Online Privacy Protection Testimony of
May 25, 2000
Mr. Chairman and members of the Committee, I am delighted to be here this morning, and I appreciate your holding this hearing to address a topic of great importance to the American people and critical to the growth and success of electronic commerce.
I am pleased the Commission is recommending that federal legislation is necessary to protect consumer privacy. Survey after survey demonstrates that public concerns about privacy have been growing and that these concerns have focused on the power of technologies to collect, store, search, and transmit large amounts of personally identifiable information. I not only share those concerns, I note that threats to consumer privacy are increasing with the merging of the offline and online worlds. In short, things may be getting worse for Americans on the privacy front.
I wish to emphasize four points related to the legislative recommendation the Commission makes to you today:
A. Fair Information Principles Are Widely Accepted
In the Commission's first Privacy Report in 1998, we summarized four widely accepted principles regarding the collection, use, and dissemination of personal information. These core principles of privacy protection are common to government reports, guidelines, and model codes, and predate the online medium:
B. The Vast Majority of Web Sites Collect Personal Data But Do Not Provide Privacy Protections
The percentage of commercial web sites that collect personally identifying information is very high. The 2000 Survey reports that 97 percent of the Random Sample and 99 percent of the Most Popular Group collect personally identifying information, but the percentage providing aspects of these fair information practices is still quite low. The 2000 Survey reports that only 20 percent of the Random Sample and just 42 percent of the Most Popular Group address, at least in part, all four fair information practices. In fact, these results likely overstate the percentage of sites that truly implement the fair information practices in a meaningful way. Our content analysts credited policies if the stated practices applied to any of the information collected, even if it did not apply to all the information collected.(1)
C. Policies Posted By Web Sites Are Confusing and Contradictory
I reviewed some of the privacy policies of the Most Popular Group of web sites in the survey. Frankly, I was disappointed. Almost half of the privacy polices are too long, varying from 3 - 12 pages. Many try to lull the consumer into a false sense of comfort by utilizing opening statements regarding the importance of respecting individual privacy or by referring to third parties as "trusted vendors" or those with whom there is an "established agreement to protect your privacy." Despite the opening statements asserting the importance of the user's privacy, subsequent paragraphs frequently contain contradictory information. After reviewing some of these policy statements, I am left to wonder whether:
The first sentence states:
But, continues several paragraphs later:
Three pages later, the same policy goes on to say:
Would you call this a clear, unambiguous disclosure? I do not. Does it inform the consumer about whether his or her information will be shared and, if so, with whom? I do not believe it does.
Has the site identified with specificity the parties with whom it will share customer information? Is consent meaningful if consumers do not see this notice or have access to it at the time they surrender their personal information?
I wonder through what means consumers will be notified of changes in the policy statement. How will data collected pursuant to one policy be treated under a new policy? Must consumers "check back" from time to time? The disclaimer, quoted above, seems to absolve the site of any responsibility to protect a consumer's information. It reminds me of a letter I once received from a lawyer, which had the following post script: "Dictated, but not read."
H. An Increase in Posted Privacy "Policies" Does Not Correlate with Increased Privacy Protections
Although the survey demonstrates some increase in the percentage of sites posting privacy policies, these policies all too often do not offer privacy protections. While web sites should be offering privacy protections, a whopping 80 percent of the surveyed web sites in the Random Sample failed to implement aspects of notice, choice, access, and security.
E. No Enforcement Tools Exists to Ensure Sites Do What They Say
For years the Commission has urged industry to engage in meaningful self-regulatory efforts. For self-regulation to be credible, there must be an enforcement mechanism that gives consumers confidence that web sites do what they say they do with consumers' personal data. Seal programs and audits can be key enforcement mechanisms. Yet, 92 percent of the surveyed web sites in the Random Group did not have a privacy seal. Our legislative recommendation would reward those sites that have offered meaningful privacy protections and would require all others to meet basic privacy standards. It would also give consumers the assurance that a legal structure is in place to provide confidence that stated privacy polices will be honored.
F. A Standardized Privacy Notice May be Useful: See Chart
How difficult is it to design a conspicuous privacy notice that informs consumers in a standardized, unambiguous, non-contradictory way? Not very difficult. Appended to this testimony is a simple chart that tells the viewer most of what she needs to know about a web site's privacy practices and consumer choices. Web sites can take advantage of the interactive nature of the Internet to design effective mechanisms to provide meaningful notice or privacy policies.
G. Profiling is Invisible and Threatens Consumer Privacy
Profiling is beyond the scope of this report, and I believe it will be the subject of a later Commission report. Profiling poses a serious privacy threat to consumers because it is largely invisible to them. I am concerned about the passive, surreptitious collection of information about consumers and their browsing habits without their knowledge. Our report notes that third party cookies are placed by ad servers on 78 percent of the sites in the Most Popular Group. Of those sites, only 51 percent disclose to consumers that they have allowed third party cookies to be placed (and they usually locate that disclosure at the end of the policy statement). Unless consumers are technically skilled enough to set their browser to alert them to cookies or to decline all third party cookies, the placement of third party cookies generally goes unnoticed by consumers.
H. Online, Offline: What's the Difference?
Finally, I want to commend the FTC staff for the excellent job they have done on this Report. The Bureau of Consumer Protection, with the assistance of the Bureau of Economics, designed and implemented the survey that formed the basis of this report. The survey numbers were reported clearly, fairly, and without bias. My hat is off to them.
I appreciate the opportunity to express my views.
1. The 2000 Survey analysis gave Access credit for informational statements about any one of three elements (review, correction or deletion). However, the Commission previously stated that fair information practices require that consumers be afforded both an opportunity to review information and an opportunity to contest the data's accuracy or completeness. Under this standard, only 11% of the random and 27% of the Most Popular Group would receive credit for providing Access rather than the 18% of the random and 47% of the Most Popular Group calculated using an expansive measure.