Protecting Consumers' Privacy: 2002 and Beyond

Remarks at The Privacy 2001 Conference

Cleveland, Ohio

Date:
By: 
Timothy J. Muris, Former Chairman

*The views expressed are those of the Chairman, and do not necessarily reflect the views of the Commission or of any other Commissioner. In his delivered remarks, the Chairman may deviate frequently from the printed text of the speech.

It is a pleasure to be here today to discuss with you the FTC's privacy initiatives for the coming year. I propose a strong, pro-privacy agenda addressing the real concerns I have heard voiced over the past months about consumer privacy in commercial transactions. This is my third tour of duty at the FTC, but it has been 16 years since I was here. Although many things are familiar, much has changed - the most striking is the agency's focus on privacy.

Before I discuss our privacy agenda, I want to acknowledge the tragic events of September 11th and the immeasurable toll they have imposed on our great country. These attacks have refocused our national and personal priorities as no other event since Pearl Harbor. Our citizens are deeply concerned about security. Indeed, one of government's first and most important jobs is to protect its citizens. We need to examine how to balance our deeply rooted commitment to civil liberties with the fundamental need to protect society from the horror of terrorism.

One thing that will not change is our American spirit. I love baseball - to see a pitcher throw a perfect strike on a warm evening is one of the true American delights. A few weeks ago, in the first game after the attack, the Yankees played the White Sox in Chicago. Chicago sports fans were holding signs "Chicago Loves New York." When you see something like that, you know that we are going to be all right.

Sportswriter Pete Hamill says you can watch a prize fight, but you will not know if someone is really a prizefighter until he gets up after he has been knocked down. We have gotten up.

The President and all our leaders ask us to get back to business - back to doing whatever we do that makes this country run. It is the duty of every American to be accountable, and that is why we are here today. We will keep America running - ahead, not away. Like all of you, I am here doing my job. And my job as Chairman of the Federal Trade Commission is to protect America's consumers. The issues of national security and defense raised by the events of September 11th are of enormous importance, but outside the purview of the Federal Trade Commission. My focus today is on individual privacy in the commercial realm and on what the FTC itself can do.

The FTC plays a vital role in protecting consumer privacy, a role I propose to increase. I will outline the FTC's current and future privacy initiatives, and finally, my thoughts on Internet privacy legislation. Of course, I am one of five Commissioners and do not necessarily speak for my colleagues.

There is no question that consumers are deeply concerned about the privacy of their personal information.(1) There is no question that a lot of information is being collected. There are a lot of questions about how it is being used…and who is using it. In my work with the Administration and with outside groups, I have been impressed by the importance of privacy issues for both President Bush and for the American people.

Privacy has become a large and central part of the FTC's consumer protection mission.(2)

Over the last four months, we have developed a plan for the coming year. It involves every Division of the Bureau of Consumer Protection and increases the resources devoted to privacy issues substantially. A key part of this process was frequent briefings with a newly created Privacy Task Force headed by Howard Beales, Director of our Bureau of Consumer Protection.

I have also held dozens of meetings with groups with diverse perspectives on privacy issues ranging from consumer groups to several trade associations to information technology executives to academics. I was impressed by the widespread agreement on the importance of privacy issues and the importance of the FTC in protecting consumers' privacy. As a consumer protection agency, we respond to the American people. The FTC can reassure consumers that privacy promises will be honored. We are an agency with knowledge about both consumer protection and the way markets address consumer privacy concerns. We will increase our enforcement of laws protecting consumer privacy.

The Information Economy

Our economy generates an enormous amount of data. Most users are from honest businesses - getting and giving legitimate information. The information revolution provides enormous benefits for consumers. Many fail to appreciate that the average American today enjoys access to credit and financial services, shopping choices, and educational resources that earlier Americans could never have imagined. Today, we can check our credit card and bank balances over the phone 24 hours a day, we can order books, clothes, or gifts online while we are having our first cup of coffee in the morning, or we can review our finances in a convenient consolidated statement whenever we like. What I personally find most astounding is what occurs all over America at auto dealers every day. If consumers have good credit, they can borrow $10,000 or more from a complete stranger, and actually drive away in a new car in an hour or less. I call this the "miracle of instant credit." I am told this cannot rightly be called a "miracle" because miracles require a "higher authority" than a credit manager. When you think about it, however, this event is extraordinary.

