FTC: Consumer Privacy Comments Concerning The Direct Marketing Association--P954807
SUPPLEMENTAL COMMENTS OF
July 16, 1997
The Direct Marketing Association appreciated the opportunity to provide our perspective on online privacy issues during the Commission's recent workshops, and to report to the agency on the progress we have made in providing businesses and consumers the information they need to make industry self-regulation work in the still-new medium of the Internet.
The Commission heard much detailed testimony from a wide range of participants over the four days of its hearings. We take this opportunity to respond to questions that were raised during the hearing and to clear up misconceptions where we think they may have occurred. As always, we remain available to the Commission and staff to address any additional questions.
Equally important, The DMA is committed to working through its self-regulatory structure and with the Commission to address the full range of issues that arose at the workshops. We will carry through existing initiatives and undertake new ones in the near future, particularly with regard to children's issues. We are committed to self-regulatory, educational, and technological solutions to consumer privacy concerns about the Internet.
Where Do We Go From Here?
We believe that the testimony presented during the course of the workshops supports the major points The DMA made before and during the workshop:
The DMA is committed to the goal of bringing the Internet industry into compliance with its guidelines to, as Georgetown University professor Mary Culnan put it during the hearings, "say what you do and do what you say." As she noted, "If you tell consumers what you"re going to do, privacy concerns will evaporate."
Online consumers already have many choices when it comes to protecting their privacy in this public medium. They can choose from a variety of online services and Internet service providers, large and small, offering varying protective features for their basic connection. They also can choose from among hundreds of thousands of Web sites. They can and will turn off their modems for good if the online and Internet industry isn't responsive or if they continue to fear the unknown.
What Is the Reality?
The survey results presented to the Commission clearly demonstrated that consumers are concerned about potential threats to their privacy online. We urge the Commission to put that concern into perspective. As the Privacy & American Business survey noted, only five percent of Internet users and seven percent of online service users say they themselves have experienced a violation of their privacy online--figures that are much lower than the comparable numbers for the traditional world, and a worst case scenario in that it allowed each respondent to define "privacy" in any manner he or she wanted to. And as the focus groups conducted by Stanley Greenberg demonstrated, concerns about online privacy reflect a more generalized fear of "uncontrollable problems" in American life--crime, drugs and so forth--not really life on the Internet. It is clear that parents are much more worried about their children's exposure to online pornography and online predators than they are to online marketing messages. Internet non-users, or novices, are fearful because of their lack of understanding of how the medium works.
More respondents in the last two Georgia Tech surveys picked "censorship" as the biggest problem on the Internet than did the number that picked 'privacy.' As we surveyed our members" Web sites prior to the FTC hearings, we found many that included discussions of credit card security on the Internet among their "Frequently Asked Questions" section, but few included privacy information there. It suggested to us that consumers were actively asking Webmasters for reassurance about the latter, but not as frequently about privacy.
Further, surveys like many of those presented to the FTC, which are devoted solely or primarily to privacy issues, do not place that issue in the context of other issues. For example, persons were invited to participate in the Center for Democracy and Technology's survey with the message: "Concerned About Your Online Privacy? Let Us Know!"
That said, we believe that it makes good business sense to provide consumers with as much information as possible about the information practices of Web sites. As the survey results indicated, consumers appear to be more willing to trust a Web site and provide the requested information when such a disclosure is provided. We also firmly believe that such disclosures will dispel much of the confusion that has been generated over what information is being collected and how it is being used. In our conversations with Webmasters, both with DMA member companies and others, we have frequently been greeted with puzzlement over why they should provide such a notice because they collected no information beyond what could be captured by system logs. We would then explain that it was precisely because of all the confusion that surrounded what they were collecting that such a notice could be helpful.
The company representatives who appeared at the FTC hearings demonstrated that less information is being collected and it is used less often than policy makers and advocates contend. There are many reasons for this: the immaturity of the medium and the fact that businesses are only beginning to use it, the relatively little attention they have given online communication, as they are focused on keeping their core businesses successful, lack of understanding of the capabilities of the technology, and the limits of technology. As the representative of Accipiter noted, tracking the individual clickstreams of thousands of Web site visitors would take terabytes of computer storage, at a cost to both the bottom line and system performance that would far outweigh any potential benefit.
