| April 15, 1997 Secretary Re: Consumer Privacy 1997 -- Request to Participate, P954807 Dear Secretary: I request permission to participate in Session Two of the Federal Trade Commission Public Workshop on Consumer Information Privacy on June 11 and 12, 1997. As Director of Consumer Protection for the Consumer Federation of America, I represent a national consumer advocacy perspective on issues before the Federal Trade Commission. CFA is a federation of some 250 pro-consumer groups with a combined membership of over 50 million Americans. Prior to working for CFA, I was actively involved in consumer privacy policy issues in Virginia on behalf of the Virginia Citizens Consumer Council. CFA believes that the Internet has great potential to inform and educate consumers. The on-line marketplace can improve consumer choice, facilitate comparison shopping, encourage competition, reduce costs by eliminating the middleman/agent, and enhance consumer sovereignty. A prerequisite for widespread consumer confidence in the virtual marketplace is an effective network of consumer and privacy protections. CFA respectfully requests the opportunity to participate in the Session Two workshop. Respectfully submitted, Jean Ann Fox April 15, 1997 Secretary Re: Consumer Privacy 1997 -- Comment, P954807 Dear Secretary: Consumer Federation of America (CFA) places great importance on protecting consumers in the emerging on-line marketplace. Tools to accomplish this goal include traditional fraud prevention, consumer information and education, consumer recourse, and enforcement of consumer protection laws. A key component is protection of consumer privacy and ensuring consumer control of customer-specific personal and transaction information. At its 1997 Annual Meeting, the member organizations of the Consumer Federation of America adopted the following Policy Resolution: "Consumers have a right to personal privacy and should be able to reject intrusive marketing practices, communications, technology, and unauthorized use of records. Consumers have a right to control individually identifiable transaction information and to decide to whom and for what purposes that information may go. Consumers' records, such as financial and medical information, should not be released to a third party without permission and disclosure. Children's privacy interests deserve special protections." (CFA 1997 Policy Resolutions Consumer Protection) CFA's Policy Resolutions also include the following discussion of these privacy principles: To adequately protect consumer privacy, CFA supports broad measures that require consumers to give affirmative consent, or opt in, before companies can collect information about consumers. Industries must tell consumers when and why certain information is being collected, what will be done with the information, and who will have access to information. Industries should collect only that information which is germane to the transaction and not allow the information to be used or sold for other incompatible purposes without the individual's consent. Consumers should have access to their files on request, with simple procedures for correcting errors and adding statements of explanation. CFA supports strong protections of customer-specific transaction information and consumer identification to prevent theft of identity and invasions of consumer privacy. Personal information about banking and credit transactions, retail buying patterns, and use of telecommunications and medical services is collected by both businesses and government agencies in increasing quantities. Records that were once kept private and secure are now readily available and subject to commercial exploitation. Congress and federal agencies should enact legislation and regulations that provide individuals with adequate protections against the unauthorized dissemination of information about their use of data, financial, credit, retail, employment, communications, or medical services. Consumers should not be compelled to pay to block such information dissemination, nor should they be forced to comply with cumbersome procedures to ensure that protection. Consumers should be notified of any sale of information about their financial transactions, shopping habits, purchases, subscriptions, or telephone calls. CFA supports the adoption of guidelines by the Federal Trade Commission to regulate the collection of personal information from children via the Internet and proprietary on-line services. Such guidelines must include comprehensive disclosure and verifiable parental consent prior to the collection of any information from children." CFA applauds the Commission's efforts to improve consumer and privacy protections in the on-line marketplace. Requirements that consumers retain control of personal information and individually identifiable transaction information are crucial in the on-line environment. The use of "cookies" to create a complete record of each consumer's use of the World Wide Web is far more intrusive than the collection of transaction information by traditional retailers. Whereas a supermarket's frequent shopper card and computerized store registers give a retailer a list of each product a consumer purchases, on-line tracking of visits to Web pages and purchase information tells potential marketers every page an on-line consumer viewed in addition to ultimate purchases. Coupled with personal information, marketers can create a detailed and specific profile of each consumer. CFA submits the attached comments in response to questions 2.1, 2.3, 2.16-18 for the FTC's