Online Privacy Protection - Sheila Anthony

Online Privacy Protection

Testimony of Commissioner Sheila F. Anthony
Before the U.S. Senate Subcommittee on Communications

July 27, 1999

Mr. Chairman and members of the Subcommittee on Communications, I am delighted to be here this morning, and I appreciate your holding this hearing today to address a topic of extreme importance to the American people. I will speak briefly about online privacy protection.

As the Commission's 1999 report to Congress states, only 10% of well-traveled Internet sites in a recent survey have privacy disclosures that speak to all four substantive fair information practice principles of notice, consent, access, and security.⁽¹⁾ Even among the top 100 most frequently visited Internet sites, only some 20% have privacy disclosures addressing these four principles.⁽²⁾

Last year I was asked to grade the online privacy performance of the industry as a whole. I generously gave industry a D+.⁽³⁾ I expected industry's performance to substantially improve.

Some industry leaders have undertaken significant efforts to protect online privacy, including Microsoft, Dell Computer, Disney Online, IBM, AT&T, Eastman Kodak, Fox Broadcasting, the Boston Globe, the San Francisco Chronicle, the Wall Street Journal, CyberBills, Educational Communications, Inc., and Worldtravelcenter.com. These self-regulatory efforts constitute a reasonable response to the widespread market demand for the protection of consumer privacy and likely play an important role in the growth of electronic commerce. In addition, the seal programs show promise. But some companies have made a business out of collecting, buying, and selling individually identifiable information online.

I was shocked to discover, shortly after I joined the Commission, that at least one of the several "information brokers" operating in the marketplace had my name and my husband's name, our address, the value of our house, our social security numbers and the years in which they were issued, our mothers' maiden names, the address where we lived before coming to Washington in 1978, our two daughters' names, their husbands' names, their social security numbers, every address where they had lived, and even our 3-year-old grandchild's name and social security number. I might add that there were several mistakes in that report on me.

We in the government, and especially those of us who have experienced a confirmation process or you who have stood for election, know what it is to have our private lives laid bare. But most Americans do not, nor do they want to.

I am disappointed that sufficient progress by industry as a whole has not been made toward the protection of online privacy under a self-regulatory approach. Such a lack of progress is surprising, given the Commission's clear articulation of fair information practice principles in our 1998 Online Privacy Report. Even prior to my arrival at the Commission, the Agency had encouraged industry to adopt voluntary fair information practices.⁽⁴⁾ Indeed, Secretary of Commerce Brown plainly expressed the fair information principles of notice and consent as long ago as 1995.⁽⁵⁾ The self-regulatory environment has not advanced the ball as far as I would have expected. Thus, consumer privacy remains an issue about which 87% of online Americans, including me, are extremely concerned.

Privacy is "one of our most cherished freedoms."⁽⁶⁾ Too often, however, the debate about privacy and the protection of personal information that is surreptitiously gathered takes on an ethereal quality and looks for proof of direct harm. Direct harm is not necessary to justify fair information practices, but is evident, for example, in cases of cyberstalking and identity theft.

The American public deeply values its privacy, quite apart from notions of direct harm. The studies of which I am aware consistently show a high level of concern about online privacy. For example, a study just released in April by Harvard, MIT, AT&T Labs, and the University of California-Irvine found, as I mentioned earlier, that 87% of Internet users were concerned about personal privacy threats.⁽⁷⁾ One year ago these online privacy concerns were held by 81% of Internet users.⁽⁸⁾ So, over the years public concern has increased, not decreased.⁽⁹⁾

In reporting on the status of self-regulation and online privacy protection, the Commission has fulfilled its promises to collect information regarding online privacy and provide a response to the Congress.⁽¹⁰⁾ I respectfully disagree with my colleagues in that I believe that the time is ripe for Congress to enact federal legislation to protect online consumer privacy, at least to the extent of providing minimum federal standards. As a whole, industry progress has been far too slow since the Commission first began encouraging the adoption of voluntary fair information practices in 1996.⁽¹¹⁾ Notice, while an essential step, is not enough if the privacy practices themselves are toothless. I do believe that Congress is the appropriate place for the debate on the online protection of consumer privacy, and I note that several bipartisan online privacy bills are pending in both the House and the Senate, including the Online Privacy Protection Act that has been introduced by Chairman Burns and cosponsored by Senator Wyden. These bills can serve as starting points to craft balanced privacy legislation.

I am concerned that, without widespread implementation of fair information practices on commercial Web sites and absent effective privacy protections, several results are inevitable.

First, the dissatisfaction of the American people will grow, as it has in the past, in both pitch and intensity.
Second, a patchwork of state laws to protect online privacy will emerge. A number of states, including California, Colorado, Connecticut, Delaware, Florida, Louisiana, Maine, Massachusetts, Minnesota, Montana, Nevada, New Hampshire, New York, Pennsylvania, South Carolina, Tennessee, Virginia, Washington, and Wisconsin have moved in that direction.⁽¹²⁾ Consider the confusing environment that could result for consumers, online marketers, and the courts under such a legal patchwork.⁽¹³⁾ Consider, also, the extreme burden on online businesses to comply with this patchwork of privacy laws that their web sites certainly will encounter. Such businesses would be required to determine the jurisdictional reach of each state possessing such privacy laws and to develop compliance strategies to satisfy the privacy requirements of each jurisdiction. Further, the entire process may need to be repeated as online businesses grow and expand their product lines or information collection practices and as other states enacts their own laws.