In preparing its report on these hearings, we encourage the FTC to provide an accurate and objective view of the state of privacy on the Internet and to focus, not on worst case scenarios, but reality. We urge it to focus not on what can be done, but on a reasoned response taking into account the many things that industry is currently doing to address privacy online. The hard drive of a computer or an e-mail address is not "personally identifiable" the way a name and address are. The Commission can make an invaluable contribution for the future of Internet commerce by sorting out these issues carefully.
DMA Member Practices
In reviewing the Web sites of DMA members and talking to them before the FTC hearings, we found that our members who market to consumers online are beginning to post notices describing their online privacy policies. This represents good progress, considering our online principles were only formally adopted in January, and so many companies are new to the Internet. (For example, our surveys show that more than half of our members that are on the Web have been there for less than a year.) We believe it would be difficult to find any other equally rapid response of industry to a new medium's need for self-regulation.
While about two-thirds of our online consumer marketers say they collect information at their Web sites, most of that is because a site visitor specifically requested more information or entered an order. Only 15 percent of that group say they rent or exchange information that has been gathered online.
DMA Peer Review Procedures
DMA members are expected to follow the Association's guidelines, including the online principles, and there is a process in place to deal with them if they don't. Because the online principles are still so new, we view our immediate task as educating our members about what the principles say and what they need to do to comply.
In the months leading up to the FTC hearings, we received only one complaint about a member who was selling information collected online without having posted a disclosure notice or providing an opt-out mechanism. We immediately contacted the company and asked it to address the problem. In our review of members' Web sites, we noted those that were not in compliance and notified them, beginning first with those whose Web sites might attract an audience of children.
If these members refuse to comply, their cases will be referred to the DMA Committee on Ethical Business Practice. The committee has just begun publishing a three-times-a-year compilation of the cases it has reviewed. In addition, the DMA Board recently gave the committee the authority to disclose the names of companies that refuse to comply with the guidelines.
We encourage the FTC and advocacy groups to help us monitor companies that are not complying with our guidelines by referring cases to us.
A Word About Cookies
Although we do not have information on the number of our members who use cookie technology, the "cookie alert" feature now available on the major browser software products permits consumers to make this determination easily for themselves.
While some Web sites could understandably be interested in creating data bases of customers with whom they have built a relationship, a cookie deposited on the user's computer is unlikely to be an effective way of achieving that. Further, it should be underscored that a cookie is not necessarily personally identifiable, unless a user volunteers his name and address at a Web site or builds that information into his browser settings. As panelists testified, cookies are used by some sites to better manage the reach and frequency of advertising without communicating information about individuals. And the current state of "cookie alert" technology can notify a consumer when a cookie is about to be placed, the site that is placing it and when the cookie will expire.
The TRUSTe Approach
We applaud the goals of the TRUSTe effort, because we believe that better consumer notification can only help Internet commerce. Several of our member companies have become sponsors of this initiative and we view it as complementary to our own efforts.
While we believe that privacy policies can be used as a market differentiator, under TRUSTe's program, Web sites pay between $500 and $5,000 to receive their privacy labels. Although we acknowledge that there are very real costs involved in maintaining a labeling and auditing service, we believe that this cost threshold is high and may keep many sites from participating.
Further, we believe that the TRUSTe labels may not provide the specificity some consumers would want to evaluate a company's privacy policies. Companies may be wary of characterizing their practices into one of three broad categories. For example, there is no way, with the current TRUSTe labels, for a company that provides an opt-out mechanism before sharing data with third parties to distinguish itself from companies that do not. The TRUSTe program is not likely to gain wide acceptance from companies that would receive the "worst" of the program's three labels even when they let consumers restrict the distribution of their personally identifiable information.
We believe the Platform for Privacy Preferences (P3), now under development by the World Wide Web Consortium, offers a better long-term solution.
Platform for Privacy Preferences
This year The DMA became the first trade association to provide support for the World Wide Web Consortium, which previously developed the Platform for Internet Content Selection (PICS). The Consortium has since announced it will develop the Platform for Privacy Preferences (P3).
The goal of the P3 project is to develop a protocol through which Internet users could communicate their privacy preferences while Web sites communicate their information collection practices. The goal is to let each Web surfer set his browser to provide the level of privacy protection that he desires.
