parties we are going to take your seal of approval away from
you, just does not get the job done. It helps, but it is not in
my opinion adequate.
Second, I do believe that Congress must be cautious in this
area and not impose on this growing and wonderful pro-consumer
marketplace burdens that will hamper the development of the
marketplace.
Third, as our report tries to emphasize, there are many
complicated questions that arise here: What is adequate notice?
How much access is required? What do we mean by ``security''?
Therefore, I applaud those who say that we should be careful;
we should get it right rather than rush to any judgment in this
area.
Any legislation should be sufficiently flexible so that if
there are technological solutions--and we hear about them all
the time--if they really develop then they should be
incorporated and they should be allowed to protect consumers
rather than direct government regulation.
Finally, an issue that has been raised by several: Why are
we emphasizing consumer protection online and not offline?
First of all, it is possible to manipulate data online in a
very special way. But more important than that, in our report
we address the question of online privacy. We have not examined
the question of offline privacy. Slowly, I have come around to
the view, as we have moved through this area, that the argument
that offline and online should be treated in a radically
different way just does not hold up and we should be addressing
whether or not consumers offline deserve protection as well.
Let me conclude my remarks with a reference to some basic
principles. Millions of people now enthusiastically shop online
and they have no problem at all supplying personally
identifiable information--names, addresses, credit card numbers
if necessary, even social security numbers--if necessary to
complete the transaction. But many sellers on the Internet are
not just in the business of selling a product or selling a
service, but rather they are in the business of accumulating
data--the books we read, the music we hear, the pharmaceuticals
and cosmetics we buy, our travel and vacation plans, the
information we research, on and on and on. And that is often
sold at a profit to third parties with whom we have no direct
connection whatsoever. We do not even know who they are or what
they are doing with that information.
Many people do not object to that either, as long as they
have an opportunity to say to the online seller: ``If that is
what you are going to do with the data, just leave me out; I
visited your Web site to buy a product, not to provide
information about my life, my family, my habits, or my economic
class.''
I think that is the goal that virtually all of us share. We
must make sure that that option is available to consumers on
the Internet. They should not be required to forfeit their
privacy online in exchange for the rich benefits of electronic
commerce. Careful, non-burdensome legislation, backed up by
effective self-regulation, and the legislation would set
minimum standards, seems to me at this point the right way to
go.
Thank you very much.
[The prepared statement of Chairman Pitofsky follows:]
Prepared Statement of Hon. Robert Pitofsky, Chairman,
Federal Trade Commission
Mr. Chairman, I am Robert Pitofsky, Chairman of the Federal Trade
Commission. I appreciate this opportunity to present the Commission's
views on the privacy issues raised by the collection and use of
consumers' personal information by commercial sites on the World Wide
Web.\1\
---------------------------------------------------------------------------
\1\ The Commission vote to issue this testimony was 5-0.
Commissioners Anthony, Thompson, Swindle, and Leary have issued
separate statements, which are attached.
My oral testimony and any responses to questions you may have
reflect my own views and are not necessarily the views of the
Commission or any other Commissioner.
---------------------------------------------------------------------------
I. Introduction and Background
A. FTC Law Enforcement Authority
The FTC's mission is to promote the efficient functioning of the
marketplace by protecting consumers from unfair or deceptive acts or
practices and to increase consumer choice by promoting vigorous
competition. As you know, the Commission's responsibilities are far-
reaching. The Commission's primary legislative mandate is to enforce
the Federal Trade Commission Act (``FTCA''), which prohibits unfair
methods of competition and unfair or deceptive acts or practices in or
affecting commerce.\2\ With the exception of certain industries and
activities, the FTCA provides the Commission with broad investigative
and law enforcement authority over entities engaged in or whose
business affects commerce.\3\ Commerce on the Internet falls within the
scope of this statutory mandate.
---------------------------------------------------------------------------
\2\ 15 U.S.C. Sec. 45(a).
\3\ The Commission also has responsibility under 45 additional
statutes governing specific industries and practices. These include,
for example, the Truth in Lending Act, 15 U.S.C. Sec. Sec. 1601 et
seq., which mandates disclosures of credit terms, and the Fair Credit
Billing Act, 15 U.S.C. Sec. Sec. 1666 et seq., which provides for the
correction of billing errors on credit accounts. The Commission also
enforces over 30 rules governing specific industries and practices,
e.g., the Used Car Rule, 16 C.F.R. Part 455, which requires used car
dealers to disclose warranty terms via a window sticker; the Franchise
Rule, 16 C.F.R. Part 436, which requires the provision of information
to prospective franchisees; the Telemarketing Sales Rule, 16 C.F.R.
Part 310, which defines and prohibits deceptive telemarketing practices
and other abusive telemarketing practices; and the Children's Online
Privacy Protection Rule, 16 C.F.R. Part 312.
In addition, on May 12, 2000, the Commission issued a final rule
implementing the privacy provisions of the Gramm-Leach-Bliley Act, 15
U.S.C. Sec. Sec. 6801 et seq. The rule requires a wide range of
financial institutions to provide notice to their customers about their
privacy policies and practices. The rule also describes the conditions
under which those financial institutions may disclose personal
financial information about consumers to nonaffiliated third parties,
and provides a method by which consumers can prevent financial
institutions from sharing their personal financial information with
nonaffiliated third parties by opting out of that disclosure, subject
to certain exceptions. The rule is available on the Commission's Web
site at . See Privacy of
Consumer Financial Information, to be codified at 16 C.F.R. pt. 313.
The Commission does not, however, have criminal law enforcement
authority. Further, under the FTCA, certain entities, such as banks,
savings and loan associations, and common carriers, as well as the
business of insurance, are wholly or partially exempt from Commission
jurisdiction. See Section 5(a)(2) and (6)a of the FTC Act, 15 U.S.C.
Sec. 45(a)(2) and 46(a). See also The McCarran-Ferguson Act, 15 U.S.C.
Sec. 1012(b).
---------------------------------------------------------------------------
B. Privacy Concerns in the Online Marketplace
Since its inception in the mid-1990's, the online consumer
marketplace has grown at an exponential rate. Recent figures suggest
that as many as 90 million Americans now use the Internet on a regular
basis.\4\ Of these, 69%, or over 60 million people, shopped online in
the third quarter of 1999.\5\ In addition, the Census Bureau estimates
that retail e-commerce reached $5.3 billion for the fourth quarter of
1999.\6\
---------------------------------------------------------------------------
\4\ The Intelliquest Technology Panel, Panel News, available at
[hereinafter ``Technology
Panel''] (90 million adult online users as of third-quarter 1999).
Other sources place the number in the 70-75 million user range. See
Cyber Dialogue, Internet Users, available at (69 million users);
Cyberstats, Internet Access and Usage, Percent of Adults 18+, available
at (75 million
users).
\5\ Technology Panel. This represents an increase of over 15
million online shoppers in one year. See id.
\6\ United States Department of Commerce News, Retail E-commerce
Sales for the Fourth Quarter 1999 Reach $5.3 Billion, Census Bureau
Reports (Mar. 2, 2000), available at .
---------------------------------------------------------------------------
At the same time, technology has enhanced the capacity of online
companies to collect, store, transfer, and analyze vast amounts of data
from and about the consumers who visit their Web sites. This increase
in the collection and use of data, along with the myriad subsequent
uses of this information that interactive technology makes possible,
has raised public awareness and consumer concerns about online privacy.
Recent survey data demonstrate that 92% of consumers are concerned (67%
are ``very concerned'') about the misuse of their personal information
online.\7\ The level of consumer unease is also indicated by a recent
study in which 92% of respondents from online households stated that
they do not trust online companies to keep their personal information
confidential.\8\ To ensure consumer confidence in this new marketplace
and its continued growth, consumer concerns about privacy must be
addressed.\9\
---------------------------------------------------------------------------
\7\ Alan F. Westin, Personalized Marketing and Privacy on the Net:
What Consumers Want, Privacy and American Business at 11 (Nov. 1999)
[hereinafter ``Westin/PAB 1999'']. See also IBM Multi-National Consumer
Privacy Survey at 72 (Oct. 1999), prepared by Louis Harris & Associates
Inc. [hereinafter ``IBM Privacy Survey''] (72% of Internet users very
concerned and 20% somewhat concerned about threats to personal privacy
when using the Internet); Forrester Research, Inc., Online Consumers
Fearful of Privacy Violations (Oct. 1999), available at (two-thirds of
American and Canadian online shoppers feel insecure about exchanging
personal information over the Internet).
\8\ Survey Shows Few Trust Promises on Online Privacy, Apr. 17,
2000, available at (citing recent Odyssey survey).
\9\ The Commission, of course, recognizes that other consumer
concerns also may hinder the development of e-commerce. As a result,
the agency has pursued other initiatives such as combating online fraud
through law enforcement efforts. See FTC Staff Report: The FTC's First
Five Years Protecting Consumers Online (Dec. 1999). The Commission,
with the Department of Commerce, is also holding a public workshop and
soliciting comment on the potential issues associated with the use of
alternative dispute resolution for online consumer transactions. See
Initial Notice Requesting Public Comment and Announcing Public
Workshop, 65 Fed. Reg. 7,831 (Feb. 16, 2000); Notice Announcing Dates
and Location of Workshop and Extending Deadline for Public Comments, 65
Fed. Reg. 18,032 (Apr. 6, 2000). The workshop will be held on June 6
and 7, 2000. Information about the workshop, including the federal
register notices and public comments received, is available at .
---------------------------------------------------------------------------
C. The Commission's Approach to Online Privacy--Initiatives Since 1995
Since 1995, the Commission has been at the forefront of the public
debate concerning online privacy.\10\ The Commission has held public
workshops; examined Web site information practices and disclosures
regarding the collection, use, and transfer of personal information;
and commented on self-regulatory efforts and technological developments
intended to enhance consumer privacy. The Commission's goals have been
to understand this new marketplace and its information practices, and
to assess the costs and benefits to businesses and consumers.\11\
---------------------------------------------------------------------------
\10\ The Commission's review of privacy has mainly focused on
online issues because the Commission believes privacy is a critical
component in the development of electronic commerce. However, the FTC
Act and most other statutes enforced by the Commission apply equally in
the offline and online worlds. As described infra, n.11, the agency has
examined privacy issues affecting both arenas, such as those implicated
by the Individual Reference Services Group, and in the areas of
financial and medical privacy. It also has pursued law enforcement,
where appropriate, to address offline privacy concerns. See FTC v.
Rapp, No. 99-WM-783 (D. Colo. filed Apr. 21, 1999); In re Trans Union,
Docket No. 9255 (Feb. 10, 2000), appeal docketed, No. 00-1141 (D.C.
Cir. Apr. 4, 2000). These activities--as well as recent concerns about
the merging of online and offline databases, the blurring of
distinctions between online and offline merchants, and the fact that a
vast amount of personal identifying information is collected and used
offline--make clear that significant attention to offline privacy
issues is warranted.
\11\ The Commission held its first public workshop on privacy in
April 1995. In a series of hearings held in October and November 1995,
the Commission examined the implications of globalization and
technological innovation for competition and consumer protection
issues, including privacy concerns. At a public workshop held in June
1996, the Commission examined Web site practices regarding the
collection, use, and transfer of consumers' personal information; self-
regulatory efforts and technological developments to enhance consumer
privacy; consumer and business education efforts; the role of
government in protecting online information privacy; and special issues
raised by the online collection and use of information from and about
children. The Commission held a second workshop in June 1997 to explore
issues raised by individual reference services, as well as issues
relating to unsolicited commercial e-mail, online privacy generally,
and children's online privacy.
The Commission and its staff have also issued reports describing
various privacy concerns in the electronic marketplace. See, e.g., FTC
Staff Report: The FTC's First Five Years Protecting Consumers Online
(Dec. 1999); Individual Reference Services: A Federal Trade Commission
Report to Congress (Dec. 1997); FTC Staff Report: Public Workshop on
Consumer Privacy on the Global Information Infrastructure (Dec. 1996);
FTC Staff Report: Anticipating the 21st Century: Consumer Protection
Policy in the New High-Tech, Global Marketplace (May 1996). Recently,
at the request of the Department of Health and Human Services
(``HHS''), the Commission submitted comments on HHS' proposed Standards
for Privacy of Individually Identifiable Health Information (required
by the Health Insurance Portability and Accountability Act of 1996).
The Commission strongly supported HHS' proposed ``individual
authorization'' or ``opt-in'' approach to health providers' ancillary
use of personally identifiable health information for purposes other
than those for which the information was collected. The Commission also
offered HHS suggestions it may wish to consider to improve disclosure
requirements in two proposed forms that would be required by the
regulations. The Commission's comments are available at .
The Commission also has brought law enforcement actions to protect
privacy online pursuant to its general mandate to fight unfair and
deceptive practices. See FTC v. ReverseAuction.com, Inc., No. 00-0032
(D.D.C. Jan. 6, 2000) (consent decree) (settling charges that an online
auction site obtained consumers' personal identifying information from
a competitor site and then sent deceptive, unsolicited e-mail messages
to those consumers seeking their business); Liberty Financial
Companies, Inc., FTC Dkt. No. C-3891 (Aug. 12, 1999) (consent order)
(challenging the allegedly false representations by the operator of a
``Young Investors'' Web site that information collected from children
in an online survey would be maintained anonymously); GeoCities, FTC
Dkt. No. C-3849 (Feb. 12, 1999) (consent order) (settling charges that
Web site misrepresented the purposes for which it was collecting
personal identifying information from children and adults).
---------------------------------------------------------------------------
In June 1998 the Commission issued Privacy Online: A Report to
Congress (``1998 Report''), an examination of the information practices
of commercial sites on the World Wide Web and of industry's efforts to
implement self-regulatory programs to protect consumers' online
privacy.\12\ The Commission described the widely-accepted fair
information practice principles of Notice, Choice, Access and Security.
The Commission also identified Enforcement--the use of a reliable
mechanism to provide sanctions for noncompliance--as a critical
component of any governmental or self-regulatory program to protect
privacy online.\13\ In addition, the 1998 Report presented the results
of the Commission's first online privacy survey of commercial Web
sites. While almost all Web sites (92% of the comprehensive random
sample) were collecting great amounts of personal information from
consumers, few (14%) disclosed anything at all about their information
practices.\14\
---------------------------------------------------------------------------
\12\ The Report is available on the Commission's Web site at
.
\13\ 1998 Report at 11-14.
\14\ Id. at 23, 27.
---------------------------------------------------------------------------
Based on survey data showing that the vast majority of sites
directed at children also collected personal information, the
Commission recommended that Congress enact legislation setting forth
standards for the online collection of personal information from
children.\15\ The Commission deferred its recommendations with respect
to the collection of personal information from online consumers
generally. In subsequent Congressional testimony, the Commission
discussed promising self-regulatory efforts suggesting that industry
should be given more time to address online privacy issues. The
Commission urged the online industry to expand these efforts by
adopting effective, widespread self-regulation based upon the long-
standing fair information practice principles of Notice, Choice,
Access, and Security, and by putting enforcement mechanisms in place to
assure adherence to these principles.\16\
---------------------------------------------------------------------------
\15\ Id. at 42-43. In October 1998, Congress enacted the Children's
Online Privacy Protection Act of 1998 (``COPPA''), which authorized the
Commission to issue regulations implementing the Act's privacy
protections for children under the age of 13. 15 U.S.C. Sec. Sec. 6501
et seq. In October 1999, as required by COPPA, the Commission issued
its Children's Online Privacy Protection Rule, which became effective
last month. 16 C.F.R. Part 312.
\16\ See Prepared Statement of the Federal Trade Commission on
``Consumer Privacy on the World Wide Web'' before the Subcommittee on
Telecommunications, Trade and Consumer Protection of the House
Committee on Commerce, U.S. House of Representatives (July 21, 1998),
available at .
---------------------------------------------------------------------------
Last year, Georgetown University Professor Mary Culnan conducted a
survey of a random sample drawn from the most-heavily trafficked sites
on the World Wide Web as well as a survey of the busiest 100 sites.\17\
The former, known as the Georgetown Internet Privacy Policy Survey,
found significant improvement in the frequency of privacy disclosures,
but also that only 10% of the sites posted disclosures that even
touched on all four fair information practice principles.\18\ Based in
part on these results, a majority of the Commission recommended in its
1999 report to Congress, Self-Regulation and Privacy Online, that self-
regulation be given more time, but called for further industry efforts
to implement the fair information practice principles.\19\
---------------------------------------------------------------------------
\17\ The results for the random sample of 361 Web sites are
reported in Georgetown Internet Privacy Policy Survey: Report to the
Federal Trade Commission (June 1999), available at [hereinafter ``GIPPS Report'']. The
results of Professor Culnan's study of the top 100 Web sites, conducted
for the Online Privacy Alliance, are reported in Online Privacy
Alliance, Privacy and the Top 100 Sites: Report to the Federal Trade
Commission (June 1999), available at [hereinafter ``OPA Report''].
\18\ See GIPPS Report, Appendix A, Table 8C.
\19\ Self-Regulation and Privacy Online (July 1999) at 12-14
(available at ).
---------------------------------------------------------------------------
This week the Commission issued its third report to Congress
examining the state of online privacy and the efficacy of industry
self-regulation. Privacy Online: Fair Information Practices in the
Electronic Marketplace (``2000 Report'') * presents the results of the
Commission's 2000 Online Privacy Survey, which reviewed the nature and
substance of U.S. commercial Web sites' privacy disclosures, and
assesses the effectiveness of self-regulation. The 2000 Report also
considers the recommendations of the Commission-appointed Advisory
Committee on Online Access and Security.\20\ Finally, the Report sets
forth the Commission's conclusion that legislation is necessary to
ensure further implementation of fair information practices online and
recommends the framework for such legislation.\21\
---------------------------------------------------------------------------
* The information referred to has been retained in Committee files.
\20\ In December 1999, the Commission established the Federal Trade
Commission Advisory Committee on Online Access and Security, pursuant
to the Federal Advisory Committee Act, 5 U.S.C. App. Sec. Sec. 1-15.
Notice of Establishment of the Federal Trade Commission Advisory
Committee on Online Access and Security and Request for Nominations, 64
Fed. Reg. 71,457 (1999).
The Commission asked the Advisory Committee, a group comprising 40
e-commerce experts, industry representatives, security specialists, and
consumer and privacy advocates, to consider the parameters of
``reasonable access'' to personal information collected from and about
consumers online and ``adequate security'' for such information, and to
prepare a report presenting options for implementation of these fair
information practices and the costs and benefits of each option. The
duties of the Advisory Committee were solely advisory. The Advisory
Committee Report and proceedings are available at .
\21\ The Commission vote to issue the 2000 Report was 3-2, with
Commissioner Swindle dissenting and Commissioner Leary concurring in
part and dissenting in part. Both Commissioners' separate statements
are attached to the Report. Copies of the 2000 Report and of the report
of the Advisory Committee on Online Access and Security are attached. *
The Reports are also available at and , respectively.
* The information referred to has been retained in Committee files.
---------------------------------------------------------------------------
II. Fair Information Practices in the Electronic Marketplace: The
Results of the 2000 Survey
In February and March 2000, the Commission conducted a survey of
commercial sites' information practices, using a list of the busiest
U.S. commercial sites on the World Wide Web.\22\ Two groups of sites
were studied: (a) a random sample of 335 Web sites (the ``Random
Sample'') and (b) 91 of the 100 busiest sites (the ``Most Popular
Group'').\23\ As was true in 1998, the 2000 Survey results show that
Web sites collect a vast amount of personal information from and about
consumers. Almost all sites (97% in the Random Sample, and 99% in the
Most Popular Group) collect an e-mail address or some other type of
personal identifying information.\24\
---------------------------------------------------------------------------
\22\ The list of Web sites was provided by Nielsen//NetRatings
based upon January 2000 traffic figures. 2000 Report, Appendix A.
\23\ 2000 Report at 7, 9 and Appendix A.
\24\ 2000 Report at 9.
---------------------------------------------------------------------------
The 2000 Survey results also show that there has been continued
improvement in the percent of Web sites that post at least one privacy
disclosure (88% in the Random Sample and 100% in the Most Popular
Group).\25\ The Commission's 2000 Survey went beyond the mere counting
of disclosures, however, and analyzed the nature and substance of these
privacy disclosures in light of the fair information practice
principles of Notice, Choice, Access, and Security. It found that only
20% of Web sites in the Random Sample that collect personal identifying
information implement, at least in part, all four fair information
practice principles (42% in the Most Popular Group).\26\ While these
numbers are higher than similar figures obtained in Professor Culnan's
studies, the percentage of Web sites that state they are providing
protection in the core areas remains low. Further, recognizing the
complexity of implementing Access and Security as discussed in the
Advisory Committee report, the Commission also examined the data to
determine whether Web sites are implementing Notice and Choice only.
The data showed that only 41% of sites in the Random Sample and 60% of
sites in the Most Popular Group meet the basic Notice and Choice
standards.\27\
---------------------------------------------------------------------------
\25\ Id. at 10.
\26\ Id. at 12-13.
\27\ Id. at 13-14.
---------------------------------------------------------------------------
The 2000 Survey also examined the extent to which industry's
primary self-regulatory enforcement initiatives--online privacy seal
programs--have been adopted. These programs, which require companies to
implement certain fair information practices and monitor their
compliance, promise an efficient way to implement privacy protection.
However, the 2000 Survey revealed that although the number of sites
enrolled in these programs has increased over the past year,\28\ the
seal programs have yet to establish a significant presence on the Web.
The Survey found that less than one-tenth, or approximately 8%, of
sites in the Random Sample display a privacy seal. Moreover, less than
one-half, or 45%, of the sites in the Most Popular Group display a
seal.\29\
---------------------------------------------------------------------------
\28\ Id. at 6-7.
\29\ Id. at 20.
---------------------------------------------------------------------------
III. Commission Recommendations
Based on the past years of work addressing Internet privacy issues,
including examination of prior surveys and workshops with consumers and
industry, it is evident that online privacy continues to present an
enormous public policy challenge.\30\ The Commission applauds the
significant efforts of the private sector and commends industry leaders
in developing self-regulatory initiatives. The 2000 Survey, however,
demonstrates that industry efforts alone have not been sufficient.
Because self-regulatory initiatives to date fall far short of broad-
based implementation of effective self-regulatory programs, a majority
of the Commission has concluded that such efforts alone cannot ensure
that the online marketplace as a whole will emulate the standards
adopted by industry leaders. While there will continue to be a major
role for industry self-regulation in the future, a majority of the
Commission recommends that Congress enact legislation that, in
conjunction with continuing self-regulatory programs, will ensure
adequate protection of consumer privacy online.
---------------------------------------------------------------------------
\30\ As noted earlier, supra n.10, and as illustrated by
legislative decisions made in the areas of medical and financial
privacy, offline privacy issues are also significant.
---------------------------------------------------------------------------
The proposed legislation would set forth a basic level of privacy
protection for consumer-oriented commercial Web sites.\31\ Such
legislation would establish basic standards of practice for the
collection of information online, and provide an implementing agency
with the authority to promulgate more detailed standards pursuant to
the Administrative Procedure Act.\32\
---------------------------------------------------------------------------
\31\ Legislation should cover such sites to the extent not already
covered by the Children's Online Privacy Protection Act, 15 U.S.C.
Sec. Sec. 6501 et seq.
\32\ 5 U.S.C. Sec. 553.
---------------------------------------------------------------------------
Consumer-oriented commercial Web sites that collect personal
identifying information from or about consumers online would be
required to comply with the four widely-accepted fair information
practices:
(1) Notice--Web sites would be required to provide consumers
clear and conspicuous notice of their information practices,
including what information they collect, how they collect it
(e.g., directly or through non-obvious means such as cookies),
how they use it, how they provide Choice, Access, and Security
to consumers, whether they disclose the information collected
to other entities, and whether other entities are collecting
information through the site.\33\
---------------------------------------------------------------------------
\33\ The Commission will soon be addressing the issue of third-
party online collection of personal information for profiling purposes
in a separate report to Congress.
---------------------------------------------------------------------------
(2) Choice--Web sites would be required to offer consumers
choices as to how their personal identifying information is
used beyond the use for which the information was provided
(e.g., to consummate a transaction). Such choice would
encompass both internal secondary uses (such as marketing back
to consumers) and external secondary uses (such as disclosing
data to other entities).
(3) Access--Web sites would be required to offer consumers
reasonable access to the information a Web site has collected
about them, including a reasonable opportunity to review
information and to correct inaccuracies or delete information.
(4) Security--Web sites would be required to take reasonable
steps to protect the security of the information they collect
from consumers.
The Commission recognizes that the implementation of these
practices may vary with the nature of the information collected and the
uses to which it is put, as well as with technological developments.
For this reason, a majority of the Commission recommends that any
legislation be phrased in general terms and be technologically neutral.
Thus, the definitions of fair information practices set forth in the
statute should be broad enough to provide flexibility to the
implementing agency in promulgating its rules or regulations.
Finally, the Commission notes that industry self-regulatory
programs would continue to play an essential role under such a
statutory structure, as they have in other contexts.\34\ The Commission
hopes and expects that industry and consumers would participate
actively in developing regulations under the new legislation and that
industry would continue its self-regulatory initiatives. The Commission
also recognizes that effective and widely-adopted seal programs could
be an important component of that effort.
---------------------------------------------------------------------------
\34\ For example, the program administered by the National
Advertising Division of the Council of Better Business Bureaus, Inc.
(``NAD'') is a model self-regulatory program that complements the
Commission's authority to regulate unfair and deceptive advertising.
The NAD expeditiously investigates complaints made by consumers or
competitors about the truthfulness of advertising. An advertiser that
disagrees with the NAD's conclusion may appeal to the National
Advertising Review Board (``NARB''), which includes members from inside
and outside the advertising industry. The vast majority of disputes
handled by the NAD and NARB are resolved without government
intervention, resulting in greater respect for and enforcement of the
law at a substantial savings to the taxpayer. Those disputes that the
NAD and NARB are unable to resolve are referred to the Commission.
The Commission also has a long record of working with industry to
develop and disseminate informational materials for the public. See,
e.g., Notice of Opportunity to Participate and Obtain Co-Sponsorship in
Agency Public Awareness Campaign re: Children's Online Privacy
Protection Rule, available at .
---------------------------------------------------------------------------
For all of these reasons, a majority of the Commission believes
that its proposed legislation, in conjunction with self-regulation,
will ensure important protections for consumer privacy at a critical
time in the development of the online marketplace. Without such
protections, electronic commerce will not reach its full potential and
consumers will not gain the confidence they need in order to
participate fully in the online marketplace.
IV. Conclusion
The Commission is committed to the goal of assuring fair
information practices for consumers online, and looks forward to
working with the Committee as it considers the Commission's Report and
proposals for protecting online privacy.
The Chairman. I thank you, Chairman Pitofsky.
I would tell the other Commissioners, your complete
statement will be made part of the record and if you could
summarize we would very much appreciate it. But at the same
time, we do not want to prevent the Committee from receiving
all the information you wish to convey.
Commissioner Anthony.
STATEMENT OF HON. SHEILA F. ANTHONY, COMMISSIONER,
FEDERAL TRADE COMMISSION
Ms. Anthony. Thank you, Mr. Chairman. I am delighted to be
here today and I am pleased that the Commission is recommending
Federal legislation----
Senator Stevens. Would you pull that mike up to you,
please.
Ms. Anthony. Sure.
I am pleased that the Commission is recommending
legislation necessary to protect consumer privacy. I wish to
emphasize four points related to our legislative
recommendation:
One, any quality privacy policy should offer true
protections to consumers and be presented in a simple format
that is clear and understandable;
Two, an enforcement mechanism must be in place that gives
consumers confidence that Web sites do what they say they do
with consumers' personal data;
Three, a patchwork of State privacy laws will result in
confusion both to consumers and businesses, and thus Federal
preemption should at least be seriously considered;
Four, implementation of consumer consent via opt-in and
opt-out may require making a distinction between market
information and sensitive health and financial information.
The 2000 survey reports that 97 percent of the random
sample and 99 percent of the most popular group collect
personally identifying information, but only 20 percent of the
random sample and just 42 percent of the most popular group
address, at least in part, all four information practices.
Seal programs and audits can be key enforcement mechanisms.
Yet only 8 percent in the random sample and 45 percent of the
most popular group display a seal.
Perhaps more troubling to me is that many privacy policies
are confusing, contradictory, and ambiguous. I reviewed some of
the privacy policies in the most popular group of Web sites in
our survey. Frankly, I was disappointed. Almost half of the
policies are too long, varying from 3 to 12 pages. Many try to
lull a consumer into a false sense of comfort. Despite opening
statements asserting the importance of the user's privacy,
subsequent paragraphs frequently contain contradictory
information.
Consider the following language in an Internet service
provider's published privacy policy. The first sentence states:
``Your privacy is important to us,'' but continues several
paragraphs later: ``The personal information we collect from
members during the registration process is used to manage each
member's account. This information is not shared with third
parties unless specifically stated otherwise or in special
circumstances.''
Three pages later, the same policy goes on to say: ``We may
disclose personal information about our visitors or members or
information regarding your use of the services or Web sites
accessible through our services for any reason if, in our sole
discretion, we believe it is reasonable to do so.''
Would you call this a clear, unambiguous disclosure? I do
not. Does it inform consumers about whether his or her
information will be shared and, if so, with whom? I do not
believe it does.
My next example illustrates serious concerns with regard to
meaningful consent. I quote from a privacy policy statement
from one of the top 100 sites: ``When you submit personal
information to us, you understand and agree that our
subsidiaries, affiliates, and trusted vendors may transfer,
store, and process your customer profile in any of the
countries in which we and our affiliates maintain offices.''
Has the site identified with specificity the parties with
whom it will share this consumer's information? Is consent
meaningful if consumers do not see this notice or have access
to it at the time they supply their personal information?
Even a policy that incorporates all four fair information
practices can be ambiguous and contradictory. What do you make
of this privacy policy that contains the following disclaimer:
``This statement and the policies outlined herein are not
intended to and do not create any contractual or other legal
rights in or on behalf of any party.'' This disclaimer seems to
absolve the site of any responsibility to protect a consumer's
information. It reminds me of a letter I once received from a
lawyer which had the following postscript: ``Dictated but not
read.''
I do not think it is difficult to design a standardized,
conspicuous privacy notice that informs consumers in an
unambiguous, non-contradictory way. The chart, which is
attached to my testimony and is what you see here, tells the
viewer most of what she needs to know about a Web site's
privacy practices and consumer choices. Web sites can take
advantage of the interactive nature of the Internet to design
effective mechanisms and to provide meaningful notice or
privacy policies.
I share Commissioner Leary's view that a comprehensive
privacy policy for consumers must extend to the offline world.
The business incentive to compete simultaneously in both the
offline and online worlds is high. To create a distinction
between offline and online is artificial and outdated and in
the long run may foster market barriers.
Finally, I want to commend the FTC staff for the hard work
they have done on this report. The Bureau of Consumer
Protection, with the assistance of the Bureau of Economics,
designed and implemented this survey, and the numbers were
reported clearly, fairly, and without bias.
Thank you for allowing me to share my views.
[The prepared statement of Commissioner Anthony follows:]
Prepared Statement of Hon. Sheila F. Anthony, Commissioner,
Federal Trade Commission
Mr. Chairman and members of the Committee, I am delighted to be
here this morning, and I appreciate your holding this hearing to
address a topic of great importance to the American people and critical
to the growth and success of electronic commerce.
I am pleased the Commission is recommending that federal
legislation is necessary to protect consumer privacy. Survey after
survey demonstrates that public concerns about privacy have been
growing and that these concerns have focused on the power of
technologies to collect, store, search, and transmit large amounts of
personally identifiable information. I not only share those concerns, I
note that threats to consumer privacy are increasing with the merging
of the offline and online worlds. In short, things may be getting worse
for Americans on the privacy front.
I wish to emphasize four points related to the legislative
recommendation the Commission makes to you today:
1) Any quality privacy policy should offer true protections to
consumers and be presented in a simple format that is clear and
understandable.
2) An enforcement mechanism must be in place that gives
consumers confidence that Web sites do what they say they will
do with consumers' personal data. While the seal of approval
programs offer promise, 92 percent of the surveyed sites did
not have a privacy seal from one of the industry-established
programs. There may be some advantage to building on industry
standards that utilize audits.
3) A patchwork of state privacy laws will result in confusion
to both consumers and businesses, and thus federal pre-emption
should be, at least, seriously considered. People value
uniformity and predictability.
