The Case for Standardization of Privacy Policy Formats

Article written July 2001

By: Sheila F. Anthony, Former Commissioner

* Commissioner Anthony's remarks are adapted from several speeches she has made on consumer privacy. The views expressed are those of Commissioner Anthony and do not necessarily reflect the views of the Federal Trade Commission or any other individual Commissioner. The author gratefully acknowledges the assistance of her Attorney Advisor, Katherine Armstrong, in preparation of this article.

Introduction

In 1995, when the Commission first became involved in the public debate on online privacy, it encouraged industry members to come up with an effective self-regulatory scheme. The general industry response was to create long and complicated privacy policies that are difficult for consumers to read and understand. In my view, consumers are not much better off today with incomprehensible privacy policies than they were five or six years ago when there were no privacy policies.

A standardized format for privacy policies, much like the food label required by the Nutritional Labeling and Education Act(1) or the EnergyGuides required by The Energy Policy and Conservation Act of 1975 ("EPCA"),(2) would allow consumers to quickly assess whether a particular site's privacy policy satisfies their privacy goals.

Background

In the Commission's first Report to Congress on Privacy in 1998, the Commission concluded that an effective self-regulatory system had yet to emerge and that additional incentives were required to ensure that consumer privacy would be protected. The Commission deferred judgment on the need for legislation to protect the online privacy of adult consumers.(3) In 1999, a majority of the Commission again concluded that legislation to address online privacy was not appropriate.(4) However, in our 2000 Report, a majority of the Commission concluded that legislation was needed given industry's limited success in implementing fair information practices online, as well as ongoing consumer concerns about Internet privacy.(5)

Since 1995, the number of sites that post privacy policies has sharply increased. As noted in the Commission's 1998 Report, a random sample of all commercial websites and (a sample of) the 100 most popular group of websites revealed that only 14 percent of the random sample had any privacy disclosures compared to 71 percent of the most popular group.(6) By the time of our 2000 Report, 88 percent of the sites from a random sample and 100 percent of sites from the most popular group provided some privacy disclosures.(7)

Consumer Views

Consumer surveys reveal that consumers are concerned about protecting their privacy on the Internet. Although the specific survey questions vary, the results of the surveys are strikingly consistent.(8) A recent survey reports that 73 percent of consumers are either very or somewhat concerned about their privacy online.(9) Yet, consumer concern about privacy does not appear to translate into consumer action. The same survey also asked about consumer behavior online. It revealed that only 4 percent of consumers read policies every time they visit a site, and only 16 percent read them frequently. Many more (40 percent) indicate that they only occasionally read the policies, while 22 percent rarely read them and 18 percent never read them.(10)

How can this apparent inconsistency between the concern voiced by consumers and their inaction be explained? Part of the answer may be that many privacy policies are hard to find, long, contradictory, and confusing. Offline Gramm-Leach-Bliley Act ("GLB") privacy notices fare no better. They are rarely couched in clear and conspicuous language and have been the focus of consumer and congressional complaint.(11)

Internet and GLB Privacy Policies

Location, Length, and Content

Although more and more websites post privacy policies, the "links" to these policies are rarely prominent; they are almost always located at the bottom of the home page, right next to the copyright information. These links are almost never conspicuous on the first screen viewed or at the place where the website operator collects personal information.

When online privacy policies are printed out, they are often pages and pages long and contain numerous links to other terms and conditions imposed by the website. One popular website's privacy policy is over 50 pages when it and all the relevant links are printed out.(12) If consumers closely examined the "agreements" required by the policies, I am not sure there would be a true "meeting of the minds." Many of these policies incorporate service agreement terms that grant sweeping rights to companies.

Contradictory language

Many privacy policies contain contradictory language. One GLB policy from an insurance company provides:

We will not reveal your information to any external organization unless we have previously informed you in disclosures or agreements, have been authorized by you, or are required by law.

A few lines later, the notice provides:

We may, however, facilitate relevant offers from reputable companies.(13)

How is the average consumer to interpret these contradictory statements?

Unannounced Changes

Websites rarely provide information about when the current policies were created or updated and, if updated, exactly what changes were made. Many sites put the privacy protection burden on consumers. They tell consumers that the policies will likely change and instruct them to check back frequently. For example, one popular site provides:

We may e-mail periodic reminders of our notice and conditions, unless you have instructed us not to, but you should check our website frequently to see recent changes.(14)

Other policies provide no choice at all with opening paragraphs such as this:

By visiting [this site] you are accepting the practices described in this Privacy Notice.(15)

Unidentified Third Parties

Many online and GLB privacy policies refer to, but do not clearly describe or even identify, their relationships with third parties, including "affiliated companies and other business partners." If the truth be known, these third parties could be four, or 400, or 1,400 "affiliated companies" in a joint marketing enterprise. A standardized format may provide incentives to clearly describe these relationships.

