Prepared Statement of
"Self-Regulation and Privacy Online"
July 13, 1999
Mr. Chairman and members of the Subcommittee, I am Robert Pitofsky, Chairman of the Federal Trade Commission ("FTC" or "Commission"). I appreciate this opportunity to present the Commission's views on the progress of self-regulation in the area of online privacy.(1)
I. Introduction and Background
The FTC's mission is to promote the efficient functioning of the marketplace by protecting consumers from unfair or deceptive acts or practices and to increase consumer choice by promoting vigorous competition. As you know, the Commission's responsibilities are far-reaching. The Commission's primary legislative mandate is to enforce the Federal Trade Commission Act ("FTCA"), which prohibits unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.(2) With the exception of certain industries, the FTCA provides the Commission with broad law enforcement authority over entities engaged in or whose business affects commerce(3) and with the authority to gather information about such entities.(4) Commerce on the Internet falls within the scope of this statutory mandate.(5)
In June 1998 the Commission issued Privacy Online: A Report to Congress ("1998 Report"), an examination of the information practices of commercial sites on the World Wide Web and of industry's efforts to implement self-regulatory programs to protect consumers' online privacy.(6) Based in part on its extensive survey of over 1400 commercial Web sites, the Commission concluded that effective self-regulation had not yet taken hold.(7) The Commission recommended that Congress adopt legislation setting forth standards for the online collection of personal information from children; and indeed, just four months after the 1998 Report was issued, Congress enacted the Children's Online Privacy Protection Act of 1998.(8) As required by the Act, on April 20, 1999, the Commission issued a proposed Children's Online Privacy Protection Rule, which implements the Act's fair information practices standards for commercial Web sites directed to children under 13, or who knowingly collect personal information from children under 13.(10) Commission staff is reviewing comments on the proposed rule and will issue a final rule this fall.
When the 1998 report was released, there were indications that industry leaders were committed to work toward self-regulatory solutions. As a result, in Congressional testimony last July the Commission deferred judgment on the need for legislation to protect the online privacy of consumers generally, and instead urged industry to focus on the development of broad-based and effective self-regulatory programs.(11) In the ensuing year, there have been important developments both in the growth of the Internet as a commercial marketplace and in consumers' and industry's responses to the privacy issues posed by the online collection of personal information. The Commission has just issued a new report on these developments, Self-Regulation and Online Privacy: A Report to Congress (June 1999) ("1999 Report").(12) The 1999 Report assesses the progress made in self-regulation to protect consumers' online privacy since last June and sets out an agenda of Commission actions in the coming year to encourage industry's full implementation of online privacy protections. I am pleased to present the 1999 Report's findings to the Committee.
II. The Current State of Online Privacy Regulation
The new survey results show, however, that, despite the laudable efforts of industry leaders, significant challenges remain. The vast majority of the sites in both the GIPPS and OPA surveys collect personal information from consumers online.(19) By contrast, only 10% of the sites in the GIPPS sample,(20) and only 22% of the sites in the OPA study,(21) are implementing all four substantive fair information practice principles of Notice/Awareness, Choice/Consent, Access/Participation, and Security/Integrity.(22) In light of these results, the Commission believes that further improvement is required to effectively protect consumers' online privacy.
In the Commission's view, the emergence of online privacy seal programs is a particularly promising development in self-regulation. Here, too, industry faces a considerable challenge. TRUSTe, launched nearly two years ago, currently has more than 500 licensees representing a variety of industries.(24) BBBOnLine, a subsidiary of the Council of Better Business Bureaus, which launched its privacy seal program for online businesses last March, currently has 42 licensees and more than 300 applications for licenses.(25) Several other online privacy seal programs are just getting underway.(26) Together, the online privacy seal programs currently encompass only a handful of all Web sites. It is too early to judge how effective these programs will ultimately be in serving as enforcement mechanisms to protect consumers' online privacy.
The self-regulatory initiatives discussed above, and described in greater detail in the 1999 Report, reflect industry leaders' substantial effort and commitment to fair information practices. They should be commended for these efforts. Enforcement mechanisms that go beyond self-assessment are also gradually being implemented by the seal programs. Only a small minority of commercial Web sites, however, have joined these programs to date. Similarly, although the results of the GIPPS and OPA studies show that many online companies now understand the business case for protecting consumer privacy, they also show that the implementation of fair information practices is not widespread among commercial Web sites.