4) Implementation of consumer consent, via opt-in and opt-out
methods, may require making a distinction between market
information and sensitive health and financial information.
A. Fair Information Principles Are Widely Accepted
In the Commission's first Privacy Report in 1998, we summarized
four widely accepted principles regarding the collection, use, and
dissemination of personal information. These core principles of privacy
protection are common to government reports, guidelines, and model
codes, and predate the online medium:
Notice--data collectors must disclose their information
practices before collecting personal information from
consumers.
Choice--consumers must be given options with respect to
whether and how personal information collected from them may be
used for purposes beyond those for which the information was
provided.
Access--consumers should be able to view and contest the
accuracy and completeness of data collected about them.
Security--data collectors must take reasonable steps to
assure that information collected from consumers is accurate
and secure from unauthorized use.
B. The Vast Majority of Web sites Collect Personal Data But Do Not
Provide Privacy Protections
The percentage of commercial Web sites that collect personally
identifying information is very high. The 2000 Survey reports that 97
percent of the Random Sample and 99 percent of the Most Popular Group
collect personally identifying information, but the percentage
providing aspects of these fair information practices is still quite
low. The 2000 Survey reports that only 20 percent of the Random Sample
and just 42 percent of the Most Popular Group address, at least in
part, all four fair information practices. In fact, these results
likely overstate the percentage of sites that truly implement the fair
information practices in a meaningful way. Our content analysts
credited policies if the stated practices applied to any of the
information collected, even if it did not apply to all the information
collected.\1\
---------------------------------------------------------------------------
\1\ The 2000 Survey analysis gave Access credit for informational
statements about any one of three elements (review, correction or
deletion). However, the Commission previously stated that fair
information practices require that consumers be afforded both an
opportunity to review information and an opportunity to contest the
data's accuracy or completeness. Under this standard, only 11% of the
random and 27% of the Most Popular Group would receive credit for
providing Access rather than the 18% of the random and 47% of the Most
Popular Group calculated using an expansive measure.
---------------------------------------------------------------------------
C. Policies Posted By Web sites Are Confusing and Contradictory
Perhaps more troubling to me is that many privacy policies are
confusing, contradictory, and ambiguous. What good is a privacy policy
that is not understandable by ordinary consumers, is contradictory from
paragraph to paragraph, or fails to offer basic protections?
I reviewed some of the privacy policies of the Most Popular Group
of Web sites in the survey. Frankly, I was disappointed. Almost half of
the privacy policies are too long, varying from 3-12 pages. Many try to
lull the consumer into a false sense of comfort by utilizing opening
statements regarding the importance of respecting individual privacy or
by referring to third parties as ``trusted vendors'' or those with whom
there is an ``established agreement to protect your privacy.'' Despite
the opening statements asserting the importance of the user's privacy,
subsequent paragraphs frequently contain contradictory information.
After reviewing some of these policy statements, I am left to wonder
whether:
these policies truly inform consumers
the Web sites have something to hide
the Web sites themselves are confused about their own
policies
the drafting lawyers have run amok.
Consider the following language in an Internet Service Provider's
published Privacy Policy.
The first sentence states:
Your privacy is very important to us.
But, continues several paragraphs later:
The personal information we collect from members during the
registration process is used to manage each member's account.
This information is not shared with third parties unless
specifically stated otherwise or in special circumstances.
Three pages later, the same policy goes on to say:
[We] may disclose personal information about our visitors or
members or information regarding your use of the Services or
Web sites accessible through our Services, for any reason if,
in our sole discretion, we believe that it is reasonable to do
so, . . .
Would you call this a clear, unambiguous disclosure? I do not. Does
it inform the consumer about whether his or her information will be
shared and, if so, with whom? I do not believe it does.
My next example illustrates serious concerns with regard to
meaningful consent. I quote from a privacy policy statement from one of
the top 100 sites:
When you submit personal information to [us] you understand and
agree that our subsidiaries, affiliates and trusted vendors may
transfer, store, and process your customer profile in any of
the countries in which we and our affiliates maintain offices.
Has the site identified with specificity the parties with whom it
will share customer information? Is consent meaningful if consumers do
not see this notice or have access to it at the time they surrender
their personal information?
Even a policy statement that incorporates all of the four fair
information practices may still be ambiguous and contradictory. What do
you make of a privacy policy that contains the following disclaimer:
These policies are effective as of [x date]. [This site]
reserves the right to change the policy at any time by
notifying users of the existence of a new privacy statement.
This statement and the policies outlined herein are not
intended to and do not create any contractual or other legal
rights in or on behalf of any party.
I wonder through what means consumers will be notified of changes
in the policy statement. How will data collected pursuant to one policy
be treated under a new policy? Must consumers ``check back'' from time
to time? The disclaimer, quoted above, seems to absolve the site of any
responsibility to protect a consumer's information. It reminds me of a
letter I once received from a lawyer, which had the following post
script: ``Dictated, but not read.''
D. An Increase in Posted Privacy ``Policies'' Does Not Correlate with
Increased Privacy Protections
Although the survey demonstrates some increase in the percentage of
sites posting privacy policies, these policies all too often do not
offer privacy protections. While Web sites should be offering privacy
protections, a whopping 80 percent of the surveyed Web sites in the
Random Sample failed to implement aspects of notice, choice, access,
and security.
E. No Enforcement Tools Exist to Ensure Sites Do What They Say
For years the Commission has urged industry to engage in meaningful
self-regulatory efforts. For self-regulation to be credible, there must
be an enforcement mechanism that gives consumers confidence that Web
sites do what they say they do with consumers' personal data. Seal
programs and audits can be key enforcement mechanisms. Yet, 92 percent
of the surveyed Web sites in the Random Group did not have a privacy
seal. Our legislative recommendation would reward those sites that have
offered meaningful privacy protections and would require all others to
meet basic privacy standards. It would also give consumers the
assurance that a legal structure is in place to provide confidence that
stated privacy policies will be honored.
F. A Standardized Privacy Notice May be Useful: See Chart
How difficult is it to design a conspicuous privacy notice that
informs consumers in a standardized, unambiguous, non-contradictory
way? Not very difficult. Appended to this testimony is a simple chart
that tells the viewer most of what she needs to know about a Web site's
privacy practices and consumer choices. Web sites can take advantage of
the interactive nature of the Internet to design effective mechanisms
to provide meaningful notice or privacy policies.
G. Profiling is Invisible and Threatens Consumer Privacy
Profiling is beyond the scope of this report, and I believe it will
be the subject of a later Commission report. Profiling poses a serious
privacy threat to consumers because it is largely invisible to them. I
am concerned about the passive, surreptitious collection of information
about consumers and their browsing habits without their knowledge. Our
report notes that third party cookies are placed by ad servers on 78
percent of the sites in the Most Popular Group. Of those sites, only 51
percent disclose to consumers that they have allowed third party
cookies to be placed (and they usually locate that disclosure at the
end of the policy statement). Unless consumers are technically skilled
enough to set their browser to alert them to cookies or to decline all
third party cookies, the placement of third party cookies generally
goes unnoticed by consumers.
H. Online, Offline: What's the Difference?
Finally, I share Commissioner Leary's view that a comprehensive
privacy policy for consumers must extend to the offline world.
Traditional brick and mortar businesses no longer store and maintain
their customer records on index cards. The data businesses have
collected offline are often transferred to computers and can be merged
with online databases with a simple click of a button. The business
incentive to compete simultaneously in both the online and offline
worlds is high. To create a distinction between the offline and online
worlds is artificial and outdated and in the long run may foster market
barriers.
Finally, I want to commend the FTC staff for the excellent job they
have done on this Report. The Bureau of Consumer Protection, with the
assistance of the Bureau of Economics, designed and implemented the
survey that formed the basis of this report. The survey numbers were
reported clearly, fairly, and without bias. My hat is off to them.
I appreciate the opportunity to express my views.
Sample Privacy Policy
----------------------------------------------------------------------------------------------------------------
We collect Personally Identifiable Information about      Yes    No    Click here to see what kinds of
  you                                                                  information we collect

We use your personal information to notify you of our     Yes    No    Click here to opt out/opt in
  future promotions

We share information about you with Third Parties for     Yes    No    Click here to opt out/opt in
  marketing purposes. Click here to see who we share
  information with

You may review and correct or delete information          Yes    No    Click here to access our database.
  about yourself (with proper authentication)                          Have your Membership # and Pin #
                                                                       ready.

We provide reasonable security to protect your            Yes    No
  personal information during its transmission and
  while it is in our possession
----------------------------------------------------------------------------------------------------------------
The Chairman. Thank you very much, Commissioner Anthony.
Commissioner Swindle.
STATEMENT OF HON. ORSON SWINDLE, COMMISSIONER,
FEDERAL TRADE COMMISSION
Mr. Swindle. Thank you, Mr. Chairman, Senator Hollings, and
members of the Committee.
The Chairman. You need the microphone.
Mr. Swindle. I appreciate this opportunity to be with you
today and share some thoughts. I will, at the chairman's
request, try to summarize my prepared statement, which we have
all submitted.
I have dissented against the Commission's embarrassingly
flawed privacy report and its conclusory, yet sweeping,
legislative recommendation. In an unwarranted reversal of its
earlier acceptance of a self-regulatory approach, a majority of
the Commission has recommended that Congress require all
commercial consumer-oriented Web sites that collect personally
identifying information from consumers to adopt government-
prescribed versions of four fair information privacy practices,
known as FIPPs. You have heard: notice, choice, access, and
security.
The majority has abandoned the self-regulatory approach in
favor of an excessive government regulation despite continued
progress in self-regulation. Why has a majority of the
Commission decided to discontinue relying on self-regulation?
The fundamental rationale given is that not enough Web sites
are providing the type of privacy protections that the
Commission has decided should be provided and this is hindering
and will continue to hinder the growth of electronic commerce.
Instead of focusing on consumers' increasing ability to
make choices concerning online privacy protection, the majority
emphasizes that the survey, the 2000 survey, reveals that only
20 percent of all commercial Web sites and 42 percent of the
most popular Web sites meet the full FIPPs requirement. But the
main reason for this relatively low percentage is that
commercial Web sites have not disclosed to consumers whether
they provide access and security. This failure to disclose is
not surprising given the access and security implementation
difficulties recently identified by the Advisory Committee on
Access and Security, a copy of which I believe is included in
our report.
In this regard, it is important to emphasize that the 2000
survey did not attempt to measure whether sites actually
provide access and security. Rather, it gauged only whether
disclosures address these issues. The 2000 survey certainly did
not give any credit for no access, even though the majority
indicates it might consider no access to be reasonable access
in some instances.
If these access and security disclosure requirements are
eliminated, the percentage of all Web sites meeting the FIPPs
requirement rises significantly, to 41 percent of all
commercial Web sites and 60 percent of the most popular. But
even this 41 percent figure is understated because it uses a
very strained definition of choice that is more accurately, in
my mind, described as mandated choice.
Specifically, there is no choice recognized by the survey
unless the consumer is allowed to make two choices: whether or
not his information can be used internally by the Web site or
the business or, and the second requirement, whether the
business is allowed to use that information with third parties.
The report's recommendation that choice be legislated does
not mean the kind of choice that informed consumers exercise in
a marketplace once they know the terms on which they are
dealing with retailers. That is real choice. The effect of
mandated choice may be, as Senator Kerry pointed out, to start
to eliminate or reduce choices for the consumers.
Legislation, in my mind, should be reserved for problems
that the market cannot fix on its own and should not be adopted
without consideration of the problems legislation may create
by, for example, imposing costs or other unintended
consequences that could severely stifle a thriving new economy.
The majority has recommended that Congress give rulemaking
authority to an implementing agency, presumably the Commission,
to define the proposed legislative requirements. In my
judgment, however, the Commission owes it to the Congress and
to the public to comment more specifically on what it has in
mind before it recommends legislation that requires all
consumer-oriented commercial Web sites to comply with
breathtakingly broad laws whose details will be filled in later
during the rulemaking process.
The privacy report is devoid of any consideration of cost
of legislation in comparison to the asserted benefits of
enhancing consumer confidence and allowing electronic commerce
to reach its full potential.
For the sake of time, I will not cover my entire dissent
nor the prepared statement that I have submitted today. But, I
would like to make a couple of remarks in conclusion. The
privacy report fails to pose and to answer basic questions that
all regulators and lawmakers should consider before embarking
on extensive regulation that could throttle the new economy.
Shockingly, there is absolutely no consideration of the costs
and benefits of regulation, nor of regulation's predictable and
unanticipated effects on competition and consumer choice, nor
the experience we have to date with government regulation of
privacy, nor of the constitutional issues, nor of how this
vague and vast mandate will be enforced.
Industry self-regulation is working. Effective privacy
protection is more than a numbers game, and the private sector
is continuing to address consumer concerns about privacy
because it is in industry's best interest to do so. Let us not
make the search for the perfect the enemy of the good. The best
way to build consumer trust and to ensure the continued growth
of the Internet is through a combination of education, strong
industry self-regulation, and strong FTC enforcement under
existing legal authority. It is premature and counterproductive
for the Commission to radically change course and call for
broad legislation.
Thank you, sir. I would be happy to answer questions later.
[The prepared statement of Commissioner Swindle follows:]
Prepared Statement of Hon. Orson Swindle, Commissioner,
Federal Trade Commission
Mr. Chairman and Members of the Committee, I am Orson Swindle, a
Commissioner of the Federal Trade Commission. I appreciate the chance
to testify today on the issue of online privacy.\1\
---------------------------------------------------------------------------
\1\ My oral testimony and any responses to questions you may have
reflect my own views and are not necessarily the views of the
Commission or any other Commissioner.
---------------------------------------------------------------------------
I have dissented from the Commission's embarrassingly flawed
Privacy Report and its conclusory--yet sweeping--legislative
recommendation. In an unwarranted reversal of its earlier acceptance of
a self-regulatory approach, a majority of the Commission has
recommended that Congress require all commercial consumer-oriented Web
sites that collect personal identifying information from consumers to
adopt government-prescribed versions of four fair information practice
principles (``FIPPs''): Notice, Choice, Access, and Security.\2\ The
majority has abandoned a self-regulatory approach in favor of extensive
government regulation, despite continued progress in self-regulation.
---------------------------------------------------------------------------
\2\ While this is a reversal for the Commission, Commissioner
Anthony has consistently preferred a legislative approach. See
Statement of Commissioner Sheila F. Anthony, Concurring in Part and
Dissenting in Part, Self-Regulation and Privacy Online (July 1999),
available at .
---------------------------------------------------------------------------
Why has the majority of the Commission decided to discontinue
relying on self-regulation? The fundamental rationale given is that not
enough Web sites are providing the type of privacy protections that the
Commission has decided should be provided, and this is hindering and
will continue to hinder the growth of e-commerce. The available data do
not support this rationale. The 2000 Survey shows that 88% of all
commercial Web sites (100% of the most popular sites) displayed at
least one privacy disclosure to consumers, up from a mere 14% of all
sites (71% of the most popular sites) in 1998. (Privacy Report [``PR'']
at 10, Appendix C, Table 2a). Thus, online companies are by and large
providing notice to consumers as to their privacy policies, and
consumers can choose whether to deal with these companies based on
their privacy policies. For those who believe that allowing consumers
to make their own choices is the fundamental objective, the results of
the 2000 Survey are very encouraging, although more work certainly
needs to be done by industry.
Instead of focusing on consumers' increasing ability to make
choices concerning online privacy protections, the majority emphasizes
that the 2000 Survey reveals that only 20% of all commercial Web sites
(42% of the most popular sites) meet the full FIPPS requirements. (PR
Appendix C, Table 4). But the main reason for this relatively low
percentage is that commercial Web sites have not disclosed to consumers
whether they provide access and security. This failure to disclose is
not surprising, given the access and security implementation
difficulties recently identified by the Advisory Committee on Access
and Security.\3\
---------------------------------------------------------------------------
\3\ In 1999, the Commission established an Advisory Committee on
Online Access and Security to provide advice and recommendations to the
Commission regarding implementation of reasonable access and adequate
security by domestic commercial Web sites. That Committee provided the
final version of its report to the Commission on May 15, 2000,
describing options for implementing reasonable access to, and adequate
security for, personal information collected online and the costs and
benefits of each option.
---------------------------------------------------------------------------
In this regard, it is important to emphasize that the 2000 Survey
did not attempt to measure whether sites actually provide Access and
Security; rather, it gauged only whether disclosures addressed these
issues. And the 2000 Survey certainly did not give any credit for ``No
Access,'' even though the majority indicates it might consider no
access to be ``reasonable Access'' in some instances.
If these access and security disclosure requirements are
eliminated, the percentage of all Web sites meeting the FIPPS
requirements rises significantly to 41% of all commercial Web sites
(60% of the most popular sites). But even this 41% figure is
understated because it uses a strained definition of ``choice'' that is
more accurately described as ``Mandated Choice.'' Specifically, the
2000 Survey gave credit for choice only when a Web site (1) gave the
consumer a chance to agree to or to authorize communications back to
the consumer from the Web site and (2) gave the consumer a chance to
agree to or authorize disclosure of the consumer's information to third
parties. The Report's recommendation that ``choice'' be legislated does
not mean the kind of choice that informed consumers exercise in a
marketplace once they know the terms on which they are dealing with
retailers. That is real choice. Instead, the majority has recommended
Mandated Choice that would require Web sites to continue to do business
with consumers who do not agree to the uses the site tells them it will
make of their personal information. For sites whose business depends on
the use of information to provide consumers with discounts or to reduce
the cost of services to consumers, the effect of Mandated Choice may be
to mandate their exit from the marketplace or at least the reduction of
the choices or products and services now available. Thus, in the name
of Mandated Choice, consumers would have less choice.
Not satisfied with the self-regulation's very encouraging progress
concerning privacy policy notices and its solid progress with regard to
Mandated Choice, the majority recommends that the Congress impose a
legislative solution. Legislation could limit consumer choices and
provide a disincentive for the development of further technological
solutions. Government regulation may actually give consumers fewer
choices and, as technology changes, less privacy. Legislation should be
reserved for problems that the market cannot fix on its own and should
not be adopted without consideration of the problems legislation may
create by, for example, imposing costs or other unintended consequences
that could severely stifle the thriving New Economy.
The majority has recommended that Congress give rulemaking
authority to an ``implementing agency'' (presumably the Commission) to
define the proposed legislative requirements. In my judgment, however,
the Commission owes it to Congress--and to the public--to comment more
specifically on what it has in mind before it recommends legislation
that requires all consumer-oriented commercial Web sites to comply with
breathtakingly broad laws whose details will be filled in later during
the rulemaking process.
The Privacy Report is devoid of any consideration of the costs of
legislation in comparison to the asserted benefits of enhancing
consumer confidence and allowing electronic commerce to reach its full
potential. Instead, it relies on skewed descriptions of the results of
the Commission's 2000 Survey and studies showing consumer concern about
privacy as the basis for a remarkably broad legislative recommendation.
It does not consider whether legislation will address consumer
confidence problems and why legislation is preferable to alternative
approaches that rely on market forces, industry efforts, and
enforcement of existing laws.
For the sake of time, I will not cover my entire dissent, but I
would like to draw your attention to additional points that it makes:
the Report does not adequately credit self-regulatory
efforts and ignores developments in technology;
the 2000 Survey provides a unique baseline for measuring the
quality of privacy disclosures;
individual FIPPS are widespread;
measuring success on the basis of full FIPPs is irrational;
equating self-regulatory enforcement with the prevalence of
seal programs is misleading;
the Report confirms the exponential growth in online
commerce but misuses consumer confidence surveys and lost sales
projections;
the meaning of surveys showing consumer unease is unclear;
and
the Report ignores or glosses over Constitutional issues,
enforcement difficulties, and questions relating to the
protection of offline privacy.
In conclusion, the Privacy Report fails to pose and to answer basic
questions that all regulators and lawmakers should consider before
embarking on extensive regulation that could throttle the New Economy.
Shockingly, there is absolutely no consideration of the costs and
benefits of regulation; nor of regulation's predictable and
unanticipated effects on competition and consumer choice; \4\ nor of
the experience to date with government regulation of privacy; nor of
Constitutional issues; nor of how this vague and vast mandate will be
enforced.
---------------------------------------------------------------------------
\4\ I note that the regulations promulgated to implement the
Children's Online Privacy Protection Act (``COPPA''), 15 U.S.C.
Sec. 6501 et seq., require detailed Notice; Access, including the
ability to review, correct, and delete information maintained by the
site; and a form of opt-in mandated Choice (verifiable parental
consent). 16 C.F.R. Sec. Sec. 312.4, 312.6(a)(1), 312.6(a)(2),
312.5(a), 312.5(b). The regulations went into effect on April 21, 2000,
and already press reports state that some small online companies have
stopped providing services to children because implementation of
COPPA's requirements is too costly. See, e.g., ``New Children's Privacy
Rules Pose Obstacles for Some Sites,'' The Wall Street Journal at B-8
(April 24, 2000) (reporting one attorney's estimate that it will cost
her clients between $60,000 and $100,000 annually to meet COPPA
standards); ``New privacy act spurs Web sites to oust children,''
William Glanz, The Washington Times (April 20, 2000), available at
. See also
``COPPA Lets Steam out of Thomas,'' Declan McCullagh, Wired News (May
16, 2000), available at .
---------------------------------------------------------------------------
Industry self-regulation is working. Effective privacy protection
is more than a numbers game, and the private sector is continuing to
address consumer concerns about privacy because it is in industry's
interest to do so. Let us not make the search for the perfect the enemy
of the good. The best way to build consumer trust and to ensure the
continued growth of the Internet is through a combination of education,
strong industry self-regulation, and strong FTC enforcement under
existing legal authority. It is premature and counterproductive for the
Commission to radically change course and call for broad legislation.
The Chairman. Thank you.
Commissioner Thompson.
STATEMENT OF HON. MOZELLE W. THOMPSON,
COMMISSIONER, FEDERAL TRADE COMMISSION
Mr. Thompson. Thank you, Mr. Chairman. Good morning to you
and members of the Committee. I wanted to thank you for
inviting me to appear before you again with my fellow
Commissioners to address our most recent report on online
privacy.
In 1997 when we began to look at the issue of privacy on
the Internet, consumer-based electronic commerce was largely
viewed as a place for the most adventurous and technologically
savvy. But at the same time, people with vision viewed the
Internet as a place that could potentially transform the
American consumer marketplace by empowering consumers with
access to vast quantities of information and new goods and
services.
Since then we have witnessed great progress in achieving
that transformation. Yet we still have a long way to go until
Americans fully embrace the Internet and accept its technology
as integral parts of their daily lives. Today industry,
government, and consumers alike share a common goal of making
the Internet as meaningful and productive for those at the
center of the market bell curve, namely the family in the
suburbs of Canton, Ohio, as it is for the technologist in
Silicon Valley.
To achieve this goal, we must be led by the voice of users
and allow the Internet to become consumer-driven. From the
beginning of the Commission's work, consumers have expressed a
great concern about privacy of their personal information on
the Internet, and industry has focused its attention on
attracting the core of American consumers. The concern that the
public has about privacy has only grown louder, so today the
issue of data privacy has become a litmus for consumer
confidence in the online marketplace.
Back in December 1998, I told industry that we were at a
critical juncture, one where industry is asked to self-regulate
at the behest of government and public trust. This choice,
while daunting, provides an exciting and unprecedented
opportunity for industry to take the lead in shaping public
policy for this important new medium. Consumers are expecting
that industry and government will work together to find new and
better ways to make the Internet safe, inspire consumer
confidence, and preserve the innovative spirit of e-commerce.
But the failure of industry to meet this challenge will not
only have a negative effect on the future of e-commerce, but
also on the public's confidence in industry's ability to take
the lead in solving important public policy problems.
To its credit, the most responsible segments of the online
economy recognized the importance of data privacy, both from
the public policy standpoint and as a test of their own
accountability.
The Chairman. Commissioner Thompson, could you summarize.
Commissioner Thompson. OK.
I think that we are at a critical juncture here. I think
that what we are trying to do is propose a model that is not
heavy-handed legislation, but provides a means for what some
people term as co-regulation. That puts industry in the
forefront.
But the problem of Internet privacy may indeed be larger
than what we originally envisioned. Industry has a very
important role as the lead, but there are holes in the Swiss
cheese. A legislative backdrop allows us to get at those holes.
You see them in our report when we talk about the quality of
what is being provided, and still parts of the Internet
industry that are not doing anything at all. Those need
attention, and we think it is a critical issue for consumer
confidence.
Thank you.
[The prepared statement of Commissioner Thompson follows:]
Prepared Statement of Hon. Mozelle W. Thompson, Commissioner,
Federal Trade Commission
In 1997 when the FTC began looking at the issue of privacy on the
Internet, consumer-based electronic commerce was largely viewed as a
place only for the adventurous and technologically savvy. At the same
time, however, many also viewed the Internet as a place that could
potentially transform the American consumer marketplace by empowering
consumers with access to vast quantities of information, as well as
goods and services. Since then, we have indeed witnessed great progress
in achieving that transformation; yet, we still have a long way to go
until Americans fully embrace the Internet and accept its technology as
integral parts of their daily lives. Today, industry, government and
consumers alike share the common goal of making the Internet as
meaningful and productive for those Americans at the center of the
market bell curve--the family in the suburb of Canton, Ohio--as it is
for the technologist in Silicon Valley. To achieve this goal, we must
be led by the voice of users and allow the Internet to become
``consumer driven.''
From the beginning of the Commission's Internet work, consumers
have expressed strong concern about the privacy of their personal
information on the Internet. And as industry has focused its attention
on attracting the core of American consumers, public concern about
privacy has only grown louder so that today, the issue of data privacy
has become a litmus for consumer confidence in the online marketplace.
In December 1998, I stated:
[W]e are all at a critical juncture, a point where industry is
asked to self-regulate at the behest of government and public
trust. This choice, while daunting, presents an exciting and
unprecedented opportunity for industry to take the lead in
shaping public policy for this important new medium. Consumers
are expecting that industry and government will work together
to find new and better ways to make the Internet safe, inspire
consumer confidence, and preserve the innovative spirit of e-
commerce. But, the failure of industry to meet this challenge
will not only have a negative effect on the future of e-
commerce, but also on the public's confidence in industry's
ability to take the lead in solving important public policy
problems.\1\
---------------------------------------------------------------------------
\1\ December 1, 1998, ``Managing the Privacy Revolution '98,''
Remarks Before the 4th Annual National Conference on Privacy & American
Business.
To its credit, the most responsible segment of the online economy
recognized the importance of the data privacy issue--both from a public
policy standpoint as a test of the technology industry's
accountability, as well as from a consumer confidence perspective as a
test of industry responsiveness to consumer demand. As a result, the
industry leaders have worked with the Commission and consumer groups to
provide the market with seal programs, privacy policies and consumer
and business education initiatives designed to address the public
policy and business challenge posed by the issue of Internet privacy.
Furthermore, to date, government has appropriately put industry self-
regulatory efforts at the forefront of America's response to the
privacy challenge. We recognize the important role that industry plays,
and will continue to play, in defining good business practices in
electronic commerce. After three years of Internet surveys, public
workshops, hearings and reports, however, it has become evident that
the public policy challenge posed by the issue of Internet privacy may
indeed be larger than any one segment--industry, government or
consumers--can address alone.
People in the Internet community are fond of stating that one
Internet year is equivalent to three calendar years. The Commission has
carefully and cautiously waited over three Internet years before
recommending legislative action. During that time, government, industry
and consumers have all learned much more about the substantial
challenge involved with providing online privacy. In recognition of
this complexity and the importance of Internet privacy as a threshold
issue for the future growth of electronic commerce, I believe that now
is the appropriate time for well-crafted legislation.
In July 1999, I testified before the Senate Commerce Committee
where I cautioned that industry faced a formidable challenge in
achieving effective self-regulation of Internet privacy. I stated that:
During the past year, industry leaders have expended
substantial effort to build self-regulatory programs. However,
I believe that we will not progress further unless industry
acts on the specific shortcomings that our report documents.
Congress and the Administration should not foreclose the
possibility of legislative and regulatory action if we cannot
make swift and significant additional progress.\2\
---------------------------------------------------------------------------
\2\ July 13, 1999, Statement of Commissioner Mozelle W. Thompson in
support of ``Self-Regulation and Privacy Online,'' FTC Report to
Congress.
Based upon what I perceived as real progress by industry in having
a greater number of Web sites bearing a privacy disclosure, I was
willing to withhold calling for legislative action to give industry
further opportunities to: (1) maximize privacy coverage by reaching out
to spur non-participating companies to adopt and implement effective
privacy policies; and, (2) to significantly improve the quality of
privacy protections by encouraging participating companies to embrace
and implement what the Commission, the Organization for Economic
Cooperation and Development and industry groups themselves (See e.g.
Privacy Principles of the Online Privacy Alliance) have long recognized
as the fair information principles of notice, choice, access, security
and enforcement.
Now, three years after the Commission submitted its initial report
to Congress and a year-and-a-half after I posed a direct policy
challenge to industry, our most recent survey shows that the quality of
privacy protections that even the most responsible sites provide, is
far from adequate. In fact, our survey shows that forty percent of the
most popular (and presumably most sophisticated and responsible) Web
sites still do not provide consumers with adequate notice and choice--
the most fundamental elements for any privacy policy. I believe these
results are especially disappointing because they demonstrate
substantial deficiencies in providing what most industry leaders agree
should serve as the bedrock of privacy self-regulatory efforts.
So where does that leave us? Based not only on our 2000 Survey
results but also our three years of working interactively with everyone
interested in the online privacy issue, a majority of the Commission
has concluded that Federal legislation is now appropriate because:
[S]elf-regulatory initiatives to date fall short of broad-based
implementation of effective self-regulatory programs, . . .
[and] that such efforts alone cannot ensure that the online
marketplace as a whole will emulate the standards adopted by
industry leaders.\3\
---------------------------------------------------------------------------
\3\ May 2000, Privacy Online: Fair Information Practices in the
Electronic Marketplace, at 35.
In making my recommendation, I believe that appropriate legislation
should not be viewed as a substitute for well-crafted industry self-
regulatory programs. This point is particularly important because
industry self-policing could ultimately provide the public with
consumer-driven privacy responses. Instead, legislation incorporating
directed rule-making and safe-harbors should provide a principled
backstop for effective industry efforts. Thus, if basic privacy
principles and industry self-regulation define the ``Swiss cheese'' of
online privacy, the Children's Online Privacy Protection Act and our
legislative recommendation should be viewed as a means of addressing
the holes in the cheese.
I believe the Commission's recommendation is also consistent with
my view of the cautious, balanced and responsible approach government
should take in the fast-moving Internet environment. Our recommendation
incorporates the principles of interactivity, flexibility and
innovation. Through safe-harbors and a rulemaking process, government
will interact with consumers and industry to implement appropriate
solutions to this important public policy problem. Moreover, by
recommending legislation that ``would set forth a basic level of
privacy protection for consumer-oriented Web sites [and providing] an
implementing agency with the authority to promulgate more detailed
standards,'' \4\ government would avoid an inflexible ``one size fits
all'' approach that would preclude recognition that consumers vary
their view of privacy obligations depending on how they believe their
personal information is being used. Finally, by recommending a
rulemaking process, it is possible to encourage, and over time
incorporate, technological innovation that can provide consumers with
better tools to protect their own privacy.
---------------------------------------------------------------------------
\4\ May 2000, Privacy Online: Fair Information Practices in the
Electronic Marketplace, at iii-iv.
---------------------------------------------------------------------------
Accordingly, I strongly support the recommendations contained in
the Commission's May 2000 Report, Privacy Online: Fair Information
Practices in the Electronic Marketplace.
The Chairman. Thank you very much, Commissioner Thompson.
As I mentioned, your complete statement will be made part of
the record, which I read and I appreciate.
Commissioner Leary.
STATEMENT OF HON. THOMAS B. LEARY, COMMISSIONER,
FEDERAL TRADE COMMISSION
Mr. Leary. Mr. Chairman, members of the Committee: You have
my concurring and dissenting statement and, in the interest of
time, I would just like to summarize and start with the areas
where I think we have broad agreement.
There is a dramatic increase in the number of companies
that publicly address privacy one way or the other, but the
quality of disclosures varies widely. Too many are confusing,
if not misleading, and I think that the examples that
Commissioner Anthony has cited for you speak for themselves.
More widespread disclosures of this kind could actually do more
harm than good. Therefore, I agree with some members of this
Committee and with the Commission majority that both business
and consumers would benefit from better disclosures.