Last fall, DMA representatives began working with the broad-based Internet Privacy Working Group to develop a common vocabulary that would support P3. This involved first identifying the kinds of information that a Web site could conceivably collect, how it might use that information and how it might be disclosed to others. An individual could set his browser to provide maximum privacy protection, alerting him every time he visited a Web site. Or an individual might choose less restrictive preferences where, say, he might only be alerted when a Web site wanted to share his personally identifiable information with others.
In response to a question during the hearings as to whether P3 would permit users to be notified if Web sites were collecting information such as the Internet address of their home server, the answer is yes, if that possibility is covered by the language that is eventually implemented by the browser manufacturers. Again, let us underscore that P3 is envisioned as a technology that would facilitate communication between Web sites and users, at a level that reflects the user's own level of comfort. When a user understands how a Web site intends to use information, he will be in a better position to evaluate whether he wants to authorize the use of that information.
IPWG's participants readily acknowledged that a matrix of 85 choices could easily overwhelm a consumer. So, they recommended a choice of six "automatic" or "macro" settings that it was felt would cover the range of privacy preferences of most consumers, from a consumer who wanted to control every aspect of information collection that he could, to a consumer who felt no need for this protection. Consumers could then modify these if they wished, particularly after they had gained more experience using P3. It was also envisioned that advocacy organizations, associations, companies and others might develop recommended settings that consumers could also refer to when they installed their browsers. It's even possible that a company might decide to market an "Ultimate Privacy Browser" with those settings already made.
On the Web site side, site operators could choose to describe their site with a single statement covering all their practices or label individual pages, based on the information that is collected on each. This way, for example, a site that lets users browse most of its pages anonymously could apply a separate label to the page where users could provide their e-mail address if they wished to receive an electronic newsletter about the site.
Ultimately, however, the shape of these products will be determined by browser manufacturers, and will reflect market realities. Netscape and Microsoft both have come out in support of an Open Profiling Standard, another tool for controlling the dissemination of personal information online, which will be reviewed by the World Wide Web Consortium as it works on P3.
Because of the special concerns that are raised when children are involved, the participants in the IPWG and P3 processes have taken pains to address the need to protect the online privacy of children. It is envisioned that browser developers would either develop special "Kid Browsers" or enable parents to configure browser settings for their children, with a password required to change the settings. Parents could then presumably choose to restrict their children from accessing sites that collect say, name and address or e-mail addresses. IPWG also suggested that two other restrictions might be appropriate where children are concerned: one would let parents bar their children from using sites that have bulletin boards or chat areas to protect their children from posting personal information in publicly available places. The other would let parents restrict their children's access to sites that require the use of a credit card. While neither of these is a purely privacy concern, it was thought that they could provide parents with additional tools to control their children's online activities.
In response to question posed by a Commissioner, there is no reason these products could not be used in schools and libraries to protect children who access the Internet in those settings. If desired, children could be restricted from accessing any site that solicited personal information. It's possible, too, that these products would be developed in such a way as to permit a school to override this block if it wanted children to have access to a particular site that had been reviewed by teachers.
Marketing to Children Online
The information collection practices of Web sites targeted to children are a valid concern of the Commission, and an obvious concern to parents. But here, too, we urge caution on the part of the FTC.
As we indicated at the hearings, only about 15 percent of The DMA's online consumer marketers sell products for children and the vast majority (80 to 90 percent) aim their message at parents and in some cases teachers and other youth leaders. Our surveys indicate that the number of companies in The DMA membership who actually redistribute information collected from children online could be counted on one hand.
We believe that concerns about the safety of children online must be put into context. As the witnesses from the U.S. Justice Department and Federal Bureau of Investigation testified--and the FTC's ruling today underscored--chat rooms and bulletin boards, where children can disclose all sorts of information about themselves and their vulnerabilities to anonymous third parties who read their postings or lurk there, may pose a threat to the well-being of children. Conversations with reputable online marketers do not.
Moreover, as Sharon Strover of the University of Texas reported, parents often know when their children are online because they have only one telephone line to the house and cannot make or receive calls when the computer is in use. She added, though, that parents are desperate for guidance on how best to supervise their children's online experiences.