Based on these facts, the Commission believes that legislation to address online privacy is not appropriate at this time. We also believe that industry faces some substantial challenges. Specifically, the present challenge is to educate those companies which still do not understand the importance of consumer privacy and to create incentives for further progress toward effective, widespread implementation.
First, industry groups must continue to encourage widespread adoption of fair information practices. Second, industry should focus its attention on the substance of web site information practices, ensuring that companies adhere to the core privacy principles discussed earlier. It may also be appropriate, at some point in the future, for the FTC to examine the online privacy seal programs and report to Congress on whether these programs provide effective privacy protections for consumers.
Finally, industry must work together with government and consumer groups to educate consumers about privacy protection on the Internet. The ultimate goal of such efforts, together with effective self-regulation, will be heightened consumer acceptance and confidence. Industry should also redouble its efforts to develop effective technology to provide consumers with tools they can use to safeguard their own privacy online.
The Commission has developed an agenda to address online privacy issues throughout the coming year as a way of encouraging and, ultimately, assessing further progress in self-regulation to protect consumer online privacy:
The Commission is committed to the goal of full implementation of effective protections for online privacy in a manner that promotes a flourishing online marketplace, and looks forward to working with the Subcommittee as it considers the Commission's 1999 Report.
1. The Commission vote to issue this testimony was 3-1, with Commissioner Anthony concurring in part and dissenting in part. Commissioner Anthony's statement is attached to the testimony. Commissioner Swindle's concurring statement is also attached. My oral testimony and responses to questions you may have reflect my own views and are not necessarily the views of the Commission or any Commissioner.
2. 15 U.S.C. § 45(a).
3. The Commission does not have criminal law enforcement authority. Further, certain entities, such as banks, savings and loan associations, and common carriers, as well as the business of insurance are wholly or partially exempt from Commission jurisdiction. See Section 5(a)(2) of the FTC Act, 15 U.S.C. § 45(a)(2), and the McCarran-Ferguson Act, 15 U.S.C. § 1012(b).
4. 15 U.S.C. § 46(a). However, the Commission's authority to conduct studies and prepare reports relating to the business of insurance is limited. According to 15 U.S.C. § 46(a): "The Commission may exercise such authority only upon receiving a request which is agreed to by a majority of the members of the Committee on Commerce, Science, and Transportation of the Senate or the Committee on Energy and Commerce of the House of Representatives. The authority to conduct any such study shall expire at the end of the Congress during which the request for such study was made."
The Commission also has responsibility under approximately forty additional statutes governing specific industries and practices. These include, for example, the Truth in Lending Act, 15 U.S.C. §§ 1601 et seq., which mandates disclosures of credit terms, and the Fair Credit Billing Act, 15 U.S.C. §§ 1666 et seq., which provides for the correction of billing errors on credit accounts. The Commission also enforces over 30 rules governing specific industries and practices, e.g., the Used Car Rule, 16 C.F.R. Part 455, which requires used car dealers to disclose warranty terms via a window sticker; the Franchise Rule, 16 C.F.R. Part 436, which requires the provision of information to prospective franchisees; and the Telemarketing Sales Rule, 16 C.F.R. Part 310, which defines and prohibits deceptive telemarketing practices and other abusive telemarketing practices.
5. The Commission held its first public workshop on online privacy in April 1995. In a series of hearings held in October and November 1995, the Commission examined the implications of globalization and technological innovation for competition issues and consumer protection issues, including privacy concerns. At a public workshop held in June 1996, the Commission examined Web site practices in the collection, use, and transfer of consumers' personal information; self-regulatory efforts and technological developments to enhance consumer privacy; consumer and business education efforts; the role of government in protecting online information privacy; and special issues raised by the online collection and use of information from and about children. The Commission held a second workshop in June 1997 to explore issues raised by individual reference services, as well as issues relating to unsolicited commercial e-mail, online privacy generally, and children's online privacy.
These efforts have served as a foundation for dialogue among members of the information industry and online business community, government representatives, privacy and consumer advocates, and experts in interactive technology. Further, the Commission and its staff have issued reports describing various privacy concerns in the electronic marketplace. See, e.g., Individual Reference Services: A Federal Trade Commission Report to Congress (December 1997); FTC Staff Report: Public Workshop on Consumer Privacy on the Global Information Infrastructure (December 1996); FTC Staff Report: Anticipating the 21st Century: Consumer Protection Policy in the New High-Tech, Global Marketplace (May 1996).