There also seems to be broad agreement that any legislation
to address privacy concerns should ultimately apply in the same
way to both the online and the offline worlds to the extent the
information is the same. There are special capabilities in the
online world, which may require special attention, but there is
no reasonable basis for treating information that is collected
about my purchases on Amazon.com any differently from my
purchases at Borders. I think that we have a consensus on that.
There seems to be some difference on the issue of timing
and some question as to whether the Commission has enough
expertise to recommend broad-based legislation to you because
we have studied the Internet only. We have had a lot of
experience in privacy issues in the offline world as well,
Senators, and if there are any doubts about the issue you have
the capability yourselves to investigate and satisfy yourselves
that when the information is the same there should be an equal
playing field between the online and the offline worlds.
Finally, I would say that I think we all generally
recognize that once you get past the issue of notice and
disclosure the further elements of the so-called fair
information practices become progressively more complicated.
There is an even more compelling reason for treating them
differently than notice or disclosure. I agree with those
members of this Committee who state that ultimately adequately
informed consumers should be able to select for themselves the
level of privacy protection they want and may be willing to pay
for either directly or by foregoing some benefit.
It is not fair to allow consumers who are particularly
solicitous about particular elements of privacy and want broad
access and broad ability to correct, and so on, to impose costs
on those consumers who do not care. So I urge you to consider
whether or not the market, as it does in so many other areas of
our life, will not work better ultimately than government
regulation.
There may be certain special categories of information or
special uses, like health information or financial information,
that require special treatment in both the online and the
offline worlds. But they should not be part of a broad privacy
policy imposed on the Internet alone.
Finally, I would just like to say that I think it is in all
of our interest to continue to encourage the self-regulatory
schemes which are under way and which I believe ultimately hold
tremendous promise for improving performance in this industry
in a market-based fashion.
Thank you.
[The prepared statement of Commissioner Leary follows:]
Prepared Statement of Hon. Thomas B. Leary, Commissioner,
Federal Trade Commission
Today the Federal Trade Commission recommends that Congress enact
legislation to help consumers protect their privacy when transacting
business on the Internet. I agree that some legislation is appropriate,
but believe that the recommendation in the Report endorsed by a
majority is too broad in one respect and too narrow in another. The
recommendation is too broad because it suggests the need for across-
the-board substantive standards when, in most cases, clear and
conspicuous notice alone should be sufficient. The recommendation is
too narrow because any legislation should apply to offline commerce as
well.
The Report's recommendation is based, in part, on our common belief
that the Internet has enormous potential to grow our economy; that this
potential is inhibited to some degree by consumers' concerns about
their privacy; and that it is an appropriate policy objective to
address these concerns and encourage growth. So far, so good. The
issue, then, is how best to address these privacy concerns in an
evenhanded way. If the Internet is subjected to requirements that do
not apply pro tanto to offline commerce, the regulatory imbalance could
itself inhibit the growth of the Internet and undercut our common
objective.
We also agree unanimously that, whatever government does or does
not do, the private sector will have an important role to play. The
majority looks at the 2000 Web Survey data and concludes that the
private sector has failed to address privacy concerns rapidly enough. I
am not convinced that the Survey supports this conclusion, but agree,
for other reasons, that some legally mandated privacy protections would
be appropriate.
The Survey does not necessarily demonstrate that the market has
failed to respond to consumer demand. It only measures ``inputs,'' the
prevalence of privacy policies of various kinds; it does not measure
``outputs,'' the impact that these policies have on consumer confidence
and consumer behavior. The Survey numbers could be read to support
alternative scenarios. For example, the most popular sites generally
have more comprehensive disclosures, and this could mean that some
consumers favor them because of the disclosures. The fact that gains
are modest overall, however, may also indicate that consumers are not
quite as fixated on privacy issues as might appear from the public
opinion polls cited in the Report. Marketers generally know more about
consumer demand than regulators do.
Marketers know, for example, that consumers' actual buying habits
are not necessarily consistent with their expressed preferences. Their
stated interest in various ancillary protections like privacy may fade
or become more nuanced, once they learn more about them and realize
that there are costs attached. Consumer opinion on privacy issues
appears to be a complex subject,\1\ and public opinion polls simply do
not provide an adequate predicate for a legislative recommendation of
the scope contained in the Report.
---------------------------------------------------------------------------
\1\ Jupiter Communications, Proactive Online Privacy: Scripting An
Informed Dialogue to Allay Consumers' Fears, at 3-7 (June 1999).
---------------------------------------------------------------------------
There Is a Need for Better Disclosures
There is one aspect of the 2000 Web Survey, however, that I find
particularly disturbing. The Survey results do show a steadily rising
trend in the number of companies that address privacy, one way or
another, but we cannot therefore conclude that consumers are better
informed today or would be even better informed if the numbers rose
even further. In fact, a site's mere mention of privacy may lead to a
misperception that the consumer's privacy is well-protected, and a
plethora of varying and inconsistent privacy claims could add to
consumer confusion. The Survey tells us that the scope of the
disclosures varies widely (see Privacy Online: Fair Information
Practices in the Electronic Marketplace: A Report to Congress
(``Report'') at 38-44) and, in my view, vendors and their customers
would both benefit from a legislative initiative to require disclosures
of greater clarity and comparability.
Market processes, supplemented by traditional remedies against
consumer deception, should ultimately provide the most appropriate mix
of disclosures and substantive protections, but these forces sometimes
work slowly and I am convinced that privacy concerns have some special
characteristics that make it prudent to prompt the market to work more
rapidly. Some standardization of the disclosures would allow consumers
to compare more easily the privacy practices of different vendors. As
we learned when considering environmental marketing claims, for
example,\2\ varied and inconsistent claims lead to consumer confusion.
Consumers may not be able to recognize valid and invalid comparisons
when they are dealing with unfamiliar concepts. When terms have uniform
meaning and basic equivalent information is disclosed for each site,
the marketplace should work more efficiently.
---------------------------------------------------------------------------
\2\ See Guides for the Use of Environmental Marketing Claims (the
``Green Guides''), 16 C.F.R. pt. 260 (1999). When the Commission
requested public comment on these Guides three years later,
commentators generally agreed that they benefit both consumers and
industry, inter alia, by promoting consistency and accuracy in claims,
helping consumers to make accurate decisions, and thereby bolstering
consumer confidence. See Guides for the Use of Environmental Marketing
Claims, Final Rule, 61 Fed. Reg. 53,311 (1996).
---------------------------------------------------------------------------
Although consumers' knowledge and understanding of these issues is
steadily increasing, it still has a long way to go. Not only is the
Internet a recent invention, consumers are just beginning to become
aware of the potential for data collection both online and offline.
Consumers still do not know much about the possible uses of their
personal information (and new ones are invented every day), the
ramifications of permitting its use, and the costs associated with
limiting its dissemination. Because an efficient market presupposes
full and accurate information, it is appropriate to mandate more
extensive privacy disclosures.
Privacy concerns also differ from concerns about product attributes
that consumers may value. An uninformed decision to deal with a vendor
that disseminates personal information could have ramifications for
years to come, and that decision cannot be retracted. The marketplace
may ultimately discipline the less-than-candid vendor, but the
potential consumer harm will continue because the personal information
may have spread and cannot be retrieved. The privacy loss and
consequent harm results from mere participation in the market, with
insufficient notice, not from a bad purchase decision. By contrast, if
consumers are uninformed about particular product attributes, and
regret the purchase, the damage may at most be limited to the value of
the purchase.\3\
---------------------------------------------------------------------------
\3\ This limitation may not apply to products that are hazardous to
health and safety, and this is one reason why there are also
affirmative disclosure requirements to deal with these risks.
---------------------------------------------------------------------------
I therefore agree with the Report insofar as it recommends a
legislative prod to ensure better disclosures. Thereafter, I part
company.
The Report's Proposal Is Too Broad
The Report's recommendation is framed around the so-called ``fair
information practices'' of notice, choice, access, and security.
Notwithstanding references to the need for flexibility (see, e.g.,
Report at 60-61), the overall thrust of the Report is that any privacy
policy should, at a minimum, recognize substantive consumer rights in
each of these areas. What the Report does not do is adequately explain
why.
In addition to its expertise on consumer disclosures, the
Commission is supposed to have some expertise in the operation of
competitive markets--when they are likely to succeed and when they are
likely to fail. The Report does not explain why an adequately informed
body of consumers cannot discipline the marketplace to provide an
appropriate mix of substantive privacy provisions. These are matters
that Congress can and should investigate on its own, but our Report
does not provide any help. It is one thing to recognize that the fair
information practices (beyond adequate notice) are laudable goals and
to encourage their adoption by various self-certifying industry groups.
These certifying programs can make a valuable contribution by
reinforcing consumers' confidence and reducing consumer costs of
obtaining information. It is quite another thing to urge that the
practices, in one form or another, be mandated by legislation and by
rules.\4\
---------------------------------------------------------------------------
\4\ I acknowledge that previous Commission reports to Congress,
which advocated a ``wait and see'' policy, have suggested that
legislation could be appropriate if the fair information practices were
not more broadly adopted. I would not have endorsed that aspect of the
previous reports either, had I been here.
---------------------------------------------------------------------------
When the Commission issued the Green Guides, it expressly
disclaimed any authority or intention to achieve a substantive result:
The Commission does not have a statutory mandate to set
environmental policy. It is not the Commission's goal, for
example, to require that product [sic] be ``recyclable.''
Rather, any Commission cases, rules, or guides would be
designed to address how such terms may be used in a non-
deceptive fashion in light of consumer understanding of the
terms.\5\
---------------------------------------------------------------------------
\5\ Request for Public Comments on Issues Concerning Environmental
Marketing and Advertising Claims and Pending Petitions, 56 Fed. Reg.
24,968 (1991).
These disclosure-oriented guides did have a substantive effect; later
public comments indicated that they did ``encourage manufacturers to
improve the environmental characteristics of their products and
packaging,'' while ``allowing flexibility for manufacturers to improve
the environmental attributes of their products and to communicate these
improvements to consumers.'' \6\ Better information did lead to a
better market outcome. In my view, we should follow the precedent of
the Green Guides, and not request the authority to issue substantive
standards.
---------------------------------------------------------------------------
\6\ Guides for the Use of Environmental Marketing Claims, Final
Rule, 61 Fed. Reg. 53,311, 53,313 (1996).
---------------------------------------------------------------------------
The fact that the fair information practices have been favorably
regarded in the regulatory community for almost thirty years (Report at
8-9), does not justify mandatory legislation. A provenance from the
1970s is scant cause for comfort, because government regulators, here
and throughout the world, had much less faith in free market
institutions then than they have today.\7\ Moreover, it cannot be
claimed that the fair information practices are ``widely-accepted'' in
the business community (Report at 8). Our own Survey of the Internet
world demonstrates the contrary, and there is no indication that the
principles are widely accepted in the offline world either. I would not
be so quick to conclude that we are right and so many others are
wrong.\8\
---------------------------------------------------------------------------
\7\ See, e.g., Daniel Yergin and Joseph Stanislaw, The Commanding
Heights: The Battle Between Government and the Marketplace that is
Remaking the Modern World (1998).
\8\ The Commission's own Internet privacy policy, which can be
readily accessed by a click on the Commission's home page, provides
notice only. The Commission does protect consumer privacy. It complies
with the Privacy Act of 1974, a statute that applies fair information
practice principles to the federal government's collection and use of
information. 5 U.S.C. Sec. Sec. 552a et seq. However, the Commission's
privacy policy does not provide information about choice, access or
security measures.
---------------------------------------------------------------------------
The Report not only fails to explain why adequate disclosures are
insufficient, it passes too lightly over issues of complexity. Granted,
these are issues more appropriately addressed in a rule-making
proceeding, but Congress needs to have a better understanding of what
we mean when we ask for authority to set ``reasonable'' standards. For
example, the Report recognizes that ``access'' is a complicated matter
and indicates that any determination of what is ``reasonable'' should
be informed by the discussion of the Advisory Committee on Access and
Security (Report at 30-31, 61). At the same time, however, the Report
endorsed by the majority states flatly that ``the Commission believes
that fair information practices require that consumers be afforded both
an opportunity to review information and an opportunity to contest the
data's accuracy or completeness--i.e., to correct or delete the data.''
(Report at 32). This is an extraordinarily broad claim, which could in
many cases lead to vast expense for trivial benefit and which provides
an ominous portent for the content of any substantive rules.
Even ``choice,'' which at first glance seems only a natural
corollary of ``notice'' is a complicated subject. The Report
recognizes, for example, that it may be appropriate to provide
affirmative benefits if a consumer agrees to certain personal
disclosures (Report at 61). If the collection of data is one thing that
makes it possible for a vendor to offer lower prices, consumers who are
particularly tender of privacy would otherwise be able to free ride on
the value created by those who are not. (If a supermarket issues a card
that offers discounts to people who use it, in exchange for compilation
of useful data, consumer ``choice'' surely does not involve the right
to get the discount without supplying the data.\9\)
---------------------------------------------------------------------------
\9\ This use of an offline example is deliberate because the logic
is not dependent on the mode of collection. See discussion, infra pp.
10-12.
---------------------------------------------------------------------------
On the other hand, if the premium for permission to use information
is too generous, or the penalty for refusal too severe, consumer
``choice'' really involves nothing more than the ``choice'' to refuse
dealings with the vendor. The issue of what is or is not a reasonable
price differential is complicated, but may be too difficult to bother
with in a situation where a particular vendor competes with a number of
others that have their own policies. Does this mean that reasonableness
should depend on the market power of the vendor?
Other examples could be cited to illustrate the difficulties
involved in fashioning substantive rules about choice, access and
security, but there is no need to burden this statement further.
Congress can, and should, explore these issues in detail if it takes up
this aspect of the Report's legislative recommendation.
I therefore believe that any across-the-board legislative mandate
should be confined to notice alone, although disclosure rules might
appropriately provide that notice include information about the other
categories. In some cases, involving particular kinds of information or
particular uses, the risk of harm may be so great that specific
substantive standards are required. This is a legislative judgment.
Congress can, and already does pass industry-specific legislation to
deal with these situations.\10\ In addition, I believe it is entirely
appropriate for the Commission to impose more specific restrictions as
``fencing-in'' relief in a consent settlement, in order to discipline
the future behavior of business entities that have misused consumer
information in the past.
---------------------------------------------------------------------------
\10\ Gramm-Leach-Bliley Act, 15 U.S.C. Sec. Sec. 6801 et seq.;
Telecommunications Act of 1996, 47 U.S.C. Sec. Sec. 222 et seq.; Video
Privacy Protection Act of 1988, 18 U.S.C. Sec. Sec. 2710 et seq.; Cable
Communications Policy Act of 1984, 47 U.S.C. Sec. Sec. 551 et seq.;
Fair Credit Reporting Act, 15 U.S.C. Sec. Sec. 1681 et seq.
---------------------------------------------------------------------------
The Report does recognize (Report at 25) that notice is ``the most
fundamental of the fair information practice principles,'' but it
recognizes it for the wrong reason. Notice is not fundamental ``because
it is a prerequisite to implementing other fair information practice
principles, such as Choice or Access'' (Id.); it is fundamental because
it helps the marketplace accurately to reflect consumer preferences
with respect to the other principles. Consumers, so long as they are
informed by clear and conspicuous disclosures, will be able to select
the vendors that give them the privacy protections they want and are
willing to pay for.
The Report's Proposal Is Too Narrow
I also disagree with the Report's legislative recommendation to the
extent that it treats issues of online privacy as wholly different from
offline privacy. At times the Report acknowledges the existence of
offline privacy concerns and the erosion of the distinction between
online and offline commerce (Report at 8 n.26, 55 n.196), but it
justifies special treatment of Internet privacy on the ground that the
technology of the Internet has ``enhanced the ability of companies to
collect, store, transfer and analyze vast amounts of data[.]'' (Report
at 1).
Of course, some privacy issues are particular to the Internet. This
new technology has permitted uniquely invasive tracking of consumer
preferences by recording not just purchases, but consumers' movements
on the Internet as well. This practice of tracking, including third-
party profiling, may be particularly threatening and distasteful to
many. (See Report at 37-38, discussing so-called ``cookies''). Any
legislative or regulatory scheme can and should ensure that consumers
are adequately informed about these Internet capabilities.
However, the majority's recommendation is not focused on the
special characteristics of e-commerce or on particular categories of
sensitive information collected online. Instead, the majority would
apply the fair information practice principles to any personal
information collected by any commercial Web site, even though the
identical information can be collected offline. The distinction between
online and offline privacy is illogical, impractical and potentially
harmful.\11\ Let me examine each of these points in turn.
---------------------------------------------------------------------------
\11\ Chairman Pitofsky has expressed some of these views in one of
his own speeches. See Robert Pitofsky, Electronic Commerce and Beyond:
Challenges of the New Digital Age, Speech before the Woodrow Wilson
Center, Sovereignty in the Digital Age Series, Washington, D.C. (Feb.
10, 2000).
---------------------------------------------------------------------------
Recognition of the privacy concerns specific to e-commerce should
not obscure the fact that in significant respects online privacy
concerns are identical to those raised by offline commerce. The same
technology that facilitates the efficient compilation and dissemination
of personal information by online companies also allows offline
companies to amass, analyze and transfer vast amounts of consumers'
personal information.\12\ Offline companies collect and compile
information about consumers' purchases from grocery stores, pharmacies,
retailers, and mail order companies, in particular.
---------------------------------------------------------------------------
\12\ Abacus, a consortium of mail order companies, is a good
example of the ability of merchants to compile and share detailed data
about consumers' purchasing habits. See In re Trans Union, Docket No.
9255 (Feb. 10, 2000), appeal docketed, No. 00-1141 (D.C. Cir. Apr. 4,
2000).
---------------------------------------------------------------------------
It is also not possible to distinguish offline and online privacy
concerns on the basis of the nature of the information collected. With
the exception of online profiling, it is the same information. The
Report's recommendation would require Amazon.com to comply with the
fair information practice principles but not the local bookstore which
can compile and disseminate the same information about the reading
habits of its customers. The consumer polls, upon which the Report
places such significant reliance, demonstrate that consumer concerns
about the disclosure of personal information are not dependent on how
the data has been collected.\13\
---------------------------------------------------------------------------
\13\ See IBM Multi-National Consumer Survey, prepared by Louis
Harris Associates Inc., at 22-24 (October 1999).
---------------------------------------------------------------------------
Moreover, it is impractical to maintain such a distinction.
Businesses are likely to have a strong incentive to consolidate
personal information collected, regardless of the mode of collection,
in order to provide potential customers with the most personalized
message possible. Already, companies are seeking to merge data
collected offline with data collected online.\14\ In light of this
reality, the majority's recommendation would result in perverse and
arbitrary enforcement. Enforcement actions would depend on the source
of and method used to collect a particular piece of consumer data
rather than on whether there was a clear-cut violation of a company's
announced privacy policy or mandated standards.
---------------------------------------------------------------------------
\14\ Dana James, Synchronizing the Elements; Traditional Companies,
Yearning to Catch Up on the Basics, Find Value in Merging Online,
Offline Databases, Marketing News, Feb. 14, 2000, at 15.
---------------------------------------------------------------------------
Finally, the Report's focus only on online privacy issues could
ultimately have a detrimental impact on the growth of online commerce,
directly contrary to the Report's objectives. It is clear from the
Advisory Committee's Report on Access and Security and from limited
portions of the Commission's own Report that implementation of the fair
information practices will be complex and may create significant
compliance costs. Online companies will be placed at a competitive
disadvantage relative to their offline counterparts that are not forced
to provide consumers with the substantive rights of notice, choice,
access and security. Traditional brick and mortar companies that have
an online presence or are considering entry into the electronic
marketplace will be forced to assess how the cost of regulation will
affect their participation in that sector.
A better approach would be to establish a level playing field for
online and offline competitors and to address consumers' privacy
concerns through clear and conspicuous privacy disclosures. Any privacy
concerns that are unique to a particular medium or that involve
particular categories of information (however collected) can continue
to be addressed through separate legislation.\15\
---------------------------------------------------------------------------
\15\ See supra note 10.
---------------------------------------------------------------------------
The Report's recommendation limits itself to online privacy for
reasons that seem primarily historical. The Commission first looked at
the online world at a public workshop in 1995, followed by subsequent
workshops in 1996 and 1997. Then, starting in 1998, Commission staff
conducted annual surveys of Internet sites and their privacy policies
to measure in a rough way the state of industry self-regulation. Each
survey has been reported to Congress. The Report's legislative
recommendation flows from that series of surveys. The surveys have
provided a lot of useful information, and undoubtedly spurred industry
attention to online privacy issues, but the scope of these particular
surveys should not dictate the parameters of a legislative proposal.
The Commission has ample information available to support a broader
recommendation, and Congress will have ample opportunity to develop its
own legislative record. The fair information practices so frequently
referenced in the Report were, after all, originally developed to
address concerns regarding the collection of information offline. And
the Commission itself has had significant exposure to offline privacy
issues. For example, the Commission has enforced the Fair Credit
Reporting Act since its enactment in 1970.\16\ This statute addresses
consumer concerns about the collection and dissemination of sensitive
data by credit bureaus. Although the Act predates the advent of the
fair information practices, its provisions mandate some of these same
requirements.\17\
---------------------------------------------------------------------------
\16\ 15 U.S.C. Sec. Sec. 681 et seq.
\17\ The Commission recently issued its decision in In re Trans
Union, Docket No. 9255 (Feb. 10, 2000), appeal docketed, No. 00-1141
(D.C. Cir. Apr. 4, 2000), an enforcement action concerning the
dissemination by a credit bureau of certain information to target
marketers. The decision considered not only the privacy implications of
this practice but also the availability of other information collected
offline.
---------------------------------------------------------------------------
The Commission also undertook in 1997 a study of the ``look-up''
service industry, computerized database services that collect and sell
consumers' identifying information. The workshop and subsequent report
to Congress focused on the benefits of these services as well as the
risks, including consumers' privacy concerns.\18\ Although the Internet
increased access to these informational products, the information at
issue was primarily collected offline. Finally, just last week, the
Commission issued its final rule implementing the privacy provisions of
the Gramm-Leach-Bliley Act, a rule that focuses on the treatment of
consumer information by financial institutions--again without regard to
how the information was collected.\19\
---------------------------------------------------------------------------
\18\ See Individual Reference Services: A Federal Trade Commission
Report to Congress (Dec. 1997).
\19\ See Privacy of Consumer Financial Information, _ Fed. Reg._
(2000) (to be codified at 16 C.F.R. pt. 313).
---------------------------------------------------------------------------
Even if the Commission majority, who endorse the Report, determined
that our experience was insufficient to assess offline privacy
concerns, a better course would have been to invite further
Congressional inquiry. As it is, the Report's advocacy of legislation
limited to the online world suggests that public remedies should be
bounded by the scope of the studies we have chosen to conduct. This is
thinking upside down.
Existing Remedies Should Be Actively Pursued
Legislation to mandate more comprehensive and clear privacy
disclosures should ensure in the long run that the marketplace provides
consumers with their desired level of privacy protection. Legislation
and rule-making may take considerable time, however, and in the interim
some consumers may suffer long-lasting harm because they have not been
adequately informed about privacy issues. In order to reduce these
potential harms, I would recommend that the Commission take some
immediate steps.
First, the Commission should more actively employ its existing
authority under Section 5 to prohibit unfair or deceptive practices. We
can not only challenge outright violations of express privacy
policies,\20\ but also challenge policies that deceive because they
impliedly offer more protection than they deliver. As noted earlier,
although the Survey results demonstrate an increase in the number of
privacy disclosures, they also indicate that these disclosures often
involve inconsistent or confusing claims. (Of course, enforcement
actions should only be brought in cases of clear-cut deception, so that
companies which attempt in good faith to provide information, up to now
on a voluntary basis, would not be chilled from doing so.) Stepped-up
enforcement in this area, as elsewhere, serves a double purpose: it
addresses specific situations and sends a message both to consumers and
businesses.
---------------------------------------------------------------------------
\20\ See FTC v. ReverseAuction.com, Inc., No. 00-0032 (D.D.C. Jan.
6, 2000); GeoCities, FTC Dkt. No. C-3849 (Feb. 12, 1999).
---------------------------------------------------------------------------
Beyond this, the Commission should redouble its efforts to educate
consumers directly about the benefits and potential risks associated
with the collection and dissemination of their personal information.
Without additional authorization, we can help consumers to better
understand the meaning of various privacy disclosures. Informed
consumers will ultimately be the most effective agents for protection
of privacy, online and offline, by rewarding companies that offer the
preferred levels of protection.
The Chairman. Thank you very much, Commissioner.
We have another panel and I know all of our members have
questions, so I will just ask one. As has been pointed out, at
least statistically it is fairly impressive the number of Web
sites that offer privacy policies. But once you get into some
of these so-called policies it gets somewhat interesting.
In May, USA Today reviewed 10 major Web sites and found
their policies to be a confusing jumble of incomprehensible
language riddled with loopholes. Yahoo's policy, for instance,
is eight pages long, and your survey finds that fewer than half
of the sites had clearly worded procedures.
One of the more controversial Web sites, Doubleclick, says
that it would use personal information only with your
``permission.'' It does not tell you that it assumes it has
permission unless you explicitly opt out. And here is what you
have to do: Read the first 1,468 words, click on a link to
another page, read 650 more words that tell you why you should
not opt out, read 200 more words urging you once again not to
opt out, and click onto a final link to opt out of the program.
That is not exactly privacy as some of us understand it.
Now, I think this is a matter of real concern, particularly
when we look at what Doubleclick was set up for. I wonder if,
according to your report, as the numbers of Web sites that
provide ``privacy protection'' are more like Doubleclick's than
the kind of thing we assume that would allow us to ensure
privacy.
So I guess I would begin with Chairman Pitofsky and go
through the witnesses, because I think this is a serious
problem, for a Web site to advertise that it will protect your
privacy and then have this kind of mumbo-jumbo. When Yahoo,
which is one of the most respected and I believe the most used
Web site, takes eight pages and 3,405 words and 167 sentences,
that is not what we had in mind and I hope it is not your
definition of a Web site that allows people to have their
privacy ensured.
We will begin with you, Commissioner Pitofsky, and we will
go through in order of how the Commissioners spoke.
Mr. Pitofsky. Mr. Chairman, I went through the same process
with Doubleclick that you followed and I have to tell you, if I
did not have somebody helping me I would never have found out
how to get to the third and fourth screen in order to opt out.
The Chairman. And you are a former university professor.
Mr. Pitofsky. And I have been doing this consumer
protection work for 30 years.
I would have been lost somewhere between the third and the
fourth screen. This example is extreme, but I tell you, it is
not the only one. I saw one yesterday that was brought to my
attention, the headline is: ``We protect your privacy. Read on
and find out the terms.'' There are then ten single-spaced
pages. Lawyers would have trouble reading it. When you get to
the ninth page, you find out you have no rights at all. It is
notice, I suppose, but it is a kind of notice that does not do
consumers much good.
But on the other hand, 60 percent of the Web sites have
notice that we found was quite fair. The question is how you
get from that 60 percent all the way to the end. Let me just
repeat what I said: I am all for self-regulation, but if the
self-regulators cannot say: if you fail to give better notice
than that you violate our standards and we will refer you to
some law enforcement agency, then I am afraid many of these Web
sites who are fairly irresponsible are going to say: Well, why
do I not keep making the money selling private identifiable
information; so take my seal away from me; I will have to get
along without it.
I think there has to be a backup. Effective self-regulation
in my experience almost always has that kind of backup of law.
The Chairman. Did you see the Yahoo Web site?
Mr. Pitofsky. I did not see that one.
The Chairman. I am curious whether that would warrant a
seal of approval. And I say that not in any bias for or against
Yahoo, but the fact is it is the most popular Web site there
is.
Mr. Pitofsky. Let me check it out and I will get an answer
for you.
The Chairman. Thank you.
Commissioner Swindle.
Mr. Swindle. I will defer to Commissioner Anthony since she
was second--OK, or I will continue.
The Chairman. I am sorry. Commissioner Anthony, I am sorry.
I apologize.
Ms. Anthony. That is all right, Senator McCain.
My view is that a uniform standardized notice setting forth
in a simple manner, understandable and noncontradictory would
be a good thing for consumers to reveal what exactly the Web
site's practices are, and then have an opportunity to either
opt in or opt out. If there is additional information that
needs to be conveyed to the consumer, there could be
interactive ``click-here'' links on a standardized uniform
notice that could be utilized to further explain the policy.
But I do not think consumers have any protections if the
policy is so confusing that not even a university professor can
understand it.
The Chairman. Well, I will not comment on university
professors.
Commissioner Swindle.
Mr. Swindle. Mr. Chairman, I think we all agree that these
lengthy dissertations that we go through, they are so bad that
we do not look at them. That is obviously counterproductive,
and I think we can all agree that some form of reasonable
English notice--and I do not want to get trapped into saying I
am for English only here, since we have other people of other
languages----
The Chairman. How do we enforce that, then?
Mr. Swindle. The enforcement of it, I think, comes from the
Federal Trade Commission with its existing regulations. We had
a case here a couple of years ago called Geocities. It is a
very popular site. I personally have never visited it, but I
will take the staff's word that it is very popular. They had a
privacy statement and they said that, we will do certain
things.
We alleged that, contrary to what they said, they turned
around and shared the information with a third party in some
sense. They settled the case with us. However, once they posted
the policy they then came under the umbrella of Section 5 of
the Federal Trade Commission Act, and if they are deceiving
their customers we have authority to do something.
Now, our surveys, as has been reflected here in some of the
numbers that are addressed today, indicate that something on
the order of 90 percent of all Web sites have posted some form
of notice. Now, if that notice was properly conveyed in a more
simple manner than we are seeing now, to express what the site
does in the way of collecting information and how it uses it,
all those sites would be under the oversight of the Federal
Trade Commission under the existing laws.
I might point out that, even though we have a quantum leap
in the number of sites that have these notices, we have only
handled just a bare handful of cases in which we have
challenged the practices that they are implementing, having
stated what they do, such as in Geocities. But I think if we
continue to expand the numbers of people who have notice, state
their privacy policies, and we apply very close scrutiny on
what they are doing, I think the effects of FTC action will
have a positive effect on seeing more comply with it.
The Chairman. Commissioner Thompson.
Mr. Thompson. Mr. Chairman, I agree with you that--and you
are talking about what we consider to be the good guys, because
there are people out there who are saying nothing, and that we
have very few tools to get at those people. One of the
questions that some people raise is what is it that industry
cannot fix on its own? As you may remember, last year I was
here and I talked to you a little bit about coverage, and I
said that there is a core group that you still cannot get to.
They are still out there, and consumers deserve better.
Second of all, there is also a benefit to having a level
playing field here, so that there are not these wide
disparities, so the consumers wind up taking a risk every time
they go on the Internet.
The reason I might disagree slightly with some of my
colleagues about why online and why now, is because the
Internet provides you with an opportunity. The Internet allows
somebody to follow you around the shopping mall without your
knowledge. It is a little bit different. And because it allows
you to aggregate data and collect it on a real-time basis as
you put it in, they get it and they use it, means something. So
I think there is a slight difference.
One other thing is that I understand that Forrester
Research is coming out with a report today that is going to
talk a little about this, about some of the pressures on
businesses in the dot-com space that make it more advantageous
to sell data. They need to do that for economic reasons, and
the combination of hyper-partnering, meaning companies doing
things with other companies, the pressure to get profits in
that way may actually mean that you will see more of this
occurring in the Internet space faster.
The Chairman. Mr. Leary.
Mr. Leary. Mr. Chairman, I agree with the majority here
that there should be some legislation directing us to make
rules to assure more consistent and more adequate disclosure.
That is something we know how to do and we have done in other
areas.
I also agree with a somewhat different majority that you
should have the same disclosures when you order by mail or when
you open a charge account at your department store to the
extent the information is exactly the same.
Thank you.
The Chairman. Senator Hollings has a question, and we have
two votes on the floor and after that we will take a brief
recess until we can return from the vote. Thank you. Senator
Hollings.
Senator Hollings. There is not any question that the
offline should be regulated as online. We gave it to you to do
just as you just said, Mr. Leary, that you promulgate rules and
regulations for the offline as we have it for the online.
Otherwise we have got the proposition, of course, that it is
going to be more difficult each day that passes to ex post
facto or retroactively do anything. We are into an environment
where the best of the best--and I know Fred Yang and Yahoo and
they are one of the best, and yet they give little notice. You
can see the game that is going on.
I feel like I am in a class where the professor is grading
by way of a scale and everybody is cheating. I am going to have
to cheat in order to pass, regardless of how much I know about
the subject.
