The Status of Online Privacy

Computer & Communications Industry Association

By: Orson Swindle, Former Commissioner

Thank you for the opportunity this morning to discuss the issue of online privacy.(1) As some of you have no doubt noted, a couple of weeks ago the FTC dramatically reversed course and became an advocate for government regulation of privacy on the Internet, suggesting that Congress give the Commission expanded rule making authority to make cyberspace safe for consumers. Contrary to comments that "we've not abandoned self-regulation" and that the majority is suggesting "light regulation," I would suggest that this is a major effort to expand the power of the FTC by "rule making."

Asking for rule making authority without telling Congress what we really have in mind, reminds me of that reassuring statement: "Trust me, I'm from the government, and I'm here to help."

I dissented from the Commission's embarrassingly flawed Privacy Report and its conclusory -- yet sweeping -- legislative recommendation. In an unwarranted reversal of its earlier acceptance of a self-regulatory approach, a majority of the Commission has recommended that Congress require all commercial consumer-oriented Web sites that collect personal identifying information from consumers to adopt government-prescribed versions of four fair information practice principles ("FIPPs"): Notice, Choice, Access, and Security.(2) The majority has abandoned a self-regulatory approach in favor of extensive government regulation, despite continued progress in self-regulation.

Why has the majority of the Commission decided to discontinue relying on self-regulation? The fundamental rationale given is that not enough Web sites are providing the type of privacy protections that the Commission has decided should be provided, and this is hindering and will continue to hinder the growth of e-commerce. The available data do not support this rationale.

Online companies are by and large providing notice to consumers as to their privacy policies, and consumers can choose whether to deal with these companies based on their privacy policies. For those who believe that allowing consumers to make their own choices is the fundamental objective, the results of the 2000 Survey are very encouraging, although more work certainly needs to be done by industry.

Instead of focusing on consumers' increasing ability to make choices concerning online privacy protections, the majority emphasizes that the 2000 Survey reveals that only 20% of all commercial Web sites (42% of the most popular sites) meet the full FIPPs requirements. (PR Appendix C, Table 4). But, the main reason for this relatively low percentage is that commercial Web sites have not disclosed to consumers whether they provide access and security. This failure to disclose is not surprising, given the access and security implementation difficulties recently identified by the Advisory Committee on Access and Security.(3)

In this regard, it is important to emphasize that the 2000 Survey did not attempt to measure whether sites actually provide Access and Security; rather, it gauged only whether disclosures addressed these issues. And, the 2000 Survey certainly did not give any credit for "No Access," even though the majority indicates it might consider no access to be "reasonable Access" in some instances.

In its conclusions that industry fails to meet the "Choice" requirement, the FTC uses a strained definition of "choice" that is more accurately described as "Mandated Choice."

Specifically, the 2000 Survey gave credit for choice only when a Web site (1) gave the consumer a chance to agree to or to authorize communications back to the consumer from the Web site and (2) gave the consumer a chance to agree to or authorize disclosure of the consumer's information to third parties. The Report's recommendation that "choice" be legislated does not mean the kind of choice that informed consumers exercise in a marketplace once they know the terms on which they are dealing with retailers. That is real choice.

Instead, the majority has recommended Mandated Choice that would require Web sites to continue to do business with consumers who do not agree to the uses the site tells them it will make of their personal information. For sites whose business depends on the use of information to provide consumers with discounts or to reduce the cost of services to consumers, the effect of Mandated Choice may be to mandate their exit from the marketplace or at least the reduction of the choices or products and services now available. Thus, in the name of Mandated Choice, consumers would have less choice.

Not satisfied with self-regulation's very encouraging progress concerning privacy policy notices and progress with regard to Choice, the majority recommends that the Congress impose a legislative solution.

Legislation could limit consumer choices and provide a disincentive for the development of further technological solutions. Government regulation may actually give consumers fewer choices and, as technology changes, less privacy.

Legislation should be reserved for problems that the market cannot fix on its own and should not be adopted without consideration of the problems legislation may create by, for example, imposing costs or other unintended consequences that could severely stifle the thriving New Economy.

The majority has recommended that Congress give rule making authority to an "implementing agency" (presumably the Commission) to define the proposed legislative requirements. In my judgment, however, the Commission owes it to Congress -- and to the public -- to comment more specifically on what it has in mind before it recommends legislation that requires all consumer-oriented commercial Web sites to comply with breathtakingly broad laws whose details will be filled in later during the rule making process.