Public Workshop on Consumer Information Privacy, Session Two. In addition to these comments, CFA has also filed comments on children's privacy along with the Center for Media Education. Respectfully Submitted: Jean Ann Fox Information Collection and Use 2.1 What kinds of personal information are collected by commercial Web sites from users who visit those sites and how is such information subsequently used? Among other things, is clickstream data being collected and tied to personally identifying information? Computer technologies make it possible to track all interactions users have on-line. Such covert data collection is becoming an essential tool for on-line advertisers. Unlike TV ratings which generally use anonymous aggregate numbers to reveal the viewing behavior of key demographic groups, on-line usage data can directly track how individuals respond to advertising. A burgeoning industry has developed to provide such on-line tracking services. On-line advertisers seek assurances that their ads will be seen by a significant number of people. To meet this need, corporations such as DoubleClick and Netscape have developed elaborate systems for collecting visitor information. These two companies have devised some of the most popular tracking methods. Netscape Communications Corp., maker of the most widely used Web browser, utilizes "cookies" to track computer users' on-line activities. Cookies are files stored on the hard drives of all Netscape users, keeping a log of each page within a site a user has visited. Companies using Netscape software can use the detailed user data to create detailed profiles of individual users.(1) DoubleClick has issued more than 40 million "cookies" to users in just over a year of operation.(2) Several other companies also provide tracking services.(3) One company, Bradley Madison Co. has designed software, "Birds of a Feather," to overcome the "hurdle" of consumer concern for privacy, and still collect on-line marketing data.(4) The software, which is distributed for free, enables individuals with similar interests to find each other. The users enroll anonymously through passwords. The software company then tracks their on-line movements and sells the aggregate data to marketers.(5) As one author notes, tracking tools essentially force individuals to act unwittingly as their own direct mail agents. On-line advertisers can collect information about which ad was displayed each time an individual visited a specific site page and whether the user clicked on the ad. Using the information to construct a user profile, the advertiser will be able to select ads that best fit this profile.(6) Recently, the Internet Engineering Task Force proposed RFC 2109, an HTTP State Management Mechanism that would allow users to decide whether or not they want their cookies to be collected. This would give individuals greater control over the creation and collection of their personal information on the Internet. CFA, as well as other groups interested in privacy protection, strongly supports adoption of this proposal.(7) However, RFC 2109 has caused quite an uproar in the on-line advertising industry. Several on-line advertisers, including CNET and ADSmart, oppose this privacy-protecting measure, favoring instead a system that does not permit user choice.(8) Just as interactive technology is facilitating more intrusive information collection, this same technology is also contributing to new tracking methods. For example, TAG, developed by Digital Renaissance, Inc., takes advantage of interactive technology by enabling on-line marketers to track consumers' moves and offer promotional material based on the user's choices. The technology records the users' selections and the time spent on them. TAG's manufacturer boasts, "I know what they watch and how they watch it and now I know what's important to that consumer. I can tell what that person liked and disliked and whether or not that person left and never came back."(9) The Federal Trade Commission should require companies to inform consumers that their every move on a Web site is being recorded for marketing purposes. Commercial entities should not be permitted to write or read information on a consumer's hard disk, without explicit authorization. The practice of tailoring ads to individuals, known as "microtargeting," permits on-line services to use sophisticated efforts to target advertising to consumers. Using individualized advertising based on intimate knowledge of each consumer's interests, behavior, and socioeconomic status will give on-line marketers unprecedented powers to tap each consumer's unique vulnerabilities. Several companies are offering new ways of combining tracking and microtargeting to make it easier for sites to provide personalized content. As noted in Advertising Age, "...there already are a slew of companies that mine information about a Web user's computer and Web browser to make sure the right ad message reaches the right type of Web user at the right time."(10) For example, Blau/Coyote Technologies uses invisible "tokens" to follow a user's actions on the Internet. The tokens are linked to the marketer's database and prompt different information, depending upon the user's behavior. Similarly, 133 Communications Corp. relies on "cupcakes" to track and microtarget. For this system, a user completes an electronic demographic form on a cupcakes-enable site. The information on the form is stored on the user's hard drive, and when he visits a participating site, the site provides information personalized to the user's interest.