Regulation of Privacy on the Internet: Where Do You Want to Go Today?

address to the Reston Chamber of Commerce

Date:
By: 
Orson Swindle, Former Commissioner

It's a pleasure to be with you today. Before I address the topic of my speech, "Regulation of Privacy On the Internet: Where Do You Want to Go Today?", let me tell you a little about the FTC and my personal beliefs about the role of government.(1)

I believe that government should play only a minimal role in our lives. I believe Will Rogers said, "All government programs (and regulations) have three things in common: a beginning, a middle, and no end." Limited government allows Americans to make their own decisions, including economic decisions. When private markets are permitted to operate without government intervention or control, they generally produce more and better products at lower prices for all Americans. Our current prosperity is no accident: by and large, private markets should be left alone to work their magic. Adam Smith, our Founding Fathers, Milton Friedman and Ronald Reagan had it right -- government that governs best governs least.

Of course, there are some limited circumstances in which government intervention in private markets is needed. Given the tremendous benefits that typically flow from private markets without government involvement, we should always be persuaded that government intervention clearly is necessary before we embark on such intervention. We in government should be ever mindful of the Hippocratic Oath --"do no harm." Before making decisions as to whether government should intervene, I ask myself this question, "Does this make sense?"

Congress has given the Commission the authority to act in certain situations in which government intervention in private markets may be needed. The Clayton Act of 1914 prohibits certain transactions or types of conduct that may substantially lessen competition, while the Federal Trade Commission Act bars unfair methods of competition and unfair or deceptive acts or practices. The role of the FTC is to enforce these laws against conduct or transactions that may harm competition. Any change in the law is up to Congress, but I must say that I believe that Clayton Act and the FTC Act are sufficiently flexible and apply to the modern economy. With today's rapidly changing economic and technical environment, the proper implementation of these laws requires those of us charged with enforcement authority to be informed, forward looking and possessed of some sound common sense.

Let me talk to you about online privacy, and I will begin with children's privacy. Based upon the Commission's legislative recommendation last year, Congress passed the Children's Online Privacy Protection Act of 1998. The statute requires Web sites directed to children, those portions of adult sites directed to children, and sites that know a visitor is under 13 to offer notice of information collection policies and obtain verifiable parental consent. A children's site cannot collect personal identifying information from children without prior verifiable parental consent (with an exception for one-time online contact in response to a child's request for information), nor can children be induced to provide more information as condition of participating in a game or activity. Children's sites must provide parents a choice with respect to any further use of their children's information and provide access to information collected from their children. Sites must take reasonable steps to protect the confidentiality, security, and integrity of personal information. The Commission is in the process of reviewing a staff recommendation to publish a notice of proposed rulemaking about children's privacy for public comment.

The FTC has been involved with online privacy through public workshops dating back to 1996. As I said at the outset, the Commission has enforcement authority over deceptive practices in the offline and online world. Failure to follow your own publicly stated privacy policies can be a deceptive practice as we saw in the GeoCities settlement the Commission approved last year. GeoCities stated one thing and allegedly did another with the information it collected. That is a deceptive practice.

The FTC is currently awaiting the results of an Internet study sponsored by a broad group of industry members, trade associations and consumer and privacy groups to measure the effectiveness of self regulation. The study, which was conducted last month, examined two data sets:

    1. a random survey of 250 of the top 7,500 commercial sites, which represent 99.99 percent of all web traffic, and
       
    2. the top 100 commercial sites, which represent roughly 80 percent of all web traffic.

The results, which will be made public next month, will be compared to a similar study the FTC conducted last year. The Commission will analyze this new study in an effort to assess the status of industry self-regulation and will report to Congress this summer.

I recently met an extraordinarily enthusiastic and bright CEO in the high-tech world named Scott McNealy, CEO of Sun Microsystems. He says what he thinks. For example, McNealy recently said, "You have zero privacy anyway. Get over it." While McNealy was politically incorrect when he made that statement, he has a point. Neil McAllister recently wrote in the San Francisco Chronicle: "Privacy is the haute crusade of civic-minded Netizens everywhere. It's a comforting romantic notion to think we're fighting the good fight against some corporate Big Brother who wants to take away our individuality. Unfortunately, in this case, [Intel Pentium III] fighting for "the cause" seems more like tilting at windmills."

BBBOnline announced last month its long anticipated seal program for online privacy. Some have expressed concern that the BBBOnline program has not been widely embraced by industry and self regulation and have taken the position that self-regulation is important but insufficient without a legislative and regulatory backup. Others have suggested an enforcement mechanism directed toward those businesses that are indifferent to or overtly avoiding the implementation of privacy policies.

Such paternalistic and statist thinking is disturbing because government cannot create utopia and prevent all cases of fraud. Consumers have to be accountable and bear some level of responsibility for their actions. If a consumer is uncomfortable with a Web site's privacy policy or if the site has no privacy policy for the consumer to review, then that individual has the freedom -- and should have the good sense -- to go elsewhere on the Web. The market, not the government, should determine whether companies are to be rewarded or punished for their privacy policies (or lack thereof) through a growth or lessening of electronic commercial transactions.

Where government can play a role is to make sure consumers do not base their choices on a lie -- to police against fraud and other distortions of the functioning of the market. While it is true that consumers are concerned about their online privacy, it is questionable just how much it is affecting personal spending habits. According to data provided by the U.S. Commerce Department, consumers spent $3 billion online in 1997 and $9 billion in 1998, and are projected to spend $30 billion in 1999 -- a tripling every year.

Self-regulation takes time. The Direct Marketing Association, the seal programs being offered by the Better Business Bureau's BBBOnline program and by TRUSTe, the Online Privacy Alliance and industry should all be commended. Self-regulation is preferable to government regulation, and the private sector must lead the way. I remain optimistic based upon the series of meetings I have had with industry over the past few months. For instance, IBM announced that as of June 1, the company will pull its advertising from any Web site in the U.S. or Canada that does not post clear privacy policies. To give you some idea of that reach, IBM advertises on approximately 360 sites and plans to spend about $60 million on Web advertising next year. IBM's leadership may inspire others to take similar steps.

To answer the opening question from my own perspective: I want to see an Internet privacy initiative under which industry takes the lead to address citizens' concern about privacy through self-regulation devoid of government intrusion. From my point of view, government regulation of privacy does not make sense because it is impractical. Bureaucratic regulation will inevitably be inflexible and outdated and will stifle the growth and innovation of electronic commerce. Hasty action to regulate privacy on the Internet would violate the government analogy of Hippocrates' oath: first and foremost, the government should do no harm.

Let me close with a simple statement of where I want to go today with the regulation of online privacy. I favor applying the principles underlying the Internet Tax Freedom Act of 1998 to the regulation of online privacy. As you know, the Internet Tax Freedom Act placed a three-year moratorium on Internet taxation, to help determine the effect of taxation on electronic commerce. Using the Internet Tax Freedom Act as a model, government should impose a three-year moratorium on online privacy regulation to determine the potential effects of regulation on electronic commerce. Government should not regulate online privacy until we fully understand the intended and unintended consequences of regulation.

Thank you for your attention, and with that I will attempt to answer your questions.

1. The views expressed by Commissioner Swindle in this written text and in his oral remarks are his own and do not necessarily reflect the views of the Commission or other Commissioners.