The Privacy Report is devoid of any analysis of the costs of legislation in comparison to the asserted benefits of enhancing consumer confidence and allowing electronic commerce to reach its full potential. Instead, it relies on skewed descriptions of the results of the Commission's 2000 Survey and other studies showing consumer concern about privacy as the basis for a remarkably broad legislative recommendation. It does not consider whether legislation will address consumer confidence problems and why legislation is preferable to alternative approaches that rely on market forces, industry efforts, and enforcement of existing laws.

The Privacy Report fails to pose and to answer basic questions that all regulators and lawmakers should consider before embarking on extensive regulation. Shockingly, there is absolutely no consideration of the actual costs and benefits of regulation; nor of regulation's predictable and unanticipated effects on competition and consumer choice;(4) nor of the experience to date with government regulation of privacy; nor of Constitutional issues; nor of how this vague and vast mandate will be enforced.

Let me spend a few minutes focusing on some of my disagreements with the majority's recommendation.

A little history -- In 1998, the FTC did its first survey of commercial web sites looking for posted disclosure or notice about a site's privacy policy and practices. The survey found that only 14% of websites provided consumers this information in a meaningful way. That figure rose to 66% in the survey last year, and now stands in excess of 90%. When one looks at the top 100 sites (where consumers traffic most), 100% of them are providing Notice.

This year, the FTC majority and staff focused more critically on the failure of survey sites to achieve similar numbers on implementation of what they describe as the "widely-accepted" four fair information privacy policies. Is this logical in the face of reality? As mentioned earlier, if commercial web sites successfully met the convoluted concept of Choice prescribed by the Commission, this single practice, "Mandated Choice," alone would likely lead to less choice.

Remarkably, the Commission concluded that the industry has failed to adequately provide access and security while simultaneously engaged in a Commission-initiated complex and detailed discussion on those subjects with 40 industry leaders and privacy advocates trying to define what constitutes reasonable access and security. The Committee on Access and Security concluded there is little consensus on definition, methodology, cost, benefits and other issues that seem logical to resolve before measuring success and failure, or certainly before making implementation of them mandatory. This admitted uncertainty on the part of the Committee, however, did not deter the FTC from suggesting to Congress that it be given authority to write rules making implementation mandatory.

Based on the many difficulties of implementing Access and Security, the Privacy Report's use of full FIPPs as the yardstick for success is irrational. It should be noted that even in the sensitive area of protecting personal financial information, the Congress did not insist on all four FIPPs in the G-L-B Act. Once beyond sensitive financial and medical information, the importance of Access arguably diminishes.

Had the 2000 Survey actually given credit for the majority's concession that in some cases "reasonable Access" might mean "no Access," the Access and full FIPPs numbers would be dramatically improved. Moreover, in the FTC's survey format, Access and Security disclosures do not reflect whether a Web site actually provides Access and Security. Yet, the FTC believes it proper to measure "compliance," declare unacceptable performance, and recommend legislation. This is illogical.

Another striking feature of the Privacy Report is that, without analysis, it equates seal programs with enforcement and concludes that self-regulation has failed because the results of this first-time survey of the prevalence of participation in seal programs show that only 8% of Web sites in the Random Sample and 45% in the Most Popular Group display privacy seals.

The weighted analysis figure, which reflects how often consumers surfing the Random Sample Web sites are likely to encounter a privacy seal, is 36%. (PR Appendix C, Table 14a). Despite the fact that nearly one-half of the most frequently visited sites use a seal program, the Report states flatly that "the enforcement mechanism so crucial to the success and credibility of self-regulation is absent." (PR at 35) (emphasis added).

Is it possible that web sites honor customers' needs for Access and Security without disclosing that they do? Certainly.

To justify its recommendation for legislation, the Commission makes emotional, careless and questionable use of survey results as well as data from other studies and surveys.

The Privacy Report seeks to justify legislation and regulation on the grounds that privacy concerns are limiting the commercial growth of the Internet while at the same time acknowledging the exponential growth that has occurred in recent years in the online economy. This past week, the Commerce Department indicated that first quarter 2000 sales exceeded the fourth quarter 1999 sales during the "holiday-shopping" season.

Not surprisingly, the attention paid by the media and government to online privacy concerns is reflected in consumer surveys showing a general lack of confidence in online privacy protections. The Privacy Report, however, overstates the extent and significance of consumer concern about online privacy to support its call for government regulation. (PR at 2).

The Report boldly asserts that consumer fear about privacy "likely translates into lost online sales due to lack of confidence in how personal data will be handled" (PR at 2), and concludes that government intervention will reduce such lost sales. There is little empirical support for these conclusions.