The Center for Media Education and the Consumer Federation of America have done important work in highlighting the potential for misuse of children's information, however, we believe their report deserves a closer analysis. We agree that all Web sites, whether targeted to children or not, need to make their information collection policies clear--and that includes most of the sites described in the CME/CFA study. However, we also believe that CME and CFA have painted a picture that showcases a worst possible scenario that is much more negative than reality.
CME and CFA contend that 90 percent of the 38 sites they reviewed "collect personally identifiable information from children." However, a closer review of their "study" indicates that only about a third of the sites collect both name and address. A name alone is not valuable marketing information, and an e-mail address is certainly not personally identifiable. In fact, others told the FTC that many children don't have their own e-mail address, but rather use their parents'.
Further, the dozen or so sites that the CME and CFA cited for collecting personally identifiable information promote brands such as Gatorade, Coca-Cola, Pepsi, the National Basketball Association, Sega, and Frito-Lay that also market to adults. While children undoubtedly visit these sites, a Web site operator cannot identify whether a visitor is a child unless he asks for and obtains truthful information. Indeed, as noted below, the U.S. Supreme Court recently concluded that there is no way to verify the age of visitors to a Web site or other Internet site. In addition, most of this collection of name and address is done in connection with conducting sweepstakes or providing an online store or catalog. Are Web sites to be barred from providing these services to adults?
Yes, some sites collect e-mail addresses to build positive relationships with children by sending them e-mail messages. But let's put this issue into context: is it really harmful for a child to receive a message from the Tooth Fairy that urges him to brush his teeth?
Further, there are a number of good reasons why information might be collected from children. Such information can help a Web site police participants who engage in inappropriate activities. A Web site that greets a visitor by his name is likely to do a better job of engaging a child's interest. Children who are encouraged to contribute their thoughts and ideas can provide the same kinds of valuable insights that the children provided in the Zillions magazine survey. Asking for names or e-mail addresses also permits sites to provide more accurate numbers to potential advertisers who could provide financial support to improve the content of a site--or even to finance the infrastructure required for better communication with parents. A list of families whose children are online could, in fact, be one of the most cost-effective ways to reach parents to inform them of parental control software and to get privacy protection products into American homes--tools that, as one presentation indicated, can unfortunately be hard to find in retail stores.
If a climate develops in which it is considered unacceptable to ask a child any sort of question online, we might as well unplug our computers and send our children back to the passivity of their television sets. Clearly, the White House Web site would not have solicited personal information, such as name and age, from children if staffers believed that an e-mail message or letter from the President or First Lady would harm the children.
We believe that Web sites should develop methods for communicating with parents and seeking their permission commensurate with the amount of information a Web site is interested in collecting and the sensitivity of that information. Companies such as Kids.com, Disney, and Avery Dennison have in the past months developed mechanisms, and it is likely that within a year, new technologies will provide other alternatives. Other companies, such as Time Warner, have cut back in their collection of information from children, do not require children to register before they can play at a site, have posted notices for children and parents, and repeatedly encourage children to involve and inform their parents before they provide even the small amount of information now elicited at the company's sites. And Internet notices urging children to consult their parents before furnishing information are meaningful because, as Sharon Strover of the University of Texas noted, most families have only one computer, which is located near parental activity and makes parental supervision the rule rather than the exception.
We are also wary of requiring verifiable parental permission because it is virtually impossible for a Web site to know for certain which of its visitors are children and how old the child is. In addition, children may be exploring Web sites through their schools when parents have no knowledge of, or access to a computer or fax machine. If the requirements for communicating with parents are set too stringently, interactive Web sites for children may simply disappear. The Web sites that will be left will be operated by the outliers, not the companies that have an interest in preserving their good and trusted brand names.
The fact remains that parents and teachers already have many choices when deciding what type of experience their children will have on the NII. For example, they choose whether to have a computer and, if so, whether to have an Internet connection. They also choose whether to supervise their children's activities, whether to furnish them with passwords to access chat rooms or the Internet, and whether to activate parental control software. Guidance material like Get CyberSavvy--coupled with adequate notices to children and parents--help parents learn about their choices and maximize their children's online experiences.