This "miracle" is only possible because of our credit reporting system. The system works because, without anybody's consent, very sensitive information about a person's credit history is given to the credit reporting agencies. If consent were required, and consumers could decide - on a creditor-by-creditor basis - whether they wanted their information reported, the system would collapse. Credit histories are one of our most sensitive pieces of information. Their use is, and should be, restricted and protected. The Fair Credit Reporting Act(3) provides such protections, as I will discuss below.

Consumer Concerns About Privacy

Despite the benefits of information sharing, concerns about privacy are real and legitimate. Many consumers are troubled by the extent to which their information is collected and used. Some feel that they have lost control over their own information.(4) If you probe further, what probably worries consumers most are the significant consequences that can result when their personal information is misused.(5)

First, and most serious, are risks to physical security. Parents do not want information on the whereabouts of their children to be freely available. Women may not want their address known for fear of stalkers. Many prefer to list their telephone number using just their first initial and last name. Someone browsing through the phone book will then not know if the person listed at that address is male or female. Millions of people pay not to be listed in the phone book at all.(6)

Others may use a private mailbox to avoid revealing where they live.

Second, is the risk of economic injury. The fear of identity theft plagues the information age. No other practice so vividly captures the fears many consumers have about their privacy. It strikes randomly, leaving lives in shambles. Identity theft can range from unauthorized use of your credit card to someone creating a "duplicate you." I do not mean Austin Powers and "Mini-me," but an actual "duplicate you" - complete with your birthday and social security number and leaving you with a pile of unpaid bills. ID theft tarnishes your credit record, and results in the loss of credit, employment, and housing opportunities. Some victims even find themselves facing criminal charges.

Consumers' third concern is with practices that are unwanted intrusions in our daily lives. Unwanted phone calls disrupt our dinner, and our computers are littered with spam. There are unwanted solicitations for pornography and other products many find objectionable. Individually, the injury is relatively small, but in the aggregate the harm can be great.

An Expanded Privacy Agenda

Focusing on these three consequences or harms demonstrates the need to view privacy concerns through a broad lens. Initially, the agency's privacy program was focused primarily on the Internet, and on what information Web sites collect and use. This was appropriate when the Internet boom was just beginning. Consumers, surfing from the privacy of their homes, may have felt anonymous. This focus, as important as it is, does not address privacy concerns raised by offline information practices and the rapid convergence of online and offline information systems. The risk of identity theft, for example, is a real threat whether the thief steals the information from an online Web site with a list of credit card numbers or from a consumer's mailbox.

Our privacy program will reduce the negative consequences of misuse of information, whatever the source. Today, I announce an ambitious, positive, pro-privacy agenda that begins with a substantial increase in the FTC's commitment to protecting consumer privacy. We plan to increase resources devoted to protecting privacy by 50 percent.

Protecting Consumers From Unwanted Telemarketing

In the 1980's and '90's, telemarketing fraud and other telemarketing problems led to federal legislation.(7) Working with our partners in the states, the FTC chalked up an impressive record of attacking telemarketing fraud. Many consumers are also concerned about the disruption caused by the number and timing of these calls. Today, consumers who want to be left alone must rely on a voluntary system administered by DMA or notify each company not to call.(8)

We can do better. I am recommending an amendment to our Telemarketing Sales Rule that would develop a national, one-stop, "do not call" list.(9) We will also explore giving consumers a middle option - for instance, one that would allow calls, but further limit when calls can be made.