Nor are the lost sales projections relied upon by the majority valid justifications for government regulation of privacy. The Report's sweeping statements about consumer privacy fears likely resulting in billions of dollars of lost sales are based primarily on two consumer surveys conducted in mid-1999 or earlier. These surveys were the basis for estimates that sales lost to lack of consumer confidence in privacy protections were $2.8 billion in 1999 and could be as much as $18 billion by 2002.

A lost online sale is not a complete loss to the economy. Again, assuming for the sake of argument that consumers have been dissuaded from making purchases online because of privacy concerns, the most likely response of these consumers would be to purchase the same item from an offline retailer. Conceivably, switching to an offline retailer in this situation may not be the optimal economic outcome, because transaction costs might be lower if consumers make the purchase online. Offline retailers might be able to free-ride on the services provided by online retailers. Nevertheless, the fundamental point remains that overlooking offline sales that offset a lost online sale overstates the economic effect of the lost online sale.

Consumer surveys often are poor predictors of consumers' actual behavior. If consumers' fears about privacy and security in the online world are exaggerated, then the solution is to find a way to reassure consumers by notice and education rather than promulgating rules that may restrict their choices.

The Privacy Report fails to provide a reasoned basis for its legislative recommendation. It relies only on a one-sided interpretation of the 2000 Survey results and the existence of consumer concern about privacy. The Report fails to adequately address the alternatives to legislation. Its discussion of self-regulation does not give appropriate credit to self-regulatory efforts nor does it address the continued development of privacy-related technology.

The Privacy Report's criticism of the self-regulatory model, progress to date, and the efforts at enforcement of standards within industry simply ignores reality, making the underlying intentions highly questionable. Corporate leaders including IBM, Microsoft, Disney, Intel, Procter and Gamble, Novell, and Compaq have voluntarily committed to requiring their advertising partners to post high-quality privacy policies and practices in order to receive advertising monies.

Microsoft has committed to developing business and consumer tools based on the Platform for Privacy Practices Protocol ("P3P"). The business tool known as the Privacy Statement Wizard is intended to enhance the ability of Web site operators to present their privacy statements both as human and as machine-readable documents. Microsoft's "Privacy Manager Wizard" in its earlier form, the "Privacy Statement Wizard," has been on the market for just over a year and has allowed over 15,000 companies to craft their own online privacy practices by answering a questionnaire.

Associations like yours have stepped up to the plate. On May 8, 2000, the CEOs of theglobe.com, Yahoo!, Inc., America Online, Lycos, Inktomi, Excite@Home, eBay, DoubleClick, Amazon.com, and EMusic.com wrote a letter on behalf of NetCoalition.com to the CEOs of the Top 500 Web sites urging them to take the initiative to ensure that their companies establish and promote the adoption and implementation of rigorous voluntary privacy policies. NetCoalition.com led the way during the 1999 holiday shopping season, sponsoring a "Consumer Privacy Education Campaign" to empower Internet users with practical information about online privacy. The campaign included over 50 million impressions with banner ads and site impressions.

The Online Privacy Alliance ("OPA") continues to play a leading role serving as an industry coordinator and a general information resource. The OPA has taken significant strides toward alerting consumers and businesses about the value of privacy protection, as well as how to provide substantive protective measures.

The American Electronics Association ("AEA") sponsored a series of seminars in January 2000, entitled "E-Commerce Privacy: Building Customer Trust." AEA has established a significant business relationship with BBBOnline in which a significant discount is offered to its 3,400 member companies who gain certification under BBBOnline's strenuous online privacy program.

The Direct Marketing Association ("DMA") Privacy Promise was successfully launched on July 1, 1999. Fewer than 1% of its members refused to comply. More than 2,000 DMA member companies signed up, making this the largest self-regulatory program, based on numbers of participants.

In April 2000, the Association for Competitive Technology ("ACT") unveiled "Net Privacy: You've Got the Power," a multi-faceted campaign designed to educate consumers on how to protect their privacy online. The campaign was launched with public service advertisements educating readers about online privacy and directing them to www.NetPrivacyPower.org. In addition to the Web site, the campaign includes print advertising, online advertising, direct mail and email.

The U.S. Chamber of Commerce continues to reach out through a variety of communication methods to state and local chambers to educate them about the importance of robust online privacy practices.

