Office of
Commissioner Leary

UNITED STATES OF AMERICA
FEDERAL TRADE COMMISSION
WASHINGTON, D.C. 20580


April 24, 2002


The Honorable John McCain
Committee on Commerce, Science, and Transportation
United States Senate
Washington, D.C. 20510-6125

Dear Senator McCain:

You have asked that members of the Federal Trade Commission provide their individual views on a privacy bill, "The Online Personal Privacy Act," S.2201, and I am pleased to respond.

It is important to express a key reservation up front. This statement of my individual views is constrained by my understanding of the context of your request. Like any other citizen, I have personal views on fundamental issues in the privacy debate (e.g., the question of whether it is appropriate to speak of a "right to privacy" in the context of private consensual transactions as opposed to intrusions by government; the balance between any privacy rights of one party and the First Amendment rights of another; and the question of whether it is realistic to expect that most barriers to disclosure will prove effective in the long term). However, there is no reason why you or any other lawmaker should be particularly interested in my opinions about these value-laden issues, so I understand that you are asking for my views in the context of the responsibilities and capabilities of the Federal Trade Commission. In other words, this response is constrained by an appreciation of the limitations of our institutional expertise.(1)

To be blunt, I do not believe it is my place to advise Congress on the bottom line issue of whether it is or is not a good idea to legislate on privacy issues. (To the extent I presumed to do so in the past, I have changed my mind.) The Federal Trade Commission, in my view, functions best as a facilitator, which attempts through law enforcement and education(2) to ensure that consumers are not misinformed about the goods and services that they buy and that sellers are not disabled by illegal private constraints. But, in the absence of Congressional direction to the contrary, we are neutral about the terms of sale that are freely determined. We have strong institutional confidence in the ability of adequately informed consumers to make their own choices about what they want (including, presumably, varying levels of privacy protection) without interference from government. We are good at specifying what is adequate disclosure of the terms of sale but we are not good at devising rules for what the terms of sale should be.

With this awareness of our limitations, I join with those colleagues who express serious reservations about the "Online Personal Privacy Act," S.2201. I generally concur in their conclusions, but write separately to emphasize my particular perspective. I simply do not believe that S.2201 can be enforced in a coherent way. The following is a summary list of the reasons:

1. I do not believe it is workable or reasonable to treat privacy differently in the online world than in the offline world to the extent that the information collected is the same, regardless of the site of collection or the means of dissemination. It is obvious that different modes of disclosure might be required, but it is illogical to regulate one medium and not the other.
 
2. Congress may, in its judgment, determine that it is appropriate to mandate some form of "notice" to consumers about what will happen to their personal information. For one thing, mandated notice would eliminate the present awkward situation whereby a company that volunteers information about its privacy policy(3) risks prosecution if the information is inaccurate, but one that volunteers nothing risks nothing.(4) Recent experience with mandated notice, however, suggests that it is not enough for Congress simply to require that it be done.(5) Businesses have to be given more precise guidance about the forms of notice that will be useful to consumers. This is something that the Federal Trade Commission, as an institution, knows something about. It might be appropriate to direct the Commission or some other appropriate body to survey the quality of notices that are either voluntarily provided or mandated today, and then recommend a template for notice that would be meaningful. This project would inform the policy debate and ultimately, perhaps, provide the framework for legislation.
 
3. The issue of "choice" or "consent" is much more complex than the bill seems to recognize. At first glance, it seems obvious that the whole purpose of notice is to enable consumers to make informed choices. It is necessary, however, to think about the consequences of choice. If there is no cost or reduced benefit associated with the choice to opt-out (or failure to opt-in), then the added expense of accommodating these choices will be borne by consumers less tender of their privacy. (No one suggests that people who do not want to use their supermarket charge cards because of the information disclosed should be entitled to the discount anyway.) On the other hand, if privacy-conscious consumers are disadvantaged too much, their only practical "choice" is to seek another provider, and mandated "opt-outs" or "opt-ins" become essentially meaningless. There would have to be some regulatory regime to determine what is a reasonable in-between position in these circumstances, and I have no idea how this could be done across-the-board.
 
4. Under the bill, further refinements of "access" and "security" would presumably need to be spelled out in rulemaking proceedings.(6) As I have said before, "[i]t is not appropriate to defer all the tough issues for future rule-making."(7) I personally believe, for example, that there is a vast disparity between the costs and benefits of an access regime in most situations, and I further believe that the costs of merely developing and enforcing across-the-board rules would also vastly exceed the benefits. Congress may want to consider whether any tailored expansion of present rights is necessary,(8) but a blanket mandate of "access" rights is unlikely to result in significant benefits overall.
 
These are major objections, but the following issues are also significant:
 
5. S.2201 distinguishes "sensitive" from "non-sensitive" personal information.(9) These categories seem arbitrary. For example, as Chairman Muris points out in his letter to you of this date, some might feel that information about the books they read is a lot more sensitive than their political affiliation. Moreover, information that is merely "inferred" from data(10) may be just as sensitive as information "about"(11) certain aspects of an individual.(12)
 
6. The distinction between "clear and conspicuous" notice and "robust" notice(13) seems unworkable as a legal mandate. Articulation of the latter undercuts the significance of the former. If some form of notice is ever mandated by Congress, it should be both.

