The Honorable John McCain

Dear Senator McCain:

Thank you for your letter of April 19, 2002 asking me to comment on Chairman Hollings' Senate Bill 2201, "The Online Personal Privacy Act." Your letter asked two questions: First, whether I believe legislation is needed, and if so, what it should contain. Second, you asked for my comments on the principal features of S. 2201.

I. Is legislation needed?

Yes, legislation is needed to protect consumers' privacy. Absent federal standards to be followed by all persons and entities that collect private information, it is unlikely that consumers will be adequately protected from identity theft, commercial harassment, and hucksterism. In addition, dissatisfaction with and mistrust of online business practices by the American people will continue to grow; an uneven patchwork of state laws will proliferate; and consumer confidence in e-commerce will be undermined.

Industry has not been able or willing to effectively self-regulate. While some responsible companies have stepped up to the plate, the financial incentives work against a universal commitment by e-business to provide effective privacy protection for consumers. Business interests will undoubtedly point to a recent Progress and Freedom Foundation survey as evidence that federal legislation is not necessary because websites are collecting less personally identifiable information and privacy notices are prevalent, more prominent, and more complete. These arguments completely miss the mark. First, the survey reveals that nearly all sites surveyed continue to collect personally identifiable information.(1) Second, the mere posting of a privacy policy does not ensure effective consumer protection and often is only pretty packaging of empty content.

Just any legislation is not enough. In my view, strong privacy legislation should:
II. Senate Bill 2201

Senate Bill 2201 provides long-awaited, strong protection measures for consumers in the online world. My only concern with this proposed legislation is its limited reach. In my view, federal legislation is necessary to protect the privacy of personally identifiable consumer information in the offline as well as online commercial realms. These marketplaces are often intertwined and indistinguishable. In fact, I believe that the wired world facilitates the effective, constant aggregation of endless varieties of real-time "surfer" information and combines it with commercial information gathered through traditional "offline" means. I would strongly support the expansion of this Bill's consumer protections to the "offline" collection of personally identifiable consumer information.

That said, Senate Bill 2201 is a balanced, comprehensive approach to protecting consumer privacy online. By incorporating the concepts of notice, choice, access, security, and enforcement, it creates a level playing field for both consumers and industry. However, I offer the following comments:

Preemption

I believe that federal legislation should preempt inconsistent and weaker state privacy laws which do not effectively protect consumers and tend to frustrate the development of e-commerce. On the other hand, I generally support the power of states to enact legislation that offers their citizens stronger consumer protections than federal law where the federal law merely establishes a "floor" of minimum protection standards. However, if passage of a federal law "with teeth" is feasible, I believe that both consumers and industry would value the uniformity and predictability that federal preemption offers.

Title I - Online Privacy Protection

Section 101

I applaud Title I's coverage of personally identifiable information that is collected, used or disclosed.
Previous bills focused only on the "collection" of information, yet many privacy breaches occur when information is used or disclosed without the consumer's knowledge or consent after collection.

Notice and Consent

I strongly support the inclusion of Section 102(b) which requires a consumer's affirmative consent ("opt-in") before, or at the time that, certain sensitive information is collected. An opt-in consent requirement guarantees consumer notice and meaningful choice, and compels the collector to clarify its practices in order to entice the consumer to agree to them. It effectively equalizes the bargaining position of consumers and e-merchants in the market for personal information. While I prefer an opt-in standard for the collection of all personally identifiable information, the Bill's requirement of robust notice and opt-out consent for nonsensitive personally identifiable information improves on the level of notice and choice currently provided by many websites. Also, I support the permanence of consent provision found in Section 102(e), which essentially provides that a consumer's privacy preferences stay with the user despite corporate changes.

Section 103's requirement that changes in privacy policies or the existence of privacy breaches be communicated to consumers is particularly commendable. Many websites place the privacy protection burden on consumers to keep track of changes in a website's privacy policy. Section 103 appropriately places that responsibility on the internet service provider, online service provider, or operator of a commercial website. Likewise, the Bill's provision requiring user notification of material changes in the privacy policy allows consumers to utilize updated, relevant information when deciding how or whether to protect their own personal information. Section 103 illustrates the balanced approach of this Bill to the extent it acknowledges that there may be situations where delayed consumer notification is appropriate.
The exceptions contained in Section 104 seem reasonable and again reflect the Bill's inherent respect for the need to balance the vital privacy interests of consumers with the economic and financial interests of e-business.

Access

The access provision of Section 105 appropriately enables consumers to suggest corrections or deletions of personally identifiable information that the provider or operator has collected or combined with personally identifiable information gathered from other sources. The reasonableness test incorporated in this section strikes an appropriate balance among the competing interests of consumer privacy, the relative sensitivity of different types of personal information, and the burdens and costs imposed on the website operator.

Security

The security provision in Section 106 is consistent with the approach taken by the Commission in its Gramm-Leach-Bliley Act Security Rulemaking. Rather than dictate a one-size-fits-all solution, it is up to the website to establish and maintain reasonable procedures necessary to protect the security, confidentiality, and integrity of the data it maintains.

Title II - Enforcement

I am impressed with the range of remedies included under this Title, including the authority to impose civil penalties and establish redress funds for consumers for violations of Title I. In addition, this Title allows private rights of action as well as state actions.

Title III - Application to Congress and Federal Agencies

To my knowledge, the federal agencies do not trade in private consumer information for commercial purposes. Therefore, I see no justification for Section 302. However, I do believe that federal agencies should provide notice to consumers about their information collection practices consistent with applicable federal law.

Title IV - Miscellaneous

Section 402 provides that the effective date of the Act will be the day after the date the Commission publishes a final rule under Section 403.
While I am pleased that there is no "grace period" for compliance with this Title, I am disappointed that data collectors will be free from liability for data they collected without consumer consent before the Act's effective date. I also hope that Congress will resist obvious delaying tactics, such as proposals for additional studies.

Technical concerns

Section 403 may need technical modifications to achieve the Bill's goals. Our staff would be pleased to assist you in these efforts. Specifically, Section 403 should reflect that the rulemaking contemplated by the Act is to be conducted pursuant to the Administrative Procedures Act rather than through a Magnuson-Moss Rulemaking.

I appreciate the opportunity to express my views, and I hope they are helpful.

Sincerely,

Sheila F. Anthony

cc:

1. The survey indicated that 90 percent of the random sample, and 96 percent of the most popular sites, collect personally identifiable information compared with 97 percent and 99 percent in 2000. This is hardly a statistically significant decline. In fact, an April 11, 2002, New York Times article (attached) chronicled how some of the Internet's most frequently visited sites are expanding their collection and commercial use of personally identifiable information.