Privacy Policies Not Working

If the goal of the industry's self-regulatory efforts is to provide informed consent for consumers, it has failed. Many online privacy policies and GLB privacy notices appear to have been written by lawyers for lawyers. As a general rule, privacy policies are confusing, perhaps deliberately so, and industry has no incentive to make information sharing practices transparent. If privacy policies were presented in a standard format, a consumer could more readily ascertain whether an entity's information sharing practices sufficiently safeguard private information and, consequently, whether the consumer wishes to do business with the company.

NLEA's Food Label

The Nutritional Labeling and Education Act of 1990 was the most substantial piece of legislation concerning food and food labeling since the passage of the Federal Food Drug and Cosmetic Act of 1938.(16) The goal of the NLEA reforms was similar to the goal of the 1938 Act: The communication of essential information to enable consumers to choose foods more wisely.(17)

The NLEA required, among other things, that every covered food would have a uniform nutrition label disclosing the amount of calories, fat, salt, and other nutrients. The legislative history notes that to make this information meaningful, FDA would be required to issue standards providing that uniform serving size information and information concerning the number of servings be furnished on the food label.(18) Prior to the passage of the NLEA, FDA had been engaged in a regulatory proceeding to modernize and improve the nutrition labeling requirements, but proposed regulations had never been issued.(19) During the mid-1980s, companies began making health claims on foods, even though the FDA had not approved the claims through the drug approval process. At the same time, the Surgeon General advised Americans that diets low in fats, low in salt, and high in fiber can reduce the risk of chronic diseases such as cancer and heart disease. Finally, it was unclear whether FDA had the legal authority to implement regulations that would permit health claims regarding the usefulness of a food in treating a disease, without also requiring that the claim meet premarket approval requirements applicable to drugs.(20)

The NLEA requires that a health claim on conventional foods be stated in a manner that enables consumers to understand the relationship of the substance to the disease and its relative significance in the context of a total daily diet.(21) The format is universal and consumers can easily determine the amount of calories, fat, salt, and other nutrients foods contain. The format is easy to read and understand.

The NLEA's nutrition labeling regulations have been extremely successful. There is high consumer awareness of the labels and some evidence that many consumers are making healthier choices about the food they eat.(22) The Commission issued an Enforcement Policy Statement on Food Advertising in May 1994 that attempted to provide guidance regarding its enforcement policy with respect to the use of nutrient content and health claims in food advertising. The policy statement provides further guidance to advertisers and consumers.

The FTC's Appliance Labeling Rule

The Energy Policy and Conservation Act of 1975 ("EPCA") required the Commission to prescribe labeling rules for the disclosure of estimated annual energy cost or alternative energy consumption information for a number of home appliances. As a result, the Commission promulgated the Appliance Labeling Rule.(23) The Rule requires manufacturers of certain appliances to affix yellow-and-black EnergyGuide labels to these appliances. The labels give consumers information about the energy efficiency of competing models of appliances and enable them to factor the cost of operating an appliance into their buying decisions.

The Statement of Basis and Purposes of the Appliance Labeling Rule(24) noted that:

"[b]y mandating a uniform disclosure scheme for energy consumption information, the rule will permit consumers to compare the energy efficiency for competing appliances and to weigh this attribute against other product features in making their purchasing decisions."(25)

These now-familiar yellow-and-black EnergyGuide labels also show the highest and lowest energy consumption or efficiency estimates of similar appliance models, based on test procedures established by the Department of Energy. This information enables consumers to compare the energy use of models they are considering.

Standardizing Privacy Policy Formats

These examples of standardized labels in the food and energy area demonstrate how complex information can be effectively communicated to consumers. They provide a model to address the current state of privacy policies.

There is general agreement about what information should be included in privacy policies. The Commission's 1998 Report to Congress noted that there are five core principles of consumer privacy protection:(26)

  1. Notice/Awareness
  2. Choice/Consent
  3. Access/Participation
  4. Integrity/Security
  5. Enforcement/Redress

Many online privacy policies address each of these elements, but do not do so in a clear, conspicuous, and understandable way. Website operators could take advantage of the interactivity of the technology to create links from a standardized format to further explanations or examples of how an entity uses or shares information.

Likewise, the Gramm-Leach-Bliley Act requires financial institutions and insurance companies to inform customers of their practices with regard to sharing customers' personal information with both affiliated and nonaffiliated entities. Specifically, the Financial Privacy Act Rules require:

  1. Notice about the entity's privacy policies and practices,
  2. Annual notices,
  3. A reasonable opportunity for the consumer to "opt out" of disclosure of their nonpublic personal information to nonaffiliated third parties.