Kennedy said years ago, the captain who waited for his ship
to be fit never puts to sea. So we put to sea with S. 2606, and
we did it with your counsel. There is not any question that you
folks are the nearest experts I can find and the most objective
folks that I can find. Our staff has done, along with your
staff, an outstanding job.
We have drawn a target with S. 2606. Maybe most of you have
not had a chance to read it because we waited for you to submit
your report and then we of course introduced our bill. We
already have ten co-sponsors.
I want each of you in writing to give me criticisms of that
particular bill, what is heavy-headed, what is unrealistic, and
what is impossible for industry. We have been very considerate
of industry. The Internet is not going to stop. All of these
folks here act like some day it is going to slow down. It will
never slow down. This thing is a dynamic that is running way
ahead of all of us, and each day that passes with State's
attorneys general all trying to pass their laws, with any and
everything coming out of the Congress and nothing real, we have
got to really move on this thing. After 5 years, I think we are
pretty well in a position to move with your counsel and
criticism.
Please do that for me, and we thank you very, very much for
what you have done for us so far.
Excuse me. The Committee will be in a brief recess.
[Recess.]
The Chairman. The Committee will resume. Please,
Commissioners, take your seats, and we will begin questioning.
I think Senator Wyden by early bird rules is next.
Senator Wyden. Thank you. Thank you very much, Mr.
Chairman. I will let our guests get their seats.
[Pause.]
Mr. Chairman, this question is for you. As you know,
Senator Burns and I have been at it for well over a year trying
to craft bipartisan legislation. As I have indicated, I happen
to think that Senator Hollings, Senator Kerry, and others are
making important contributions. I think it would be helpful if
you could tell us, in your view are there any dangers in
waiting to pass bipartisan privacy legislation?
Mr. Pitofsky. It is an interesting question. Yes, I think
that there are inappropriate invasions of privacy that go on at
this time, and they are of a sort that it is difficult for us
to get at under present law. Nothing is said about privacy or
it is a confusing disclosure, but not really a deceptive one.
So I think there is always a question of protecting
consumer rights as promptly as possible. On the other hand, I
do think, having worked on this now for 5 years and very
energetically for 3, there are differences of view reflected in
some of the legislation. There are tough questions that were
raised by our advisory committee and in our report. Therefore I
think it is more important to do this in a thorough and careful
way than to rush to any judgment in this area.
I think we are all aware that it is the end of a
Congressional session and there are not that many legislative
days left. If it can be done appropriately in a short period of
time, fine. But I think it is more important to get it right.
Senator Wyden. Do you believe that you have existing
rulemaking authority under your underlying statute, the organic
statute, to protect consumer privacy?
Mr. Pitofsky. No, we do not. That is the point. It seems to
me we need the kind of legislation that we have recommended and
that you and Senator Burns have authored in order to engage in
rulemaking. We could call invasions of privacy ``unfair,'' but
I do not believe that we could sustain that position.
Senator Wyden. Let me wrap up with this. I do not think
what you are talking about now is a radical departure from your
previous position, and I do not think you are abandoning self-
regulation. I hope that what people will see in this whole
effort is that this is not some sinister government power grab.
This is an opportunity to empower the consumer; at the end of
the day, what we want to do is give consumers control over
important information.
We can have this debate about the technical terms, opting
out and opting in. In English what we all understand is that
explicit permission from the consumer for things like medical
and financial information is clearly their expectation. Senator
Kerry has defined that as opt-in.
At the same time, if you subscribe to Newsweek for 20 years
and they are thinking about contacting you for the 21st year,
we should not make them send you one letter in order to get
permission to send another letter. I think the approach that
you are talking about is very much in line with the bipartisan
legislation that Senator Burns has talked about. I think it is
consistent with the kinds of ideas Senator Hollings and Senator
Kerry have expressed, and we appreciate your leadership and
look forward to working with you.
Thank you, Mr. Chairman.
The Chairman. Senator Kerry.
Senator Kerry. I appreciate Senator Wyden's comment.
Senator Wyden, Senator Hollings, Senator Rockefeller, and I
were chatting on the floor a few moments ago, and it seems to
me that there is an opportunity here for us, Mr. Chairman, to
try to see if we cannot find a bipartisan meeting ground here
that pulls people together. I do not think we are that far off.
Clearly, medical and financial Web sites deserve some kind
of special status. I think we can agree on that. We need to
find a way to do that.
I still maintain that the degree to which, when you get
beyond the notice, the choice, access, and security issues are
at this point perhaps left too much to the regulatory process
rather than trying to bring the marketplace into it. This would
bring the private sector into some perhaps joint resolution
that might even result, for instance, in something like an FTC
seal of approval, in conjunction with the corporate community
in a joint effort to arrive at an agreement as to what the
appropriate measure should be.
It seems to me there are some choices in front of us. But I
still remain troubled. Let me ask this question first. If we
were to pass a fairly significant disclosure and fairly clear
disclosure requirement, without mandating in specificity each
aspect of choice, access, or security, would you not then be
empowered to enforce? And would you not, if you joined together
with the community in this sort of FTC seal, be leveraged
significantly in your ability to be able to hold people
accountable?
Mr. Pitofsky. In my view, a notice bill is better than the
status quo and I would be comfortable with it. But I think we
should go further. I believe Congress should go further.
Let me emphasize the choice aspect, because access and
security become very complicated. But what would be the
consequence of a bill that mandated notice--and we could
enforce that, of course--but did not provide choice? Well,
first of all I would point out that is not the way we do things
in consumer protection. We do not say to consumers: If you go
to a store and you are the victim of bait and switch, if you
buy a defective product, if you buy a dangerous product, if you
are abused in credit terms, then why do you not go to some
other store? We say to them: You have a right to be protected
against fraud.
Now, if privacy is worthwhile--and I believe it is--then we
ought to go the next step and say: First, you should be told
what is going to happen with that information; and, second, you
should be given an opportunity to say count me out.
Senator Kerry. Sure. But my point is, rather than mandating
whether it is going to be opt-out or opt-in in a particular
instance, it seems to me you could arrive with the industry at
a fair set of options on which you put your approval. And if
they vary from that or they are not clear, as Chairman McCain
suggested they are not in eight pages--I agree with that. It is
clear. You go on the Internet today to some of these sites and
it is an exercise in obfuscation. They are clearly trying to
not have you opt-out.
So we need to empower consumers. Most people I talk to who
are in the industry want to empower consumers. The entire
salesmanship of this industry has been based on its
democratization impact and consumer empowerment. So it seems to
me you could arrive at that, could you not?
Mr. Pitofsky. I agree and I think we could. I think if we
sat down with the responsible people in this industry, from
what I have seen of their behavior so far, we could find common
ground about what the rules of play ought to be.
Senator Kerry. I also want to say that I think it is far
more urgent because of the conglomeration of information on the
net and because of the speed with which the net moves and sort
of the new awareness of choice. The American public is now
becoming far more sensitized to the privacy issue.
But, in point of fact, we cannot just gloss over this
offline-online distinction. It sometimes amuses me. Somebody
does not want to give their credit card on the Internet, but
they will hand it to a waiter at a restaurant they have never
been to and they are never going to go to again. He disappears
in a back room for 5 minutes and they do not have a clue what
happened to the credit card or what may happen in the ensuing
days.
Likewise, you can buy, I am told, criminal information
records on individuals in the marketplace today. Additionally,
information is available on somebody's social security number
and through any kind of credit check. I have seen people's
personal credit card transactions appear in newspapers based on
their private sleuthing through the offline market.
So the notion that there is some new threat really needs to
be thought through, because the level of loss of privacy of the
average American today is absolutely extraordinary. Marketing
takes place in highly specified ways offline, but we are only
worried about online, this seems imbalanced.
Do you not agree that these are inconsistencies we have got
to try to work through?
Mr. Pitofsky. I do agree with that.
Senator Kerry. Are there not dangers in the offline issue?
Mr. Pitofsky. Speaking for myself, I have increasingly come
around to the view--I did not start there--that the theory of
distinguishing online from offline is really rather weak. I was
very influenced by one of our advisory panel people who said:
What is the point of treating differently warranty information
that is gathered when the consumer files a warranty card--an
example of offline private information--when we know some clerk
is going to sit there and read it right into an electronic
format? Why would you treat one differently than the other? I
found that a very powerful argument.
I am also influenced by the fact that we hear that through
mergers, joint ventures, and otherwise that online and offline
companies are merging their data bases, and that is another
reason why we should think about both.
Senator Kerry. But I also say respectfully, and I will
terminate on this, that that is another reason why I think we
need to approach this thoughtfully and carefully. I suggest
simply that if we had at least the first step, where we all
could agree on a simple, clear, straightforward form of
required disclosure with a set of principles on which each of
the acceptable four major principles and enforcement: security,
access, choice, notice, and enforcement. If we could establish
that in terms of principles, and then you went to work with the
industry, it seems to me that you may wind up with a better
product. Meanwhile, we can go to work.
Now, I want to emphasize, Mr. Chairman, on financial
information and medical information those are places where
there ought to be significant rigidity and clarity, and I hope
the Committee can come together on it.
Thank you, Mr. Chairman.
The Chairman. I would remind Committee members we do have
another panel after this and it is now quarter to 12. So I hope
we can ask sufficient questions and yet exercise brevity.
Senator Burns.
Senator Burns. Thank you, Mr. Chairman.
I only have one question in listening to the testimony
here. It will be very simple. We are pretty much--we agree that
the four areas of concern in this are notice, choice, access,
and security. Ms. Anthony, I was interested in your
recommendation on strong enforcement mechanisms as well as an
audit process. Can you give me some detail on what that might
look like? I would be interested in that.
Ms. Anthony. Well, as I said in my testimony, Senator
Burns, there are enforcement mechanisms at hand. The seal
programs I think really had a very sensible way to deal with
privacy. However, I am unaware of anybody that they have kicked
out for not complying, and I do not think everyone has
complied.
I think also that government has used, in the past,
industry standards in audits, and that is just another
suggestion. I am not making any firm recommendation on those
fronts. I am just throwing them out as suggestions for you to
consider when you devise some enforcement mechanism.
Senator Burns [presiding]. That is--everybody jumped up and
ran away. Oh, are you next? Senator Rockefeller. If you can be
brief, please.
[Laughter.]
Senator Burns. Sorry I asked.
Senator Rockefeller. A couple quick points. A comparison
was made between fraud and privacy, and I just want to
emphasize the enormity of the issue of privacy. It affects
every single American, mostly without their knowledge, as
opposed to fraud, which is the usual thing you complain about
with Medicare and other things--waste, fraud, abuse, etcetera.
These are issues of enormously different dimensions.
Second, if you have voluntary compliance or if you have a
regulatory system set up in which you actually get 80 percent
or 90 percent of companies that are complying with proper
notification that meets all of Commissioner Anthony's
specifications, that the 10 percent can undo all of the 90
percent in an instant. So it has got to be 100 percent. That is
not offline; that is an online problem.
That is why I think that we tread on dangerous water when
we start comparing offline and online and saying, well, if we
are going to do one we have got to do the other. They operate
under different sets of market rules and they access or make
themselves available and dangerous to the American public at
very different levels of speed and enormity.
About nine out of ten businesses that start up fail. This
means that businesses are starting often. Their accounting
rules have changed and now we have discovered they do not have
as much money as they thought they did, but people are still
into it. It is driving the economy and it is a very good thing
for America and for the world.
But again, all it takes is a couple of startups that do not
have the money or the time or cannot afford the lawyers to be
able to put that proper notification on. All the good work that
you enforce or lay out self-regulatory or we lay out other
rules for is gone. The 2 percent can undo the 98 percent
because once they sell it to the third-party purchaser or they
have bought it from a third-party purchaser, it is all gone.
That point needs to be made. That is why I think this is a
very different level of problem than talking about online-
offline.
The third thing I want to say is that this is a wonderful
set of circumstances into which to introduce minutia which
distracts, but which is nevertheless important as you listen to
it. Witness: Somebody comes in my office yesterday, they do not
like what Senator Hollings and I are doing, and so they say,
but if you get into access, that means that the consumer might
be, as we used to say, a deadbeat dad, until we started getting
all the letters from dads who did not consider themselves that
way. They go in and then they change information to protect
themselves from having to do what they need to do. Or criminals
also can access and change their records.
In other words, there are a thousand ways you can come at
this to nitpick, to show that there is no perfect software,
there is no perfect system. What that does is it tends to throw
us on the defensive and say, oh, we cannot do that. We cannot
have deadbeat dads changing their records so they do not have
to pay child support. Let us just back off and do nothing.
Again, I come back to my original point. We do not have
that luxury. I think that is why, Mr. Chairman, you come down
with the line of we have to do better. And I think you want to
do online and offline together, but my question is are they
really of the same dimension? Do they move at the same speed?
Do they have the same consequences, offline as online? I think
that you would agree with me that they do not.
Mr. Pitofsky. I do agree with you, Senator. I think the
online threats to the privacy of consumers are greater than
offline because of the way in which information can be
gathered, marshalled, sorted out, accumulated, and then sold.
So it is different. But I do not know about very different.
There are threats to privacy that occur in the offline world
that deserve our attention.
I know the bill that you are sponsoring suggests that the
FTC take a look at that and report back to Congress, and I
think that is the right way to go. We did not report on it on
this occasion, because we really had not investigated it.
The Chairman [presiding]. Thank you.
Senator Bryan.
Senator Bryan. Mr. Chairman, if I might just follow up on
that. You are not suggesting, however, that because in your own
thought process as you describe the evolution of the
significance of offline privacy invasion, that we should hold
up on these recommendations in terms of developing these base
standards of notice, choice, access, and enforcement? I want to
be clear on that.
Mr. Pitofsky. Yes, Senator, exactly right, I am not.
Senator Bryan. Mr. Swindle, if I might ask you a couple of
questions. I believe you were a dissenter in the report that
the majority filed. As I understood the thrust of your
testimony, you believe that self-regulation ought to be given
an opportunity to work its course before we embark upon a
legislative course of action. Is that a fair statement of your
position, sir? I do not want to mischaracterize it.
Mr. Swindle. Yes, sir, that is a fair description of it,
but it goes further than that. My concerns with the report were
that the report is a misconstruing of information and data. It
is the basis for making the recommendation that we have this
very broad, all-encompassing legislation on virtually every Web
site that exists. And, I think the data is used in a misleading
manner and that leads to a recommendation which is illogical. I
think we are on the wrong track.
Senator Bryan. Do you support the concept that consumers
ought to be given a notice of what the privacy policies are of
online providers?
Mr. Swindle. Yes, sir.
Senator Bryan. Well, let me ask you to respond. Ms. Anthony
had an example which she shared with us, where you have got to
be referred from one page to another and several hundred
intervening words. Our Chairman cited an example of one which I
think any fair-minded person would say is not effective notice.
I believe that Senator Kerry used the word ``obfuscation.'' I
would say that it triumphs form over substance.
Now, why should we not have some legislative standard that
requires meaningful notice if this kind of action is being done
by some of the major online providers in the country?
Mr. Swindle. Senator Bryan, I think you will perhaps
recall, in commenting to Senator McCain's comments, I said
these things are so ridiculous that I do not even read them. I
just click them off.
Senator Bryan. I apologize, I think I had to leave.
Mr. Swindle. I am in the same group, and I think some form
of clear and conspicuous notice would be most appropriate. I
also made the statement that, in effect, our survey indicates
that in excess of 90 percent of Web sites now provide some form
of notice already. It is not the best of notices because some
of them are Yahoo versions and some of them probably do not say
anything other than, ``we have a privacy policy.'' So the
quality of that statement, if it were prepared and put into
very clear and precise, easy to understand form, would be a
very good thing to do.
I think choice naturally follows from being able to
understand what is before you. It is like going into a store,
it costs a dollar for this ball. If I want to pay a dollar for
the ball, I pay it. If the privacy notice says, we want to
collect this information if you want to come into our site,
then you make a choice. You go or do not go.
Senator Bryan. I am sure there are other examples other
than those that were cited for the record. The notices are
misleading and confusing, and I think you are saying that you
agree that in effect those are not real notice. Do we not need
to have some type of a legislative response that says, look,
notice cannot be just some game in which the consumer is moved
from one link to another on a web page. It has got to be
meaningful.
Is there anything wrong with a legislative standard that
requires notice to in fact be----
Mr. Swindle. No, sir.
Senator Bryan. So you would agree with that?
Mr. Swindle. My disagreement is with the all-encompassing
nature of the recommendation. We are not talking about the same
thing here.
Senator Bryan. So you would have no problem with
legislation that talks about notice in a meaningful sense?
Mr. Swindle. Yes, sir. And I think in my statement or my
dissent I said if the Congress believes we must legislate, let
us go no further than notice.
Senator Bryan. Notice. Let me ask about an aspect of
enforcement. Mr. Chairman, this is my last question. You have
been patient, but I do not think I have belabored the point.
We had a situation with Chase Manhattan, one of the major
banks in America. Those of us that serve on the Banking
Committee know. Their privacy policy indicated a course of
action in terms of how they would deal with consumer
information, with private information. In point of fact, they
violated their own consumer policy and sold to third party
telemarketers. They received a 24 percent commission for each
sale that was ultimately consummated as a result of that third
party, the telemarketer, negotiating with the customer.
Now, ultimately what occurred, as you know, is the Attorney
General in New York brought suit. But that deals with an
enforcement issue. I mean, I do not know the law of every state
in the country, and I certainly do not know the particular
circumstances of the New York law. But, clearly, that is such a
blatant violation of a stated policy there has got to be some
enforcement.
Would you agree with that point, Mr. Swindle?
Mr. Swindle. Yes, sir, and we can do that under Section 5
of the Federal Trade Commission Act. I made reference earlier
to Geocities, which is exactly that case. We would not be
involved in the banking industry, as the Senator knows. But in
the case of Geocities they had a privacy statement, they said
we will do A, B, and C, and we found out later, alleged that
they did A, B, C, D, E, and F and did a similar thing, they
sold the information to third parties. And we have the power
today to take enforcement action against them.
Senator Bryan. So I take it from your response that it
would be within your jurisdiction. Maybe we need to look at
that; that is a separate issue. So you would certainly favor a
regulation that would clearly provide some sanction for
violation of a stated privacy policy such as that?
Mr. Swindle. We have that authority today under existing
law.
Senator Bryan. Mr. Chairman, thank you very much.
I appreciate your response, Mr. Swindle.
The Chairman. Thank you.
I would like to tell the witnesses I appreciate their
patience. I apologize for the break while we had a couple of
votes. I thank you for helping us address these very difficult
issues. We will be in communications with you. In fact, we may
ask you to come back if and when there is some proposed
legislation concerning this very, very important issue.
So thank you very much.
Mr. Pitofsky. Thank you, Mr. Chairman.
The Chairman. The next panel is: Ms. Jill Lesser, Vice
President of Domestic Public Policy, America Online; Ms.
Christine Varney, senior partner of Hogan and Hartson,
testifying on behalf of the Online Privacy Alliance; Mr. Jason
Catlett, President of the Junkbusters Corporation; Mr. Jerry
Berman, Executive Director, Center for Democracy and
Technology; and Mr. Daniel Weitzner, who is Technology and
Society Domain Leader of the World Wide Web Consortium.
I would ask those who are departing to expedite their
departure and those who are witnesses to please come forward as
quickly as possible so we can continue the hearing.
I want to thank all the witnesses for their patience.
Obviously, your complete statement will be made a part of the
record. Welcome, Ms. Lesser.
STATEMENT OF JILL A. LESSER, VICE PRESIDENT OF DOMESTIC PUBLIC
POLICY, AMERICA ONLINE, INC.
Ms. Lesser. Thank you, Chairman McCain, and I will try to
be brief. Chairman McCain----
The Chairman. Could I emphasize, of course, we want you to
be brief, but it is most important that we receive the
information you have to impart. If there is any appearance of
impatience on the part of the chairman and members of the
Committee, please disregard that. The most important thing----
[Laughter.]
Ms. Lesser. I will take that under advisement.
The privacy report issued this week by the Federal Trade
Commission shows in many ways that we have reached a crossroads
in the development of the online medium. It is clear that the
Internet is revolutionizing our society, dramatically changing
the way we learn, communicate, and do business. People are
migrating to the Internet to meet their commerce and
communications needs at an extraordinary rate because it is
convenient and fast and offers unprecedented selection of
information, goods, and services.
Yet, despite this enormous growth the Internet has enjoyed
over the past few years, or perhaps because of it, we have seen
a heightened awareness of online privacy and security issues,
consumer protection, and a whole host of issues related to
online safety. And even though the medium continues to grow at
an enormous rate, online companies are realizing that it is
their responsibility to address these issues for their
consumers.
Of course--and I think this has perhaps been
underemphasized today--this medium offers to users an ability
unprecedented to customize and personalize their experiences.
Consumers can, and do on a regular basis, communicate specific
preferences that will allow them to receive information
tailored to their own interests.
No other commercial or educational medium has ever afforded
such tremendous potential for personalization, and we are
seeing consumers take advantage of these opportunities at an
incredible rate. But we know that the power of the Internet can
only be fully realized if consumers feel confident that their
privacy is properly protected when they take advantage of these
benefits, and therefore we, along with many other companies,
are protecting privacy. We view it as an essential aspect to
earning their trust, and this trust is, in turn, essential to
building the medium.
That is why we and other companies have devoted so much
time and energy to creating strong policies that provide
meaningful protection. As we have discussed much this morning,
there are several important elements of those policies and I
believe many, particularly the industry leaders, have policies
that address all of those elements.
Our own commitment is based on the lessons we have learned
and the input we have gotten from consumers, policies that
clearly notify our users what information will be collected,
why, how it will be used, and the opportunity to exercise
choice and disclosure. Indeed, we intend to fully implement
those notice and choice principles across all of our brands
when we hope our merger with Time-Warner is finally
consummated.
We also make sure that our policies are well understood
with respect to our employees, and I think this is an important
point as well. Implementation throughout a company of a privacy
policy is critical to making sure that it is really truly
within the ethos of all of our companies.
We do try to keep users informed about the steps they can
take. That is, do not give out your password and certainly do
not give information out to companies or anybody you do not
know and you do not trust.
Finally, with respect to children, we have worked with many
of you, Senator Bryan and Senator McCain in particular,
supporting the Online Privacy Act related to children in the
105th Congress and do believe it was an area where additional
steps were needed.
In adopting and implementing our own policies, we are
committed to fostering best practices within the industry, and
you will hear from the Online Privacy Alliance and many other
trade associations and others we have worked with, and we have
done a lot to make sure that our business partners are also
following important privacy policies.
So after all of that background, where are we now? The FTC
report concludes that, despite this progress, industry has not
done enough and that broad privacy legislation is necessary in
order to ensure that consumers are protected. Does this mean in
their view that self-regulation is a failure, and what are we
as industry therefore supposed to do?
As the Committee and other Congressional leaders begin to
sift through the FTC's recommendations, I would just like to
offer a few thoughts as you do that. First, it is important for
all of us in industry and government to stop thinking about
this issue as a zero sum game, as self-regulation versus
government regulation. Instead, we must remember that the crux
of the issue is about consumer confidence, consumer protection,
safety, and security, and since all of us have the same end
goal, to ensure that consumers trust the online medium, we do
not need to set ourselves up as opponents in a privacy battle.
One way to approach this joint responsibility is to allow
the market to lead, as it has, in developing up-to-date and
innovative initiatives for protecting privacy, but give the
government its important enforcement activities. Indeed--and I
think this is important to note in light of all the numbers we
have heard today--the government's existing enforcement powers
are greatly expanded simply by the proliferation of privacy
policies, now numbering almost 90 percent.
If you look at the examples used by Chairman McCain, by
Commissioner Anthony and others this morning about perhaps
unfair or deceptive privacy policies, I would note that the FTC
does have broad enforcement authority in those areas. So if you
compare 90 percent of sites having privacy policies with the
enforcement authority of the FTC, I think there is an enormous
amount of coverage that we are underestimating.
Second, I would say that it is critical that neither the
government nor industry view this issue as simple. On the
contrary, when we as businesses ask our consumers what they are
most concerned about, we get a variety of different answers.
For some consumers, it is really security rather than privacy--
identity theft, hacking--and certainly this is an area where
the industry has every incentive to do the right thing, but the
government must make clear that bad behavior is unacceptable.
For other consumers, the primary concern relates to
sensitive information, an issue we have talked about a lot this
morning. Individuals want to take advantage of online health-
related services, for example, without worrying about
embarrassing or compromising releases of their health
information. Indeed, Congress has addressed these issues
through financial services legislation enacted last Congress
and the Health Insurance Portability and Accountability Act of
1996, neither of which, I would note, have been fully
implemented. So we do need to make sure we understand what is
out there.
Such examples and others underscore the intricacy of the
privacy issue and the difficulty in pinpointing the actual
problems that need to be addressed through industry or
government action. Unfortunately, I would say the FTC's
recommendation for a sweeping regulatory regime for online
privacy does not take into account either the complex
dimensions of this issue or the need for industry-government
partnership on privacy.
The Commission purports to recognize the important role
that industry leadership on self-regulation has played, yet it
recommends broad legislation with expansive regulatory
authority that could actually discourage industry-led
initiatives and market-driven solutions by outlawing consumer-
oriented methods of privacy protection and personalization.
We would therefore simply ask that members of this
Committee look at privacy with a high regard for the benefits
of personalization and the efficacy of industry action to date.
You may find there are gaps in industry enforcement where
government must step in to ensure compliance. Nevertheless, it
is clear that companies are responding to increasing
marketplace demand for online privacy, and the tremendous
growth of e-commerce reflects a positive trend on a variety of
consumer protection issues, including privacy.
The challenges that lie ahead will give us a chance to
prove that industry and government can work together, but
ultimately it is the consumer who will judge whether those
efforts are adequate because, no matter how extraordinary the
opportunities for e-commerce may be, the marketplace will fail
if we cannot meet consumers' demands for privacy protection and
gain their trust.
We as a company are committed to doing the right thing. We
believe our colleagues in the industry are as well. We
appreciate the opportunity to discuss these important issues
with you this morning. Thanks.
[The prepared statement of Ms. Lesser follows:]
Prepared Statement of Jill A. Lesser, Vice President of
Domestic Public Policy, America Online, Inc.
Chairman McCain, Senator Hollings, and Members of the Committee, I
would like to thank you, on behalf of America Online, for the
opportunity to discuss online privacy with you today. My name is Jill
Lesser, and I am the Vice President for Domestic Policy at AOL.
The privacy report issued this week by the Federal Trade Commission
shows that, in many ways, we have reached a crossroads in the
development of the online medium. It is clear that the Internet is
revolutionizing our society--dramatically changing the way we learn,
communicate, and do business. People are migrating to the Internet to
meet their commerce and communications needs at an extraordinary rate
because it is convenient and fast, and offers an unprecedented
selection of information, goods and services. AOL subscribers can sign
on to our service and do research, shop for clothing, obtain health
information, and buy airline tickets--all in a matter of minutes. And
every day we are seeing new online opportunities arise, and new users
flocking to take advantage of these opportunities.
Yet despite the enormous growth that the Internet has enjoyed over
the past few years--or maybe because of it--we have seen a heightened
awareness of online privacy and security issues. Every day we are faced
with new reports, studies, and statistics--many of which seem to
contradict each other--about how Internet users feel about the medium
and how online privacy is, or isn't, being protected. And even though
the medium continues to grow at an incredible rate, online companies
are realizing that they have to sit up and pay attention to privacy if
they want to stay in business.
Of course, one of the most attractive benefits that this medium
offers to users is the ability to customize and personalize their
online experience. Consumers can communicate specific preferences
online that will allow them to receive information tailored to their
own interests. For instance, AOL members can set their online
preferences to get sports scores or stock quotes, read news stories
about their own hometown, or receive notices about special discounts on
their favorite CDs. No other commercial or educational medium has ever
afforded such tremendous potential for personalization, and we are
seeing customers take advantage of these opportunities at an incredible
rate--through our own services and through countless other business
models for personalization, from online bookclubs to discount ticket
agencies to special offers from the local supermarket.
But we know now that the power of the Internet can only be fully
realized if consumers feel confident that their privacy is properly
protected when they take advantage of these benefits. If consumers do
not feel secure online, they will not engage in online commerce or
communication--and without this confidence, our business cannot
continue to grow. For AOL, therefore, protecting our members' privacy
is essential to earning their trust, and this trust is, in turn,
essential to building the online medium. That's why AOL and other
companies have devoted so much time and energy to creating strong
privacy policies that provide meaningful protection and are backed up
by compliance and enforcement programs.
AOL's own commitment is based on the lessons we've learned over the
years and the input we've received from our members. We've created
privacy policies that clearly explain to our users what information we
collect, why we collect it, and how they can exercise choice about the
use and disclosure of that information. AOL's current privacy policy is
organized around 8 core principles:
    We do not read your private online communications.
    We do not use any information about where you personally go
      on AOL or the Web, and we do not give it out to others.
    We do not give out your telephone number, credit card
      information or screen names, unless you authorize us to do so.
      And we give you the opportunity to correct your personal
      contact and billing information at any time.
    We may use information about the kinds of products you buy
      from AOL to make other marketing offers to you, unless you tell
      us not to. We do not give out this purchase data to others.
    We give you choices about how AOL uses your personal
      information.
    We take extra steps to protect the safety and privacy of
      children.
    We use secure technology, privacy protection controls and
      restrictions on employee access in order to safeguard your
      personal information.
    We will keep you informed, clearly and prominently, about
      what we do with your personal information, and we will advise
      you if we change our policy.
We give consumers clear choices--which are easy to find and easy to
exercise--about how their personal information is used, and we make
sure that our users are well informed about what those choices are. For
instance, if an AOL subscriber decides that she does not want to
receive any tailored marketing notices from us based on her personal
information or preferences, she can simply check a box on our service
that will let us know not to use her data for this purpose. Because we
know this issue is so critically important to our members and users, we
make every effort to ensure that our privacy policies are clearly
communicated to our customers from the start of their online
experience, and we notify our members whenever our policies are changed
in any way.
We also make sure that our policies are well understood and
properly implemented by our employees. We require all employees to sign
and agree to abide by our privacy policy, and we provide our managers
with training in how to ensure privacy compliance. We are committed to
using state-of-the-art technology to ensure that the choices
individuals make about their data online are honored, and that such
data is protected and secured.
And we try to keep users informed about the steps they can take to
protect their own privacy online. For instance, we emphasize to our
members that they must be careful not to give out their personal
information unless they specifically know the entity or person with
whom they are dealing, and we encourage them to check to see whether
the sites they visit on the Web have posted privacy policies and to
review those policies.
Furthermore, AOL takes extra steps to protect the safety and
privacy of children online. One of our highest priorities has always
been to ensure that the children who use our service can enjoy a safe
and rewarding online experience, and we believe that privacy is a
critical element of children's online safety.
We have created a special environment just for children--our ``Kids
Only'' area--where extra protections are in place to ensure that our
children are in the safest possible environment. In order to safeguard
kids' privacy, AOL does not collect personal information from children
without their parents' knowledge and consent, and we carefully monitor
all of the Kids Only chat rooms and message boards to make sure that a
child does not post personal information that could allow a stranger to
contact the child offline. Furthermore, through AOL's ``Parental
Controls,'' parents are able to protect their children's privacy by
setting strict limits on whom their children may send e-mail to and
receive e-mail from online.
As you know, AOL supported legislation in the 105th Congress to set
baseline standards for protecting kids' privacy online--precisely
because of the unique concerns relating to child safety in the online
environment. We worked with Senator Bryan, Senator McCain, the FTC, and
key industry and public interest groups to help bring the Child Online
Privacy Protection Act (COPPA) to fruition. We believe the enactment of
this bill--which took effect last month--was a major step in the
ongoing effort to make the Internet safe for children.
In addition to adopting and implementing our own policies, AOL is
committed to fostering best practices among our business partners and
industry colleagues. One of the strongest examples of this effort is
our ``Certified Merchant'' program, through which we work with our
business partners to guarantee our members the highest standards of
privacy and customer satisfaction when they are within the AOL
environment. AOL carefully selects the merchants we allow in the
program, and requires all participants to adhere to strict consumer
protection standards and privacy policies. The Certified Merchant
principles are posted clearly in all of our online shopping areas,
thereby ensuring that both consumers and merchants have notice of the
rules involved and the details of the enforcement mechanisms, which
help to foster consumer trust and merchant responsiveness.