One final point that we wish to make in regard to the CME/CFA report. It seems to suggest that by asserting their right to their intellectual property, Web sites are asserting absolute rights to do whatever they wish with personally identifiable information that visitors may have volunteered. This is not true. Many brand-name companies face major problems preventing Internet users--including children and teenagers--from misappropriating their brands, logos and trade names. In addition, the companies want to protect themselves from suits in which individuals might claim that the companies stole their own ideas. As a result, many name-brand companies have posted notices designed to provide these protections to their Web sites. Privacy is but one of a number of contentious, and challenging, public policy and legal issues with which Web site operators have to contend.
Children's Online Privacy and the Reno v. ACLU Decision
The U.S. Supreme Court announced its decision in Reno v. ACLU, 65 U.S.L.W. 4715 (June 26, 1997), after the FTC concluded its workshop. The Court's unanimous conclusion that communications over the Internet are entitled to the highest level of First Amendment protection for any medium of communication--higher than for radio, broadcast television, or cable TV--has important implications for efforts to regulate children's privacy on the Internet.
Several passages in the Reno decision cast doubt on an approach to privacy that would ban Web sites from collecting information from children without prior parental consent, and instead support a less regulated approach. The Supreme Court in Reno specifically found that there is no way to verify the age of visitors to a Web site or other Internet site, and suggested that parental empowerment technologies are more effective than legal prohibitions. Id. at 4718, 4724. For the same reason, a prohibition against data collection from children on the Internet without parental consent would fail to achieve its goal, and would be less effective than relying upon empowerment software "by which parents can prevent their children from [disclosing information] which parents may believe is inappropriate." Id. at 4724 (emphasis in original).
Furthermore, the Reno decision signals that a broad prohibition against data collection from children would pose significant overbreadth problems. The Court in Reno held that content-based restrictions on expression on the Internet are subject to strict scrutiny. The disclosure of an individual's identifying information is expression protected by the First Amendment, and prohibiting the disclosure of this information would be a content-based restriction on expression. Because site operators cannot know with certainty whether or not individuals who visit their sites are children, prohibiting the collection of data from children would likely "curtail a significant amount of adult communication on the Internet," Reno, 65 U.S.L.W. at 4724, by inducing sites to cease collecting information from any users.
More generally, the Reno decision suggests that deregulatory approaches to expression on the Internet are far more likely to pass constitutional muster than content-based approaches--be they directed at children's exposure to indecency or at children's privacy.
Unsolicited Commercial E-Mail
The panels devoted to unsolicited commercial e-mail certainly demonstrated the difficulty of finding an easy solution to this problem. We commend the FTC for bringing many of the major players together to discuss possible solutions. We also encourage the Commission to use its existing authority to stop those individuals who are using this medium to promote consumer scams or are manipulating header information to disguise who they are. In addition, we would be happy to work with the Commission to help alert consumers to the scams that are turning up in e-mail.
Aside from the fraud, which should be dealt with, there is a need to put into perspective the issue of unsolicited commercial e-mail marketing. While it is cause for concern for some people who receive it, it's important to note that receipt of unsolicited commercial e-mail is not universal. Sixty-seven percent of Internet users (and half of online users) in the Westin survey said they do not receive unsolicited commercial e-mail. Further, a majority of those who receive such messages described them as "a little bothersome," but said that they just delete them. Clearly, unsolicited commercial e-mail has become a problem for persons who choose to be active in Internet newsgroups, who participate in online chat rooms or who have voluntarily put their name in the Member Directory of their online service. It is not a major problem for the person who does not do these things.
It appears that among those DMA members that use e-mail as a marketing tool (and the percentage appears to be very small), the vast majority use it only on a targeted basis. Almost all of them collect addresses from users themselves--i.e., at their Web site, through an e-mail inquiry or from an in-store or online contest. Only one out of 26 companies surveyed on this point said they collected names from "public" sources, such as magazines, newspapers and the Internet.
Commissioner Varney mentioned receiving e-mail messages related to automobiles after she and her husband began visiting Web sites featuring information about cars. Although a bug in an earlier version of one of the major browser products enabled some Web sites to be able to determine the e-mail address of some of their visitors, that capability has largely disappeared, as the Center for Democracy and Technology has attested to us. Perhaps the Commissioner has either built her e-mail address into her browser, volunteered it at one of those sites, posted a question in a bulletin board or newsgroup devoted to comparing cars, or provided her e-mail address when she filled out a form during her search for a car. Targeted marketing doesn't happen by magic. We also expect that a simple "reply" message would be enough to stop the flow of these kinds of messages.