The Commission has also brought enforcement actions under Section 5 of the Federal Trade Commission Act to address deceptive online information practices. In 1998 the Commission announced its first Internet privacy case, in which GeoCities, operator of one of the most popular sites on the World Wide Web, agreed to settle Commission charges that it had misrepresented the purposes for which it was collecting personal identifying information from children and adults through its online membership application form and registration forms for children's activities on the GeoCities site. The settlement, which was made final in February 1999, prohibits GeoCities from misrepresenting the purposes for which it collects personal identifying information from or about consumers, including children. It also requires GeoCities to post a prominent privacy notice on its site, to establish a system to obtain parental consent before collecting personal information from children, and to offer individuals from whom it had previously collected personal information an opportunity to have that information deleted. GeoCities, Docket No. C-3849 (Feb. 12, 1999) (Final Decision and Order available at http://www.ftc.gov/os/1999/9902/9823015d&o.htm).
Since the fall of 1994, the Federal Trade Commission has brought 91 law enforcement actions against over 200 companies and individuals to halt fraud and deception on the Internet. The FTC has not only attacked traditional schemes that have moved online, like pyramid and credit repair schemes, but in addition, the FTC has brought suit against modem hijacking, fraudulent e-mail marketing, and other hi-tech schemes that take unique advantage of the Internet. The Commission pioneered the "Surf Day" concept and has searched the Net in tandem with law enforcement colleagues around the world, targeting specific problems and warning consumers and new entrepreneurs about what the law requires. The Commission has also posted "teaser pages" online, i.e., fake scam sites that give consumers education just when they are about to fall victim to an Internet ruse.
7. 1998 Report at 41.
8. Title XIII, Omnibus Consolidated and Emergency Supplemental Appropriations Act, 1999, Pub. L. No. 105-277, 112 Stat. 2681, ________ (Oct. 21, 1998), reprinted at 144 Cong. Rec. H11240-42 (Oct. 19, 1998). The Act requires, inter alia, that operators of Web sites directed to children under 13 or who knowingly collect personal information from children under 13 on the Internet: (1) provide parents notice of their information practices; (2) obtain prior, verifiable parental consent for the collection, use, and/or disclosure of personal information from children (with certain limited exceptions); (3) upon request, provide a parent with the ability to review the personal information collected from his/her child; (4) provide a parent with the opportunity to prevent the further use of personal information that has already been collected, or the future collection of personal information from that child; (5) limit collection of personal information for a child's online participation in a game, prize offer, or other activity to information that is reasonably necessary for the activity; and (6) establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected.(9)
9. Title XIII, Omnibus Consolidated and Emergency Supplemental Appropriations Act, 1999, Pub. L.105-277, 112 Stat. 2681, ________ (October 21, 1998), reprinted at 144 Cong. Rec. H11240-42 (Oct. 19, 1998).
10. 64 Fed. Reg. 22750 (1999) (to be codified at 16 C.F.R. pt. 312).
11. Commission testimony on Consumer Privacy on the World Wide Web before the House Subcommittee on Telecommunications, Trade and Consumer Protection, Committee on Commerce (July 21, 1998) (available at http://www.ftc.gov/os/1998/9807/privac98.htm). The Commission also presented a legislative model that Congress could consider in the event that then-nascent self-regulatory efforts did not result in widespread implementation of self-regulatory protections. Id. at 5-7.
13. The report is available at http://www.msb.edu/faculty/culnanm/gippshome.html [hereinafter "GIPPS Report"]. The following analysis is based upon the Commission's review of the GIPPS Report itself; Commission staff did not have access to the underlying GIPPS data.
14. GIPPS Report, App. A at 5.
16. The GIPPS Report discusses findings on the information practices of 361 Web Sites drawn from a list of the 7,500 busiest servers on the World Wide Web. The list, a ranking of servers by number of unique visitors for the month of January 1999, was compiled by Media Metrix, a site traffic measurement company. As larger sites are more likely to have multiple servers, the largest sites on the Web had a greater chance of being selected for inclusion in the sample drawn for the GIPPS survey. See GIPPS Report, App. A at 2; App. B at 9 n.iii. The Commission's 1998 Comprehensive Sample was drawn at random from all U.S., ".com" sites in the Dun & Bradstreet Electronic Commerce Registry, with the exception of insurance industry sites. 1998 Report, App. A at 2. Unlike the Media Metrix list used in the GIPPS sample, the Dun & Bradstreet Registry does not rank sites on the basis of user traffic.