Through our Certified Merchant program, we commit to our members
that they will be satisfied with their online experience, and we have
developed a money-back guarantee program to dispel consumer concerns
about shopping online and increase consumer trust in this powerful new
medium. We believe that these high standards for consumer protection
and fair information practices will help bolster consumer confidence
and encourage our members to engage in electronic commerce.
We at AOL are proud of the steps we've taken to create a
privacy-friendly environment online for our members and encourage our industry
colleagues to do the same. But we haven't done these things to prove a
point or to discourage government regulation--we've done them because
we must do them, because our business, more than ever, requires us to
respond to consumer demands and take privacy seriously in order to
build more consumer trust in the medium. And we know that many other
online businesses feel exactly the same way. That's why AOL joined with
other companies and associations two years ago to form the Online
Privacy Alliance (OPA), about which you will hear more this morning
from another witness. And that's why through NetCoalition, a group
representing some of the largest and most active online companies, we
recently sent a letter to 500 CEOs encouraging them to post good
privacy policies on their Web sites that contain the key fair
information principles, and to fully implement these policies within
their companies. The progress that industry has made is real--one thing
the FTC report clearly shows is that the proportion of commercial Web
sites posting privacy policies has skyrocketed in less than three years
from less than 14% to over 90%--unbelievable progress for an industry
that barely existed just a few years ago and which today is
demonstrating the most rapid growth in the history of media.
So where are we now? The FTC report concludes that, despite this
progress, industry hasn't done enough, and that broad privacy
legislation is necessary in order to ensure that consumers are
protected. Does this mean that self-regulation is a failure? What are
we supposed to do next?
As the Commerce Committee and other Congressional leaders begin to
sift through the FTC's recommendation and face the issue of whether to
take action in this area, I would like to offer just a few thoughts on
how you might approach answering these difficult questions:
First, it is important that all of us in industry and government
stop thinking about the privacy issue as a ``zero sum game''--as
self-regulation versus government regulation. Instead, we must remember that
the crux of the issue is really consumer confidence, consumer
protection, safety and security. And since all of us have the same end
goal--to ensure that consumers trust the online medium--we do not need
to set ourselves up as opponents in a privacy ``battle.'' Clearly the
industry has an enormous incentive to make consumer protection a
fundamental part of doing business, but there is also an important role
for government in protecting consumers. One way to approach this joint
responsibility is to allow the market to lead the way in developing
up-to-date and innovative initiatives for protecting privacy, but let the
government step up its enforcement activities. Indeed, the government's
existing enforcement powers are greatly expanded simply by the
proliferation of privacy policies, now numbering 90 percent. This type
of partnership allows for maximum flexibility and technological
innovation, so that the ``good guys'' can set the stage for best
practices while the ``bad guys'' pay the price for bad behavior.
Second, it is critical that neither the government nor industry
view privacy as a simple issue with a simple answer. On the contrary,
when we as businesses ask our consumers what it is they are most
concerned about we get a variety of different answers:
For some consumers it is security rather than privacy that
is the greatest concern. They care more about whether their
credit cards can be safely ``submitted'' online than about
whether their ISP will send them a tailored advertisement. In
reality, the risks of identity theft may actually be greater in
the offline world than in the online world, where fewer humans
actually touch or handle an individual's credit card, for
example. Yet the prospect of personal information being
compromised through hacking and theft is likely keeping many
consumers from going online. This is certainly an area where
the industry has every incentive to do the right thing but the
government must make clear that bad behavior is not acceptable.
For other consumers, the primary concern relates to
sensitive information like health and financial data.
Individuals want to take advantage of online health-related
services, for example, without worrying about embarrassing or
compromising releases of their health information. For these
types of information, industry and government will need to
determine what privacy standards need to be in place for
particular businesses to succeed, and indeed Congress has
already addressed these issues through financial services
legislation enacted last Congress and the Health Insurance
Portability and Accountability Act of 1996, neither of which
have yet been fully implemented.
Still another group of consumers is concerned about whether
their online behavior is being ``tracked.'' Yet when the
technologies behind such activity are explained and consumers
are able to understand that there are both positive and
negative uses of these types of tools, it may turn out that
consumers simply want to know what a particular Web site is
doing so they can make their own decisions about how to use
these services.
Such examples underscore the intricacy of the privacy issue and the
difficulty in pinpointing the actual problems that need to be addressed
through industry or government action.
Unfortunately, the FTC's recommendation for a sweeping regulatory
regime for online privacy does not take into account either the complex
dimensions of this issue or the need for an industry-government
partnership on privacy. The Commission purports to recognize the
important role that industry leadership on self-regulation plays in any
privacy solution; yet the report recommends broad legislation that
would provide ``flexibility to the implementing agency in promulgating
its rules or regulations . . . [that could] define . . . fair
information practices with greater specificity.'' Such expansive
regulatory authority could actually discourage industry-led initiatives
and market-driven solutions by outlawing consumer-oriented methods of
privacy protection and personalization. Furthermore, such sweeping
legislation would not take into account all of the more targeted
proposals that have either been enacted or are pending--from the new
children's privacy law, to rules for health and medical data, to
financial privacy regulations.
We at AOL would therefore ask the Members of this Committee to
develop its policies in the privacy area with high regard for the
benefits of personalization and the efficacy of industry action to
date. You may find that there are gaps in industry enforcement where
government must step in to ensure compliance. Nevertheless, it is clear
that companies are responding to the increasing marketplace demand for
online privacy, and that the tremendous growth of e-commerce reflects
positive trends on a variety of consumer protection issues, including
privacy. Sweeping regulatory action could very likely curb such market
innovation and competition and discourage creative and flexible
approaches to privacy protection.
The challenges that lie ahead will give us the chance to prove that
industry and government can work together to promote online privacy.
But ultimately, it is the consumer who will be the judge of whether
these efforts are adequate. Because no matter how extraordinary the
opportunities for electronic commerce may be, the marketplace will fail
if we cannot meet consumers' demands for privacy protection and gain
their trust.
We at AOL are committed to doing our part to protecting personal
privacy online. Our customers demand it, and our business requires it--
but most importantly, the growth and success of the online medium
depend on it. We appreciate the opportunity to discuss these important
issues before the Committee, and look forward to continuing to work
with you on other matters relating to the Internet and electronic
commerce.
The Chairman. Ms. Varney, welcome.
STATEMENT OF CHRISTINE VARNEY, SENIOR PARTNER, HOGAN AND
HARTSON, ON BEHALF OF THE ONLINE
PRIVACY ALLIANCE
Ms. Varney. Thank you, Chairman. It is a pleasure to be
here. Thank you for inviting me. Mindful of your admonition, I
am just going to talk for a few minutes. I have got longer
remarks that we have submitted for the record and I would like
to address some of the issues that have been raised this
morning.
First of all, we can sit here all day and argue about
numbers--88 percent, 60 percent, 40 percent, back out access,
back out security, whatever. I think that it is fairly clear
that there has been enormous progress. If you look over time,
the increase in the numbers of Web sites that are making some
type of privacy disclosures, providing some types of choices,
is going up. I think that is something that this Congress can
take a lot of credit for because they have shown a lot of
leadership in working with the industry on it.
The complexity that we get to, that Commissioner Anthony
and others have mentioned, when you read these notice policies
should not be underestimated. Both Yahoo and Doubleclick have
very large, very complex businesses and, Chairman, both those
companies have been working very hard in the last month to
completely revamp their privacy policies and make them easier
to use, easier to read, and both those companies would like to
come and talk to you, perhaps next week if you have time, to
show you what they are planning on doing and get your feedback
and your thoughts about it.
The Chairman. I would be glad to do that.
Ms. Varney. Thank you.
If privacy policies, if notices are misleading, I think as
Ms. Lesser said, the FTC has the authority. Maybe what they
need is more resources. They ought to prosecute those people.
To put a statement up that says we protect your privacy policy
and somewhere in the statement say we do whatever we deem
reasonable with your data and you do not get any choice about
it, I think is deceptive on its face and it ought to be
prosecuted.
Senator Kerry talked a lot----
The Chairman. Yahoo? Yahoo ought to be prosecuted?
Ms. Varney. Well, Yahoo's is not deceptive, Senator.
Yahoo's is complex. Yahoo is a very large company with an
enormous Web site offering a wide array of services and
products. When I read Yahoo's privacy policy, what I think they
tried to do was be completely comprehensive, tell you
everything. And it is not easy to read, they will agree with
you.
The Chairman. Why do you have to be comprehensive? Can you
not just say, this information will be private? What is the
comprehensiveness?
Ms. Varney. You may absolutely say, we will never disclose
this information to anyone under any circumstances, if that is
what you do. When you run a Web site where you have content
provider partners, where you have chat rooms that you link to
that are run by other companies, where you have ask-a-doctor
questions, where you e-mail a doctor who does not work for a
company but works for somebody else, that information is in
fact going to someone else.
It might be clear to you, it might not be clear to you. But
to say we never give your information to anyone under any
circumstances is flat out deceptive, unless that is precisely
what you do. I would submit to you, Senator, unless you are
dealing with a very small Web site, that is not the case today.
These Web sites, why are they so complex and
comprehensive----
The Chairman. So we need a how many sentence----
Ms. Varney. I think that what you see----
The Chairman. Ms. Varney, that is not appropriate. It is
not appropriate for most Americans not to be able to understand
a Web site's privacy policy.
Ms. Varney. I agree, I agree.
The Chairman. Now, can you understand the Yahoo statement?
Ms. Varney. I do not think that is a fair test, Senator.
The Chairman. Well, we just had a university professor who
could not.
Ms. Varney. I will leave that one.
I think that you are right, it is too complicated, and the
companies are really working on how to make it less complex.
Why is it so complicated? Because they are big companies with
lots of business units. They are publicly traded companies that
face shareholder lawsuits if they are not completely accurate
in every regard. That is not to say that they cannot do it
better and that they should not and that they will. I think
they all will, which goes to my next point.
The Chairman. I apologize for interrupting you, by the way.
Ms. Varney. Not at all. Always better to have an exchange,
I think, a dialog than a monologue.
What you have seen, what you have identified here this
morning, I think is a real problem in making these notices easy
to find, read, and understand. How do you do that? That is a
problem we ought to address and perhaps ultimately it may need
to be addressed legislatively.
Do you need to delegate what I consider to be broad,
sweeping regulatory authority to the FTC to do that? No. This
Congress has not delegated to any Federal agency broad
regulatory authority over the Internet and I do not think this
is the time to start.
Senator Kerry mentioned the financial data, data related to
health and medical information, data related to kid-sensitive
data. That may need a more complex regulatory scheme. In fact,
as Ms. Lesser said, you passed the Financial Services
Modernization Act. Now, we can argue about whether or not the
privacy protections in that are adequate, but you passed it and
it is just now going into effect.
You passed the Health Insurance Portability and
Accountability Act. Those regulations dealing with privacy are
not even done yet. We need to look at them. We need to figure
out if there is loopholes. We have to give Americans the
highest level of protection for their health and medical data.
The kids law, the Children's Online Privacy Protection Act,
which this Committee birthed, has been wildly successful in my
view, but it has had some unintended consequences, maybe not
bad but unintended. Let us take a look and see where the gaps
are.
The question I think is, whether it is 80 percent or 90
percent or 60 percent, how do you get this last mile to get
every Web site that is collecting personal information to tell
consumers in a straightforward way what they are doing and what
their choices are? I do not believe the answer is delegating
broad regulatory authority to the Federal Trade Commission at
this time.
Thank you, Senator.
[The prepared statement of Ms. Varney follows:]
Prepared Statement of Christine Varney, Senior Partner, Hogan and
Hartson, on Behalf of the Online Privacy Alliance
Mr. Chairman:
Thank you very much for inviting me to testify this afternoon on
behalf of the Online Privacy Alliance. My name is Christine Varney. I
am a former Federal Trade Commissioner and am currently a partner at
Hogan & Hartson where I chair the Internet Practice Group. In addition,
I am an advisor to the Online Privacy Alliance--a coalition of over 100
industry and trade associations who came together two years ago to
formulate and advocate for best privacy practices online. With your
permission I have submitted for the record extensive descriptions of
privacy practices developed by the Online Privacy Alliance that can be
used for future reference. I would like to take a few minutes here to
discuss the FTC's report and the Commission's call for regulatory
authority.
First, let me congratulate and thank the Commission for their
ongoing work in examining the issues of privacy in the information age.
It was not that long ago when I was a Commissioner in 1995 and I was
told by some of my colleagues, none of whom are still at the FTC, that
privacy was not a consumer protection issue. I think we have all come
to realize that privacy is the consumer protection issue of the
information age.
It is important to remember that the FTC's study is not and cannot
be considered an evaluation of the state of privacy on the Internet.
The FTC's analysis that only 20 percent of Web sites comply with all
four fair information practices, and therefore, provide inadequate
privacy is fundamentally flawed. As Commissioner Leary points out in
his statement, the Commission's own Internet privacy policy does not
meet the Commission's own test for an adequate privacy policy. In fact,
in many many Web sites, both commercial and otherwise, some of the fair
information practice elements, such as choice, security, or access, may
not be at all relevant.
Let me give you a few examples as to when or why some of these
criteria may not be relevant. If a site uses your data only to
complete a transaction, no choice is necessary. A site that does not
disclose its security precautions doesn't mean they don't exist. Many
experts testified in front of the Federal Trade Commission's Advisory
Committee on Security and Access that security measures and precautions
should not be disclosed on Web sites as it can lead to increased
attempts at unauthorized access. Finally, the FTC's own Advisory
Committee could not come to any agreement on what, if any, level of
access is appropriate for non-sensitive data, under what circumstances,
and at what costs.
While the FTC report does provide metrics, it clearly does not nor
should it be interpreted as evaluating the state of privacy on the
Internet. Thus, I entirely disagree with the conclusion that privacy in
cyberspace is woefully inadequate and that legislation is necessary to
empower the Federal Trade Commission to regulate data practices in
e-commerce.
Two years ago, close to 10% of all Web sites posted some type of
privacy policy or described their privacy practices in some way. Today
that number is close to 90%. That is astonishing! Consumers are now
better able than ever to determine whether a Web site's data practices
match their own preferences. The ability of consumers to make
meaningful privacy choices likewise doesn't guarantee privacy on the
Net. We clearly need to do more work to make those choices clear and
easy.
When asked ``do you care about your privacy?'' an overwhelming 90%
of Americans will respond that yes, they do. But when you push down on
those numbers, what you find out is that Americans care deeply about
the abuse and misuse of their personal financial information, personal
medical or health information, and information about their children.
Additionally, Americans are very concerned about identity theft and
credit card fraud on the Internet. In each of these arenas, Congress
has either already acted or the FTC already has sufficient authority to
enforce existing law. You have dealt with collection of data, from or
about children in the Children's Online Privacy Protection Act which
went into effect just last month. Last year, you passed the Financial
Services Modernization Act. While we may argue about the adequacy of
the financial privacy protections in the Act, clearly the Congress has
begun addressing financial privacy in that Bill and the FTC has, just
last week, released its regulations implementing that Act. The
regulations implementing the Health Insurance Portability and
Accountability Act are still being drafted. These regulations clearly
address health and medical privacy. Credit card fraud and identity
theft are already illegal and should be prosecuted to the fullest
extent.
Thus, I believe the FTC's conclusion that privacy on the Internet
is inadequate is not supported by the facts in their report. That is
not to say that we, industry and government, can't do a better job
empowering consumers to protect privacy on the Internet. What is
needed, I believe, is a commitment by government and industry to
continue the work started several years ago to make privacy policies
easy to find, read and understand. To make the promise of meaningful
choice and control over personal data real--whether through technology
solutions like P3P, software solutions like Privida and Privaseek,
enforcement actions under existing law, or filling specific legal gaps.
What we do not need are sweeping regulations governing the collection
and use of data, the conditions and methods under which that data use
can be consented to, the dimensions of access that must be provided to
data and the level and design of web security. Rather, what I would
suggest is that Congress continue its work with consumers and industry
representatives in order to determine how best to reach the last 10
percent of Internet sites that do not disclose their data practices and
perhaps begin consideration of a means to create a coherent and simple
standard for privacy disclosures across all Internet sites. Congress
has wisely refrained from delegating to any agency enormous regulatory
authority over the Internet. When Congress has seen a problem, it has
specifically addressed the problem. If there is any problem with
privacy for non-sensitive data on the Internet, it is the lack of
ubiquity in the posting of privacy policies and inconsistent and often
complicated disclosure statements. Neither of these problems is
successfully addressed through an enormous regulatory undertaking.
Whatever solutions Congress, industry and consumers come to that will
make privacy choices on the Internet ubiquitous, the solutions must be
technology neutral, market driven, and hospitable to the online
environment.
Those who sit before you and talked about self-regulation as a
failure and legislation as the answer, or self-regulation as a panacea
and legislation as repugnant, are in my view, clearly missing the
point. The point in the information age has to be how can American
consumers, whether they are consuming medical information, financial
information, or other commercial information, protect themselves and
their privacy desires. In some instances, there will be technological
solutions. In some instances, there may be best practices, and in other
instances, there may be loopholes in existing law that need to be
closed or an absence of law altogether that must be filled.
Too often the privacy debate has been polarized between those who
wish to prohibit the use of personal information for any and all
purposes, and those who wish to exploit the use of personal information
for any and all purposes. Neither of these postures addresses the
increasing concerns of Americans regarding the protection of their
personal privacy while allowing for its beneficial use. Neither of
these polar positions realizes that there are benefits and limits to
the use of personal information. Neither of these positions frankly can
bring a balanced economically viable and societally appropriate
conclusion to the privacy debate.
The Chairman. Thank you very much.
Mr. Catlett, for the benefit of the Committee perhaps you
could tell us what Junkbusters is about.
STATEMENT OF JASON CATLETT, PRESIDENT AND CHIEF
EXECUTIVE OFFICER, JUNKBUSTERS CORPORATION, AND
VISITING SCHOLAR, COLUMBIA UNIVERSITY DEPARTMENT OF COMPUTER
SCIENCE
Mr. Catlett. I would be pleased to, Senator. Junkbusters is
a Web site where people go for information about how to stop
junk communications, such as junk e-mail, junk telemarketing
calls, junk faxes, unwanted junk mail, and so forth.
The Chairman. It sounds to me like you are doing the Lord's
work, Mr. Catlett.
[Laughter.]
Mr. Catlett. Thank you, sir.
Senator Burns. Maybe we do not have to pass the spamming
bill then?
Mr. Catlett. I strongly recommend that you do pass
something like H.R. 3113 without the provision of labeling. I
think that is very much needed.
There are those who say that technological solutions for,
for example, filtering out junk e-mail will suffice. But I can
tell you, after running this Web site for 4 years and
publishing software to help people protect their privacy,
publishing information about how to remove cookies, how to stop
junk phone calls and so forth, I can tell you that technology
is not going to stop the death of privacy in this country.
Furthermore, self-regulation is also not alone or with
technology going to stop the erosion of privacy. It is
necessary to have laws that give individuals the right to
protect their own interests.
The Chairman. You do not believe that the FTC has existing
authority?
Mr. Catlett. I do not believe they have sufficient
authority to require sites to, for example, stop selling your
telephone number to telemarketers when you tell them if the
site's policy is stated as they will do that or they do not
state that. There is nothing you can do, and we get e-mail at
Junkbusters from harassed mothers in West Virginia who say, how
can I get these telemarketers to stop calling me?
Mere notice is not enough. The doctrine that all actions
can be taken on the basis of fraud is simply mistaken, I think.
There has been a lot of discussion about online and offline
worlds and I would like to relate a little experience when I
used to work at AT&T Bell Labs. I came here in 1992 to work on
research on marketing and data bases. That work was governed by
very strict laws about what could be done with people's phone
call records. Suppose that Congress had not passed those laws
to protect the privacy of people when they use the phone
system.
Well, we would have a situation similar to what we have
today on the Internet, where we are reading headlines about the
terrible things that phone companies are doing. Instead of
Doubleclick, it would be some company--I will fictionally call
it Orwell Long Distance--that is spying on the phone customers.
For example, it might have speech recognition technology
that listens to the key words that you speak in your phone
conversations with business and uses them to target more
interesting telemarketing calls to you. It might analyze the
telephone numbers that you call, look them up in the Yellow
Pages categories, and see what kind of categories of products
you are interested in, and sell that information to
cataloguers.
Now, if they did that people would be outraged and it would
be simply illegal. But analogous practices on the web are
prevalent from companies such as Doubleclick.
The Federal Trade Commission's report has been criticized
by some people as understating the amount of progress that has
been made. But if you look at the analysis of, say, Forrester
Research, an independent industry analysis firm, they actually
paint a much bleaker picture of the amount of privacy
protection that has been provided by industry. Forrester called
many of these policies a joke and said that they serve to
protect the interests of the companies rather than consumers.
The Electronic Privacy Information Center has also done a
series of excellent reports that come to the same conclusion.
So to my mind the FTC's conclusion that legislation is
necessary is absolutely unassailable. We need legislation. What
kind of legislation is needed? Well, the Online Privacy
Alliance's four principles are not sufficient. Merely having
notice, offering choice, some sort of weak access, and some
sort of security is not enough. What is needed is in many cases
to ask the consent of the person concerned before using his or
her information.
That is one of the great principles of the bill before you,
the Consumer Privacy Protection Act. It furthermore
establishes, would establish, standing institutions that look
to the privacy issue beyond the trade issue. Most importantly,
it gives individuals a private right of action so that they can
defend their own interests when their privacy is violated.
My own major criticism of the bill is that it preempts
State law. I think it is entirely proper to allow the States
their traditional role of laboratories of legislative
innovation.
Privacy is a fundamental human right and Congress with this
bill now has the opportunity to head off the demise of that
right. It is really clear to me that, looking at the U.S. as
someone who was not born here, that the world looks to the U.S.
as a Nation that deeply respects human rights and individual
liberties, and the citizens of this country do not have enough
rights to defend their own privacy in cyberspace.
So I think that you all bear a great responsibility for
determining whether the United States' leadership will extend
into cyberspace and whether American citizens' rights will be
preserved into the twenty-first century.
Thank you.
[The prepared statement of Mr. Catlett follows:]
Prepared Statement of Jason Catlett, President and Chief Executive
Officer, Junkbusters Corporation, and Visiting Scholar, Columbia
University Department of Computer Science
My name is Jason Catlett, and I am President and CEO of Junkbusters
Corp., a for-profit dot com company working to promote privacy. I'm
very grateful to the Senate for this opportunity to discuss with you
how to protect privacy in the Internet age.
I came to this country from Australia eight years ago to join the
computer science research staff at AT&T Bell Laboratories. Since I
founded Junkbusters in 1996, the company has published advanced
software and provided services and information to help people defend
their own privacy. These resources have been used by hundreds of
thousands of Americans. Based on feedback from people across this
country, and my own investigations, I have been led to the conclusion
that technical solutions to the challenges of privacy will not prevent
the death of American privacy online. It is clear to me that
legislation is appropriate and necessary to protect privacy on the
Internet.
My work in marketing and databases at AT&T Bell Labs was governed
by strict laws to protect the privacy of telephone subscribers. The
Internet still has few corresponding laws, so companies are engaging in
practices that would be regarded as unacceptable and illegal on a phone
network.
Collectively, this commercial surveillance is having the tragically
perverse consequence of scaring off consumers from the entire medium
rather than attracting them to a particular site. The Harris/Business
Week polls and many others since 1998 have found that fear for privacy
is a major or primary reason consumers give for not going online, and
for not participating in e-commerce. Their 2000 poll showed a strong
majority of Americans favoring new privacy legislation. Forrester
Research, a highly regarded firm of technology analysts whose
reputation has been built by providing accurate research and advice to
companies, has harshly criticized the poor standards of privacy
protection online, finding in September 1999 that 90 percent of Web
sites fail to comply with basic privacy principles. Forrester called
most privacy policies ``a joke'' and concluded that ``the vast majority
of such policies, like those of the Gap, Macy's and JC Penney, use
vague terms and legalese that serve to protect companies and not
individuals.'' These are not the words of some bleeding heart privacy
advocate, but of hard-nosed analysts working for a company whose long-
term success heavily depends on understanding and promoting the growth
of Internet commerce. In October 1999 Forrester published a report
finding that ``Nearly 90% of online consumers want the right to control
how their personal information is used after it is collected. This
desire for online anonymity cuts across consumers from a broad range of
demographic backgrounds, including gender, income, and age.
Surprisingly, these concerns change very little as consumers spend more
time online.'' It is not ignorance that is causing Americans to worry.
It is a rational assessment of the lack of control over their personal
information, and the paucity of recourse available to them if it is
misused.
This privacy problem will not go away by itself because the
economic incentives of individual companies work against it. As an
example, providing customers with an opt-out from a list of phone
numbers being sold to telemarketers means both forgoing future revenue
and incurring a capital cost to set up an opt-out system. Companies can
ill afford to unilaterally jump ahead of their competitors, even though
the sums of money are minor compared to the increase in participation
that would result from a market where privacy rights are widely
respected. The idea that consumer demand will force companies to offer
privacy protections is naive and simply not supported by empirical
evidence in surveys. What company is going to produce advertising copy
like the following? ``Buy books from us and we will give you a choice
in whether we sell your phone number to telemarketers.'' As
Commissioner Anthony wisely observed in a statement Monday, legislation
of the kind recommended by the FTC ``would reward those sites that have
offered real privacy protections and require all others to meet basic
privacy standard.''
We are facing a tremendous loss of both economic opportunity, and
of our fundamental human right to privacy. The only way to stop this
tragedy is to require all companies to respect the privacy of their
customers and prospects. And that is an entirely proper thing for the
federal government to do.
On the Internet this loss is particularly acute, but is obscured by
technical complexity. Let me describe one example by analogy.
Online advertisers build up profiles based on where people go, what
they look for, and how they behave on the Net. Imagine if Congress had
not passed laws to protect the privacy of telephone users. The
headlines would be full of the kind of privacy horror stories we see
today about the Internet. We might see a telco that I will fictionally
name Orwell Long Distance using speech-recognition technology to spot
keywords in your conversations with businesses in order to target you
with more interesting telemarketing calls. OLD might look up the yellow
pages categories of the numbers you frequently call, and sell that
information to junk mailers to decide the kinds of catalogs you're less
likely to throw away. This sounds absurd to us now, but on the Web,
equivalent practices abound, unrestrained.
Banner ad companies get to see the specific Web pages people visit,
plus the keywords they type into search engines and other forms. They
track individual PCs using unique identifiers called ``cookies'' placed
on Web browsers. Most people haven't heard these companies' names, but
some of them have started identifying people by name. Large profiles
that were previously gathered with just an anonymous identifier are
being linked to a street address, and phone number, and e-mail address.
If Orwell Long Distance were unencumbered by present phone privacy
laws, its lobbyists would be telling Congress that any attempt to
restrict the free flow of information on the international phone system
would be futile, and could result in the collapse of toll-free
ordering. But you would wisely dismiss that claim and judge that the
greater economic good requires that people have confidence that their
privacy is protected by law when they do business by phone.
It would be silly to expect consumers to defend themselves from
Orwell Long Distance by using their own voice scramblers and payphones,
or indeed technology from OLD itself. Suppose OLD designed a device
that could be held up as a technological solution to the privacy
concerns of phone subscribers. The result might be rather like a caller
ID box, but in addition to displaying the name and number of the
calling party, it would indicate the degree of privacy being offered by
the various carriers involved in the call. The called party would then
supposedly be given ``choice'' on whether to pick up and speak to her
mother for example, or have her call automatically rejected because it
doesn't meet her daughter's privacy ``preferences.'' This scheme would
not protect privacy on the phone, and its Internet equivalent, P3P,
will not protect privacy online.
What people need are simple, predictable standards, not more
complexity, just as businesses need simple predictable copyrights. Both
privacy and copyright law accommodate more complex arrangements
whenever needed, with the consent of the parties involved.
The comparison with copyright is useful in dismissing many
commonly-heard objections to privacy legislation. ``We mustn't impede
the free flow of information, so privacy/copyright laws are bad.'' On
the contrary, such laws promote participation in the information
economy, by protecting the rights of the participants. ``The Internet
is international, so privacy/copyright laws are useless.'' On the
contrary, that is no reason to permit domestic abuses, and
international treaties can be developed. ``Technology changes quickly,
so copyright/privacy laws are useless.'' On the contrary, such laws
should be technology-independent; it is the data that needs protecting,
not the means of transmission. ``It's impossible to enforce copyright/
privacy laws completely, so we shouldn't have them.'' Of course
incidental violations will occur, but organizations will not base their
businesses on piracy/privacy violation, or at least not for long.
Finally, imagine if the Recording Industry Association of America were
assessing the results of a fictional survey by the Department of
Commerce showing that more than 80% of U.S. households do not infringe
music copyrights, and concluding that copyright law should therefore be
repealed. Preposterous, the RIAA would say. Even 95% of households
respecting copyright would still leave 5% free to infringe copyrights.
We must have a law. Won't new technology for preventing the
unauthorized duplication of CDs provide the answer, a lobbyist against
one-size-fits-all legislation might ask? No, the RIAA would say. We
need a law, and we need substantial criminal and civil penalties. The
Digital Millennium Copyright Act of 1998 was Congress's response to
this issue.
In general, information technology produces many more opportunities
for enabling undesired uses of information than it does for preventing
it. As someone who has personally designed, coded, documented and
published privacy-enhancing software, I would be the last to try to
impede such technologies. The argument by some lobbyists that
legislation would dampen technological innovation to protect privacy is
specious. On the contrary, legislation would give companies an
incentive to adopt technologies that promote privacy. Services for
assuring anonymity become more valuable in a world where data
protection is required, because anonymity is an infallible way of
obviating the misuse of personal information.
The Report and Recommendation of the Federal Trade Commission
The FTC's report has been criticized by some trade associations as
understating the level of privacy protection being provided by major
Internet sites. I believe exactly the opposite is the case. Three years
of surveys by the Electronic Privacy Information Center plus
Forrester's assessment in September provide far stronger evidence that
the average site provides substandard privacy. As an illustration, take
the issue of access by consumers to information collected about them.
The Online Privacy Alliance's spokesperson Christine Varney said in a
press release Tuesday that ``There is no agreed-upon standard for
access, so how can the FTC measure it?'' They can't. The answer was on
page 23 of the FTC's report: ``With respect to Access, a site received
credit if it offers the ability to review, correct, or delete at least
one item of personal information it has collected--oftentimes simply an
opportunity to update an e-mail address--without regard to what other
information a site may have actually collected or compiled.'' Plainly
the FTC can measure access, and they did. It is significant that the
FTC were very easy graders, and yet most sites still failed. As to the
consumer's view of access, a study in April 1999 by AT&T Laboratories
asked respondents about ``importance of whether the site will allow me
to find out what info about me they keep in their databases.'' 57%
replied saying it was very important, 27% somewhat important, 4.2% not
important, with the rest not responding. The FTC's conclusion that
legislation is needed to improve consumer confidence in a world where
most sites are not providing sufficient privacy is simply unassailable.
What is remarkable is that the majority of Commissioners waited so long
before recommending legislation.
The four privacy principles of the Online Privacy Alliance and the
FTC (namely notice, choice, access and security) are necessary but not
sufficient to adequately protect privacy. Orwell Long Distance, for
example, would post a privacy policy (notice), offer an 800 number
where people can opt out of surveillance (choice), let consumers fill
out their own change-of-address forms (access), and deliver all its
lists to telemarketers encrypted (security). Missing are affirmative
consent and purpose specificity: not using information gathered for one
purpose (to complete the phone call) for another purpose (to give to
telemarketers) without gaining affirmative permission. These are among
the principles endorsed by the OECD in 1980 and used as the basis of
privacy laws in most developed countries, including recently Canada.
The Consumer Privacy Protection Act of 2000
The Consumer Privacy Protection Act from Senator Hollings and his
colleagues is a landmark work, making giant strides towards the wide
application of all these principles, across technologies and across
market sectors, within a legal framework that will really protect
privacy in this country.
The CPPA addresses the problem that privacy policies have become
``moving targets'' that are constantly subject to change. Requiring
consent for material changes in use is an important part of the principle
of purpose specificity. In line with this goal, the requirement for
notice might be waived when the policy change merely narrows the
purposes to which information is put, rather than widening them.
The CPPA moves toward addressing the urgent need for standing
institutions that consider privacy and security policy issues not
merely in the context of commerce, but also of government, society and
human rights.
