Mr. Chairman and members of the Subcommittee on Communications, I am delighted to be here this morning, and I appreciate your holding this hearing today to address a topic of extreme importance to the American people. I will speak briefly about online privacy protection.
As the Commission's 1999 report to Congress states, only 10% of well-traveled Internet sites in a recent survey have privacy disclosures that speak to all four substantive fair information practice principles of notice, consent, access, and security.(1) Even among the top 100 most frequently visited Internet sites, only some 20% have privacy disclosures addressing these four principles.(2) This chart illustrates the substantial gap that exists between the online collection of personal information, in which 93-99% of the surveyed companies engage, and the opportunity of consumers to transact their online business under fair information principles.
Some industry leaders have undertaken significant efforts to protect online privacy, including Microsoft, Dell Computer, Disney Online, IBM, AT&T, Eastman Kodak, Fox Broadcasting, the Boston Globe, the San Francisco Chronicle, the Wall Street Journal, CyberBills, Educational Communications, Inc., and Worldtravelcenter.com. In addition, the seal programs show promise. But some companies have made a business out of collecting, buying, and selling individually identifiable information online.
I was shocked to discover, shortly after I joined the Commission, that at least one of the several "information brokers" operating in the marketplace had my name and my husband's name, our address, the value of our house, our social security numbers, the years in which they were issued, our mothers' maiden names, the address where we lived before coming to Washington in 1978, our two daughters' names, their husbands' names, their social security numbers, every address where they had lived, and even our 3-year-old grandchild's name and social security number. I might add that there were several mistakes in that report on me.
We in the government, and especially those of us who have experienced a confirmation process or you who have stood for election, know what it is to have our private lives laid bare. But most Americans do not, nor do they want to.
Direct consumer harm is not necessary to justify fair information practices, but is evident, for example, in cases of cyberstalking and identity theft. But, the American public deeply values its privacy, quite apart from notions of direct harm. The studies of which I am aware consistently show a high level of concern about online privacy. For example, a study just released in April by Harvard, MIT, AT&T Labs, and the University of California-Irvine found that 87% of Internet users were concerned about personal privacy threats.(3) One year ago these online privacy concerns were held by 81% of Internet users.(4) So, over the years public concern has increased, not decreased, as shown plainly by this chart.(5)
I respectfully disagree with my colleagues in that I believe that the time is ripe for Congress to enact federal legislation to protect online consumer privacy, at least to the extent of providing minimum federal standards and guaranteeing a private right of action. As a whole, industry progress has been far too slow since the Commission first began encouraging the adoption of voluntary fair information practices in 1996.(6) Notice, while an essential step, is not enough if the privacy practices themselves are toothless. I do believe that Congress is the appropriate place for the debate on the online protection of consumer privacy, and I note that several bipartisan online privacy bills are pending in both the House and the Senate, including the Online Privacy Protection Act that has been introduced by Chairman Burns and cosponsored by Senator Wyden.(7) These bills can serve as starting points to craft balanced privacy legislation.
I am concerned that, without widespread implementation of fair information practices on commercial Web sites and absent effective privacy protections, several results are inevitable.
First, the dissatisfaction of the American people will grow, as it has in the past, in both pitch and intensity.
Second, a patchwork of state laws to protect online privacy will emerge. As shown in this chart, a number of states, including California, Colorado, Connecticut, Delaware, Florida, Louisiana, Maine, Massachusetts, Minnesota, Montana, Nevada, New Hampshire, New York, Pennsylvania, South Carolina, Tennessee, Virginia, Washington, and Wisconsin have moved in that direction.(8) Consider the confusing environment that could result for consumers, online marketers, and the courts under such a legal patchwork.(9) Consider, also, the extreme burden on online businesses to comply with this patchwork of privacy laws that their web sites certainly will encounter. Such businesses would be required to determine the jurisdictional reach of each state possessing such privacy laws and to develop compliance strategies to satisfy the privacy requirements of each jurisdiction. Further, the entire process may need to be repeated as online businesses grow and expand their product lines or information collection practices, and as other states enact their own laws.