Such protections will address a significant consumer privacy concern. Rulemaking takes time, however. In the interim, we will increase enforcement of existing Telemarketing Sales Rule provisions that protect the privacy of consumers, including provisions prohibiting telemarketers from calling at odd hours, harassing consumers, and failing to disclose the identity of the seller and the purpose of the call.(10) Although we have appropriately thus far focused our enforcement on fraud, in the future we will also target practices that violate these provisions protecting consumer privacy.

Pre-Acquired Credit Card Numbers

Another important telemarketing privacy concern is the use and possible abuse of a category of information called "pre-acquired account information": - i.e., lists of names and credit card account numbers of potential customers. Many consumers worry that some telemarketers have this information before the consumer decides to enter into a transaction with them. These "pre-acquired" numbers have been used to bill consumers who believe they were simply accepting a free trial, or to bill consumers even when they did not accept the offer. I will recommend to my colleagues that we amend our Telemarketing Sales Rule to ensure that, if sellers have this sensitive credit information, consumers are only charged if they really want to buy the item.(11)

Attacking Spam

We will also heighten our attack on deceptive spam. It is the bane of cyberspace. Unsolicited messages from legitimate businesses may be annoying, but most businesses stop before they alienate their customers. Fraudulent spammers have no such incentive and promote shifty schemes like chain letters, pyramid schemes, and other forms of deceptive, "get-rich-quick" frauds. 

Since 1998, the FTC has maintained a special electronic mailbox to which Internet customers can forward spam.(12) This database currently receives 10,000 new pieces of spam every day. They are collected in a box-like storage device the staff calls the "refrigerator." As part of our new initiatives, we will intensify our efforts against fraudulent spams. It is time to take the spam out of the refrigerator and put the deceptive spammers on ice.

Controlling ID Theft

In 1998, Congress passed the Identity Theft and Assumption Deterrence Act to help combat the problem of identity theft.(13) That law not only gave the FTC the role of tracking identity theft complaints, and referring them to the appropriate credit bureaus and law enforcement agencies, but also charged us to provide victims assistance. To date, we have more than 100,000 complaints and inquiries in our identity theft clearinghouse.(14) As our database grows, there is much more we can do with it. We want to use the data to spot patterns that might help businesses and consumers avoid identity theft. We are also developing criminal referral packages to assist the Justice Department, the Treasury Department, the Secret Service, and local prosecutors.(15)

Although liability for the unauthorized use of credit cards may be limited,(16) fixing the problem and the potential black mark on your credit history can be a nightmare. The time, effort, and stress for victims to clear their names are often significant. To help victims, we soon will join several companies and privacy organizations in announcing a universal fraud complaint form that victims of identity theft can submit to each creditor involved. This form will substantially reduce the burden of submitting an individual form for each individual creditor. It will help victims recoup their losses and restore their legitimate credit records more quickly.

Prosecuting Pretexting

Pretexting is the practice of obtaining personal financial information by fraud. It is the kind of abusive practice that causes consumers to worry about the security of sensitive information. For a price, some so-called "information brokers" call banks and other financial institutions under the "pretext" of being a customer to obtain the customer's account numbers and balances, as well as other personal information.

Since the provisions of the Gramm-Leach-Bliley Act outlawing "pretexting" went into effect in 1999, the FTC has increased its enforcement efforts to stop the misuse of sensitive financial information.(17) We recently obtained injunctions against information brokers in three different cities using evidence obtained through a telephone sting operation.(18) We will expand our activities here to examine other practices that try to obtain personal information through misrepresentations.

Increase FCRA Enforcement

The availability of credit is one of the lifelines of our economy. Above, I discussed the significant contribution the credit reporting industry has made to credit granting. It is a remarkable system. By its very nature, however, it raises privacy issues about how credit reporting agencies and other businesses exchange sensitive consumer information. Congress recognized these concerns in 1970 when it enacted the Fair Credit Reporting Act, the nation's first major privacy protection law. (19) The FCRA is an intricate statute that strikes a fine-tuned balance between privacy and the use of consumer information. At its core, it ensures the integrity and accuracy of consumer reports and limits the disclosure of such information to entities that have "permissible purposes" to use the information.