Very importantly, the bill provides a private right of action,
which is essential if people are to have the means to protect their own
interests. Some, but not all enforcement power should vest in agencies
such as the FTC. Experience with the Telephone Consumer Protection Act
of 1991 dispels the scaremongering claim that a vast government
bureaucracy would be needed to curtail privacy violations. The FTC has
restricted its enforcement actions to cases of fraud (which are indeed
widespread and severe in that industry). State Attorneys General
occasionally take action. But it is the precious few individuals who
file suit in small claims court that have done the most to discourage
the telemarketing industry from routinely violating the law.
Finally, to allow further progress, federal laws should not preempt
state law. A good federal law that allows state Attorneys General
sufficient enforcement powers will reduce the need for new state-
specific legislation, but the states should not be deprived of their
traditional role as laboratories of legislative innovation.
Congress now has before it a comprehensive proposal to head off the
demise of privacy in this country. It is time for each member of
Congress to decide whether the right to privacy is worth defending, or
whether it should be allowed to lapse into a 20th century memory.
Throughout this nation's history, the world has looked to the
United States as a bastion of liberty, and to its elected governments
as defenders of individual rights. Congress now bears a great
responsibility for determining whether that leadership will extend into
cyberspace, and whether the American citizen's right to privacy--a
fundamental liberty--will endure into the 21st century.
I appreciate the opportunity to speak before you today. I would be
pleased to answer your questions.
[A list of references is available at
http://www.junkbusters.com/testimony.html on the Web.]
The Chairman. Thank you, Mr. Catlett.
Mr. Berman.
STATEMENT OF JERRY BERMAN, EXECUTIVE DIRECTOR, CENTER FOR
DEMOCRACY AND TECHNOLOGY
Mr. Berman. Thank you, Mr. Chairman and Members of the
Committee. It is a privilege to be here.
My organization is a civil liberties organization, but also
an Internet policy organization, and we are trying to maximize
the democratic potential of the Internet to build a bill of
rights in cyberspace. We have worked with all of you on
different issues affecting the Internet, whether it is
objectionable content and indecency and how to protect the
rights of adults versus how to protect our children,
encryption, communications privacy, and here data privacy.
In every one of those areas we have recognized that the
Internet is a different paradigm, it is global, it is
decentralized, and that we need to focus in every one of those
areas on empowering users and caretakers to protect their
rights. That is the thrust of every model piece of legislation.
There is consensus between Senator Burns' effort with
Senator Wyden a year ago, and the Boucher and Goodlatte effort
that something needs to be done. All four chairs of the
Internet Caucus who share that vision of the Internet are
supporting privacy legislation.
It is very important to understand that none of that
legislation is saying government takes over the Internet. All
the thrust of that legislation is to empower users to protect
their rights on the Internet. And users cannot protect their
rights if they have a crazy quilt of notice and obfuscation on
the net where they do not know what the information policies
are of those nets, of those Web sites, and they cannot exercise
the right to choose or opt-in or opt-out of particular
practices, and there has to be flexibility in that area.
The legislation I see that has been introduced not only
provides that baseline information, that information will not
be provided by 100 percent of the sites until Congress acts,
because everyone can be a publisher on the Internet. There are
so many net sites that do not know that privacy is even an
issue. It is not the last mile, as Christine Varney says,
because if Yahoo does not know what notice is required and they
may be suffering from a potential prosecution over their eight
pages, what about the little Web site?
Is it not important for the government to set some standard
so that people on the Internet, the Web sites and consumers,
know where they are? That is the key part of this legislation.
You do not have to rely on the heavy hand of government,
particularly in trying to figure out on the web what notice
means. You can also rely on self-enforcement and some of the
web, TrustE and BBBOnLine, they can become safe harbors under
the legislation. But to move it from 8 percent takeup by the
industry to 100 percent is going to require some push that they
know that is a safe harbor, and only Congress can do that.
If Congress does not act in this area, you are facing 270
bills in the States, and we have recognized in many areas that
a crazy quilt of State laws is counterproductive, a burden on
the Internet, a burden on commerce, a burden on speech, and not
in the interest of the Internet.
I think that the companies like AOL and IBM and Microsoft
and others that we have worked with on their online privacy
guidelines have done a terrific job and they have moved forward
and they should be commended for it. But they cannot bear the
burden and they do not have the resources or the time to drag
the other Web sites along or to subsidize them or to pick them
up. That is a role for government, and it is balancing and
making their practices the best practices as part of
legislation which will build legislation which maps onto the
decentralized Internet and preserves and protects and enhances
the values that we share.
Thank you.
[The prepared statement of Mr. Berman follows:]
Prepared Statement of Jerry Berman, Executive Director, Center for
Democracy and Technology
Mr. Chairman and members of the Committee, the Center for Democracy
& Technology (CDT) is pleased to have this opportunity to speak to you
about the important subject of privacy on the Internet. CDT is a non-
profit, public interest organization that is dedicated to developing
and implementing public policies to protect civil liberties and
democratic values on the Internet. CDT has been at the forefront of
efforts to establish and protect the very high level of constitutional
protection that speech on the Internet has been afforded by the United
States Supreme Court in the Reno v. ACLU \1\ decision, and to develop
sound public policies and technical solutions to protect individual
privacy.
---------------------------------------------------------------------------
\1\ American Civil Liberties Union v. Reno, 929 F. Supp. 824, 844
(E.D. Pa. 1996), aff'd, Reno v. American Civil Liberties Union, 521
U.S. 844 (1997).
---------------------------------------------------------------------------
Mr. Chairman, the Internet is at a critical junction in its
evolution. Although as a popular mass medium the Internet is less than
ten years old, it is already entering into a period of significant
transformations. Ensuring privacy on the Internet requires a multi-
faceted approach that draws upon the strengths of technology, self-
regulation, and legislation to deliver to the American public the
ability to exercise control over their personal information.
I wish to emphasize four key points this morning:
Privacy is not a partisan issue. Privacy is a deeply held
American value. It is broadly supported by the American public
and has frequently been the subject of bi-partisan legislative
efforts.
Privacy and the Internet are ill served by a crazy quilt of
standards. Consistency is critical to consumers, businesses,
and the character of the Internet. In an environment where
everyone is a publisher and a business it is impossible to
develop a consistent standard for privacy without legislation.
While self-regulatory efforts, auditing, and self-enforcement
schemes work for some businesses, on its own it will result in
an inconsistent framework of privacy protection.
Industry leaders should not ignore or carry bad actors or
outliers, but rather participate in a system of self-regulation
and legislation that ensures a level playing field and
predictable standards. Industry leaders would be ill advised to
ignore the cost to privacy of bad actors and newcomers. Bad
actors will not self-regulate: the clueless or new on the scene
may not have the resources or wherewithal to participate in
regulating their own behavior. Law is critical to spreading the
word and ensuring widespread compliance with fair, privacy
protective standards. By building a system of self-regulation
and legislation we can create a framework of privacy and
instill consumer trust.
Legislation can and should support self-regulation and
technical developments. The tired debate over self-regulation
versus legislation does not serve our mutual interest in
privacy protection. It is our collective task to develop a
legislative privacy proposal that fosters the best industry has
to offer through self-enforcement and privacy enhancing tools.
Realizing privacy on the Internet demands that we develop a
cohesive framework that builds upon the best all three of these
important tools offer.
I. Privacy
The critical starting point on the privacy questions is the current
state of privacy (and citizens' expectations of privacy) and the ways
in which the evolution of the Internet may threaten privacy principles.
CDT believes that a key privacy consideration should be
individuals' long-held expectations of autonomy, fairness, and
confidentiality, and policy efforts should ensure that those
expectations are respected online as well as offline.\2\ These
expectations exist vis-a-vis both the public and the private sectors.
By autonomy, we mean the individual's ability to browse, seek out
information, and engage in a range of activities without being
monitored and identified. Fairness requires policies that provide
individuals with control over information that they provide to the
government and the private sector. In terms of confidentiality, we need
to continue to ensure strong protection for e-mail and other electronic
communications.
---------------------------------------------------------------------------
\2\ For a fuller exploration of these issues see, e.g., Testimony
of Deirdre Mulligan, Staff Counsel of the Center For Democracy &
Technology, Before the Subcommittee on Communications of the Senate
Committee on Commerce, Science, and Transportation, July 27, 1999.
---------------------------------------------------------------------------
As it is evolving, the Internet poses both challenges and
opportunities to protecting privacy. The Internet accelerates the trend
toward increased information collection that is already evident in our
offline world. The trail of transactional data left behind as
individuals use the Internet is a rich source of information about
their habits of association, speech, and commerce. When aggregated,
these digital fingerprints could reveal a great deal about an
individual's life. The global flow of personal communications and
information coupled with the Internet's distributed architecture
presents challenges for the protection of privacy.
II. The Expectation of Fairness and Control Over Personal Information:
What the FTC's Report Reveals
When individuals provide information to a doctor, a merchant, or a
bank, they expect that those professionals/companies will collect only
information necessary to perform the service and use it only for that
purpose. The doctor will use it to tend to their health, the merchant
will use it to process the bill and ship the product, and the bank will
use it to manage their account--end of story. Unfortunately, current
practices, both offline and online, foil this expectation of privacy.
Much of the concern with privacy in electronic commerce stems from a
lack of robust privacy rules in various sectors of the economy, such as
financial and health, that handle a treasure trove of sensitive
information on individuals. Whether it is medical information, or a
record of a book purchased at the bookstore, or information left behind
during a Web site visit, information is routinely collected without the
individual's knowledge and used for a variety of other purposes without
the individual's knowledge--let alone consent.
The online environment facilitates the collection of information
about consumers that offline entities can only dream of. To paraphrase
Chairman Pitofsky, ``Not only do they know I ordered the steak, but
they know I considered the salmon and how long it took me to make up my
mind.'' Recent months have witnessed detailed reports, investigations,
and lawsuits about the surreptitious collection of personal
information by businesses--some completely unknown and invisible to the
consumer. From network advertisers to fraud detection systems,
profiling Web site visitors is routine. Using a mix of ``cookies,''
``web bugs,'' and other monitoring techniques consumers are routinely
being watched, their activities assessed, and their experience of the
Internet altered.
The FTC report released on Monday is the third study to assess the
state of privacy on the World Wide Web. This year's report is by far
the most comprehensive study of consumer privacy online. Not only did
the FTC tally raw numbers, but also, finally, the FTC explored the
important question of whether improved numbers equal improved privacy
for consumers. The good news is that progress, in terms of sheer
numbers, continues. The disappointing news is that the sum is less than
the parts.
The head count is improving.
The constant call by industry, the FTC, and consumers for privacy
policies has been heeded. Today, consumers are more likely than not to
find a privacy statement of some sort at Web sites. The number of sites
sporting a ``privacy policy''--a comprehensive description of a Web
site's information practices that is located in one place--has risen
from 2% in 1998 to 62% in 2000. Similarly, more Web sites are providing
consumers with some information about how they use information
(referred to as ``information practice statement'' or ``privacy
disclosure''). In 1998 only 14% of surveyed sites made any statement
about their use of personal information. This year 79% of the surveyed
sites posted at least one information practice statement. While
progress was more modest in other areas, every area witnessed some
improvement over previous years.
Notice, choice, access, and security remain the exception not
the rule.
While progress continues, the Web has not witnessed the widespread
implementation of the Fair Information Practice principles of notice,
choice, access, and security. (The principles are set forth in detail
in Appendix A.) While the number of sites meeting this standard has
doubled--from 10% in 1999 to 20% in 2000--the number represents a small
portion of total Web sites. It is troubling to note that even at those
sites that sport a privacy seal from a self-regulatory program
adherence to these four fair information practices hovers at 52%. And
of the sites surveyed, 8% participate in a seal program--leaving the
critical area of self-regulatory enforcement unsettled.
A lack of clear rules has led to the proliferation of
confusing privacy notices that are beyond the reading comprehension
skills of the majority of the American public.
This year the FTC delved into the difficult realm of substantive
analysis of privacy policies. What they found mirrors CDT's
experience--and based on reports and e-mail those of consumers as well.
(Appendix B* includes several examples of Web site privacy policies
that contain confusing and contradictory statements.) Privacy policies
can be exceedingly difficult to decipher. Several articles have
documented the difficulties faced by consumers seeking to understand
the protections a Web site affords them by reading privacy policies.\3\
As Chairman Pitofsky stated in a recent USATODAY.com story, ``Some
sites bury your rights in a long page of legal jargon so it's hard to
find them and hard to understand them once you find them. Self-
regulation that creates opt-out rights that cannot be found (or)
understood is really not an acceptable form of consumer protection.''
\4\
---------------------------------------------------------------------------
* Appendix B has been retained in the Committee files.
\3\ See, Will Rodger, ``Privacy isn't public knowledge: Online
policies spread confusion with legal jargon,'' USATODAY.com, May 1,
2000 ; The Industry
Standard, March 13, 2000, at 208-9.
\4\ Will Rodger, ``Privacy isn't public knowledge: Online policies
spread confusion with legal jargon,'' USATODAY.com, May 1, 2000.
---------------------------------------------------------------------------
While some sites may be actively attempting to confuse consumers--
for example CDT identified several privacy policies that use common
terms in a misleading fashion and others that contain contradictory
statements--in general, we believe that Web sites are in the unenviable
position of trying to assuage legitimate public concern with privacy
and ensure their attorneys that in doing so they will not
unintentionally create a liability disaster. The rock and the hard
place that many Web sites find themselves in creates a tendency toward
legalese, over and under disclosure, and hedging. When doing the right
thing creates liability that those who sit still don't face, notices
resemble legal disclaimers rather than vehicles for consumer education
and empowerment.
Regardless of the intent, consumers' interests are ill served by
policies that are written in complex, vague language. Guidelines on the
essential elements for inclusion in a notice would help both consumers
and businesses. It would likely result in shorter more direct
statements for consumers, and, for businesses, it would take some of
the risk out of the process of writing a privacy policy notice.
Surreptitious data collection techniques continue to grow.
Over the past twelve months privacy concerns surrounding the use of
technology to track and profile individuals has taken center stage.
From the joint FTC and Department of Commerce workshop on Online
Profiling, to the massive online consumer protest of Doubleclick's
withdrawn proposal to tie online profiles to individuals' offline
identities, to the private lawsuits against Realnetworks, to State
Attorneys' General actions against Doubleclick--it is clear that
policy-makers and the public are concerned with the use of technology
to undermine privacy expectations.
There is reason for concern. Third-party cookies, as the FTC Web
sweep reports, are routinely found at commercial Web sites. In fact,
consumers visiting 78% of the 100 most popular Web sites will be
confronted with cookies from entities other than the Web site. While
the growth of third-party cookies continues, less than 51% of the top
100 sites that set third-party cookies tell consumers about this
practice.
Similarly, the use of ``web bugs'' or clear gifs--invisible tags
that Internet marketing companies use to track the travels of Internet
users--has grown exponentially over the past year. Richard Smith, a
well-known computer security expert, in his presentation to the
Congressional Privacy Caucus stated that in January 2000 approximately
2000 ``web bugs'' were in use on the Web (according to a search using
Alta vista), but in just 5 months that number multiplied ten-fold to
27,000.\5\ While the FTC did not look for ``web bugs'' or for
statements about them, it is unlikely that Web sites are telling
consumers about this new tracking device.
---------------------------------------------------------------------------
\5\ Richard M. Smith, Statement at the Congressional Privacy Caucus
briefing, May 18, 2000. See, http://www.tiac.net/users/smith for
additional information on ``web bugs'' and other privacy and security
issues.
---------------------------------------------------------------------------
III. Bringing Privacy to the Internet
Privacy as discussed above is a complex concept. It encompasses our
right to withhold information, our interest in maintaining confidences
in information we willingly choose to disclose, as well as our right to
walk--or surf--the streets without having every step captured, analyzed
and tied to our identity forevermore. Protecting these three
interests--autonomy, fairness, and confidentiality--requires a wise use
of resources in the public and private sector. Of utmost importance it
demands that we empower individuals with the information, tools, and
protections necessary to exercise meaningful control over their
personal information. To deliver privacy we must build a program of
self-regulation and legislation, and support the widespread deployment
of privacy enhancing technology.
A. Enforceable Fair Information Practices are Essential in the Online
Marketplace
The Federal Trade Commission's latest report confirmed what
advocates, industry representatives and the public knew: privacy on the
Internet is far from a reality. The Federal Trade Commission's five
year focus on privacy has raised the level of attention and concern,
but has not delivered anything close to comprehensive compliance by
businesses operating online. Despite commendable efforts such as BBB
Online and TrustE, judged by the full set of agreed upon privacy
principles the overwhelming majority of Web sites have not delivered
privacy to the marketplace.
Numerous surveys have documented the public's overwhelming concern
with privacy online. Many responsible industry actors are engaged in
efforts to craft privacy rules; unfortunately many other companies have
yet to take the actions necessary to protect privacy. We have the
opportunity to develop privacy rules that establish strong protections
for individuals, a fair baseline for a competitive marketplace, and a
framework of trust for electronic commerce. Embedding these rules in
federal legislation will not be easy, but it can, and ultimately must,
be done.
If Congress fails to act on the FTC's recommendation, there is no
doubt that the states will fill the gap. At last count over 200 privacy
bills were introduced at the state level. While many do not directly
deal with online privacy, several do. The states have become
increasingly active in protecting consumer privacy and if left with a
vacuum it is likely that they will step in. A strong federal law is in
the interest of consumers, industry and the Internet. If the rules
provide strong protections for privacy, consumers and businesses would
both benefit from the certainty that a federal approach affords. In
addition, the borderless nature of communication and commerce on the
Internet is best approached with common rules. A patchwork of
inconsistent and conflicting standards could increase consumer
confusion, burden businesses, and interfere with the relatively
seamless operation of the Internet.
B. Delivering on Technology's Promise: Ubiquitously Available, Tools
that Empower Consumers to Make Real-Time, Flexible Decisions
About Their Personal Information.
1. Technology is critical to consumer privacy on the Internet.
The specifications, standards, and technical protocols that support
the operation of the Internet offer a new way to implement policy
decisions. By building privacy into the architecture of the Internet,
we have the opportunity to advance public policies in a manner that
scales with the global and decentralized character of the network. As
Larry Lessig repeatedly reminds us, ``(computer) code is law.''
Accordingly, we must promote specifications, standards and products
that protect privacy. A privacy-enhancing architecture must
incorporate, in its design and function, individuals' expectations of
privacy. For example, a privacy-protective architecture would provide
individuals the ability to ``walk'' through the digital world, browse,
and even purchase without disclosing information about their identity,
thereby preserving their autonomy and ensuring the expectations of
privacy. A privacy-protective architecture would enable individuals to
control when, how, and to whom personal information is revealed. It
would also provide individuals with the ability to exercise control
over how information once disclosed is subsequently used. Finally, a
privacy-protective Internet architecture would provide individuals with
assurance that communications and data will be technically protected
from prying eyes.
While there is much work to be done in designing a privacy-
enhancing architecture, some substantial steps toward privacy
protection have occurred. Positive steps to leverage the power of
technology to protect privacy can be witnessed in tools like the
Anonymizer, Crowds, and Onion Routing, which shield individuals'
identity during online interactions, and encryption tools such as
Pretty Good Privacy that allow individuals to protect their private
communications during transit.
The World Wide Web Consortium's Platform for Privacy Preferences
(``P3P'') is also a promising development. The P3P specification will
allow individuals to query Web sites for their policies on handling
personal information and to allow Web sites to easily respond. While
P3P does not drive the specific practices, it is a standard designed to
promote openness about information practices, to encourage Web sites to
post privacy policies, and to provide individuals with a simple,
automated method to make informed decisions. Through settings on their
Web browsers, or through other software programs, users will be able to
exercise greater control over the use of their personal information.
An important milestone is June 21. On that day, major Internet
companies will offer the first public demonstration of a new generation
of Web-browsing software based on P3P, designed to give users more
control over their personal information online. We are hopeful that P3P
products will provide consumers with increased control over their
personal information. Technologies must be a central part of our
privacy protection framework, for they can provide protection across
the global and decentralized Internet where law or self-regulation
alone may prove insufficient.
2. Tools must reflect the diversity of consumers' privacy needs.
Privacy is not the same as secrecy. Tools must support individuals'
needs to shield their identity, reveal certain information to a limited
set of entities, ensure information is not compromised in transit, and
protect information stored on their own computer. While tools are
coming to market that reflect consumers' varied needs for privacy,
there is much work to be done.
The Internet Engineering Task Force (IETF) is undertaking a
critical privacy effort. IETF is working on two standards that would
create new guidelines for the appropriate use of cookies. While cookies
are helpful for Web sites looking to maintain relationships with
visitors, they have been implemented in ways that give users very
little control and have been used by some to subvert consumers'
privacy. On most browsers, users are given only the option to either
accept or reject all cookies or to be repeatedly bombarded with
messages asking if it is OK to place a cookie.
The IETF is considering two complementary ``Internet drafts'' that
would encourage software makers to design cookies in ways that give
users more control. These drafts lay out guidelines for the use of
cookies, suggesting that programmers should make sure that:
the user is aware that a cookie is being maintained and
consents to it,
the user has the ability to delete cookies associated with a
Web visit at any time,
the information obtained through the cookie about the user
is not disclosed to other parties without the user's explicit
consent, and
cookie information itself cannot contain sensitive
information and cannot be used to obtain sensitive information
that is not otherwise available to an eavesdropper.
The drafts say that cookies should not be used to leak information
to third parties nor as a means of authentication. Both are common
practices today. The IETF is expected to make its decision to move
forward with these, and perhaps other cookie specifications, before the
end of the summer and will invite public comments at that time.\6\
---------------------------------------------------------------------------
\6\ The draft can be found at: http://www.ietf.org/internet-drafts/
draft-iesg-http-cookies-03.txt and http://www.ietf.org/internet-drafts/
draft-ietf-http-state-man-mec-12.txt.
---------------------------------------------------------------------------
The recent report of the Federal Trade Commission's Advisory
Committee on Online Access and Security recommended that steps be taken
to improve security. The Committee's report highlighted the need for
Internet businesses to develop robust security practices that protect
data from both internal and external threats and protect customer data
during both transit and storage. Specifically the Advisory Committee
recommended that:
Each commercial Web site should maintain a security program
that applies to personal data it holds.
The elements of the security program should be specified
(e.g., risk assessment, planning and implementation, internal
reviews, training, reassessment).
The security program should be appropriate to the
circumstances. This standard, which must be defined case by
case, is sufficiently flexible to take into account changing
security needs over time as well as the particular
circumstances of the Web site--including the risks it faces,
the costs of protection, and the data it must protect.
It is critically important that standard setting bodies support the
development of privacy enhancing technologies and robust security
standards. It is equally important that businesses bring these
important developments to the mainstream market in products that are
accessible and user-friendly for individual consumers and the myriad of
small shop-keepers establishing Web sites.
3. Tools must be widely available and easy to use.
In the area of child protection, industry and the public interest
community have collaborated on efforts to bring tools and information
to consumers through common resources, educational campaigns and other
efforts. Similarly, privacy enhancing tools must be widely deployed if
they are to truly benefit all consumers. While experienced Internet
users may avail themselves of today's tools, it is unlikely that
newcomers can find them, let alone use them effectively. As privacy
enhancing technologies come to market ensuring their wide-spread
availability and use should be a priority.
IV. Conclusion: Protecting Privacy on the Internet Requires a Multi-
pronged Approach that Involves Self-regulation, Technology, and
Legislation.
On self-regulation, we must continue to press the Internet industry
to adopt privacy policies and practices, such as notice, consent
mechanisms, and auditing and self-enforcement infrastructures. We must
realize that the Internet is global and decentralized, and thus relying
on legislation and governmental oversight alone simply will not assure
privacy. Because of extensive public concern about privacy on the
Internet, the Internet is acting as a driver for self-regulation, both
online and offline. Businesses are revising and adopting company-wide
practices when writing a privacy policy for the Internet. Efforts that
continue this greater internal focus on privacy must be encouraged.
On the technology front, while the Internet presents new threats to
privacy, the move to the Internet also presents new opportunities for
enhancing privacy. Just as the Internet has given individuals greater
ability to speak and publish, it also has the potential to give
individuals greater control over their personal information. We must
continue to promote the development of privacy-enhancing and empowering
technology, such as the World Wide Web Consortium's Platform for
Privacy Preferences (``P3P''), which will enable individuals to more
easily read privacy policies of companies on the Web, and could help to
facilitate choice and consent negotiations between individuals and Web
operators.
On the public policy front, we must adopt legislation that
incorporates into law Fair Information Practices--long-accepted
principles specifying that individuals should be able to ``determine
for themselves when, how, and to what extent information about them is
shared.'' \7\ Legislation is necessary to guarantee a baseline of
privacy on the Internet, but it is not one-size-fits-all legislation.
Congress must do more to protect privacy in key sectors such as privacy
of medical records. For consumer privacy on the Internet--and we
believe more broadly--there need to be baseline standards and fair
information practices to augment the self-regulatory efforts of leading
Internet companies, and to address the problems of bad actors and
uninformed companies. We also stress that legislation is needed to
raise the standards for government access to citizens' personal
information increasingly stored across the Internet, ensuring that the
4th Amendment continues to protect Americans in the digital age.\8\
---------------------------------------------------------------------------
\7\ Alan Westin. Privacy and Freedom (New York: Atheneum, 1967) 7.
\8\ See, Testimony of Deirdre Mulligan, Staff Counsel of the Center
for Democracy & Technology, before the Subcommittee on Courts and
Intellectual Property of the House Committee on the Judiciary, March
26, 1998, at 11-13 (concerning disclosure of subscriber information to
the U.S. Navy).
---------------------------------------------------------------------------
Several proposals are circulating in Congress today. Members of
this Committee have introduced two important bills: Senator Hollings'
``Consumer Privacy Protection Act'' (S. 2606); and, Senators Burns and
Wyden's ``Online Privacy Protection Act'' (S. 809). We believe that the
outlines of sound privacy protection for the online environment have
taken shape and look forward to working with this Committee on these
efforts.
The history of the Internet is that policy regimes are first
created by consensus among a broad cross section of the community. CDT
is committed to participating in any process that helps to build a new
social contract embodying democratic values in the emerging online
world. The work of the Federal Trade Commission--through its public
workshops, hearings, and its recent Advisory Committee on Online Access
and Security--provides a model of how to vet issues and move toward
consensus. We look forward to working with this Committee, as well as
others, the industry and the public interest community to build a
cohesive system of privacy protections for the online environment.
Thank you for the opportunity to participate in this timely hearing.
Appendix A
The Code of Fair Information Practices as stated in the Secretary's
Advisory Comm. on Automated Personal Data Systems, Records, Computers,
and the Rights of Citizens, U.S. Dept. of Health, Education and
Welfare, July 1973:
1. There must be no personal data record-keeping systems whose
very existence is secret.
2. There must be a way for an individual to find out what
information about him is in a record and how it is used.
3. There must be a way for an individual to prevent information
about him that was obtained for one purpose from being used or
made available for other purposes without his consent.
4. There must be a way for the individual to correct or amend a
record of identifiable information about him.
5. Any organization creating, maintaining, using, or
disseminating records of identifiable personal data must assure
the reliability of the data for their intended use and must
take precautions to prevent misuse of the data.
The Code of Fair Information Practices as stated in the OECD
guidelines on the Protection of Privacy and Transborder Flows of
Personal Data http://www.oecd.org/dsti/sti/ii/secur/prod/PRIV_EN.HTM:
1. Collection Limitation Principle: There should be limits to
the collection of personal data and any such data should be
obtained by lawful and fair means and, where appropriate, with
the knowledge or consent of the data subject.
2. Data quality: Personal data should be relevant to the
purposes for which they are to be used, and, to the extent
necessary for those purposes, should be accurate, complete and
kept up-to-date.
3. Purpose specification: The purposes for which personal data
are collected should be specified not later than at the time of
data collection and the subsequent use limited to the
fulfillment of those purposes or such others as are not
incompatible with those purposes and as are specified on each
occasion of change of purpose.
4. Use limitation: Personal data should not be disclosed, made
available or otherwise used for purposes other than those
specified in accordance with the ``purpose specification''
except: (a) with the consent of the data subject; or (b) by the
authority of law.
5. Security safeguards: Personal data should be protected by
reasonable security safeguards against such risks as loss or
unauthorized access, destruction, use, modification or
disclosure of data.
6. Openness: There should be a general policy of openness about
developments, practices and policies with respect to personal
data. Means should be readily available of establishing the
existence and nature of personal data, and the main purposes of
their use, as well as the identity and usual residence of the
data controller.
7. Individual participation: An individual should have the
right: (a) to obtain from a data controller, or otherwise,
confirmation of whether or not the data controller has data
relating to him; (b) to have communicated to him, data relating
to him: within a reasonable time; at a charge, if any, that is
not excessive; in a reasonable manner; and, in a form that is
readily intelligible to him; (c) to be given reasons if a
request made under subparagraphs (a) and (b) is denied, and to
be able to challenge such denial; and, (d) to challenge data
relating to him and, if the challenge is successful to have the
data erased, rectified, completed or amended.
8. Accountability: A data controller should be accountable for
complying with measures which give effect to the principles
stated above.
The Chairman. Thank you, Mr. Berman.
Mr. Weitzner. Is that the proper pronunciation?
STATEMENT OF DANIEL J. WEITZNER, TECHNOLOGY AND SOCIETY DOMAIN
LEADER, WORLD WIDE WEB CONSORTIUM
Mr. Weitzner. That is exactly correct.
The Chairman. Welcome, Mr. Weitzner.
Mr. Weitzner. Thank you, Chairman McCain. It is an honor to
be here and I am very pleased to be part of this discussion.
My testimony, which I have submitted and I will not read
all of, makes three very basic points. First, and I think based
on the discussion we do not even have to go through this any
further, the increasing sophistication of web technology
enables the collection of large volumes of personal
information, both directly from users and in the background in
some way or another. Some characterize it as surreptitious,
others characterize it as convenient. But there is an
increasing volume of information collected.
Second, the World Wide Web Consortium, the organization I
work for, which is the group that sets technical standards for
the web and includes over 420 members from industry, academia,
research, consumer organizations all around the world,
recognized the increasing consumer concern over privacy and we
therefore launched a project called P3P, the Platform for
Privacy Preferences, which will enable the marketplace to
deliver software tools and services that enhance users'
knowledge of Web sites' information practices and give users
more control over their personal information.
Finally, I hope that we can dispense with the false
dichotomies, the false choices, presented between law,
regulation, technology, industry practices, or self-regulation.
I think it should be clear to us that some balance of all of
those factors is needed. No one of those is going to solve the
problem--not law, not self-regulation, not technology. So we do
not need to worry about any one of them being sufficient. I
think we should all just stipulate that we need to find the
right combination.
I am going to----
The Chairman. You are saying right combination of
legislation and regulation? Is that what you are saying?
Mr. Weitzner. Well, I suppose that is a further distinction
that I would probably leave to you. I think we need some kind
of legal baseline. Whether that is implemented solely in
statute or through regulation is something I would leave to
you. But I think we need a legal framework in which to operate
here along with technology tools and responsible industry
practices.
Let me dispense with the discussion of all the myriad ways
that information, personal information, can be collected online
because I think there is a general appreciation for that point,
and I want to talk directly about W3C's efforts to build
technology tools that will help enhance users' privacy
experiences and particularly, given all the discussion we have
had, we have heard already, about the complexity of privacy
policies, the difficulty of finding them, the number of words
that one has to get through to get to the bottom line of the
policy, let me talk in a little bit more detail about W3C's
Platform for Privacy Preferences.
Through this project, which is really a project to develop
technical standards that address privacy, we hope to enable the
development of a variety of tools and services, produced by the
marketplace, that give users greater control over personal
information and thereby enhance trust between web services and
individual users.
P3P enables services, whether they are in web browsers, in
web servers, in other pieces of software or services that users
come across, that will enhance user control by putting privacy
policies where users can find them, by presenting the policies
in a form that users can understand, and, most importantly, by
enabling users to act on the policies that they see more
quickly.
For e-commerce services there are benefits as well. P3P can
be used to make the browsing experience more seamless. Any web
designer who is concerned about offering a product or a service
to someone who visits their site has a difficult balancing
task, even if they want to provide the maximum information
about their privacy policy to that user. It is not easy to
present, and I think it is a fair point that it is sometimes
complicated to articulate in prose, especially prose readable
to the non-experts out there, exactly what information
practices sites are engaged in, and I think it is quite fair to
say that, whether it is Yahoo or any of the other really
sophisticated, exciting services, they do a lot of different
things with your personal information in a lot of different
places, and to try to catalogue all that in one single place is
bound to be complex.