In October and November 1999, the Software & Information Industry Association ("SIIA") undertook a comprehensive outreach program in which it contacted all of its member companies that did not have a privacy policy linked from the company home page, encouraging them to develop fair information practices and to post a privacy policy online.

The Electronic Retailing Association ("ERA") joined 35 associations in March, 2000 to urge each of their member companies to post a simple, straightforward privacy policy. As a condition of membership, ERA member companies are required to abide by ERA's Online Marketing Guidelines.

Many other associations have endorsed and promoted self-regulatory solutions to online privacy concerns. My discussion of these organizations is by no means intended to be comprehensive, but merely to demonstrate the extent to which the majority's Privacy Report ignores ongoing, significant industry self-regulation and promotion of privacy online.

The market for privacy protection is growing and companies are responding with a host of technological tools. Those tools can be divided into two types: those that protect or shield a browsing consumer's identity, and those that help the consumer negotiate what information he or she wishes to share.

Obviously, technology can be one part of the solution to consumers' online privacy concerns. Yet, the majority's Privacy Report does not consider the existence or the likely impact of these tools on consumer privacy online before recommending a legislative attempt to address consumer concerns.

The market is working here: consumers are demanding tools to protect privacy, and merchants are competing to provide them.

Let's look briefly at the alleged "widely accepted" fair information privacy practices:

Notice seems less likely to impose tremendous costs and may have many benefits. The 2000 Survey results show that Notice already is widely provided, but there appear to be problems with the clarity and understandability of privacy disclosures. To the extent that Notice is clearly provided, firms can compete on the basis of their privacy policies, and the privacy preferences of one group of consumers need not limit the choices of other groups. Industry adherence to a set of best practice guidelines for Notice should be attempted and assessed before we resort to legislation. To the extent that online companies do not provide clear notice, consumers who care about privacy should shop elsewhere. The workings of the market are preferable to the workings of government.

What are the likely effects on online commerce of Mandated Choice? Would sites have to extend the same level of services and benefits to all consumers, regardless of whether some are unwilling to provide information? To the extent sites rely on the sale or use of information to offset the costs of providing services, would they discontinue services to all or to some consumers? Would all consumers have to pay more for services previously offset by the sale or use of information? Could sites shift costs only to those consumers who demand a higher level of privacy, whether in the form of fees for using the site or by reducing the level of benefits and services offered to those who choose a higher level of privacy? Or is privacy an absolute right so that all participants in online commerce -- retailers and consumers -- should bear the costs of Mandated Choice exercised by some consumers? If so, in the name of "Choice," the majority's proposal may reduce the choices available to consumers in the online market.

These are fundamental policy decisions, not mere issues of implementation that can be resolved later when unelected bureaucrats decide how to regulate the online world. Legislation adopting Mandated Choice will have consequences for online commerce that should be understood before Mandated Choice is written into law.

And, what are the costs associated with mandatory Access procedures?

The FTC basically ignores this nightmare.

Throughout its report, the Advisory Committee on Access and Security does discuss the costs and risks of Access. Of particular note, the Committee suggests that "the access principle sometimes pits privacy against privacy. . . . Privacy is lost if a security failure results in access being granted to the wrong person." (Advisory Committee Report at 15). The Committee further comments that "[g]iving access to the wrong person could turn a privacy policy into an anti-privacy policy." (Id. at 4).

In light of this, liability concerns may be preventing sites from providing Access. The Advisory Committee's report also observes that authentication of a consumer's identity before allowing that consumer Access could have considerable costs, including to the consumer's ability to remain anonymous. (Id.) Given the complexities and risks of Access, it is not surprising that Web sites have not implemented Access more broadly. Unlike the Commission, some may have been waiting to consider the findings of the Advisory Committee.

Addressing the issue of Security, the Advisory Committee observes (and the Commission acknowledges in footnote 192 of the Privacy Report) that it is impossible to judge the adequacy of Web site security by surveying the presence or absence of security notices on Web sites. (Advisory Committee Report at 15). Many sites may actually provide security, yet not inform consumers that they do so. The Commission majority's Report notes that security disclosures can enhance consumer confidence and are essential to informed consumer choice. (PR at 33 n.192). Indeed, "security notices are ineffective standing alone." (Advisory Committee Report at 21). Why, then, should the Privacy Survey's results measuring the frequency of security disclosures -- not whether security is actually provided -- be given any weight in assessing the progress of self-regulation of privacy online? Yet, that is exactly what the Commission majority did!