The FCRA addresses accuracy by requiring credit bureaus to follow specific procedures such as investigating information disputed by consumers within a certain period of time.(20) Moreover, users of consumer reports must notify consumers if their reports were used to deny them loans, insurance, or jobs.(21) When such problems occur, consumers are entitled to a free copy of their report and to have any errors corrected.(22) In 1996, Congress expanded the law by extending some of the accuracy and correction provisions to those who provide information into the system.(23)

We will increase our Fair Credit Reporting Act enforcement to protect privacy and ensure that all players in the credit reporting system comply with these vital obligations.

Enforcing Privacy Policies

We will also enforce privacy promises. One of the agency's successes has been encouraging Internet sites to post privacy notices. In 1998, only 2 percent of all sites had some form of privacy notices.(24) By 2000, virtually all of the most popular sites had privacy notices.(25) Industry's significant response to consumer concerns about privacy has been impressive. From my many meetings with business community members, it is clear that industry will continue to make privacy a priority. Having encouraged commercial Web sites to post these notices, the FTC needs to ensure compliance. Privacy promises made offline should be held to the same standard.

The FTC has brought several cases challenging violations of promises made in online privacy policies such as the disclosure of information to third parties and the collection of personally identifiable information from children.(26) We will expand our review of privacy policies and make it more systematic. We will seed lists with names to ensure that restrictions on disclosures to third parties are honored. We will also work with seal programs and others to get referrals of possible privacy violations. Finally, as I will discuss shortly, we will improve our own complaint handling system to target cases more effectively.

Problems that arise in bankruptcy or reorganization are of particular concern.(27) Companies that promise confidentiality may decide to sell or transfer personal information they have collected. If confidentiality promises are to be meaningful, then they must survive when the company is sold or reorganized. We will also increase our scrutiny of information practices that involve deceptive or unfair uses of sensitive data - such as medical or financial information or data involving children.

Moreover, we will keep a close eye on claims touting the privacy or security features of various products or services. When companies deliberately market a product as one that enhances privacy or security, they are targeting consumers who not only care about these protections but are also willing to pay for them. We will ensure that sellers deliver on those promises. Further, because American companies are now competing in an international market, the FTC will give priority to complaints that U.S. companies fail to provide privacy protections they promised under the European Union Safe Harbor Principles.(28)

Enforcing The Children's Online Privacy Protection Act

None of the worries we have about privacy is greater than concern for the privacy of our children. In 1998, Congress enacted the Children's Online Privacy Protection Act (COPPA) to prevent the collection of personally identifiable information from young children without their parents' consent.(29) We are working hard to ensure compliance with this statute. This year we filed four civil penalty actions to enforce COPPA, and we have additional matters under investigation.(30)

Improving Privacy Complaint Handling

We will pursue several new initiatives not involving law enforcement that were suggested in my meetings with outside groups. One involves the FTC's sophisticated system for handling consumer complaints. Our Consumer Response Center receives over 10,000 consumer contacts a week,(31) which it maintains in a comprehensive, searchable database. We share many of our fraud complaints with other federal, state, and local law enforcement agencies. This database, containing first-hand information about the real problems consumers experience, is a tremendous resource. We need to make it more of a tool to protect privacy.

We will improve collection, use, and public reporting about the privacy complaints in the database so they are more useful in identifying and addressing privacy issues. We are refining our data collection to allow our complaint counselors and forms to identify and record privacy problems. We are hard at work on this effort, to which we have given high priority.

Consumer Workshops and Reports on Privacy Related Issues

Just as there was broad agreement among the groups I met with on the value of FTC enforcement actions, there was also broad agreement that we should continue our education, monitoring, and encouragement of industry-led efforts - through informal outreach with the seal programs, industry groups, and others, and by developing guidance and educational materials for both consumers and businesses. We will continue the agency's exploration of the privacy implications of new and emerging technologies through workshops, reports, and other public meetings.(32) Just last week, we announced that we will conduct, with the financial regulatory agencies, a workshop on Gramm-Leach-Bliley notices. Much concern has been voiced about the readability of the notices and about consumers' reactions to them. The workshop, which will be held on December 4th, will allow us to examine these issues and to focus on what government and industry can do to make notices more useful. The workshop will not only provide information to improve the G-L-B notices, but also information useful to all businesses that provide privacy notices. In the first week, more than 200 people registered for this important workshop.