So with P3P what we have tried to do is to enable the
association of particular web pages and privacy policies that
apply to what is going on at that point on the web, so that
when you are asked to fill out a form right there your browser
will be able to tell you, not necessarily in prose terms but
with graphical icons or some other means, exactly what is going
to happen there when you submit that form data.
Think if you will for a minute about the experience we have
had with security on the web. Several have referred to the fact
that there was great concern about providing credit card
numbers on the web by a number of users. How was that concern
alleviated? In some part it was alleviated by, I think, a very
broad education campaign. In some part, though, it was
alleviated because browsers added tools that told users that
their transaction was secure.
No one on this Committee may know the acronym SSL. That is
the technology that secures the communication between a user
and a Web site. But I think vast numbers of people who use the
web recognize the little lock or the little key icons and know
when that lock or that key is closed they should feel
comfortable putting their credit card number onto that page.
We are looking to do the same kind of thing for privacy, to
be able to represent to users exactly what is going on at
exactly the point in the Web site they are at, rather than
forcing them to go back and read through the Web site and click
through. I was amused at the description of the number of
clicks. I have never actually counted them, and the number of
words, but I think that is exactly the problem that we are
trying to address with P3P.
Finally, P3P can help to assist with three of the four
information practices that the FTC report has outlined.
Obviously, notice; it provides a capability for presenting easy-
to-understand notice to users. It helps users to make a choice.
Finally, it tells--it has the vocabulary to tell users
exactly where they can go, what they have to do, to get access
to their personal information. Security is dealt with in other
parts of web standards, so we have not addressed it directly in
P3P.
I would say that the question of access is complex and P3P
does not pretend to provide a mechanism to enable access, but
we do provide a way for users to understand how to go and get
access.
I want to just close by saying that I think that this
Committee does face very difficult questions regarding what
legal or regulatory framework, if any, is best to address
privacy on the web. There are obviously a variety of options
before you and I am not here to support or oppose any
particular approach. I would urge, though, that with or without
legislation, with or without regulation, web users both in the
United States and around the world need more powerful technical
tools to give them greater control over their online privacy
relationships and greater information about what kinds of
relationships they enter into.
Even with the most stringent privacy laws in place, I would
submit, so much of individual users' practical privacy rights
on a day to day basis depends on being able to make
individualized choices about what they want done with their
personal information in a particular interaction. The web is
getting so complex that we are going to need technology tools
to help with that.
We certainly also need some way or another to encourage and
in some cases most likely require Web sites that offer those
choices. But we are going to need the tools to make those
choices effective choices and make sure that they are not
buried four or five clicks and thousands of words down in some
policy.
So I hope that, whatever action this Committee takes, it
will be consistent with encouraging the development of these
tools and unleashing the innovative forces in the marketplace
which, whether or not they have an incentive to provide privacy
regulation, privacy protection, the innovation that we see in
this marketplace can help to solve these problems and we should
make sure that it is able to do that.
Thank you very much.
[The prepared statement of Mr. Weitzner follows:]
Prepared Statement of Daniel J. Weitzner, Technology and Society Domain
Leader, World Wide Web Consortium
Introduction
Good Morning. My name is Daniel J. Weitzner. I thank the Committee
for holding this hearing on online privacy and am honored to be able to
contribute to your consideration of this critical issue. I am head of
the World Wide Web Consortium's (W3C) Technology and Society
activities, responsible for development of technology standards that
enable the Web to address social, legal, and public policy concerns.
W3C, an international organization made up of over 420 members from
industry, academe, users organizations and public policy experts, is
responsible for setting the core technical standards for the World Wide
Web. W3C was founded in 1994 by Tim Berners-Lee, inventor of the Web,
who serves as the Director of the Consortium. In addition to my work at
W3C, I also hold a research appointment at MIT's Laboratory for
Computer Science, teach Internet public policy at MIT, and am a member
of the Internet Corporation for Assigned Names and Numbers (ICANN)
Protocol Supporting Organization Protocol Council.
Today I will touch on three major points:
The Online Privacy Environment: Increasing sophistication in
Web technology enables the collection of large volumes of
personal information, sometimes with the explicit knowledge of
the user, and sometimes in the ``background.'' While this
information may often be collected for purposes considered
positive by the user, most users are unable to exercise
meaningful control over data collection and in many cases will
have little control over subsequent use of personal
information.
The Platform for Privacy Preferences (P3P): W3C's P3P
project will enable the marketplace to deliver software tools
and services that enhance users' knowledge of Web sites'
information practices and give users more control over their
personal information. A wide cross-section of the Web community
has contributed to the development of P3P and is now beginning
to test early implementations of the draft standard.
Balancing Law, Technology, and Industry Practice: All three
of these elements are required to give users the privacy
protections they need in the online environment. Whatever the
mix of law and self-regulation, we should assure that it
creates an environment that encourages the development of
innovative privacy-enhancing tools.
I. The Online Privacy Environment
The Internet and the World Wide Web have put extraordinary power
over information in the hands of people and institutions around the
world. With unprecedented ability to both publish and access
information in the hands of hundreds of millions of people, centuries
old barriers to knowledge and exchange of ideas have vanished. Yet this
same interactivity, the bi-directional ability to exchange information
from any point to any other point on the Net has brought about
significant threats to individual privacy. For the same communications
mechanisms that give individuals the power to publish and access
information can also be used, sometimes without the user's knowledge or
agreement, to collect sensitive personal information about the user and
his or her information usage behavior. At W3C, our goal is to use the
power of the Web, and enhance it where necessary with new technology,
to give users and site operators tools to enable better knowledge of
privacy practices and control over personal information.
Urban legends of the Web's imagined surveillance capabilities
abound. Nevertheless, Web technology has evolved quite sophisticated
data collection techniques which have caused alarm and distrust among
many users. State-of-the-art Web sites are able to collect personal
information about users both directly, by presenting online forms to be
filled out by users, and in the background, through use of various
technologies such as access logs, cookies and, in some cases, the
placement of small programs that run on users' computers collecting
information and delivering it back to the site. The background
techniques are often used to offer more customized, personalized and
easy-to-use services, many of which users appreciate. Yet, all but the
most technologically sophisticated users have no practical ability to
understand what sort of background data collection is taking place on
their computers, much less limit such collection when they wish.
Powerful data collection techniques, users' inability to know what
is being collected or how to stop it, together with occasional highly
publicized abusive privacy practices, all combine to generate a
significant level of fear and distrust on the part of many Web users.
Three of the most notable online privacy incidents in the last year
illustrate how strongly users and the general public react when users
discover that data collected about them may be used for a dramatically
different purpose, or that personal information will be disseminated
without their control.
Intel Processor Serial Number: Just before it released its
new Pentium III processor, Intel had to turn off access to the
unique serial number inside each processor because users
objected to the inability to block transmission of this serial
number to Web sites. Though Intel believed this ID would actually
enhance security by providing better transaction verification,
users felt that it would be used to track their browsing and
buying habits without giving sufficient control to users.
Doubleclick personally-identifiable web usage tracking:
Widespread outcry arose earlier this year when Doubleclick
announced plans to use user information previously collected to
track surfing habits of users for the purpose of targeting
banner ads. Users objected to the fact that information
previously collected was to be used for a different and more
invasive purpose, and because it was not clear to many people
how to opt-out of such tracking. Doubleclick has subsequently
withdrawn the tracking plans and mounted an education campaign
to inform users, among other things, how to control the
information collected by Doubleclick.
W3C and its members became concerned about privacy on the Web
because people won't use the Web to its full potential if they have to
face such uncertainty. The majority of users are perfectly willing to
share some information on the Web. At the same time, basic human
dignity demands that we have meaningful control over which information
we choose to expose to the public. Our goal is to include in the basic
infrastructure of the Web the building blocks of tools that can provide
each user this basic control.
II. P3P Enables Greater User Control
To help address growing concerns about online privacy, W3C launched
the Platform for Privacy Preferences (P3P) project to enable the
development of a variety of tools and services that give users greater
control over personal information and enhance trust between Web
services and individual users.
P3P-enabled services will enhance user control by putting privacy
policies where users can find them, presenting policies in a form that
users can understand, and, most importantly, enabling users to act
on what they see in policies more easily. For e-commerce services and
other Web sites, P3P can be used to offer a seamless browsing experience
for customers without leaving them guessing about privacy. Moreover,
P3P will help e-commerce services develop comprehensive privacy
solutions in the increasingly complex value chain that makes the
commercial Web such a success. On today's Web, when a consumer buys a
product or service from one Web site, completing the transaction may
well involve numerous individual services linked together, each of
which has some role in the ultimate delivery to the user and each of
which has some responsibility for honoring the privacy preferences
expressed by the user at the beginning of the transaction.
Consider all of the steps involved in the increasingly common
processing, printing, distributing, and archiving of a digital photo.
After the user takes a digital image with a common digital camera, one
site may be the point to which the photo is first uploaded, from there
the user follows a link to another site that performs special image
processing, after which the next site creates prints, which are then
delivered by yet another service to family members. Finally, yet
another site may offer archival services for the photos. At each step
along the way, these sites are dealing with sensitive information (the
names of the people in the photos, their location, etc.).
Setting the stage where such flexible combinations of services can
be offered to users requires widespread agreement on standards,
including the means of communicating from one service to another about
how personal information should be handled. Standards have a vital role
in the operation of the Web in general. The Web is not run by any
single organization, but it does enable people to share information
around the world because everyone who operates a piece of the Web
agrees to follow shared technical standards. In the same way as the
HTML standard ensures that everyone who looks at a Web page will see it
as the author intended it to look, regardless of what computer or
software is used, the P3P standard will enable every user and site
operator on the Web to communicate in a common language about privacy.
Can users find P3P in their browsers today? Not yet, as the
standard is only just being completed. P3P has been under development
over the last two years at the World Wide Web Consortium in a design
effort that has included software vendors, large commercial users,
privacy advocates, and government data protection commissioners from
around the world. Participants in the effort include
America Online/Netscape
American Express
AT&T
Center for Democracy and Technology
Commission Nationale de l'Informatique et des Libertes
Citibank
Electronic Frontier Foundation
Microsoft
NCR
NEC
Nokia
Information and Privacy Commission/Ontario, Canada
PrivacyBank
Privacy Commissioner of Schleswig-Holstein, Germany
Phone.com
Geotrust
With the standard definition nearly complete, we are now entering
the testing and implementation phase. Our last step in finalizing the
design of the standard is to host a series of interoperability testing
events, one in June and one in September. We are encouraged that a
number of large Web software developers as well as innovative smaller
services have committed to implementing P3P in their products.
Following this testing phase, we will issue a final standard for the
Web community.
III. Conclusion: Role of Law, Technology Tools, and Industry Practice
in Privacy Protection
This Committee faces hard questions regarding what regulatory
framework, if any, will best address the serious privacy issues on the
Web today. Congress may choose to enact a general privacy baseline, or
may consider targeted legislation focused on certain sensitive sectors,
such as has already been done with respect to children's privacy. Or,
those who seek more time for self-regulatory efforts may take hold. I
am not here to support or oppose any particular approach, but rather to
suggest that with or without legislation, Web users in the United
States and around the world need more powerful technical tools to give
users greater control over their online privacy relationships.
Similarly, e-commerce service providers need tools to enable them to
build innovative, flexible, customizable services that respect users'
privacy rights and preferences.
Even with the most stringent privacy laws one might imagine, so
much of practical privacy rights depends on users being able to make
individualized choices about the privacy relationships that they want to
have with the growing number of Web-based services with which they
interact. Effective exercise of informed choice, whether under
legislative mandate or enlightened self-regulation, can only be
accomplished in the increasingly complex Web of personal information
with the help of tools that users can use. So whatever the final
outcome of this debate, we should all be committed to see that the
innovative and entrepreneurial energy that abounds in the Internet are
able to develop innovative tools to help users and vendors.
The Chairman. Thank you.
Ms. Lesser, Ms. Varney, do you have a response to Mr.
Catlett's allegations?
Ms. Lesser. Well, I would say the following. Obviously, we
sort of fundamentally disagree with Mr. Catlett on approach,
but we fundamentally agree with Mr. Catlett on the need to
protect consumers' privacy.
The Chairman. Do you disagree when he says that there is no
technology that will solve this problem nor does the FTC have
sufficient authority?
Ms. Lesser. Let me take the first and then the second. On
the technology question, I think it is certainly not technology
alone. As Mr. Weitzner has laid out, there are lots of efforts
going on in terms of technological development in helping
consumers and businesses have that conversation and making it
easier for consumers to get notice and make choices, and that
is critical.
However, in order for technology to solve some of these
problems, you have to rely on implementation and in many ways
you need to rely on how businesses are going to deal with their
consumers. So I would say, in answer to some of the questions
raised about whether there are large companies or small
companies having complicated, incomplete, misleading privacy
policies, I would submit, based on our own data with our
customers, those companies will not ultimately succeed in
getting consumers' trust and they will see a decrease in their
business.
So I do not think that technology can do it alone, but we
have never relied on technology to do anything alone. It needs
to be coordinated with good business practices.
In terms of legislation, I think that, as I said, it is not
a zero sum game. There may be areas where we need to see
standards set by this Committee to guide the industry and to
make sure that we are all headed in the right direction,
particularly those of us who are not at this particular point.
However, we need to do this in a deliberative way and make sure
that we have identified what issues need to be addressed and
who best to address them.
I strongly believe that the FTC has an important role to
play. I believe this Committee has an important role to play
and that industry and consumers engaged in a dialog have an
important role to play.
I will say there is one important thing I disagree with in
Mr. Catlett's remarks that I think it is important to
emphasize, and that is the issue of preemption. However you
folks begin to look at this issue, it is critical as we look at
this medium, which we know is national but we also know is
global, that we do not seek out a multiplicity of confusing and
inconsistent standards, that whatever road we go down we make
sure that companies, every single company, be it the smallest
company in any of the States represented here, go online and
serve customers, they may be serving customers from all 50
States very quickly and from all over the world, and they
simply, both large and small companies, cannot comply with a
multiplicity of laws that are inconsistent around the globe and
around this country.
So I would strongly urge you, as you look at standards, to
think clearly about the need to respect the global and national
nature of the Internet online medium.
The Chairman. Ms. Varney.
Ms. Varney. Yes, Senator. As to the second question, the
FTC authority, clearly the Federal Trade Commission has the
authority to prosecute anybody who posts a privacy policy that
is deceptive or misleading, and they should do it and perhaps
they need more resources to do it.
Do they have the authority to compel Web sites that do not
post privacy policies to do so? Probably not. Do they have the
authority to compel Web sites to post privacy policies using
certain language or in a certain way? Probably not.
The Chairman of the Federal Trade Commission and I, as a
former Federal Trade Commissioner, have had a longstanding
argument, which I think you have heard before, about whether or
not the FTC's unfairness authority, as opposed to their
deception authority, would be a sufficient basis for them to
prosecute those who collect and use personal information for
purposes other than it was provided without adequate notice and
consent.
The Chairman believes he does not have--that the Section 5
unfairness standard does not give him that authority. I think
it does. But he is a professor and a former dean of a
university and he is the Chairman.
The Chairman. Mr. Catlett.
Mr. Catlett. Thank you, sir. On the issue of preemption, if
Congress moves promptly and passes a good law that gives strong
rights to individuals, then the States will not need to move in
to address particular needs of their citizens.
As to the question of inconsistent legislation, companies
deal globally with this problem all the time. For example,
Doubleclick does not set cookies in Germany because of laws
that relate to privacy. Therefore Germans are getting better
privacy protection from an American company than Americans are.
So companies do deal with these large differences and a nation
gets the level of privacy protection that it demands.
The Chairman. Mr. Berman.
Mr. Berman. I think some companies can deal with the crazy
quilt of regulations. One of the arguments for legislation is
to get away from that and to have some uniformity. I agree with
Jason that it ought to be a high standard--and a standard that
protects privacy, but it also has to protect the free flow of
information over the Internet. And if our companies or our
small Web sites have to figure out the laws and design their
sales and their approaches to be consistent with every country
in the world, I think that will be an enormous burden on
commerce.
So one of the reasons why I think that it is important for
the United States and for us to work these things out now is to
establish we are a leader in the Internet and what the
regulatory regime that makes sense for the Internet makes sense
also internationally. A traditional large regulatory role over
every Web site, which some Europeans advocate, I think is
inconsistent with the way the web is designed and will not
work. So it is part of providing leadership.
One last point. These issues are complex and I think that
in order to work them out it does require drilling down on what
do we mean by notice, what do we mean by access, what do we
mean by a remedy. What is fair when L.L. Bean sends your shoe
size to the wrong company? Do they go to jail? Those are not
easy questions, what access do you have and what is the
security, those issues.
But--and I think that in order--and a regulatory agency
should not be given an enormous amount of discretion. In order
to limit that discretion, one of the things that Congress can
do is when it writes its legislation, which is to make clear in
legislative history and go and really use staff time and drill
down on how its legislation is going to work, then explain to
the FTC and explain to the public and to the companies what
they have in mind.
That is not easy legislation, but it is absolutely I think
critical in this area or you will see too much discretion and
you will not have the confidence of the Internet community.
The Chairman. So, Mr. Catlett, along those lines, I like
many others buy books online. Now when I go on one of these Web
sites they say: Hi, John; we just got in a new biography of
Napoleon we know you would like--which is true. They know, they
know what my preferences are. So actually they are helping me
by informing me of books that I would like to read. What is
wrong with that?
Mr. Catlett. That is a wonderful service, sir, and I use it
myself.
The Chairman. You know what I am getting at here, OK. Where
does the line stop where they are informing me and helping me
and they are invading my privacy?
Mr. Catlett. Everybody wants the benefits of personalized
technologies and the Internet is wonderful at providing that,
provided that the personal information is treated fairly. That
means several things: only using the information for the
purpose that they collected it for, in the case of say making
book recommendations, and not for selling to, giving to
journalists who want to get a psychographic profile of the
individual who buys the books.
Second, the individual should have access to that complete
profile that is built up so that they can be sure for
themselves----
The Chairman. Like a FOIA, like a Freedom of Information
Act.
Mr. Catlett. Precisely, sir. And those laws should apply
very broadly to all commercial entities that maintain personal
information. It is the right of people to determine information
that is held about them. That information is being used by
companies supposedly for their benefit and so people have the
right to see that information.
The Chairman. Do they now?
Mr. Catlett. No, they do not, sir. You have the right to
see your credit report, but you do not have the right to see
the vastly greater profiles about you that marketing companies
have.
The Chairman. Is that fair, Ms. Lesser?
Ms. Lesser. I think it is a fair articulation of the
current law. I do not think it is necessarily a fair
articulation of all business practices. So for example----
The Chairman. Now wait a minute. Is it fair for me not to
know what----
Ms. Lesser. Oh, I am sorry, I misunderstood your question.
The Chairman. Should I be able to see what Amazon.com's
profile of me is?
Ms. Lesser. I imagine that if Amazon.com is creating, is
giving you, for example, as we do, an opportunity to have a
member profile----
The Chairman. Is it fair for me to know what the profile
is, Ms. Lesser?
Ms. Lesser. Sure, absolutely, it is fair for you to know.
The Chairman. But right now I do not have that right.
Ms. Lesser. You will probably be given a right to know what
your profile says by a lot of companies, because it is smart
business practice.
The Chairman. But if they do not choose to----
Ms. Lesser. Now, the level of--there is a difference
between understanding access, i.e., do you access directly into
the data base or do you have an ability to basically say----
The Chairman. You are complicating the issue.
Ms. Varney, do I have the right to know what profile is
compiled on me by an Internet corporation?
Ms. Varney. Do I get to ask you a question back, to further
this?
The Chairman. Yes.
Ms. Varney. OK, thank you.
The Chairman. Tragically, yes.
[Laughter.]
Ms. Varney. Do you want to know--the company is going to
take what you have purchased on their Web site to develop their
profile. Do you want access to everything that you have
purchased?
The Chairman. No, what their profile of me is.
Ms. Varney. So you do not care about getting access to your
past purchases? You want to see what they do with that
information?
The Chairman. I want to know what the profile is because
obviously they are letting other people know that profile.
Ms. Varney. Why are they letting other people know the
profile?
The Chairman. I do not know why. For profit and fun.
[Laughter.]
Ms. Varney. Not yours, Senator, I can assure you.
The Chairman. I am sorry, Conrad.
Ms. Varney. If they are not sharing the profile, does that
matter to your question?
The Chairman. Even if they are not sharing the profile. The
FBI has a file on me and I hope they are not sharing it, and
yet I have the ability--well, I do not care if they are.
[Laughter.]
The Chairman. Most citizens would not want that. So through
the Freedom of Information Act I can find out, I can get my FBI
file. Should I not be able to, through some kind of Freedom of
Information Act, know the profile that is kept on me?
Ms. Varney. Having been through the Senate confirmation
process, I do have an FBI file and I have reviewed it, and what
is in my FBI file are facts and summaries of conversations----
The Chairman. Should every American have the same right as
they do with the FBI file?
Ms. Varney. But Senator, that is what I am getting at, what
is in the FBI file. If the FBI has a psychographic profile on
me, I have not seen it, I cannot see it.
The Chairman. They may and they may not. I have seen all
kinds of FBI files.
Ms. Varney. Can you see what they have on me?
The Chairman. You are evading my question. Should they have
the right to know the profile--should I have the right to know
the profile that is kept on me?
Ms. Varney. Senator, I do not mean to be evasive. I am
trying to----
The Chairman. So you are not going to give me an answer?
[Laughter.]
Ms. Varney. I am going to give you an answer.
The Chairman. Then say it.
Ms. Varney. I am trying to draw a distinction----
The Chairman. If you want to ask me a question, you have
got to give me a yes or no answer.
Ms. Varney. I will, I will. You will not let me, though. I
am trying to draw a distinction between the data that is used
by a company to create a profile and the profile. Obviously you
have a right to all the data, the transactional data. What some
of the companies will say back to you, whether or not you
accept this argument, is: We spend a lot of time and a lot of
money and hire a lot of people and do algorithms and all kinds
of things to come up with what we think is the profile. It is
our proprietary property.
Is it good business sense to share it with you? Sure. Do
you want to legislate it? Talk to the companies that do it. I
do not know.
The Chairman. So your answer is ``I do not know.'' Now,
what is your question for me?
Ms. Varney. I asked the question, whether you wanted access
to the underlying data or to the profile that the data was used
to generate.
Mr. Weitzner. Well, my question is I want to see your
profile.
The Chairman. I think I should have access--very frankly, I
think I should have access to any information that is collected
about me and conclusions that are drawn about me. I think that
is the right of citizens, and I do not understand how it could
be--well, go ahead.
Mr. Weitzner. Could I suggest we just take one step back. I
do not have a quick answer to this question, but the right of
access----
The Chairman. By law I can have my credit profile.
Mr. Weitzner. That is right, and the reason that you can
have your credit profile is because important decisions are
made affecting your life based on that credit profile. So you
have a right to see it really in order to correct it if there
are mistakes.
The Chairman. Suppose that this company that makes a
profile of me that portrays me as an axe murderer is then sold
and distributed to others, all over the Internet. Is that good?
Mr. Weitzner. I think that what you certainly have a right
to know is what are they disseminating to others. I am not sure
that I am comfortable with the notion that any single Web site
that has any kind of commercial activity has to have a
mechanism for disclosing all of the information that it
compiles that is in some way personally identifiable. That
really goes pretty far and I think, as the FTC Advisory
Committee recently pointed out, you get into a whole other set
of privacy problems.
How does Amazon know that you are you when you are coming
to look at your profile? A lot of people are going to be trying
to figure out every Senator's password.
The Chairman. They have got my credit card. They get my
credit card when I make a purchase, so they are pretty darn
sure that it is me.
Mr. Weitzner. Well, they insure against the risk that it
actually is not you and they protect themselves. And the credit
card companies charge you whatever interest they charge you.
The Chairman. They do not know that I like history books
just because of one purchase.
Go ahead, Mr. Berman.
Mr. Berman. I think the answer is--I raised it before--this
is not an easy question. There has been a committee now on
access which has drilled down and made a distinction between
proprietary information, information which you should have
which might be exempt information. So it depends. That is one
of the critical factors in writing legislation like this. In
order to decide the access----
The Chairman. You are making an argument we better be very
careful about writing----
Mr. Berman. You better be very careful and go through the
hypotheticals about what you mean by access and who has access.
You might also raise the question which we raise: If you have
total commitment from the private sector to both only give you
that profile and keep it for themselves and never use it for
anyone else because they are the only ones that want to sell
you Napoleon books, what is the right of the FBI to get access
to that information, that profile?
What we have done is we are making an enormous transfer of
third party information, personal sensitive information, to the
net without also examining what the government access standards
are to that information. I mention the Monica Lewinsky example.
A colleague of mine at CDT is testifying over in another----
The Chairman. We try not to mention that.
Mr. Berman.--committee dealing with government access. I
would urge that at some point the committee try and look at
them together because they are of a piece.
The Chairman. Well, this is fascinating. This is a
fascinating issue. I mean, it is really a remarkable issue, and
I would argue that 5 years ago if we had said we would be
having this kind of discussion, it simply was not on the
screen. I believe that Mr. Catlett is right, though. I think
this is a very rapidly growing issue rather than one that is
diminishing.
I apologize to my friend and colleague for the length of
time I took, but it is a fascinating dialog.
I thank the witnesses.
Senator Burns. I have never missed a meal and I do not plan
to.
[Laughter.]
Mr. Berman. You have never missed a meal while I have been
up here.
Senator Burns. In light of the conversation and the dialog
with the Chairman, give me your assessment--and I would ask
you, Jerry. Give your assessment of the safe harbor approach.
Mr. Berman. Well, I think that the safe harbor approach
offers a real opportunity in dealing with the Internet. One of
the things that the FTC has built up is a considerable amount
of experience in dealing with that there are a whole myriad--it
is not one-size-fits all on the Internet. We want to encourage
a lot of different experiments in enforcement and trying to get
companies to do audits and so on.
If the safe harbors encourage that experimentation so that
good practices can find their way into that safe harbor, then
after developing a data base and factual basis on how those
work you can make decisions about whether you need to go
further and deal with criminal penalties and all the other
paraphernalia. But I would not start at that end, which is with
big penalties and high standards for what is a safe harbor,
because there is so much experimentation, so many new people on
the Internet.
But I think that what is the problem with the self-
regulatory regime now is not that people are not trying these
experiments, but that they do not know what a safe harbor is.
So they do not know what to spend, whether it is worth it,
whether if they join E-Trust or BBBOnLine whether they are
going to be safe from prosecution or safe from legislation. So
I think that that uncertainty is something that your
legislation begins to address. I mean, we need to work on it,
and Senator Hollings----
Senator Burns. In other words, we do not want to abandon
the safe harbor approach?
Mr. Berman. I do not think so.
Senator Burns. Now let us go, let us go one step further
then. Does the simple posting of privacy policy amount to
actual privacy to the end user? I mean, once they make----
Mr. Berman. It does not amount to privacy if the statement
is not complete or it says in some circumstance we do this, in
some circumstance, and it is conflicting. We have examples in
our testimony. It has to be a complete statement covering the
fair information practices. It has to give you adequate
information so that you know what the scope of collection and
use is.
Senator Burns [presiding]. That is all I have today. I have
listened to the testimony and the questions. I do not know what
happened to the Chairman, but I will tell you this, that we
thank you for coming today. There will be other Senators with
questions. If you could respond to the individual Senators and
to the Committee, that would be helpful.
Right now, this hearing is adjourned. The record will
remain open for 2 weeks.
[Whereupon, at 12:51 p.m., the Committee was adjourned.]
A P P E N D I X
Response to Question Submitted by Hon. Max Cleland to Jason Catlett
Question 1. As you know, I am a co-sponsor of S. 2606, which was
introduced this week by Senator Hollings and nine other Senate
colleagues. This bill allows for ``opt-in'' provisions for Web sites
using and sharing personally identifiable information, and ``opt-out''
for non-personally identifiable information. I would like to get your
thoughts on these provisions, specifically addressing the
implementation of these provisions by Web sites and the possible
effects it may have on online commerce.
Answer. This responds to Senator Cleland's question to me about S.
2606.
I believe the bill makes broadly the right decision on both opt-in
for personally identifiable information (PII) and opt-out for non-
personally identifiable information (non-PII), subject to the following
qualifications.
For PII, opt-in should certainly be required, since to have
personal data distributed without the consent of the person concerned
on a data transmission medium as powerful as the Internet would mean
the death of privacy online. It may further be necessary to set and
evolve a high standard to ensure that the consent is both well-informed
and affirmative.
For non-PII, at least an opt-out should certainly be required, but
it is possible that in some cases that may arise in the future, the
standard should be raised to opt-in. The use of pseudonymous identities
is expected to greatly increase in the next few years, and it may be
necessary to protect the privacy of these identities, even if they are
not personally identified with any natural person.
Accordingly, I would recommend proceeding with the broad standards
as they are in this bill, but remove the language preempting state law.
If changes become necessary following experience with the law, states
should be free to act accordingly.
On the implementation for Web sites, I can speak from direct
experience, having operated for about four years a Web site that
collects personal information on a purely opt-in basis. The Internet
makes the process of opting-in and opting-out very inexpensive, at near
zero marginal cost.
This contrasts with the relatively high cost of processing opt-
transactions in the physical world. As to the cost of establishing the
opt-processing systems, it would be only a very small percentage of the
total development cost of a typical e-commerce site. It is entirely
reasonable to require this.
The major effect on e-commerce would be to increase consumer
participation due to improved consumer confidence. This could be as
much as 20 or 40 percent over several years, compared to the ugly
scenario where no protections are in place, and consumer confidence
continues to decline. People who are scared offline at their earliest
encounters with the Internet may be reluctant to return.
Online advertisers might complain that they have to ask people's
permission before using or selling information about them, and that
therefore they would have to forgo some revenue. This is a very poor
reason to lower the standards proposed in the bill, because (i) online
advertisers still have a fine business selling ads that are targeted
not based on personal information, using the so-called old-fashioned
``print model'' of putting ads for golf clubs in the sports section:
this constitutes the vast majority of their existing revenues; (ii)
online advertising is only a tiny percentage of e-commerce revenues;
and (iii) it is unfair to permit the advertisers to maximize their
revenues at the expense of reducing the total size of the market.
If it is not out of place here, I would like to commend the Senator
and his cosponsors on the Consumer Privacy Protection Act, and to
express my admiration for the plain common sense of his remarks about
online privacy during the hearing.
If I can be of any further assistance to you or the Committee,
please feel free to ask.
______
Response to Written Questions Submitted by Hon. Max Cleland
to Jill A. Lesser
Question 1. Do you believe people should be able to know what
information is collected about them by third parties, how that
information is used, and the ability to correct incorrect information?
Answer. Yes. We at America Online believe strongly that ``notice''
and ``choice'' with respect to personally identifiable information are
essential elements of online privacy protection. In other words,
consumers should be given clear notice about what personally
identifiable information is collected about them and why it is being
collected, and should be given the opportunity to exercise choice about
how such information is used. In addition, we believe that
organizations that collect personally identifiable information from
consumers should take steps to protect the security of that information
and should establish a process for correcting inaccuracies in important
information, such as account or contact information. AOL's privacy
policy is based on these essential principles.
Question 2. As you know, there are several privacy seal programs that
Web sites can earn by their privacy practices. Several of the ``good
players'' attempt to influence their business partners to adopt
stronger privacy protections and earn the endorsement of these seal
programs. AOL works with its partner companies to ensure good privacy
practices. However, how do you explain the fact that the FTC report
found only 8% of randomly selected sites participate in these programs?
Answer. AOL supports the development of privacy seal programs to
help encourage good business practices, build public awareness, and
increase consumer confidence in the online medium. AOL helps to promote
sound privacy practices through its Certified Merchant Program, which
requires AOL merchants to post a comprehensive privacy policy that is
consistent with the principles outlined in AOL's privacy policy and the
industry guidelines developed by the Online Privacy Alliance.
While we do not know the precise reason for the low level of seal
program participation found in the FTC report earlier this year, one
factor may be simply that more public education is needed to make both
consumers and businesses more aware of the importance of such programs.
As public awareness about online privacy issues continues to grow,
participation in these programs will likely increase. Furthermore, it
is possible that the FTC survey focused narrowly on strict ``seal''
programs, and perhaps did not take into account the wide variety of
compliance and certification programs that currently exist, such as
AOL's Certified Merchant program, to help ensure good privacy practices
and increase consumer confidence. We believe that the proliferation of
all such programs will help to build consumer trust in the online
medium.