17. Online Privacy Alliance, Privacy and the Top 100 Sites: A Report to the Federal Trade Commission at 3, 8 (1999) (available at http://www.msb.edu/faculty/culnanm/gippshome.html). The following analysis is based upon the Commission's review of the OPA Study report itself; Commission staff did not have access to the underlying OPA Study data.
18. 1998 Report at 28.
19. Ninety-three percent of the sites in the GIPPS survey, GIPPS Report, App. A at 3, and 99% of the sites in the OPA Study, OPA Study at 3, 5, collect personal information from consumers.
20. The GIPPS results show that thirty-six sites in the sample (or 10%) posted at least one survey element, or disclosure, for each of the four substantive fair information practices. GIPPS Report at 10 and App. A at 12 (Table 8C). Thirty-two of these sites (or 8.9%) also posted contact information. Id. Georgetown University Professor Mary Culnan, author of the GIPPS Report, reports the number of sites posting disclosures for the four substantive fair information practice principles and for contact information in two additional ways: as a percentage of sites in the sample that collect at least one type of personal information (9.5%); and as a percentage of sites in the sample that both collect at least one type of personal information and post a disclosure (13.6%). GIPPS Report, App. A at 12 (Table 8C).
21. Twenty-two sites in the OPA Study (or 22%) posted at least one survey element, or disclosure, for each of the four substantive fair information practices. OPA Study at 9-10 and App. A at 10 (Table 6C). Nineteen of these sites (or 19%) also posted contact information. Id. Professor Culnan also reports the number of sites posting disclosures for the four substantive fair information practice principles in two additional ways: as a percentage of sites in the sample that collect at least one type of personal information (22.2%); and as a percentage of sites in the sample that both collect at least one type of personal information and post a disclosure (23.7%). OPA Study, App. A at 10 (Table 6C).
22. The Commission's 1998 Report discussed the fair information practice principles developed by government agencies in the United States, Canada, and Europe since 1973, when the United States Department of Health, Education, and Welfare released its seminal report on privacy protections in the age of data collection, Records, Computers, and the Rights of Citizens. 1998 Report at 7-11. In addition to the HEW Report, the major reports setting forth the core fair information practice principles are: The U.S. Privacy Protection Study Commission, Personal Privacy in an Information Society (1977); Organization for Economic Cooperation and Development, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980); U.S. Information Infrastructure Task Force, Information Policy Committee, Privacy Working Group, Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information (1995); U.S. Dept. of Commerce, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information (1995); The European Union Directive on the Protection of Personal Data (1995); and the Canadian Standards Association, Model Code for the Protection of Personal Information: A National Standard of Canada (1996). The 1998 Report identified the core principles of privacy protection common to these government reports, guidelines, and model codes: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress. 1998 Report at 7-11.
The Notice/Awareness principle is the most fundamental: consumers must be given notice of a company's information practices before personal information is collected from them. The scope and content of the notice will vary with a company's substantive information practices, but the notice itself is essential. The other core principles have meaning only if a consumer has notice of an entity's information practices and his or her rights with respect thereto. Id. at 7.
The Choice/Consent principle requires that consumers be given options with respect to whether and how personal information collected from them may be used.(23)
23. Although choice in this context has been traditionally thought of as either "opt-in" (prior consent for use of information) or "opt-out" (limitation upon further use of information), id. at 9, interactive media hold the promise of making this paradigm obsolete through developments in technology. Id.
24. Information about TRUSTe is taken from materials posted on TRUSTe's Web site, http://www.truste.org, and from public statements by TRUSTe staff. Several hundred additional companies have joined the TRUSTe program but are not yet fully licensed. See "TRUSTe Testifies Before House Judiciary Committee," May 27, 1999 (press release available at http://www.truste.org/about/about_committee.html).
26. CPA WebTrust, the online privacy seal program created by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants, currently has 19 licensees (program description available at http://www.cpawebtrust.org ). The Electronic Software Rating Board's ESRB Privacy Online program was launched on June 1, 1999 (description available at http://www.esrb.org ).