Another important issue involves Internet security practices. Ensuring the security of sensitive information is fundamental to privacy, whether that information is collected online or offline. The groups with whom I met voiced general agreement about the importance of security, but there is less clarity about what the FTC can or should do. I think that the FTC can help encourage strong but workable security for personal information collection, perhaps through workshops.(33)

Finally, after many years, the Platform for Privacy Preferences ("P3P") is coming online. This cutting edge technology, one of many industry-driven initiatives, promises to give individuals much greater control over the collection of information, allowing them to specify their privacy preferences electronically and screen out sites that do not meet those preferences. This approach is much more manageable than today's site-by-site, notice-by-notice regime. We will monitor the implementation of this new technology and assess its impact.

The Need for Online Privacy Legislation

At my confirmation hearings I was asked whether, in light of these strong consumer concerns about privacy, we need broad-based online privacy legislation. My reply was, "I need to study the issue." I have learned that there are clearly good arguments for such legislation: online privacy legislation could increase consumer confidence in the Internet by establishing a clear set of rules about how personal information is collected and used. Moreover, federal legislation could help ensure consistent regulation of collection practices across the 50 states.

These are desirable goals. Nevertheless, it is too soon to conclude that we can fashion workable legislation to accomplish these goals. We need to develop better information about how such legislation would work and the costs and benefits it would generate. First, legislating broad-based, privacy protections is extraordinarily difficult. The recent experience with Gramm-Leach-Bliley privacy notices should give everyone pause about whether we know enough to implement effectively broad-based legislation based on notices. Acres of trees died to produce a blizzard of barely comprehensible privacy notices. Indeed, this is a statute that only lawyers could love - until they found out it applied to them. We can do better. For one thing, we need to examine our experience under Gramm-Leach-Bliley, as our December 4th workshop will do. We should at least digest this experience to ensure that any future privacy legislation accomplishes more than what has been described as creating a "digital mattress tag."(34)

The challenges for new legislation are daunting. You need only look at the recommendations of the FTC advisory committee on access and security to know that no consensus exists about implementing privacy principles.(35)

Moreover, the application of access and security would vary significantly by business. No one expects a department store to protect information about your shoe size with the same level of protection as a credit card number.

Second, I am concerned about limiting legislation to online practices. Whatever the potential of the Internet, most observers recognize that information collection today is more widespread offline than online. Legislation limited to online practices perhaps seemed attractive when Internet commerce was expanding almost limitlessly. Today, however, it is increasingly difficult to see why one avenue of commerce should be subject to different rules than another, simply based on the medium in which it is delivered.

Third, the slowing of the growth of the Internet emphasizes the need to understand the cost of online privacy legislation. Although there is dispute about this issue, compliance with Internet privacy legislation will have some costs, and consumers ultimately will pay for them. Although there are also benefits from online privacy legislation, we need much better data than we have about the benefit/cost tradeoff before we proceed.

Perhaps most importantly, I think there is a great deal we can do under existing laws to protect consumer privacy. That is what this privacy agenda is all about. At this time, we need more law enforcement, not more laws. Whether we ultimately need more laws requires further study. We will enforce current laws vigorously, using more of the FTC's resources. We will stop those practices that are most harmful to consumers. We will use our full arsenal of tools - cases, changes to our Telemarketing Sales Rule, workshops, and education - to pursue our strong pro-privacy agenda addressing real privacy concerns.

Conclusion

I appreciate your letting me discuss the work of the FTC. Some of you may not know I was trained in economics as well as law. George Bernard Shaw said, "If you take all the economists in the world and lay them end-to-end, they would not reach a conclusion."