A single minimum federal standard of online privacy would decrease the cost and complexity of compliance, while simultaneously establishing essential privacy protections for American consumers. Further, I believe that federal legislation and meaningful self-regulation should operate hand-in-hand.
Third, consumer confidence will be undermined, which will hinder the advancement of electronic commerce and trade. Some types of personal information, such as health and financial information, will require heightened privacy protections. Without the widescale adoption of fair information practices, however, not even an across-the-board minimum standard of protection exists.
Let me conclude by saying that I am troubled by the results of the Georgetown surveys, which show much less progress than I had hoped. I am pleased to say that the Commission will continue its involvement in the privacy arena, and our report sets out a number of initiatives for the coming year.
Thank you for the opportunity to share my views.
Endnotes:
1. Federal Trade Commission, Self-Regulation and Privacy Online: A Report to Congress, 7 n.10. (July 1999) [hereinafter Report].
2. Report at 7 n.42; see FIPs Compliance Gap, chart infra.
3. Lorrie Faith Cranor et al., Beyond Concern: Understanding Net Users' Attitudes About Online Privacy, Research Technical Report, TR 99.4.3 (Apr. 14, 1999), available at AT&T Labs, Beyond Concern: Understanding Net Users' Attitudes About Online Privacy 3, 5-6 (visited June 22, 1999) <http://www.research.att.com/library/trs/TRs/99/99.4/99.4.3/report.htm> [hereinafter AT&T Labs].
4. See id., available at AT&T Labs, supra note 7, at 4.
5. See Growing Public Concern, chart infra; Cranor, supra note 7, available at AT&T Labs, supra note 7, at 5-6 (1999 figure); Louis Harris & Associates, Privacy & American Business, summarized in Privacy Exchange, Consumers & Credit Reporting 1994 (visited July 6, 1999) <http://www.privacyexchange.org/iss/surveys/con_cre.html> at 1 n.1 (1993 figure); Louis Harris & Associates, The Road After 1984, summarized in Equifax, Equifax Executive Summary 1990 (visited July 6, 1999) <http://www.privacyexchange.org/iss/surveys/eqfx.execsum.1990.html> at 1 (1983 figure); Louis Harris & Associates, Dimensions of Privacy, summarized in Equifax, Equifax Executive Summary 1990, supra, at 1 (1978 figure).
6. See Federal Trade Commission, Public Workshop on Consumer Privacy on the Global Information Infrastructure, Staff Rept. (Dec. 1996).
7. S. 809, Online Privacy Protection Act of 1999 (introduced & referred to committee on Apr. 15, 1999).
8. See Proliferating Privacy Patchwork, chart infra; see, e.g., Conn. H. B. 6895, File No. 608, as amended by House Amendment Schedule A (reissued and approved by Legislative Commissioner on May 7, 1999) (passing law to prohibit state from requiring social security numbers of voter registrars); Cal. S.B. 417, Supermarket Club Card Disclosure Act of 1999 (heard June 15, 1999 by Assembly Committee on Consumer Protection, Governmental Efficiency & Economic Development); Del. H.B. 100 (House concurred in Senate amendments with additional amendments and forwarded bill to Senate for concurrence on June 17, 1999) (making videography or photography where reasonable expectation of privacy exists a felony); Wash. H.B. 2220 (to House Committee on Criminal Justice and Corrections on Feb. 22, 1999), amending ch. 9.73 RCW (making visual surveillance where reasonable expectation of privacy exists a misdemeanor); see also Thomas Shapley, A Move to Ban Videos that Invade Privacy, Seattle Post-Intelligencer, Mar. 2, 1999, available at Seattle Post-Intelligencer, Seattle PI-Plus (visited June 24, 1999) <http://www.seattle-pi.com/local/peep02.shtml>; Maine S.P. 93 - L.D. 232 - P.L. 17 (interim enactment on Mar. 19, 1999), amending § 1 20-A MRSA § 6001, as amended by P.L. 1989, c. 911 § 1.
9. The point about courts goes to establishing a uniform legal standard of a "legitimate expectation of privacy." See, e.g., Smith v. Maryland, 442 U.S. 735, 735 (1979).