We look forward to continue working with other participants, as the FTC suggested, to come up with a solution that will meet consumer concerns, further the development of electronic commerce, identify the bad actors and still preserve freedom of expression. We hope that The DMA's proposed e-Mail Preference Service can be part of that solution. We note that the Georgia Tech studies of Internet users have found strong support for a solution that includes an e-Mail Preference Service, particularly when compared to a solution based on government regulation. We also believe that such a service, operated by a broad-based industry association, can help build consumer confidence and industry participation more effectively than a service provided by a single company, a smaller group of companies or the government. We believe that The DMA can build on its long history of operating both its Mail Preference Service and Telephone Preference Service in tackling the problem of unwanted, unsolicited commercial e-mail. We would be happy to keep the Commission and its staff posted on our progress in working with the rest of the industry to achieve this goal.
Points to Remember
We acknowledge the Commission's efforts to take a broad look at the issues surrounding Internet privacy, and believe that several points need to be underscored.
The first concerns the role of the Internet in American commerce. Throughout the workshop, some participants seemed to take the view that entities that create World Wide Web sites should do so for solely altruistic purposes. Although many persons and institutions do create Web sites as labors of love, to make information available to the public or simply to gain greater exposure for their sponsors, most companies that create interesting, highly interactive, creative sites need to justify them from a business standpoint. That business justification may include brand promotion, building customer loyalty, managing customer inquiries more cost-effectively or selling products and services effectively.
A Web site that provides no opportunity for interaction is not interesting to consumers, adds little or no value to their dialogue with marketers, and therefore is of little value to businesses. Some may need to simply track the number of persons who are visiting their sites. Others may encourage visitors to ask questions as a way of improving their services or building their customer base. Others may provide a product for free that they charge for in the traditional world. In return, it seems reasonable for a publisher to ask a Web site visitor to register before providing that person with the same material that could cost him on a newsstand. In all of these cases, we firmly believe that companies should disclose their information collection practices and enable visitors to prevent their personally identifiable information from being used or shared with others for marketing purposes. But shouldn't a consumer be permitted to decide whether the value of a product he is receiving for free is worth sharing his name with a marketer? Some consumers may choose not to volunteer their names for a free product; some marketers may decided that they want to maximize the number of visitors to their site and thus will not require registration. We believe that is something the marketplace should decide.
The second point is that as the Internet grows exponentially and technology develops, there are benefits that users can enjoy when Web sites know more about them. For instance, at the most basic level, if a Web site knows what kind of browser software a visitor uses, it can present a Web page in the format that will be appropriate to that browser and the technology it can support. As users become increasingly overwhelmed by the number of references that a search engine turns up, user profiles may be useful in identifying the information that is likely to be most interesting.
If the Internet is going to succeed as an advertising medium, advertisers must be able to take advantage of the medium to better target their messages. Consumers are likely to benefit, too, when they are presented with advertising that addresses their information needs, rather than products in which they have no interest. That said, we believe that information practices must be communicated clearly and consumers' preferences respected. But we also caution the Commission to be careful that in the rush to protect perceived threats to individual privacy that they don't destroy some of the few tools that advertisers and publishers have available to manage things like relevance, reach and frequency. A cookie can, for instance, identify a hard drive that has previously seen an ad message without necessarily uncovering anything about the persons who are using that hard drive.
Third, the market is already responding to consumers who desire greater privacy protection. The browser manufacturers are continuing to build new privacy features into their products. The parental control software products continue to improve. E-mail management software provides new filtering capability. Clever shareware developers have come up with products that can obliterate cookies and advertisements for those consumers who have these concerns.
The Internet is a market that is so democratic and flexible that it is easy for companies and software developers to respond to a perceived market need.
The Direct Marketing Association has devoted substantial resources to promoting consumer and business education and supporting the technological developments of the World Wide Web Consortium. We intend to continue to have these kinds of activities at the top of our priority list.