(11) Although presently, users must register at a site or request information for a marketer to be able to send a targeted message to a specific user,(12) without proper disclosure, these techniques can easily manipulate consumers. The use of electronic surveys may foster a new wave of direct marketing. While some sites state that the information they collect is for internal use only, and will not be made available to third parties, there are currently no regulations that prevent personal information about consumers from being collected or sold to third parties. Sites do not explain how they intend to use the information that they have collected. 2.3 What are the risks, costs, and benefits of collection, compilation, sale, and use of personal consumer information in this context? Personal consumer information is a valuable commodity to marketers. An investigation reported in MacWorld June 1993 ("Privacy in Peril") states that the Burwell Directory of Information Brokers describes 1253 commercial services in the personal information market. The marriage of such computer databases containing demographic information and Social Security numbers with information gleaned from individual consumer transactions in Cyberspace will create extensive records of very personal information that can be used to invade privacy or to support fraud. These risks range from credit card fraud and stolen identity to loss of access to insurance, employment, or housing due to inaccurate or inappropriate information. Unsolicited Commercial E-Mail 2.16 How widespread is the practice of sending unsolicited commercial e-mail? Are privacy or other consumer interests implicated by this practice? What are the sources of e-mail addresses used for this purpose? 2.17 What are the risks and benefits, to both consumers and commercial entities, of unsolicited commercial e-mail? What are consumers' perceptions, knowledge, and expectations regarding the risks and benefits of unsolicited commercial e-mail? 2.18 What costs does unsolicited commercial e-mail impose on consumers or others? Are there available means of avoiding or limiting such costs? If so, what are they? Unsolicited e-mail is the equivalent of telemarketing calls that interrupt the dinner hour, junk faxes that fill the in-tray with wasted paper, and junk mail stuffed into mail boxes. Consumers have paid for their Internet access and computer systems to be used for consumers' purposes, not for the convenience of companies. For consumers who have to pay for Internet access, sometimes by the minute, any time spent reading unsolicited e-mail imposes a real monetary cost. In addition, irritated consumers waste time reading and deleting unwanted e-mail messages. More seriously, consumers receive inappropriate and offensive unsolicited messages.(13) Although companies provide a response method, consumers cannot always communicate directly with the sender. Companies may keep their promise not to e-mail a second time to consumers who do not respond to the first message, but an endless supply of first time e-mail contacts takes their place. The central issue is one of consumer control of this method of communications. Consumers should be asked for affirmative permission before commercial entities can send e-mail messages. At the time consumers initiate service, on-line services and Internet Service Providers could provide opt-in screens to authorize these messages. This system is preferable to a national don't-call-me list or the DMA's mail preference service. It places the decision and control in the hands of the consumer who paid for the computer system and time spent on the Internet. 1. Netscape 2.0 and 3.0 includes cookies as one of its features. J. Rigdon, "Internet Users Say They'd Rather Not Share Their 'Cookies,'" The Wall Street Journal, Feb. 14, 1996. Netscape: (http://home.netscape.com/). 2. Kristi Coale, "DoubleClick Tries to Force Hand into Cookie Jar," Wired News, Mar. 17, 1997 (http://www.wired.com/news/technology/story/2615.html) 3. Other tracking companies include: Intermind (www.intermind.com), and Interse (www.interse.com), Firefly Network (www.ffly.com). See Matt Carmichael, "Are Cookies Really Monsters?" in Advertising Age, Nov. 18, 1996. 4. See Birs Maker: Consumer Anonymity Will Link Online Users, Marketers, Interactive Marketing News, Jan. 17, 1997 at 1. 5. Id. 6. Victor Mayer-Shonberger, The Internet and Privacy Legislation, Cookies for a Treat, 1996. 7. See "Net Users Urge Standards Group to Protect Privacy" Press Release, April 7, 1997 (http://www.epci.org/privacy/Internt/cookies/ietf_letter.html) 8. See Rick E. Bruner, "'Cookie' Proposal Could Hinder Online Advertising" in Advertising Age Int., March 1997. 9. See "Company Rolls Out Interactive Database for Tracking Consumers," in Interactive Marketing News, Jan. 17, 1997 at 1. 10. Debra Aho Williamson, "Web Advertising Saunters Toward Personalization" in Advertising Age, Nov. 18, 1996. 11. Id. Other companies utilizing similar strategies include Broadvision (www.theangle.com) (registered users provide personal information. Advertisers can then target these individuals, but Broadvision won't reveal individual identities.) and Cyber Dialogue (www.cyberdialogue.com) (registered users are placed within pre-defined psychographic profiles based on information they provide and advertisers can then locate these users within a site). 12. Debra Aho Williamson, "Web Advertising Saunters Toward Personalization" in Advertising Age, Nov. 18, 1996 at 44. 13. CFA has been collecting unsolicited e-mail and will share findings with the FTC in June. |