Question 3. What evidence have you seen to indicate that the average,
not necessarily Web-savvy, American Web surfer is knowledgeable about
information-gathering practices of Web sites? Especially among groups
coming online more and more, like older Americans?
Answer. It is clear that online privacy issues have taken center
stage in the public debate over the past year, and that Americans
generally are more aware than ever before about both the tremendous
benefits of electronic commerce and the potential privacy implications
of doing business online with sites that do not protect their privacy.
This year's FTC report shows a dramatic increase in the number of
commercial Web sites that have posted privacy policies describing their
information-gathering practices. Despite this incredible progress, we
believe that the average user's knowledge and understanding of how his
or her personal information is collected and used online is still not
at the level where it needs to be in order to ensure that consumers'
privacy is being fully protected.
AOL believes, therefore, that companies doing business online have
a responsibility to reach out to Internet users to help educate them
about what they can do to protect their privacy online. AOL makes it a
priority to clearly inform our members about our privacy policies and
about the steps they can take to ensure that their personal information
is protected wherever they go online. In addition, we have participated
in a number of industry-wide efforts to raise public awareness about
online privacy, such as the ``Privacy Partnership 2000,'' an ongoing
grassroots initiative created by TrustE and leading online companies
like AOL to promote privacy education on the Internet, as well as the
recent media consumer education campaign sponsored by the members of
Netcoalition.com, a public policy organization comprised of leading
online consumer companies. We believe that industry, government, and
consumer groups must continue to work together to promote public
education about online privacy and bring consumer education to the
level where it needs to be.
______
Response to Written Questions Submitted by Hon. Max Cleland
to the Federal Trade Commission
Dear Senator McCain:
Thank you for transmitting Senator Cleland's post-hearing questions
related to the Federal Trade Commission's report, Privacy Online: Fair
Information Practices in the Electronic Marketplace (``Report''). The
Commission's responses are as follows.\1\
---------------------------------------------------------------------------
\1\ The Commission vote to issue this letter was 4-1, with
Commissioner Swindle dissenting. His views are expressed in a separate
letter, which is attached.
Question 1. Some people have called for the creation of a privacy
commission to establish future privacy guidelines and ``add flesh'' to
laws that may be passed by Congress. Do you feel as though this role
could be effectively performed by the Federal Trade Commission? And,
what is your opinion on the creation of such a commission?
Answer. Yes, based on the proposals we have seen about the
anticipated role of a privacy commission, we believe that the FTC could
effectively perform the duties associated with such a commission. As
you know, the FTC has been involved with data privacy issues since
1995, and has in fact performed many of the same functions that a
privacy commission would perform. The Commission has held a series of
widely-attended public workshops, which included participation by
industry, advocates, and academics, and has produced numerous reports
focusing on a variety of privacy issues, including the collection of
personal information from children, self-regulatory efforts and
technological developments to enhance consumer privacy, consumer and
business education efforts, and the role of government in protecting
online privacy. Moreover, at Congress's direction, the Commission has
promulgated a well-received rule pursuant to the Children's Online
Privacy Protection Act. The agency will continue to examine privacy
issues and we believe the Commission could effectively fill the role of
implementing any additional laws Congress may enact. Moreover, the FTC
also has a competition mission that gives the agency a unique ability
to consider the competitive implications of any privacy regulations.
We generally believe that additional resources can be brought to
bear on the evaluation and development of effective privacy protection
for Americans. We are concerned, however, that the creation of a
separate privacy commission might be inefficient given the FTC
resources already devoted to privacy issues. Furthermore, a number of
states are moving forward with their own form of online privacy
legislation. Thus, such a commission also could have the
counterproductive effect of delaying thoughtful consideration and development
of otherwise appropriate and timely legislation to protect privacy.
Question 2. Do you feel Internet business has the potential to grow
with clear, concise privacy policies in effect?
Answer. Yes. As described in our recent report, ``Privacy Online:
Fair Information Practices in the Electronic Marketplace,'' (May 2000,
available at http://www.ftc.gov/os/2000/05/index.htm#22), some survey
research suggests that the vast majority of online consumers are
concerned about the misuse of their personal information online, and
that large numbers of consumers do not trust online companies to keep
their personal information confidential. Alleviation of these concerns
should prompt more consumers to use the Internet. Sites with clear and
concise privacy policies that implement the fair information practices
outlined in the Commission's Report have the potential to appeal to
consumers who are concerned by providing a ``privacy-friendly''
marketplace in which consumers can shop. Moreover, a majority of the
Commission believes that if Congress enacts legislation requiring a
baseline of privacy protections, consumers could benefit from the
knowledge that they would be entitled to at least a uniform level of
protection wherever they visit online. This knowledge should also
result in a concomitant increase in consumer confidence in the online
marketplace.
Question 3. What evidence have you seen to indicate that the average,
not necessarily web savvy, American Web surfer is knowledgeable about
information gathering practices of Web sites? Especially among groups
coming online more and more like older Americans?
Answer. As noted in our recent Report, although consumers may not
be conversant in the specific information-gathering practices of Web
sites, survey evidence indicates that consumers are increasingly
concerned about their privacy online. (Report at 2-3.) Some evidence
also suggests that older Americans are concerned about shopping online
because of their privacy concerns. (Report at 2 n.15, referring to AARP
National Survey on Consumer Preparedness and E-Commerce: A Survey of
Computer Users Age 45 and Older (March 2000), available at ) The Commission unanimously
believes that all consumers, including older Americans and others new
to the online medium, would benefit from clear and conspicuous privacy
disclosures online.
In addition, consumer education about online information gathering
is still badly needed. The FTC will continue its efforts to educate
consumers about the online marketplace and its information practices
and will encourage self-regulatory groups to focus on consumer
education as well. Educating businesses about the need to implement
privacy protections has and continues to be an important complement to
these consumer education efforts.
Question 4. As you know, the Better Business Bureau and other companies
have online ``seals'' for which Web sites can apply if the site
believes it meets the privacy standards of those seal programs. The FTC
report states that only 8% of the Random Sample of sites and 45% of the
Most Popular sites in the survey display a privacy seal. Could each of
you comment on these seal programs and their influence on the Internet
industry and its privacy practices?
Answer. The Commission has long supported the development and
implementation of seal programs as part of industry self-regulatory
efforts. We believe online privacy seal programs can play an important
role in advancing the implementation of fair information practices in
the online marketplace. They educate both online businesses and online
consumers about online privacy protections, and they can serve as a key
enforcement component of industry self-regulation in this area. The
established programs are to be commended for their efforts to date, and
the emergence of several new, competing seal programs is a welcome
development.
If widely adopted, seal programs promise an efficient way to alert
consumers to licensees' information practices and to demonstrate
licensees' compliance with program requirements. Although the number of
sites enrolled in seal programs has increased in absolute terms over
the past year, with 45% of the Most Popular sites participating, the
seal programs have yet to establish a significant presence on the Web.
Therefore, their impact on online commerce remains limited. The
Commission believes that seal programs' efforts would be bolstered by
legislation requiring online companies to adhere to core fair
information practice principles.
Question 5. Several Internet companies claim that privacy policies will
``kill the goose that laid the golden egg'' by being too burdensome on
this fledgling industry. The FTC report references concerns of FTC
staff and the Advisory Committee on Online Access and Security that
some of these recommendations to protect consumer privacy should not be
overly burdensome to the company. Do you have any further guidelines on
what is ``overly burdensome'' for the Committee?
Answer. The Commission has specifically recognized that
implementation of the fair information practices of Access and Security
raise complex issues. As you note, many of these issues were
highlighted in the Report of the Advisory Committee on Online Access
and Security. The majority of the Commission does not believe that
providing Access and Security would necessarily create unreasonable
burdens or costs to online businesses.\2\ Furthermore, the issue of
burden, particularly with respect to small businesses, could be fully
and fairly addressed in a rulemaking proceeding. Such a proceeding,
with input from online businesses and consumers would greatly assist
any implementing agency in crafting a rule that implements online
privacy protections in a flexible and reasonable manner.
---------------------------------------------------------------------------
\2\ Commissioner Leary opposes mandated access and security at this
time because he believes that the Commission has insufficient
information about the relative costs to businesses and benefits to
consumers in this area, and because, if notice is adequate, the
competitive marketplace should provide a better solution than
regulation.
Please let me know if the Commission can provide any additional
information on this important matter.
By direction of the Commission.
Robert Pitofsky,
Chairman.
______
Response to Written Questions Submitted by Hon. Max Cleland
to Orson Swindle
Dear Chairman McCain:
Thank you for transmitting Senator Cleland's post-hearing questions
related to the Federal Trade Commission's report, Privacy Online: Fair
Information Practices in the Electronic Marketplace (``Privacy
Report''). For the most part, I do not share the views expressed in the
Commission majority's response to Senator Cleland's questions.
Accordingly, for the Senator's consideration, I am providing my
individual responses to his questions.
Question 1. Some people have called for the creation of a privacy
commission to establish future privacy guidelines and ``add flesh'' to
laws that may be passed by Congress. Do you feel as though this role
could be effectively performed by the Federal Trade Commission? And,
what is your opinion on the creation of such a commission?
Answer. A Congressionally established privacy commission could add
measurably to the general understanding of online privacy. A serious
examination of all the issues surrounding online privacy should add
significantly to a better understanding of the possible unintended
consequences of the laws that may be passed for the online economy.
Such an examination should look at the costs and benefits of various
options, including legislation, industry self-regulation, government
guidelines regarding industry best practices, etc. As I pointed out in
my dissent from the Privacy Report, an analysis of this type should
have preceded any recommendation of legislation by the FTC and
certainly should precede enactment of legislation mandating privacy
protections.\1\
---------------------------------------------------------------------------
\1\ Privacy Report, Dissenting Statement of Commissioner Orson
Swindle at 2, 21-24.
---------------------------------------------------------------------------
Having some experience and certainly a reservoir of knowledge about
privacy online, competitive issues, how to make clear and conspicuous
disclosures online, and implementation of the Children's Online Privacy
Protection Act, the FTC theoretically could perform this function.
However, the recent FTC Privacy Report indicates to me that a more
objective, probing analysis and less pro-regulatory bias are desirable.
Perhaps it would be best for an independent, non-partisan commission to
take on this task, in a manner similar to the Advisory Commission on
Electronic Commerce.\2\
---------------------------------------------------------------------------
\2\ This Commission was created by Congress when it enacted the
Omnibus Appropriations Act of 1998, Pub. L. No. 105-277, to study and
make recommendations about taxation on transactions using the Internet.
The Commission's final report is available at http://www.e-
commercecommission.org/report.htm.
Question 2. Do you feel Internet business has the potential to grow
with clear, concise privacy policies in effect?
Answer. Yes, although it is obviously growing exponentially now
with less than perfect privacy policies in effect. To my knowledge, no
one has empirically established the impact of privacy policies on
consumer behavior. Industry self-regulation is making good progress. I
suspect that the degree to which privacy concerns are impeding the
growth of online commerce has been vastly overstated. The FTC's efforts
to evaluate online privacy have not included any empirical study of the
effects on online commerce of the existence of privacy policies,
whether consisting of simple notice or comprehensive statements
implementing all four FTC-suggested fair information practice
principles. Instead, the FTC, relying upon consumer opinion surveys
showing that many consumers are concerned about online privacy, has
asserted that online commerce will not reach its full potential without
legislation ensuring full fair information practices.\3\ Consumer
opinion polls showing a generalized concern about privacy, however,
should not be relied upon as the basis for concluding that legislation
is required for the optimal growth of online commerce.\4\ There is no
reason to conclude that legislation will necessarily increase consumer
confidence in the online marketplace.
---------------------------------------------------------------------------
\3\ Privacy Report at iv.
\4\ See generally Concurring and Dissenting Statement of
Commissioner Orson Swindle to Statement of the Federal Trade Commission
on Online Profiling; see also Privacy Report, Dissenting Statement of
Commissioner Orson Swindle at 10-16.
---------------------------------------------------------------------------
For example, a study conducted by Jupiter Communications in mid-
1999,\5\ concluded that ``consumers do not see government regulation as
the solution to the online privacy issue. The vast majority of
respondents to a Jupiter Consumer Survey--86%--said that they would not
trust a Web site with their privacy even if the government regulated
it.'' \6\ The same study asked consumers to identify the top two
factors that would increase their trust in Web sites regarding privacy.
``The posting of privacy policies eased the concerns of 36 percent of
consumers surveyed.'' \7\ Government regulation was ``not a popular
option'' for increasing consumers' confidence: ``only 14 percent
indicated that they would more likely trust a Web site on privacy
issues if the site were subject to government regulation.'' \8\
---------------------------------------------------------------------------
\5\ This study predates the noteworthy increase in the display of
privacy policies online and in online sales in late 1999 and the first
quarter of 2000.
\6\ Michele Slack, Jupiter Communications, Proactive Online
Privacy, Scripting an Informed Dialogue to Allay Consumers' Fears at 19
(June 1999).
\7\ Id. at 4.
\8\ Id.
Question 3. What evidence have you seen to indicate that the average,
not necessarily Web savvy, American Web surfer is knowledgeable about
information gathering practices of Web sites? Especially among groups
coming online more and more like older Americans?
Answer. To my knowledge, the research cited in the Commission's
Privacy Report does not directly address this issue. One study
mentioned in the Report, a telephone survey of adult computer users
conducted in March 2000 by Harris Interactive for Business Week, found
that 40% of computer users had heard of cookies and, of these, 75%
understood them to be ``files downloaded onto your computer that track
your online habits.'' \9\ The Harris poll also found that 55% of
computer users while surfing online had seen a privacy notice or other
explanation of how personal information collected by a Web site will be
used. Of those who had seen a privacy notice, 35% always read it, 42%
sometimes read it, 18% rarely read it, and only 4% never read it.\10\
---------------------------------------------------------------------------
\9\ Business Week Online, Business Week/Harris Poll: A Growing
Threat (March 2000), available at . Interestingly, of those computer users that are
aware of cookies, many set their computers to reject them, either
always (21%) or sometimes (21%), while an even larger group either
never (43%) or only rarely (10%) did so.
\10\ Id.
---------------------------------------------------------------------------
Surveys that indicate that consumers are increasingly concerned
about online privacy are not evidence that consumers are knowledgeable
about the information gathering practices of Web sites. Simply stated,
once again the FTC is presenting misleading interpretations of opinion
survey results, including the AARP survey.
The AARP report shows that the majority (54%) of older Americans
who use the Internet make purchases online.\11\ Three out of four of
these online purchasers describe themselves as either very or somewhat
concerned about the privacy of the information, yet they make
purchases.\12\ This confirms my sense that consumers who express
concerns about privacy in the abstract find that their concerns are
outweighed in practice by the convenience and other benefits of
shopping online.
---------------------------------------------------------------------------
\11\ AARP National Survey on Consumer Preparedness and E-Commerce:
A Survey of Computer Users Age 45 and Over (``AARP Report'') at 32, 62
(March 2000), available at .
\12\ Id. at 54.
---------------------------------------------------------------------------
The Privacy Report, relying only on the press release and not the
full AARP Report, cited the press release as support for the
proposition that ``many consumers who have never made an online
purchase identify privacy concerns as a key reason for their
inaction.'' \13\ In fact, the AARP study itself does not permit any
conclusions to be drawn about the degree to which privacy concerns or
any other reason influenced consumers' decisions not to purchase
online.
---------------------------------------------------------------------------
\13\ Privacy Report at 2 n.15.
---------------------------------------------------------------------------
Instead, the study used an open-ended question followed by probing
to determine why those respondents who stated that they never purchased
over the Internet have not made such purchases.\14\ The resulting
tabulation of reasons offered by consumers in response shows only how
frequently these consumers identified particular reasons for not
purchasing, not whether a particular reason was ``key'' to their
decision not to purchase. Of the Internet users who have never made an
online purchase, 43% ``simply are either not interested in online
shopping (28%) or do not like online shopping (15%).'' \15\ Another 20%
indicated that they like to shop and/or examine products in person.
Twenty-four percent cited ``concerns about privacy'' and an additional
6% stated they were concerned about ``safety of payment.'' \16\
---------------------------------------------------------------------------
\14\ AARP Report at 64.
\15\ Id. at 34.
\16\ Id. A variety of other reasons are also identified in the AARP
Report, but only reasons mentioned by at least 3% of those surveyed are
reported.
Question 4. As you know, the Better Business Bureau and other companies
have online ``seals'' for which Web sites can apply if the site
believes it meets the privacy standards of those seal programs. The FTC
Report states that only 8% of the Random Sample of sites and 45% of the
Most Popular sites in the survey display a privacy seal. Could each of
you comment on these seal programs and their influence on the Internet
industry and its privacy practices?
Answer. The ``seal programs'' are a good idea. However, the fact
that a company does not use a seal program does not mean that it has
unsatisfactory privacy policies and practices. No conclusions should be
drawn from not belonging to a seal program. Seal programs are but one
of many practices that can be used to give consumers confidence.
Companies with good business practices that satisfy consumers
accomplish that confidence-building without necessarily having to
employ seal programs.
I disagree with the majority's conclusion that seal programs have
yet to establish a significant presence on the Web. As I mentioned in
my dissent from the Privacy Report, seal programs are not the only
enforcement mechanism that backs up self-regulation.\17\ In any event,
45% of the most popular sites--the ones that attract the greatest
number of individual visitors--use a privacy seal, and that is not an
insignificant presence by any stretch of the imagination.
---------------------------------------------------------------------------
\17\ Privacy Report, Dissenting Statement of Commissioner Orson
Swindle at 9-10.
Question 5. Several Internet companies claim that privacy policies will
``kill the goose that laid the golden egg'' by being too burdensome on
this fledgling industry. The FTC report references concerns of FTC
staff and the Advisory Committee on Online Access and Security that
some of these recommendations to protect consumer privacy should not be
overly burdensome to the company. Do you have any further guidelines on
what is ``overly burdensome'' for the Committee?
Answer. I do not know what privacy policies will be ``overly
burdensome,'' although I suspect that mandating Choice, Access, and
Security may be burdensome for many small Internet companies, as well
as for larger companies whose business models rely on the sale or use
of consumer information to offset the costs of providing benefits and
services to consumers. No one, at the FTC or elsewhere, has made an
assessment that answers your question. This was my sharpest
disagreement with the majority's legislative recommendation in the
Privacy Report.\18\ It is critical to look at the costs and burdens
that proposed legislation might impose before imposing them, and it is
just as critical to realistically assess the likely benefits of such
legislation.
---------------------------------------------------------------------------
\18\ Id. at 21-24.
---------------------------------------------------------------------------
Regulations have a long history of not accomplishing their
original, well-intended purposes, and unintended adverse consequences
are a well known, oft-occurring fact of life. No one at the FTC has
made a cost-benefit analysis of either the legislative/regulatory
approach or the industry self regulation approach.
In its response to this question, the majority basically says, as
it did in the Privacy Report that, regardless of the costs of
legislatively imposed privacy requirements, Congress should impose them
anyway, and we will work out the problems later. This could have a
chilling effect on the New Economy, and the damage could be difficult
to repair.
Please let me know if I can provide additional information on this
important matter.
Sincerely,
Orson Swindle
______
Center for Democracy and Technology
Washington, DC, September 8, 2000
Hon. John McCain,
Chairman,
Senate Committee on Commerce, Science, and Transportation,
Washington, DC.
Dear Chairman McCain,
Thank you again for inviting the Center for Democracy and
Technology (CDT) to testify at the May 25, 2000 oversight hearing on
Internet privacy. We are happy to answer the Committee's additional
question on CDT's view of current practices in Internet advertising.
The ability to personalize and customize content for the individual
is one of the main features drawing a vast number of individuals and
businesses to the Internet. Individuals can be empowered by this
personalization. For example, tailoring information to a person's needs
could help a citizen more easily find details about their local
elections or a consumer could aggregate advertisements in order to
compare prices. In both of these cases, some sort of personal
information or preference data may be needed. All of these and other
similar activities should be encouraged, but in each case the companies
providing the personalization service must make decisions about how
they plan to protect the individual's privacy in the process. Too
often, CDT has seen common Internet business practices that
surreptitiously collect information. These practices should not be
blamed on a particular technology, but on how tracking technologies are
utilized.
Simply put, individuals should be told when decisions are being
made about them.
CDT is not a business organization and therefore we cannot offer a
comparison or analysis of the effectiveness of a particular business or
marketing plan, but we can offer an assessment of ways to personalize
while protecting privacy. Despite the polls showing that as many as 96%
of Americans are concerned about privacy, many companies still do not
take privacy into account or purposely ignore privacy when creating new
business models. These companies are left to defend bad practices that
could have been avoided at an earlier stage if privacy had been a
consideration.
The good news is that the tide has begun to turn. Every day CDT
meets with companies that want to make sure that they are protecting
privacy or have created new privacy enhancing technologies that put
users in control. Two members of the CDT staff have recently written a
short article entitled ``Your Place or Mine: Privacy Concerns and
Solutions for Client and Server Side Storage of Personal Information''
* detailing some of the legal and technical concerns that business
should take into consideration when making decisions about how to
personalize. I have also included a recent law review article with a
broader overview.*
---------------------------------------------------------------------------
* The information referred to has been retained in the Committee
files.
---------------------------------------------------------------------------
I would be happy to answer any remaining questions that you may
have. Please feel free to contact me.
Sincerely,
Jerry Berman,
Executive Director.
cc: Senator Max Cleland
______
Association of National Advertisers, Inc.
Washington, DC, June 12, 2000
Hon. John McCain,
Chairman,
Committee on Commerce, Science, and Transportation,
United States Senate
Washington, D.C.
Dear Mr. Chairman:
The Association of National Advertisers (ANA) commends you for
holding the May 25th hearing on Internet privacy issues and the FTC's
report on the most recent privacy ``sweep.'' We continue to believe
that the most effective way to protect privacy in the online
environment is through a combination of strong industry self-
regulation, consumer empowerment and strong FTC enforcement under
existing legal authority. While much more remains to be done, we
believe that industry self-regulation has made substantial progress in
the past few years. Also, the FTC has been an active, effective ``cop
on the beat'' in this area. Therefore, ANA believes it would be
counterproductive and premature for Congress to adopt broad privacy
legislation at this point.
We would appreciate it if you would include these comments in the
official record for the May 25, 2000 hearing.
In last year's ``report card'' to Congress on the state of online
privacy protection, the FTC stated: ``The Commission believes that
self-regulation is the least intrusive and most efficient means to
ensure fair information practices online, given the rapidly evolving
nature of the Internet and computer technology.'' We agreed then and
strongly believe now that those sentiments continue to be correct.
The most recent FTC survey found significant progress in the number
of sites that posted privacy policies, 88% of a random sample and 100%
of the most popular sites. This is truly a major improvement from the
FTC's first sweep in 1998, when only 14% of Web sites had any
disclosure about privacy policies.
We agree with you that the privacy disclosures on many Web sites
are too long and complex. We have urged our member companies to take
another look at their notices to make sure that, to the maximum extent
possible, the disclosures are clear and conspicuous and in language
that ordinary consumers can understand.
According to the FTC report, only 20% of the busiest commercial
sites implement all four of the fair information principles of notice,
choice, access and security. We believe that the 20% finding must be
placed in the proper context.
While most sites have policies on notice and choice, many are still
developing policies on the complex issues of access and security. These
issues are very challenging, as demonstrated by the report of the
Commission's Advisory Committee on Online Access and Security (ACOAS).
Even the FTC admits in its report that it has not been able to
establish clear standards on how to implement these policies. Yet the
FTC's report graded down Web sites for not fully addressing access and
security.
Everyone agrees on the concepts of access and security, but these
issues are the true Gordian Knot of privacy. Implementing these
concepts is a difficult and complex process. Providing consumers with
broad access to information, without adequate protections, poses
potential severe security risks. Overly stringent security precautions
can make access very difficult.
Effective privacy protection is more than a numbers game. Even if
100% of Web sites provided easy access to information, without
stringent security precautions, 100% access may in fact diminish rather
than enhance consumer privacy. It is thus not surprising that while
most Web sites address notice and choice, many are still struggling
with how best to address access and security. The online community is
nevertheless committed to addressing these areas in a timely and
effective manner.
Through groups such as the Online Privacy Alliance (OPA), ANA and
others in the business community have reached out to encourage all
commercial Web sites to post privacy policies. There are now three
major privacy seal programs in operation and numerous software programs
available in the marketplace. Several tools are available that allow
consumers to surf online completely anonymously. New technological
solutions such as P3P are closer to implementation. A number of major
marketers have refused to place advertising on Web sites that do not
have strong privacy policies.
These and other self-regulatory efforts can respond more quickly to
changes in the marketplace than an overly restrictive regulatory
regime. We must be careful not to impose regulations that would impede
the growth of the Internet, rather than enhance it.
While more must be done, we believe self-regulation is working and
becoming stronger. ANA, several of our member companies and other
industry groups are committed to taking major steps to accelerate these
efforts. These steps will include improving privacy policies and making
them more user-friendly, further development of technological tools to
empower consumers to protect themselves, and a broad consumer education
program.
As you know, the FTC already has broad power to regulate the online
marketplace under section 5 of the FTC Act. We believe that this
authority, coupled with consumer education programs and enhanced
technological tools, is the most effective and flexible approach to the
rapidly changing online environment. Since the Internet is a global
medium, there are real, practical limitations to the reach of national
legislation and regulation. Therefore, effective self-regulation and
consumer empowerment become more important in this environment.
We remain committed to working with you to protect the privacy of
online consumers. However, we believe that broad privacy legislation at
this point would be premature and counterproductive.
Thank you for your consideration of these views. Please feel free
to contact me if you have any questions.
Sincerely,
Daniel L. Jaffe,
Executive Vice President.
______
Prepared Statement of Hon. Robert G. Torricelli, U.S. Senator from New
Jersey
Mr. Chairman and Members of the Committee, I am honored to have the
opportunity to address online privacy, an issue that is of growing
concern to the millions of Internet users all across the country and
the world. It is estimated that over 100 million Americans have the
ability to access the Internet. The rise in the use of the Internet has
led to concerns regarding the privacy of personal information
transmitted online, particularly, as more people use the Internet for
transmitting sensitive financial and medical information and for
shopping purposes. While some argue that given the Internet's global
reach and constantly changing technology, industry self-regulation
would best protect privacy, others advocate for strong legislative and
regulatory protections. And, still others, such as the witnesses here
before us today, recommend a multilayered protection consisting of
self-regulatory efforts supplemented by legislation authorizing
regulatory oversight. Today's hearing is an important way for Congress
to gather the information necessary to thoughtfully consider the range
of issues involved in the online privacy debate and to evaluate the
proper way to address those issues.
An Internet user's life is ``virtually transparent.'' \1\ This is
in part due to the number of companies that fail to provide consumers
with full disclosure regarding how the company may use personal
information transmitted online. As the Federal Trade Commission's (FTC)
May 2000 report ``Privacy Online: Fair Information Practices in the
Electronic Marketplace'' reveals, only forty-one percent of Web sites
in the random sample and sixty percent of the most popular sites
provide the most critical of fair information practices: notice and
choice.\2\ The notice that is provided is often densely worded and at
times even misleading.
---------------------------------------------------------------------------
\1\ Jeffrey Rosen, Why Internet Privacy Matters, The New York Times
Magazine, April 30, 2000, at 52.
\2\ FTC, Privacy Online: A Report to Congress, May, 2000 at 13.
---------------------------------------------------------------------------
Even more troubling are the number of companies allowing online
marketers to place third-party cookies on their Web sites. Without our
consent or knowledge, programs known as ``cookies'' monitor and collect
information regarding our Web browsing habits. Personal data is also
extracted directly by Web sites whenever we transmit the information
required to purchase a product or surf the Internet for a specific
topic. The FTC survey found that fifty-seven percent of sites in the
random sample and seventy-eight percent of the most heavily trafficked
sites allow the placement of cookies by third parties and that the
majority of these cookies are placed by advertising companies engaging
in online profiling. The report further revealed that the majority of
Web sites that allow third-party cookies do not disclose that fact to
consumers.\3\
---------------------------------------------------------------------------
\3\ Id. at 21.
---------------------------------------------------------------------------
Our actions will be monitored and our information will be shared
unless we specifically request that a company not do so, a process
known as ``opting out.'' Opting out requires a user to directly contact
a site to decline disclosure. Online industries argue that by posting
opt out features, they are, in fact, affording consumers a choice to
protect their privacy. However, as a means of securing the right to
online privacy, opting out is a burdensome solution that has proven
itself largely ineffective. Opt out procedures are often confusing and
obscured within a Web site. They are therefore rarely exercised. One
leading marketing company that tracks eighty million online consumer
profiles has revealed that it receives an average of only twelve opt
out requests per day.
This situation, while unsettling, is not inherently menacing.
Marketing, both online and off, is a common and often beneficial
practice occurring daily in other forms such as mailings and telephone
surveys. Businesses benefit from online marketing through improved
efficiencies resulting from a more detailed analysis of their markets.
Many consumers also desire the information marketing provides about
products and services that reflect their preferences and budgets. A
healthy balance can and must be established that allows consumers and
commerce to reap the benefits of these practices but in a way that is
mindful of the public right to privacy. This balance has yet to be
achieved. Unlike individuals choosing to partake in surveys and
questionnaires, those of us participating in online marketing do so
unwittingly and involuntarily, unable to hang up a phone or throw away
an envelope.
Disturbing examples such as these point to an immediate need to
provide consumers with direct control over outside access to their
online activities. Consumers must be given the right of consent prior
to any disclosure of personal information. They must be afforded a
clear choice to ``opt in'' to disclosure programs rather than the need
to opt out of them. They must also be given clear and accessible
knowledge of the extent of their privacy so that any choice they make
will be fair and informed. Web sites must accept the burden of
persuading consumers of the benefits and desirability of information
sharing. If companies are successful in convincing consumers that these
benefits are clear and substantial, consumers will readily agree to
participate.
Early this year, with these provisions in mind, I introduced S.
2063, the Secure Online Communication Enforcement Act of 2000. This
legislation was intended to establish a national dialogue to educate
Americans about the challenges of cyberspace. In doing so, I hope it
will intensify public participation in an emerging debate to determine
the relationship of the Internet to our society and the role of our
government in determining that relationship. This dialogue is also
vital towards preserving and strengthening public confidence in the
viability of the Internet as a secure medium for commerce and
information exchange. Consumers are currently spending over fifty
billion a year at over eleven million dot-coms.\4\ As ``The Industry
Standard'' recently argued, customer relationships are the new currency
of the Internet. And, if e-commerce companies place a greater value on
the customer data they collect rather than on the customer
relationships they are building, they risk squandering the enormous
potential of the Internet, thereby relegating it to a secondary role in
the American economy.\5\
---------------------------------------------------------------------------
\4\ Saul Klein and Tara Lemmey, Customer Relationships: The Net's
New Currency, The Industry Standard, Mar. 13, 2000, at 275.
\5\ Id.
---------------------------------------------------------------------------
The SECURE Act is mindful of the need to involve Congress in the
issue of online privacy because of the industry's demonstrated
inability to provide adequate and enforceable self-regulation. It is
also mindful of the need to limit our involvement and shield the
Internet from a system of rigid government regulations that would
stifle its dynamic expansion and development. We must remember that
during America's great economic revolutions, government has functioned
best as a silent partner with industry, fostering growth, but also
molding it in a socially responsible manner. Therefore, instead of
regulating, the SECURE Act expands online freedom. It empowers
consumers with the ability to protect themselves and make the informed
choices that will render this legislation self-enforcing. It prevents a
patchwork of state laws from miring the global growth of online
commerce. And, it avoids the necessity to resort to extensive FTC
oversight.
The SECURE Act is a beginning of a national dialogue on online
privacy and does not represent an end product in addressing this issue.
Senators Burns, Wyden, Leahy, Hatch and now Hollings have also
introduced important contributions to the debate. I look forward to
working with them in reaching a consensus on the most appropriate
legislative response to the privacy issues raised by the new
technologies of the information age. Although I believe that
entrepreneurial and innovative practices online are best served by
minimizing the government's regulatory authority over the Internet, the
FTC's report is pivotal to the development of appropriate public policy
regarding online privacy. I am pleased that the FTC has officially
acknowledged the need for online privacy standards with a statutory
basis.
Again, I thank the Chairman for giving me the opportunity to
participate in this hearing. I look forward to working with the
Committee to reach conclusions that are balanced and fair and that give
Americans a greater sense of confidence in the privacy of their
personal information.