Privacy in the Electronic Age

The Privacy & American Business Conference

Washington, D.C.

Date:
By: 
Christine A. Varney, Former Commissioner

Good morning. It's a pleasure to be here -- even at this early hour -- to talk with you about the increasingly important issues surrounding personal privacy in the information age.

More than twenty-five years ago, DOD's Advanced Research Projects Agency undertook development of an experimental computer network -- known as "ARPNet" -- the technological embryo of what we now know and love as the Internet. In time, the Net's "backbone" -- linked computers at government facilities like NSF, NASA, DOE and DOD -- expanded to connect users to a worldwide network supporting activities in government, universities, and industry labs. Today, we're all moving online to participate in a revolution that will profoundly alter the way we deliver, access, and use information. According to a poll released yesterday by the Nielsen Media Research group for CommerceNet, 37 million people in the US and Canada -- about 17 percent of the population -- have access to the Internet through home or office computers. Of that number, 24 million adults have actually logged on to the Internet in the last 90 days. And, indeed, if there is consensus about anything in Washington, it's the fact that the technological convergence of previously distinct telecommunications, information, and mass media industries now underway will drive world economics as we move from the 20th to the 21st Century.

This conference takes place at a critical juncture. The phenomenal growth of on-line systems such as the World Wide Web has opened up a vast arena for commercial transactions. The new technology has made it possible for consumers and businesses to capture and use commercial information in ways that were unimaginable just a few years ago. Consumers have available to them a staggering array of information with which to make purchasing decisions. Business, on the other hand, has available to it consumer marketing information and transactional data that is much richer, more detailed and more personalized than ever before. The new technology benefits consumers and businesses alike. In my view, the new technology also imposes significant privacy protection obligations on all parties to on-line commercial transactions.

The risks and benefits inherent in the new world of on-line commercial transactions have been the subject of much public debate. In April, the Federal Trade Commission, on which I serve, sponsored a workshop on Consumer Protection and the Global Information Infrastructure. The session devoted to privacy issues was particularly enlightening, bringing together representatives of industry, consumer groups and privacy advocates to begin to define the privacy issues raised by on-line commercial transactions. One thing emerged clearly from the April meeting: increased use of the NII for commercial transactions will generate vast quantities of data documenting transactions that can be easily and cheaply stored, analyzed, and reused. This transactional data trail poses an incredible risk to personal privacy. Any attempt to address the issue of consumer privacy in this context must take into account the concerns of all who have a stake in the continued growth of the on-line commercial environment.

In June of this year, the Clinton Administration's National Information Infrastructure Task Force (NIITF) issued an important document entitled "Privacy and the National Information Infrastructure: Principles For Providing and Using Personal Information."

These "Privacy Principles" reflect a recognition that the nature of the electronic medium itself must shape development of a workable privacy policy. Specifically:

  1. consumers, government and business have a shared responsibility for the fair and secure use of personal information;
  2. the technology of the NII has the potential, as yet unexploited, to empower individuals to take steps to protect that information themselves;
  3. openness about and accountability for the process of collecting and using personal information is crucial on the NII; but,
  4. openness and accountability will not be meaningful until electronic consumers become educated about the ways in which their personal information is being used in Cyberspace, and by whom.

The NIITF Working Group that issued the Privacy Principles in June recognizes that the Principles are extremely general and cannot apply uniformly to all sectors. Rather, the Principles are intended to provide the framework from which more detailed guidelines can be tailored to specific circumstances. Last week, for example, the NIITF issued a report on the specific adaptations needed in the telecommunications industry. The FTC has likewise initiated a dialogue with industry and consumers to develop more robust and specific guidelines for the use of personal information generated by online commercial transactions.

Overview of the NII Privacy Principles

The Privacy Principles identify three fundamental concerns that must govern the way in which personal information is acquired, disclosed and used on the Net -- information privacy, information integrity, and information quality.

First, an individual's reasonable expectation of privacy regarding access to and use of his or her personal information should be assured. Second, personal information should not be improperly altered or destroyed. And, third, personal information should be accurate, timely, complete, and relevant for the purposes for which it is provided and used.

Those who gather and use personal information should recognize and respect the privacy interest that individuals have in personal information by (1) assessing the impact on privacy in deciding whether to obtain or use personal information; and, (2) obtaining and keeping only information that could be reasonably expected to support current or planned activities and use the information only for those or compatible principles.

Because individuals need to be able to make an informed decision about providing personal information, the businesses that collect information should disclose: (1) why they are collecting the information; (2) what they expect to use the information for; (3) what steps will be taken to protect its confidentiality, quality and integrity of information collected; (4) consequences of providing or withholding information; and (5) any rights of redress that are available to individuals for wrongful or inaccurate disclosure of personal information.

Businesses that gather personal information should take reasonable steps to prevent improper disclosure or alteration of information collected, and should enable individuals to limit the use of their personal information if the intended use is incompatible with the notice provided by collectors.

Information gatherers should educate themselves, their employees, and the public about how personal information is obtained, sent, stored, processed, and protected, and how these activities affect individuals and society.

