PREPARED STATEMENT OF
"ONLINE PRIVACY: RECENT COMMISSION INITIATIVES"
May 18, 2000
Mr. Chairman and Members of the Subcommittee, I am Jodie Bernstein, Director of the Bureau of Consumer Protection of the Federal Trade Commission. I appreciate this opportunity to report on the Commission's recent initiatives in online privacy, and, in particular, the history and implementation of the Children's Online Privacy Protection Act.
I. Introduction and Background
A. FTC Law Enforcement Authority
The FTC's mission is to promote the efficient functioning of the marketplace by protecting consumers from unfair or deceptive acts or practices and to increase consumer choice by promoting vigorous competition. As you know, the Commission's responsibilities are far-reaching. The Commission's primary legislative mandate is to enforce the Federal Trade Commission Act ("FTCA"), which prohibits unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce. With the exception of certain industries and activities, the FTCA provides the Commission with broad investigative and law enforcement authority over entities engaged in or whose business affects commerce. Commerce on the Internet falls within the scope of this statutory mandate.
B. Privacy Concerns in the Online Marketplace
Since its inception in the mid-1990's, the online marketplace has grown at an exponential rate. Recent figures suggest that as many as 90 million Americans now use the Internet on a regular basis. Of these, 69%, or over 60 million people, shopped online in the third quarter of 1999. In addition, the Census Bureau estimates that retail e-commerce reached $5.3 billion for the fourth quarter of 1999.
With this remarkable growth in e-commerce has come increased consumer awareness that online businesses are collecting and using personal data, and increased consumer concern about the privacy of this data. Recent survey results demonstrate that 92% of consumers are concerned (67% are "very concerned") about the misuse of their personal information online. The level of consumer unease is also indicated by a recent study in which 92% of respondents from online households stated that they do not trust online companies to keep their personal information confidential. The Commission's online privacy efforts have been directed in large measure toward engaging the private sector in addressing these concerns, to ensure the continued growth of the online marketplace.
C. The Commission's Approach to Online Privacy - Initiatives since 1995
Since 1995, the Commission has been at the forefront of the public debate on online privacy. The Commission has held public workshops; examined Web site information practices and disclosures regarding the collection, use, and transfer of personal information; and commented on self-regulatory efforts and technological developments intended to enhance consumer privacy. The Commission's goal has been to understand this new marketplace and its information practices, and to assess the costs and benefits to businesses and consumers.
In June 1998 the Commission issued Privacy Online: A Report to Congress ("1998 Report"), an examination of the information practices of commercial sites on the World Wide Web and of industry's efforts to implement self-regulatory programs to protect consumers' online privacy. Based in part on its extensive survey of over 1400 commercial Web sites, the Commission concluded that effective self-regulation had not yet taken hold. The Commission recommended that Congress adopt legislation setting forth standards for the online collection of personal information from children; and indeed, just four months after the 1998 Report was issued, Congress enacted the Children's Online Privacy Protection Act of 1998 ("COPPA"), which authorized the Commission to issue regulations implementing the Act's privacy protections for children under the age of 13. COPPA and the Commission's Rule implementing the Act are discussed in greater detail below.
In the 1998 Report, the Commission deferred its recommendations with respect to the collection of personal information from online consumers generally. In subsequent Congressional testimony, the Commission discussed promising self-regulatory efforts suggesting that industry should be given more time to address online privacy issues. The Commission urged the online industry to expand these efforts by adopting effective, widespread self-regulation based upon the long-standing fair information practice principles of Notice, Choice, Access, and Security, and by putting enforcement mechanisms in place to assure adherence to these principles. In its 1999 report to Congress, Self-Regulation and Privacy Online, the Commission again recommended that self-regulation be given more time, but called for further industry efforts to implement the fair information practice principles and promised continued Commission monitoring of these efforts.
In February and March of this year, the Commission conducted its second survey of U.S. commercial Web sites. The survey assessed websites' compliance with fair information practices by analyzing the nature and substance of their stated policies regarding the collection, use and disclosure of personal information gathered from consumers online. The Commission will report to Congress in the near future on the results of its 2000 survey.