There are numerous benefits in having a standardized format for online and GLB privacy notices. First, industry would be on a level playing field. Businesses could more fairly compete based upon clear articulation of their information practices. With a standardized format there is no incentive for a company to "spin" its privacy policy or to "threaten" consumers if the consumer chooses to exercise the legal right (in the GLB context) to opt out of information sharing. One privacy notice from a bank provides:

However, if you choose not to have your information shared, then we would be prevented from sharing nontransactional personal information within (our) family of affiliate companies. If this is your preference, (we) will be restricted in our ability to inform you about financial services, exclusive products and more. This may negatively impact the level of service to which you've become accustomed.(27)

Since the July 1, 2001 deadline for financial institutions to comply with the notice prong of GLB, much has been written about the confusing nature of the GLB Privacy Notices. All of this could have been avoided with a standardized format.

Second, consumers could easily determine what an entity's information sharing practices are and then determine whether it meets their privacy objectives.

Third, the integrity of data collected will be improved. A recent report from Statistical Research, Inc., notes that one in five Web users have entered false information to gain access to a site.(28)

A standardized format could capture, in consumer-friendly language, consumers' three fundamental concerns:

  • What information is collected (actively or passively);
  • How it is used; and
  • Whether and with whom the information is shared.

The details to these and other practices could be addressed through links to additional language.

In addition, technological tools such as P3P can pave the way for seamless implementation of the standardized format. Effective privacy protection must begin with effective notice, and such notice requires a consumer-friendly format that is easy to locate and easy to read.

Conclusion

The NLEA food labels and the EnergyGuides provide excellent examples of standardized formats that convey complex but important information to consumers. A number of benefits would flow from standardizing the formats, including creating a level playing field for industry and providing consumers with easy-to-understand information about the information sharing practices of the companies with which they do business. A standardized privacy format could give consumers more confidence in the online marketplace, which would only be good for business in the long run.

Endnotes:

1. Pub. L. 101-535 (1990).

2. Pub. L. 94-163, 89 Stat. 871 (1975), as amended by the National Energy Conservation Policy Act, Pub. L. 95-619, 92 Stat. 3258 (1978), the National Appliance Energy Conservation Act, Pub. L. 100-12, 101 Stat. 103 (1987), the National Appliance Energy Conservation Amendments of 1988, Pub. L. 100-357, 102 Stat. 671 (1988), and the Energy Policy Act of 1992, Pub. L. 102-486, 106 Stat. 2776 (1992), 42 U.S.C. 6291 et seq.

3. See 1998 FTC Report at 41-43.

4. 1999 FTC Report at 12-13.

5. 2000 FTC Report at 38.

6. 1998 Report, App. D, Table 2.

7. 2000 Report, Appendix C, Table 2a.

8. Last year, a Harris Interactive survey reported that consumers are more concerned with privacy issues than health care, crime, or taxes. A 2000 Pew Internet & American Life Project survey revealed that 84 percent of Internet users are concerned that businesses and/or people they do not know are getting personal information about them and their families.

9. Wall Street Journal/Harris Interactive Survey (March 2001)

10. Id.

11. See New York Times, May 7, 2001, Privacy Policy Notices Are Called Too Common and Too Confusing, by John Schwartz; usatoday.com/usatonline/20010709/3465238s.htm, Confusing privacy notices leave consumers exposed; Washington Post, June 17, 2001, Getting a Handle on Privacy's Fine Print, by Robert O'Harrow Jr.; Business Week, June 18, 2001, Why Privacy Notices are a Sham, by Mike France; and Privacy Regulation Report, July 9, 2001, Consumer Groups, Congress Press Regulators to Standardize GLB Notices.

12. Amazon.com

13. Travelers Insurance Company

14. Amazon.com

15. Id.

16. 21 U.S.C. Sections 301-393.

17. Frederick H. Degnan, The Food Label and the Right-to-Know, 52 Food & Drug L.J. 49 (1997).

18. House Report 101-538 at page 11.

19. Id. at 12; see also 44 Fed. Reg. 75,990 (December 21, 1979).

20. House Report 101-538 at pages 12 and 13.

21. 21 U.S.C. Section 343(r)(3)(B)(iii).

22. See Bruce Silverglade, The Nutrition Labeling and Education Act - Progress to Date and Challenges for the Future, Journal of Public Policy & Marketing, Vol. 15(1) 148-156 (Spring 1996).

23. 16 CFR Part 306.

24. 44 Fed. Reg. 66444 et seq.

25. Id. at 66466.

26. See 1998 Report at 7.

27. Riggs Bank

28. See Christopher Saunders, Study: Web-Savvy Consumers Wary of Data Loss, http://www.internetnews.com/IAR/article/0,,12_781,00.html