The Privacy Principles impose significant new obligations on individuals to obtain relevant information about why the information is being collected, what the information will be used for, what steps will be taken to protect that information, the consequences of providing or withholding information, and any rights of redress that they may have. They should have notice and a means of redress -- and they should utilize the means provided -- if they are harmed by improper use or disclosure of personal information by the information gatherer or by a third party's decision that is based on inaccurate, outdated, incomplete or irrelevant personal information.

Application of the Privacy Principles 
To Online Commercial Transactions

The Privacy Principles provide a thoughtful, but very general, approach to privacy concerns. Significantly, the Principles emphasize disclosure about, rather than prohibition against, the use of personal information. Moreover, the Principles focus on issues of individual consumer responsibility, and the sorts of empowerment needed by individuals in order to exercise such responsibility. But the Privacy Principles raise as many questions as they answer.

For example, the Principles do not address the continuing controversy about the adequacy of opt-out schemes, although such requirements are not necessarily inconsistent with the principles. Moreover, the Principles will not be helpful to businesses or consumers until we have agreed on a method for determining just what constitutes a "compatible purpose" or "adequate disclosure" or "reasonable preventative steps" in the context of any particular transaction.

The FTC has undertaken a major Privacy Initiative to develop, in cooperation with industry and consumers, some answers to these and other questions, and to begin to incorporate these Principles into our consumer protection mission. The FTC also intends to explore -- in cooperation with state consumer protection officers -- what governments' contribution to this "shared responsibility" should be. I believe that the FTC may have an especially useful role to play in the consumer education and empowerment aspects of these principles.

An important goal of the FTC's Privacy Initiative is to avoid cumbersome regulation by facilitating the development of a set of voluntary principles to govern the use of consumer information in on-line transactions. This effort will take place in three phases. Using the April workshop as a starting point, the Bureau of Consumer Protection is currently soliciting input in the form of commentary and resource materials from consumers, industry, academics, privacy advocates and others who are concerned about consumer privacy in on- line transactions. We hope to learn what kinds of personal consumer information are currently being collected on-line, how industry is storing and using this information now, and what we can expect on-line businesses to do with this information in the future. From this knowledge base, we will examine the degree of consumer awareness in this area, and whether current and planned industry practices adequately safeguard consumer privacy. A lively mix of interested parties have already provided much food for thought, and we would welcome contributions from each of your organizations.

This week we enter the Initiative's second phase. In order to enrich everyone's understanding of the issues, the Commission has established an online list-serve to facilitate thoughtful electronic debate about the rules that should apply in the use and dissemination of consumer information on- line. I am personally very excited about this experiment in "conversational government." Beginning later this week, subscription information will be available on the Commission's World Wide Web Site at www.ftc.gov (WWW (dot) FTC (dot) Gov).

We hope to wrap up the Privacy Initiative next Spring with hearings on the voluntary guidelines that emerge from this public dialogue.

The Privacy Initiative is very much a work in progress. Let me share with you some of the questions that have emerged so far from our information- gathering efforts.

In the area of data-gathering and use by on-line businesses, the new technology has made it possible not only to store personal information provided by consumers but also to track consumers" decisions as they move through on-line sites -- whether or not they complete transactions . Should this sort of transactional data be used differently than the personal information affirmatively provided by consumers?

The personal and transactional information that can be captured on-line differs both qualitatively and quantitatively from the information a merchant obtains when an in-person transaction is completed. Should the nature of the information gathered limit the uses to which such information may be put by business? Are there, for example, types of information that should not be used for target marketing purposes? Should information gathered for the purpose of consummating a transaction be used for market research? What are the limits on a business' ability to resell/rent personal consumer information to other businesses?

Is it appropriate to think of a consumer's interest in his or her personal or transactional information as a "right"? If so, what is the responsibility of business with regard to that right? If not, to what extent should the consumer have control over personal and transactional information? How should the consumer's control be exercised? What constitutes voluntary consent to the use of personal or transactional information that has been gathered on-line? How much is the consumer entitled to know about the uses to which personal or transactional information will be put? At what stage in a commercial relationship should the consumer be asked for consent? To what extent should consumers have access to the information about and the ability to correct or modify information that is being gathered about them?

Finally, the Commission has a particular interest in educating consumers about their rights and responsibilities with respect to transactions they undertake on-line. I submit that each of your organizations should also be actively pursuing consumer education programs. Consumers cannot be asked to take responsibility for safeguarding their own privacy interests, or expected to exercise choice in the on-line context in a responsible way, until they know just what is at stake. If I have anything to say about it, the voluntary guidelines we create should include provisions for industry led consumer education. We look to you for assistance in answering questions regarding consumer awareness. How much, for example, do consumers know about use of personal information gathered online? What do consumers need to know in order to use the on-line commercial context wisely? What should be the role of business in the education of consumers in general and in the context of a particular consumer's decision-making on-line?

I urge you to be involved in this process; your perspective is critical to the success of this project, and I look forward to working with each of you on this important initiative. I'd be happy to take spend the remaining time responding to your questions or comments.