Security disclosures, particularly regarding the security of credit card information, might help increase consumer confidence. Yet this is a far cry from legislatively mandating the provision of "reasonable security" by Web sites and asking regulators to decide later what security is and is not "reasonable." The honest companies will provide security to satisfy their customers; the dishonest ones will simply not comply. There was no agreement among the Advisory Committee members that the government should mandate security standards or that the Commission should be setting security standards.(5)

Lastly, there is the matter of why all the focus is on the online world of commerce and not on offline privacy practices. As Commissioner Leary thoughtfully explains in his concurring and dissenting statement appended to the Privacy Report, online regulation of privacy has implications for the offline world. The Privacy Report acknowledges, but does not analyze, the issue in an ominously vague footnote promising that "significant attention to offline privacy issues is warranted." (PR at 3 n.23).

Where Do We Go From Here?

Congress may wish to enact more limited legislation or it may continue to rely on enforcement agencies and corporate leadership. If legislation cannot be avoided, then a basic standard for a readily understandable, clear and conspicuous Notice -- combined with a campaign by industry and government to continue to educate consumers about the tools at their disposal -- seems in order. This would go a long way to protect consumer privacy by ensuring that consumers could compare privacy policies and make informed choices based on their privacy preferences.

If there is to be legislation, it should go no further than Notice.

A Notice requirement would provide the FTC the ability to bring an action against sites acting deceptively based upon their notice.

Broad legislation beyond Notice could limit consumer choices and provide a disincentive for the development of further technological solutions and may actually give consumers fewer choices and, as technology changes, less privacy. The unforeseen costs of implementing the sweeping proposals of the FTC will likely become a barrier to entry into the market place for many entrepreneurs, thus lessening competition, limiting choices for consumers and undermining the incredible potential of electronic commerce.

Consumer concerns about the privacy of their personally identifying information are legitimate and, in the past, have been dealt with rather loosely by many in industry. There has been profound change in the past couple of years. Privacy concerns are growing and industry is responding. Awareness stimulates concerns. Concerns result in demands and disgruntled customers. The market place responds to demands, and successful firms truly do seek to satisfy customers. Clearly, industry has the motivation and the skills to solve this problem better than government bureaucrats for all the right and obvious reasons.

This issue will not go quietly into the dark. Politicians are up for election. Bureaucrats and regulators always want to do more. Industry is learning and responding. Progress is being made. I am urging corporate leadership to make consumer privacy protection a part of their corporate culture and a major corporate goal. And, finally, we should all pray every day that Congress doesn't create more problems than it attempts to solve.

Thank you.

Endnotes:

1. My oral testimony and any responses to questions you may have reflect my own views and are not necessarily the views of the Commission or any other Commissioner.

2. While this is a reversal for the Commission, Commissioner Anthony has consistently preferred a legislative approach. See Statement of Commissioner Sheila F. Anthony, Concurring in Part and Dissenting in Part, Self-Regulation and Privacy Online (July 1999), available at </os/1999/9907/index.htm#13>.

3. In 1999, the Commission established an Advisory Committee on Online Access and Security to provide advice and recommendations to the Commission regarding implementation of reasonable access and adequate security by domestic commercial Web sites. That Committee provided the final version of its report to the Commission on May 15, 2000, describing options for implementing reasonable access to, and adequate security for, personal information collected online and the costs and benefits of each option.

4. I note that the regulations promulgated to implement the Children's Online Privacy Protection Act ("COPPA"), 15 U.S.C. § 6501 et seq., require detailed Notice; Access, including the ability to review, correct, and delete information maintained by the site; and a form of opt-in mandated Choice (verifiable parental consent). 16 C.F.R. §§ 312.4, 312.6(a)(1), 312.6(a)(2), 312.5(a), 312.5(b). The regulations went into effect on April 21, 2000, and already press reports state that some small online companies have stopped providing services to children because implementation of COPPA's requirements is too costly. See, e.g., "New Children's Privacy Rules Pose Obstacles for Some Sites," The Wall Street Journal at B-8 (April 24, 2000) (reporting one attorney's estimate that it will cost her clients between $60,000 and $100,000 annually to meet COPPA standards); "New privacy act spurs Web sites to oust children," William Glanz, The Washington Times (April 20, 2000), available at <http://www.washtimes.com/business/default-2000420233432.htm>. See also "COPPA Lets Steam out of Thomas," Declan McCullagh, Wired News (May 16, 2000), available at <http://www.wired.com/news/politics/0,1283,36325,00.html>.

5. Concurring Statement of Stewart Baker, Steptoe & Johnson LLP, appended to Advisory Committee Report.