FEDERAL TRADE COMMISSION
WASHINGTON, D.C. 20580
April 24, 2002
The Honorable John McCain
Committee on Commerce, Science, and Transportation
United States Senate
Washington, D.C. 20510-6125
Dear Senator McCain:
You have asked that members of the Federal
Trade Commission provide their individual views on a privacy bill, "The
Online Personal Privacy Act," S.2201, and I am pleased to respond.
It is important to express a key
reservation up front. This statement of my individual views is constrained
by my understanding of the context of your request. Like any other
citizen, I have personal views on fundamental issues in the privacy debate
(e.g., the question of whether it is appropriate to speak of a
"right to privacy" in the context of private consensual transactions as
opposed to intrusions by government; the balance between any privacy
rights of one party and the First Amendment rights of another; and the
question of whether it is realistic to expect that most barriers to
disclosure will prove effective in the long term). However, there is no
reason why you or any other lawmaker should be particularly interested in
my opinions about these value-laden issues, so I understand that you are
asking for my views in the context of the responsibilities and
capabilities of the Federal Trade Commission. In other words, this
response is constrained by an appreciation of the limitations of our
To be blunt, I do not believe it is my
place to advise Congress on the bottom line issue of whether it is or is
not a good idea to legislate on privacy issues. (To the extent I presumed
to do so in the past, I have changed my mind.) The Federal Trade
Commission, in my view, functions best as a facilitator, which attempts
through law enforcement and education(2) to
ensure that consumers are not misinformed about the goods and services
that they buy and that sellers are not disabled by illegal private
constraints. But, in the absence of Congressional direction to the
contrary, we are neutral about the terms of sale that are freely
determined. We have strong institutional confidence in the ability of
adequately informed consumers to make their own choices about what they
want (including, presumably, varying levels of privacy protection) without
interference from government. We are good at specifying what is adequate
disclosure of the terms of sale but we are not good at devising rules for
what the terms of sale should be.
With this awareness of our limitations, I
join with those colleagues who express serious reservations about the
"Online Personal Privacy Act," S.2201. I generally concur in their
conclusions, but write separately to emphasize my particular perspective.
I simply do not believe that S.2201 can be enforced in a coherent way. The
following is a summary list of the reasons:
- 1. I do not
believe it is workable or reasonable to treat privacy differently in the
online world than in the offline world to the extent that the
information collected is the same, regardless of the site of
collection or the means of dissemination. It is obvious that different
modes of disclosure might be required, but it is illogical to regulate
one medium and not the other.
- 2. Congress may, in its judgment, determine that it is appropriate to
mandate some form of "notice" to consumers about what will happen to
their personal information. For one thing, mandated notice would
eliminate the present awkward situation whereby a company that
risks prosecution if the information is inaccurate, but one that
volunteers nothing risks nothing.(4)
Recent experience with mandated notice, however, suggests that it is not
enough for Congress simply to require that it be done.(5)
Businesses have to be given more precise guidance about the forms of
notice that will be useful to consumers. This is something that the
Federal Trade Commission, as an institution, knows something about. It
might be appropriate to direct the Commission or some other appropriate
body to survey the quality of notices that are either
voluntarily provided or mandated today, and then recommend a template
for notice that would be meaningful. This project would inform the
policy debate and ultimately, perhaps, provide the framework for
- 3. The issue of "choice" or
"consent" is much more complex than the bill seems to recognize. At
first glance, it seems obvious that the whole purpose of notice is to
enable consumers to make informed choices. It is necessary, however, to
think about the consequences of choice. If there is no cost or
reduced benefit associated with the choice to opt-out (or failure to
opt-in), then the added expense of accommodating these choices will be
borne by consumers less tender of their privacy. (No one suggests that
people who do not want to use their supermarket charge cards because of
the information disclosed should be entitled to the discount anyway.) On
the other hand, if privacy-conscious consumers are disadvantaged too
much, their only practical "choice" is to seek another provider, and
mandated "opt-outs" or "opt-ins" become essentially meaningless. There
would have to be some regulatory regime to determine what is a
reasonable in-between position in these circumstances, and I have no
idea how this could be done across-the-board.
- 4. Under the bill, further
refinements of "access" and "security" would presumably need to be
spelled out in rulemaking proceedings.(6)
As I have said before, "[i]t is not appropriate to defer all the tough
issues for future rule-making."(7) I
personally believe, for example, that there is a vast disparity between
the costs and benefits of an access regime in most situations, and I
further believe that the costs of merely developing and enforcing
across-the-board rules would also vastly exceed the benefits. Congress
may want to consider whether any tailored expansion of present rights is
necessary,(8) but a blanket mandate of
"access" rights is unlikely to result in significant benefits overall.
These are major objections, but the following issues are also significant:
- 5. S.2201 distinguishes
"sensitive" from "non-sensitive" personal information.(9)
These categories seem arbitrary. For example, as Chairman Muris points
out in his letter to you of this date, some might feel that information
about the books they read is a lot more sensitive than their political
affiliation. Moreover, information that is merely "inferred" from data(10)
may be just as sensitive as information "about"(11)
certain aspects of an individual.(12)
- 6. The distinction between
"clear and conspicuous" notice and "robust" notice(13)
seems unworkable as a legal mandate. Articulation of the latter
undercuts the significance of the former. If some form of notice is ever
mandated by Congress, it should be both.