A single minimum federal standard of online privacy would decrease the cost and complexity of compliance, while simultaneously establishing essential privacy protections for American consumers. Further, I believe that federal legislation and meaningful self-regulation should operate hand-in-hand.

Third, I am concerned that the absence of online privacy protections will continue to undermine consumer confidence and hinder the advancement of electronic commerce and trade, specifically of trade with the European Union and its 320 million consumers. Some types of personal information, such as health and financial information, will require heightened privacy protections. Without the widescale adoption of fair information practices, however, not even an across-the-board minimum standard of protection exists.

Let me conclude by saying that I am troubled by the results of the Georgetown surveys, which show much less progress than I had hoped. I am pleased to say that the Commission will continue its involvement in the privacy arena, and our report sets out a number of initiatives for the coming year.

Thank you for the opportunity to share my views.

1.Federal Trade Commission, Self-Regulation and Privacy Online: A Report to Congress, 7 n.10. (July 1999) [hereinafter Report]; see FIPs Compliance Gap, chart infra.

2.Report at 7 n.42; see FIPs Compliance Gap, chart infra.

3.Statement of the Honorable Sheila F. Anthony before the House of Representatives, Committee on Commerce, Subcommittee on Telecommunications, Trade, and Consumer Protection (July 21, 1998).

4.Federal Trade Commission Letter to Senator John McCain 6 n.2 (July 31, 1997).

5.Ronald H. Brown, U.S. Department of Commerce, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information pt. III.A-B(Oct. 1995), available at National Telecommunications and Information Administration, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information (visited June 23, 1999) <http://www.ntia.doc.gov/ntiahome/privwhitepaper.html> at 13-16.

6.Statement of President Clinton, Morgan State University (May 18, 1997), available at The White House, Commencement Address by the President at Morgan State University (May 18, 1997) http://www.pub.whitehouse.gov/uri-res/I2R?urn:pdi://oma.eop.gov.us/1997/5/19/1.text.1 .

7.Lorrie Faith Cranor et al., Beyond Concern: Understanding Net Users' Attitudes About Online Privacy, Research Technical Report, TR 99.4.3 (Apr. 14, 1999), available at AT&T Labs, Beyond Concern: Understanding Net Users' Attitudes About Online Privacy 3, 5-6 (visited June 22, 1999) <http://www.research.att.com/library/trs/TRs/99/99.4/99.4.3/report.htm> [hereinafter AT&T Labs].

8.See id., available at AT&T Labs, supra note 7, at 4.

9.See Growing Public Concern, chart infra; Cranor, supra note 7, available at AT&T Labs, supra note 7, at 5-6 (1999 figure); Louis Harris & Associates, Privacy & American Business, summarized in Privacy Exchange, Consumers & Credit Reporting 1994 (visited July 6, 1999) <http://www.privacyexchange.org/iss/surveys/con_cre.html> at 1 n.1 (1993 figure); Louis Harris & Associates, The Road After 1984, summarized in Equifax, Equifax Executive Summary 1990 (visited July 6, 1999) < http://www.privacyexchange.org/iss/surveys/eqfxexecsum.1990.html> at 1 (1983 figure); Louis Harris & Associates, Dimensions of Privacy, summarized in Equifax, Equifax Executive Summary 1990, supra, at 1 (1978 figure).

10.See Letter to Senator McCain, supra note 4; Federal Trade Commission, Privacy Online: A Report to Congress (June 1998).

11.See Federal Trade Commission, Public Workshop on Consumer Privacy on the Global Information Infrastructure, Staff Rept. (Dec. 1996).

12.See Proliferating Privacy Patchwork, chart infra; see, e.g., Conn. H. B. 6895, File No. 608, as amended by House Amendment Schedule A (reissued and approved by Legislative Commissioner on May 7, 1999) (passing law to prohibit state from requiring social security numbers of voter registrars); Cal. S.B. 417, Supermarket Club Card Disclosure Act of 1999 (heard June 15, 1999 by Assembly Committee on Consumer Protection, Governmental Efficiency & Economic Development); Del. H.B. 100 (House concurred in Senate amendments with additional amendments and forwarded bill to Senate for concurrence on June 17, 1999) (making videography or photography where reasonable expectation of privacy exists a felony); Wash. H.B. 2220 (to House Committee on Criminal Justice and Corrections on Feb. 22, 1999), amending ch. 9.73 RCW (making visual surveillance where reasonable expectation of privacy exists a misdemeanor); see also Thomas Shapley, A Move to Ban Videos that Invade Privacy, Seattle Post-Intelligencer, Mar. 2, 1999, available at Seattle Post-Intelligencer, Seattle PI-Plus (visited June 24, 1999) <http://www.seattle-pi.com/local/peep02.shtml>; Maine S.P. 93 - L.D. 232 - P.L. 17 (interim enactment on Mar. 19, 1999), amending § 1 20-A MRSA § 6001, as amended by P.L. 1989, c. 911 § 1.

13.The point about courts goes to establishing a uniform legal standard of a "legitimate expectation of privacy." See, e.g., Smith v. Maryland, 442 U.S. 735, 735 (1979).