Last week, the Commission issued a final Rule implementing the privacy provisions of the Gramm-Leach-Bliley Act. The Rule requires a wide range of financial institutions to provide notice to their customers about their privacy policies and practices. The Rule also describes the conditions under which those financial institutions may disclose personal financial information about consumers to nonaffiliated third parties, and provides a method by which consumers can prevent financial institutions from sharing their personal financial information with nonaffiliated third parties by opting out of that disclosure, subject to certain exceptions.
D. Law Enforcement Actions
The Commission has also brought several law enforcement actions, pursuant to its mandate under the FTCA, to remedy online companies' unfair and deceptive practices with respect to the collection and use of consumers' personal information. In February, 1999, the Commission settled charges that GeoCities, one of the most visited websites, had misrepresented the purposes for which it was collecting personal identifying information from both children and adults. In the Liberty Financial case, the Commission challenged allegedly false representations by the operator of a "Young Investors" site that information collected from children in an online survey would be maintained anonymously. Most recently, in the ReverseAuction.com case, the Commission settled charges that this online auction site had obtained consumers' personal identifying information from a competitor's site and then sent deceptive, unsolicited e-mail messages to those consumers seeking their business. These cases demonstrate the Commission's ongoing commitment to protecting consumers' online privacy as an integral part of its law enforcement mission.
II. Protecting Children's Online Privacy
A. Public Concerns about Children's Online Privacy
Children are among the fastest growing populations on the Internet. The number of children online has almost tripled in just the last two years, growing from nearly 10 million in 1997 to almost 26 million by the end of 1999. That number will continue to rise as the Internet becomes an increasingly integral part of American culture, education, and commerce.
Online marketers have responded to this growth with sites targeting children and offering a diverse array of products, services and other features. Like sites targeted to older consumers, these sites often collect personally identifying information from young consumers. Our 1998 survey found that of the 212 children's websites surveyed, 89% were collecting personal information from children, including names, home addresses, e-mail addresses, and in one case, information about family finances. However, only 24% of those sites posted privacy policies, and only 1% of those sites sought parental permission to collect such information. These practices were in sharp contrast to parents' beliefs about what information should be collected from their children. A 1997 Louis Harris/Allan Westin survey found that 72% of parents objected to the collection of names and addresses from their children, even if that information was used only within the company, and 97% of parents objected if the information was to be released to third parties.
B. Children's Online Privacy Protection Act (COPPA)
Reacting to these concerns, in October 1998 Congress enacted the Children's Online Privacy Protection Act, the first federal legislation specifically to address online privacy. The statute was enacted with the support of a broad coalition of industry, privacy advocates and consumer groups, and drew heavily on the experience of industry self-regulatory groups in attempting to establish workable guidelines for the protection of children's privacy online.
The legislation requires operators of commercial websites directed to children under 13 to:
COPPA required that the Commission issue rules implementing these requirements within one year of its enactment. Like the legislative consideration of COPPA, our rulemaking process, too, drew on the accumulated expertise of online businesses, self-regulatory groups, State Attorneys General, and privacy and children's advocates. We received over 145 comments and held a widely attended workshop to gather information to help us craft a rule that would be both effective and enforceable, yet flexible enough to accommodate the rapid technological innovation that characterizes this ever-changing medium. As required by COPPA, we issued the final Rule in October 1999, and it became effective last month.
COPPA and its implementing rule contain several important features. First and foremost, both the Act and the Rule employ flexible performance standards rather than static rules. This not only provides website operators with flexibility in choosing how to comply, but also leaves room for the growth of new technologies. For example, COPPA's definition of the key concept of "verifiable parental consent" encompasses "any reasonable effort, taking into account available technology," to ensure that a parent receives the required notice and consents to the operator's collection of information. This flexible standard should encourage the development of new products and services that could ease compliance with the Rule. In fact, the Commission has committed to undertake a review in eighteen months to determine whether new and developing technologies are available for use in obtaining "verifiable parental consent" under the Rule.
Another feature of the Act and Rule is a "safe harbor" provision, designed to encourage continued self-regulatory efforts to protect online privacy. Over the years, self-regulatory groups have developed substantial expertise in monitoring, detecting, and addressing online privacy problems. Website operators have long consulted with the self-regulatory groups on the privacy issues they face. Under COPPA, self-regulatory programs can now apply to have their programs accepted as "safe harbors" from Commission or State Attorney General enforcement. Several proposals are currently under review by the Commission.