- 7. The bill is silent about
the extent to which privacy protections travel with consumers' personal
information. In general, Gramm-Leach-Bliley's privacy provisions require
downstream recipients of covered data only to use the information in a
fashion that is consistent with the consumers' stated privacy
preferences or only for uses that are exempted from the notice and
choice requirements (such as credit reporting). In this sense, the
protections flow with the information. I seriously question whether this
concept can be applied across the economy, but without it, the privacy
protections of the bill may be nullified.
- 8. As Chairman Muris notes,
some of the provisions of S.2201 attempt to reconcile the legislation's
privacy protections with other federal statutes that allow limited but
beneficial information sharing. However, as currently drafted, S.2201
might limit a variety of legitimate and beneficial information sharing
which covered entities engage in and which Congress would like to
continue. It is not clear, for example, whether information about
transactions completed online could be communicated to credit bureaus.
Without appropriate exclusions, any proposed privacy rules could have a
serious anti-consumer impact.
- 9. This bill would add to
the emerging patchwork of federal privacy regulations that apply to
personal information(14) and may
ultimately result in ambiguous, conflicting, or impractical requirements
for businesses, and greater confusion for consumers as well. For
example, S.2201 provides that "sensitive" and "non-sensitive"
information would be subjected to different levels of protection.
Dissemination of "sensitive" information would be subject to consumer
notice, opt-in choice, access and security. "Non-sensitive" information
would be protected by "robust" notice, opt-out choice, access and
security. The specifics of these requirements would all be defined in a
future rulemaking. At the same time, "non-public" personal information
collected by financial institutions (whether online or offline) would be
subjected to Gramm-Leach-Bliley's distinct notice, choice and security
Businesses that seek to comply with both of these
regulations would be required to differentiate between online and offline
information as well as any possible differences between the notice,
choice, and security requirements in the two regulatory schemes.
Additionally, our experience to date with Gramm-Leach-Bliley suggests that
consumers may need less rather than more complex privacy
disclosures in order to understand and execute their rights. It is
unrealistic, at this point, to assume that consumers will comprehend the
various categories of information as well as the protections that are
attached to each category of information.
- 10. The bill provides that
"penalties" would be imposed for a violation of the statute, and that
"redress" would be distributed to consumers in an amount not to exceed
$200 (for breaches involving non-sensitive personal information). This
confuses two separate concepts. Penalties are calculated without regard
to consumer injury or ill-gotten gains, and are paid to the Treasury.
Redress is intended to make consumers whole.
- 11. Wholly apart from the
burden issues identified above, the bill does not seem to recognize the
potential conflict between access and security. Broad access rights will
lead to the centralization of data which could result in very
significant security breaches. This is a highly technical subject, on
which there is no consensus among experts.(15)
I appreciate the opportunity to provide these comments
and would be pleased to respond to any further questions.
Thomas B. Leary
The Honorable Ernest Hollings
Committee on Commerce, Science, and Transportation
United States Senate
Washington, D.C. 20510-6125
1. My previous statements on privacy issues are enclosed with this letter.
2. Commission also provides a forum for the exchange of views among outside individuals and groups.
3. apparently, an overwhelming majority do, according to the most recent evidence. William F. Adkinson, Jr., Jeffrey A. Eisenach and Thomas Lenard, Progress & Freedom Foundation, "Privacy Online: A Report on the Information Practices and Policies of Commercial Websites" <www.pff.org/pr/pr032702privacyonline.htm>.
4. The vendor may, of course, incur marketplace risk.
5. Act, 15 U.S.C. §§ 6801-6810; and Interagency Public Workshop: Get Noticed: Effective Financial Privacy Notices (December 4, 2001) <http://www.ftc.gov/bcp/workshops/glb/index.html>.
6. S.2201, Section 403.
7. Federal Trade Commission, "Online Profiling: A Report to Congress" (Part 2) (Statement of Commissioner Thomas B. Leary, Concurring in Part and Dissenting in Part) (July 2000) <http://www.ftc.gov/os/2000/07/onlineprofiling.htm#LEARY>.
8. The Fair Credit Reporting Act, 15 U.S.C. §§ 1681 et seq., and the Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501 et seq., are among the federal laws that grant
Sections 102 and 401.
In the Matter of Eli Lilly and Co., FTC File No. 012-3214 (January 18, 2002) <http://www.ftc.gov/opa/2002/01/elililly.htm>. This case involved the improper disclosure of the identity of people who had regularly obtained information about a certain psychotropic medication, but did not disclose whether they actually took the
Sections 102 and 401.
14. Among the many federal privacy laws are: Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6810 (covers financial institutions, non-public personally identifiable information and requires notice of information practices and an opt-out for sharing information with third parties); Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501 et seq. (covers Web site operators, prohibits collection, use and disclosure of children's online information without verifiable parental consent, provides for parental access rights and imposes security requirements); Fair Credit Reporting Act, 15 U.S.C. §§ 1681 et seq. (covers credit bureaus and providers and users of credit data and grants consumers access rights and opt-out rights for certain uses of credit data); and Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 262(a), 110 Stat. 1936 (1996) (codified as amended in scattered sections of 18, 26, 29 and 42 U.S.C.A.); 42 U.S.C.A. §§ 1320d to 1320d-8 (West Supp. 1998) (covers a variety of health-related entities and health information and contains requirements that include notice, varying degrees of choice, access, and security).
15. Report of Federal Trade Commission Advisory Committee on Online Access and Security, published as Appendix D of Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress (May 2000) <http://www.ftc.gov/acoas/papers/finalreport.htm>.