7. The bill is silent about the extent to which privacy protections travel with consumers' personal information. In general, Gramm-Leach-Bliley's privacy provisions require downstream recipients of covered data only to use the information in a fashion that is consistent with the consumers' stated privacy preferences or only for uses that are exempted from the notice and choice requirements (such as credit reporting). In this sense, the protections flow with the information. I seriously question whether this concept can be applied across the economy, but without it, the privacy protections of the bill may be nullified.
 
8. As Chairman Muris notes, some of the provisions of S.2201 attempt to reconcile the legislation's privacy protections with other federal statutes that allow limited but beneficial information sharing. However, as currently drafted, S.2201 might limit a variety of legitimate and beneficial information sharing which covered entities engage in and which Congress would like to continue. It is not clear, for example, whether information about transactions completed online could be communicated to credit bureaus. Without appropriate exclusions, any proposed privacy rules could have a serious anti-consumer impact.
 
9. This bill would add to the emerging patchwork of federal privacy regulations that apply to personal information(14) and may ultimately result in ambiguous, conflicting, or impractical requirements for businesses, and greater confusion for consumers as well. For example, S.2201 provides that "sensitive" and "non-sensitive" information would be subjected to different levels of protection. Dissemination of "sensitive" information would be subject to consumer notice, opt-in choice, access and security. "Non-sensitive" information would be protected by "robust" notice, opt-out choice, access and security. The specifics of these requirements would all be defined in a future rulemaking. At the same time, "non-public" personal information collected by financial institutions (whether online or offline) would be subjected to Gramm-Leach-Bliley's distinct notice, choice and security standards.

Businesses that seek to comply with both of these regulations would be required to differentiate between online and offline information as well as any possible differences between the notice, choice, and security requirements in the two regulatory schemes. Additionally, our experience to date with Gramm-Leach-Bliley suggests that consumers may need less rather than more complex privacy disclosures in order to understand and execute their rights. It is unrealistic, at this point, to assume that consumers will comprehend the various categories of information as well as the protections that are attached to each category of information.

10. The bill provides that "penalties" would be imposed for a violation of the statute, and that "redress" would be distributed to consumers in an amount not to exceed $200 (for breaches involving non-sensitive personal information). This confuses two separate concepts. Penalties are calculated without regard to consumer injury or ill-gotten gains, and are paid to the Treasury. Redress is intended to make consumers whole.
 
11. Wholly apart from the burden issues identified above, the bill does not seem to recognize the potential conflict between access and security. Broad access rights will lead to the centralization of data which could result in very significant security breaches. This is a highly technical subject, on which there is no consensus among experts.(15)

I appreciate the opportunity to provide these comments and would be pleased to respond to any further questions.

Sincerely,

Thomas B. Leary

cc:
The Honorable Ernest Hollings
Chairman
Committee on Commerce, Science, and Transportation
United States Senate
Washington, D.C. 20510-6125

1. My previous statements on privacy issues are enclosed with this letter.

2. The Commission also provides a forum for the exchange of views among outside individuals and groups.

3. And, apparently, an overwhelming majority do, according to the most recent evidence. William F. Adkinson, Jr., Jeffrey A. Eisenach and Thomas Lenard, Progress & Freedom Foundation, "Privacy Online: A Report on the Information Practices and Policies of Commercial Websites" <www.pff.org/pr/pr032702privacyonline.htm>.

4. The vendor may, of course, incur marketplace risk.

5. Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6810; and Interagency Public Workshop: Get Noticed: Effective Financial Privacy Notices (December 4, 2001) <http://www.ftc.gov/bcp/workshops/glb/index.html>.

6. S.2201, Section 403.

7. Federal Trade Commission, "Online Profiling: A Report to Congress" (Part 2) (Statement of Commissioner Thomas B. Leary, Concurring in Part and Dissenting in Part) (July 2000) <http://www.ftc.gov/os/2000/07/onlineprofiling.htm#LEARY>.

8. The Fair Credit Reporting Act, 15 U.S.C. §§ 1681 et seq., and the Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501 et seq., are among the federal laws that grant access rights.

9. S.2201, Sections 102 and 401.

10. S.2201, Section 401.

11. S.2201, Section 401.

12. See, In the Matter of Eli Lilly and Co., FTC File No. 012-3214 (January 18, 2002) <http://www.ftc.gov/opa/2002/01/elililly.htm>. This case involved the improper disclosure of the identity of people who had regularly obtained information about a certain psychotropic medication, but did not disclose whether they actually took the medication.

13. S.2201, Sections 102 and 401.

14. Among the many federal privacy laws are: Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6810 (covers financial institutions and non-public personally identifiable information, and requires notice of information practices and an opt-out for sharing information with third parties); Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501 et seq. (covers Web site operators, prohibits collection, use and disclosure of children's online information without verifiable parental consent, provides for parental access rights and imposes security requirements); Fair Credit Reporting Act, 15 U.S.C. §§ 1681 et seq. (covers credit bureaus and providers and users of credit data, and grants consumers access rights and opt-out rights for certain uses of credit data); and Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 262(a), 110 Stat. 1936 (1996) (codified as amended in scattered sections of 18, 26, 29 and 42 U.S.C.A.); 42 U.S.C.A. §§ 1320d to 1320d-8 (West Supp. 1998) (covers a variety of health-related entities and health information and contains requirements that include notice, varying degrees of choice, access, and security).

15. Final Report of Federal Trade Commission Advisory Committee on Online Access and Security, published as Appendix D of Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress (May 2000) <http://www.ftc.gov/acoas/papers/finalreport.htm>.