C. Implementing the COPPA Rule
Now that the Rule is in effect, the Commission is attempting to address two key issues: business and consumer education and enforcement.
The Commission has used a variety of creative, novel and cost effective ways to educate parents, children and website operators about the provisions of the COPPA. As it has in all its education efforts, the Commission has made extensive use of the Internet to disseminate its messages. In November, shortly after the final Rule was announced, a Compliance Guide was posted on the FTC website. E-mails were sent to major children's sites, participants in COPPA workshops, and commentors in the rulemaking to alert them to the guidance. In addition, the Commission is holding informal seminars to educate online businesses about the need to comply with COPPA.
In February, the FTC issued a Consumer Alert geared to parents, introducing them to the new law. The Alert was sent to more than 14,000 news media, as well as to websites, parent organizations and schools through organizations like the PTA and the National Association of Elementary School Principals. The media mailing alone resulted in more than 100 interviews with Commission staff about the provisions of the Rule. Articles appeared in hundreds of newspapers, including the print and web editions of USA Today, the Wall Street Journal and the New York Times, and on radio and television networks and stations. Media exposure no doubt contributed to the fact that the Consumer Alert was accessed more than 32,000 times on the FTC's website in April alone.
At the same time, the FTC developed a Kidz Privacy website where information about COPPA was placed. Major national corporations and privacy advocacy groups joined in our outreach efforts. Among the participants: AOL, Center for Democracy and Technology, Center for Media Education, Chancery Software, CyberAngels, Disney/Go.com Network, Headbone.com, Lycos, Microsoft, NetFamilyNews, NetNanny Software, Surfmonkey.com, and Wiredkids. All these sites link to the FTC site. In addition, Chancery Software designed and printed 40,000 bookcovers and bookmarks with children's online privacy tips to distribute to school children. To ensure that all organizations interested in protecting children's privacy online have the opportunity to participate in the COPPA Public Awareness Campaign, the Commission is publishing a notice in the Federal Register with details on how to participate.
In addition to sections for kids, adults, business and the media, the Kidz Privacy website also includes radio public service announcements and a banner public service announcement that can be downloaded and placed on any website. The banner would enable viewers at any site on the web to click directly to the Kidz Privacy site. In May and September, radio public service announcements will air which refer listeners to the FTC website and the Commission's Consumer Response Center for more information.
The Consumer Response Center provides education and assistance to individual consumers and businesses who contact us by calling our toll free helplines (877-FTC-HELP and 877-ID-THEFT), by writing us, or by using our online complaint form at www.ftc.gov. CRC counselors provide information, assist consumers in resolving their complaints where possible, and enter complaints into the Commission's extensive complaint database which is used for law enforcement. The CRC is now responding to some 40,000 contacts a month, covering a broad spectrum of inquiries and complaints. With the implementation of COPPA and growing consumer awareness and concern about privacy, we may begin to receive more inquiries and complaints in this area.
We have been impressed by the substantial commitment the online industry has made to implementation of the statute and their commitment to the fair information practices principles that underlay it. Nonetheless we believe that along with education, enforcement will play a critical role in the Act's success. Initially, we expect to receive referrals from industry self-regulatory groups, privacy advocates, competitors, and consumer groups. We also will analyze complaints collected by the CRC to identify rule violations. In addition, the Commission intends, as it has done on many occasions, to hold "surf" days in which FTC staff work together with other enforcement agencies to identify sites that are not in compliance with the law. The Commission also is holding joint training sessions with our State law enforcement partners, to help facilitate active and coordinated enforcement of the Rule.
For the most part, website operators have been working diligently to comply with the Rule. In some instances the benefits go beyond the online environment. For example, one offline magazine which also operates a website has revised its policies on publishing the full names and ages of children making submissions to its magazine, and now posts those submissions using only the child's first name and age.
The Commission will continue its efforts, in close cooperation with its private sector partners, to expand its consumer and business education campaigns, and to assure broad compliance with the law. We look forward to working with the Subcommittee to address these online privacy issues and are pleased to answer any questions you may have.