I have reached a conclusion. Thank you for letting me share it with you.

Endnotes:

1. That concern has been expressed in a number of public opinion polls. See, e.g., IBM/Harris Interactive, Multi-National Consumer Privacy Survey (Oct. 1999); Lorrie Faith Cranor et al., Beyond Concern: Understanding Net Users' Attitudes About Online Privacy, AT&T Labs-Research Technical Report TR 99.4.1 (Mar. 1999); Alan F. Westin/ORC International, ChoicePoint Public Opinion Survey: Public Records and the Responsible Use of Information (2000).

2. See, e.g., Federal Trade Commission Staff Report, The FTC's First Five Years: Protecting Consumers Online (Dec. 1999).

3. See Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.

4. See, e.g., Alan F. Westin/ORC International, ChoicePoint Public Opinion Survey: Public Records and the Responsible Use of Information (2000); IBM/Harris Interactive, Multi-National Consumer Privacy Survey (Oct. 1999); Privacy Leadership Initiative/Harris Interactive, Consumer Privacy Attitudes and Behaviors Survey: Wave II (July 2001).

5. See, e.g., IBM/Harris Interactive, Multi-National Consumer Privacy Survey (Oct. 1999).

6. Nearly 30 percent of U.S. households have at least one non-listed or non-published telephone number. Survey Sampling, Inc., Unlisted Rates of the Top 100 Metropolitan Statistical Areas (Aug. 23, 2001), available athttp://www.ssisamples.com/ssi.x2o$ssi_gen.product?id=71.

7. See Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. § 6101 et seq. (including the Telemarketing Sales Rule).

8. Once informed that the consumer wants no additional calls, telemarketers are prohibited by the FTC's Telemarketing Sales Rule from calling that consumer again.

9. As with any rulemaking, I will carefully consider the record developed during the proceeding before making a final decision on the merits.

10. Section 310.4(c) of the Telemarketing Sales Rule restricts calling times to the hours of 8:00 A.M. to 9:00 P.M. local time at the called person's location unless prior consent has been granted. Section 310.4(a) and (b) addresses abusive telemarketing acts or practices generally, including harassing patterns of calls. Section 310.4(d) requires the telemarketer to make oral disclosures of the identity of the seller and purpose of the calls promptly and in a clear and conspicuous manner.

11. As noted earlier, I will carefully consider the record developed during the rulemaking proceeding before making a final decision on the merits.

12. uce@ftc.gov

13. See Identity Theft and Assumption Deterrence Act of 1998, 18 U.S.C. § 1028. This Act makes the FTC a central clearinghouse for identity theft complaints. Under the Act, the FTC is required to log and acknowledge such complaints, provide victims with relevant information, and refer their complaints to appropriate entities (e.g., the major national consumer reporting agencies and other law enforcement agencies).

14. Our general toll-free number (1-877-FTC-HELP) for consumer complaints receives about 10,000 calls each month, including many ID theft calls. We also get complaints from the Social Security Administration, which shares its complaint data with our clearinghouse.

15. The FTC itself cannot bring criminal prosecutions.

16. Section 133 of the Truth in Lending Act limits a cardholder's liability for unauthorized use of his or her credit card. 15 U.S.C. § 1643.

17. See Subtitle B of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6821-27. The statute provides for civil remedies to be enforced by the FTC, and for criminal penalties enforced by the Department of Justice in cases where the pretexter knowingly or intentionally violated or attempted to violate the law. Id. §§ 6822-23. The statute contains certain exceptions, including for state-licensed private investigators to the extent their activities were (1) "reasonably necessary to collect child support from a person adjudged to be delinquent ... by a Federal or State court," and (2) were authorized by court order. Id. § 6821(c)-(g).

18. FTC v. Information Search, Inc. and David Kacala, No. AMD-01-1121 (D. Md. preliminary injunction entered May 4, 2001); FTC v. Victor L. Guzzetta d/b/a Smart Data Systems, No. CV-01-2335 (E.D.N.Y. preliminary injunction entered Apr. 19, 2001); FTC v. Paula L. Garrett d/b/a Discreet Data Systems, No. H 01-1225 (S.D. Tex. preliminary injunction entered May 1, 2001).

19. See Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.

20. Id. § 611 (15 U.S.C. §  1681i).

21. Id. § 615(a) (15 U.S.C. §  1681m).

22. Id. § 612(b) (15 U.S.C. §  1681j(b)).

23. Consumer Credit Reporting Reform Act of 1996 (Public Law 104-208, Omnibus Consolidated Appropriations Act for Fiscal Year 1997; Title II, Subtitle D, Chapter 1).

24. Federal Trade Commission, Privacy Online: A Report to Congress (June 1998).

25. In two years, notices went from 2 percent to 62 percent. In 2000, virtually all of the top 100 sites had notices. Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress (May 2000).

26. FTC v. Toysmart.com, No. 00-11341-RGS (D. Mass. filed July 10, 2000) (alleging that company misrepresented that personal information collected from consumers on company Web site would never be shared with third parties); Liberty Financial Companies, Inc., FTC Dkt. No. C-3891 (consent order entered on Aug. 12, 1999) (settling charges that Web site allegedly misrepresented that children's personal information collected in online survey would be maintained anonymously); GeoCities, FTC Dkt. No. C-3849 (consent order entered on Feb. 12, 1999) (settling charges that Web site misrepresented the purposes for which it was collecting personal identifying information from children and adults).

27. FTC v. Toysmart.com, No. 00-11341-RGS (D. Mass. filed July 10, 2000).

28. The FTC can challenge as unfair or deceptive misrepresentations that a company complies with the European Union Privacy Safe Harbor Principles. See http://www.export.gov/safeharor/sh_documents.html.

29. See Children's Online Privacy Protection Act of 1998, 15 U.S.C. § 6501 et seq.

30. United States v. Looksmart, Ltd., No. 01-606-A (E.D. Va.) (consent decree for $35,000 civil penalty entered on Apr. 23, 2001) (settling charges that collection of personally identifiable information from children under 13 years of age without parental consent and sharing that information with others without parental consent violated the Children's Online Privacy Protection Act Rule); United States v. BigMailbox.com, Inc., No. 01-605-A (E.D. Va.) (consent decree for $35,000 civil penalty entered on Apr. 23, 2001) (same); United States v. Monarch Servs., Inc., No. AMD 01 CV 1165 (D. Md.) (consent decree entered on Apr. 20, 2001) (same). United States v. Lisa Frank, Inc., No. 01-1516-A (E.D. Va. filed Oct. 1, 2001) ($30,000 civil penalty).

31. Sixty percent of these are consumer complaints. Other calls are inquiries or requests for information.

32. The Federal Trade Commission hosted a public workshop on March 13, 2001 that explored how businesses merge and exchange detailed consumer information and how such information is used commercially. In December 2000, the Federal Trade Commission hosted a two-day public workshop to examine emerging wireless Internet and data technologies and the privacy, security, and consumer protection issues they raise.

33. On August 7, 2001, the Commission published for comment a proposed rule under the Gramm-Leach-Bliley Act, Standards for Insuring the Security, Confidentiality, Integrity and Protection of Customer Records and Information. See 66 Fed. Reg. 41162 (Aug. 7, 2001). As proposed, the rule would require firms to have an information security program appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of the customer information at issue. It would also require financial institutions to implement certain basic elements, such as employee training.

34. See, e.g., Kent Walker, "Where Everybody Knows Your Name: A Pragmatic Look at the Costs of Privacy and the Benefits of Information Exchange," 2000 Stan. Tech. L. Rev. 2, ¶141 (2000), at http://stlr.stanford.edu/stlr.articles./00_stlr_2.

35. Final Report of Federal Trade Commission Advisory Committee on Online Access and Security, published as Appendix D of Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress (May 2000).