Introduction
The United States has been a leader in developing new technologies to support the Internet infrastructure and electronic commerce. As electronic commerce becomes more global, however, there are concerns about how new business models and new technologies might compromise the privacy interests of individual consumers. Some consumer advocates have argued that U.S. consumers need more commercial privacy regulation and have endorsed imposing a privacy regulatory regime on the Internet. Others state that the current legal regime is sufficient to protect consumers' privacy interests in today's evolving economy.
This paper provides an overview of the United States' approach to privacy law and enforcement. First, it discusses public concerns about privacy that accompanied the evolution of the Internet. Second, it examines existing U.S. laws that address privacy in various forums. Third, it considers the United States' approach, and the role of the Federal Trade Commission (FTC or Commission) more specifically, toward enforcing existing laws to address privacy concerns. Finally, I offer my views on the privacy regulation debate.
Background
The issue of privacy has been a focus of debate for years, well before general public use of the Internet. In the United States, for example, concerns arose in the 1960s and 1970s about the government's use of citizens' personal records. The response to these concerns was the passage of legislation that would oversee information management practices at the government (public sector) level. More specifically, the Freedom of Information Act (FOIA) and the Privacy Act of 1974 prescribe the manner in which government agencies may collect, manage, and disclose individual records.(2) The Privacy Act of 1974, in particular, mandates that agencies shall collect and store information only about subjects that are appropriate to their mission or task. Government agencies must also maintain the accuracy of their records and take appropriate safeguards to ensure the security of their information.
In the late 1970s and 1980s, privacy also was the focus of international discussion, as demonstrated by the promulgation of the 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data by the Organization for Economic Cooperation and Development (OECD).(3) The Guidelines attempt to establish best practices for the handling of personal information. They propose limits on what information may be collected and the manner in which it may be collected, and state the necessity for transparency in the data-collecting and management process. Furthermore, the Guidelines suggest that consumers have a right to access the information that is collected about them, and that adequate security measures should be incorporated to ensure the integrity of the relevant database. In their broadest form, the Guidelines encompass what have become known as the Fair Information Practice Principles: Notice, Choice, Access, and Security. Since their inception, several nations have adopted the Guidelines as a model for their own commercial privacy laws, policies, and practices.
As Internet use increased in the 1990s, so too did concerns regarding privacy. The Internet differs from conventional retail channels because of the manner and ease of information collection. The use of "cookies," for example, can make passive data collection very easy for firms. A business could monitor what webpages potential shoppers visit on its website and, when combined with certain information, could effectively uncover their preferences regarding various goods and services. Although proactive business persons in the bricks-and-mortar world could engage in similar data collection by following customers around their stores, on the Internet such activities are less obvious, less costly, and more feasible on a wide scale.(4)
The use of clickstream traffic data and of other technological innovations also raises privacy concerns. Retailers argue that using clickstream data in a responsible way allows firms to provide advertisements or promotional offers that match consumers' interests and to attract more consumers to their sites. At the same time, several privacy advocates state that retailers do not obtain consent to collect these data and that the practice is needlessly invasive.(5) In the starkest terms, some parties expressed fears that corporations could amass huge troves of personally-identifiable information that could be used to charge different, personalized prices among consumers or, worse yet, to discriminate against consumers in their offer of goods and services and to inevitably compromise their civil rights.(6)
A wide array of public opinion polls conducted over the past several years reflects consumer concerns about online information collection, the use of cookies and online privacy in general.(7) For example, an August 1997 Money Magazine poll reported that 88% of the public favored a privacy bill of rights that would require companies to tell consumers exactly what kind of information is collected and how it is used. Similarly, a 1997 survey conducted by the Georgia Institute of Technology's Graphic, Visualization, and Usability Center found that 72% of respondents felt that new laws were necessary to protect privacy online. These concerns remained prominent over time, as a Forrester Research survey published in September 1999 found that 67% of respondents were either "extremely concerned" or "very concerned" about releasing personal information online.(8)
Given the ease of online information collection and resulting consumer concerns, privacy advocates state that new legislation mandating certain information management practices for the Internet is essential. Others oppose new legislation, arguing that the United States already has numerous laws that can address consumers' privacy concerns effectively without detracting from the benefits of information sharing.
Existing U.S. Federal Laws Concerning Information Practices and Privacy
A number of U.S. laws address various information practices and the privacy of consumers' personally identifiable information, in both the online and the offline worlds. These laws provide a solid legal framework through which agencies, such as the Federal Trade Commission, take enforcement actions to ensure that companies accurately represent their information management practices and that consumers' personal information is not misused.(9) The following list generally describes some of the statutes that pertain to privacy in the United States.(10)
The Federal Trade Commission Act
The Federal Trade Commission Act, 15 U.S.C. § 41, et seq., empowers the FTC to prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce. Pursuant to this mandate, the FTC can take action against companies that fail to comply with their own privacy policies or otherwise misrepresent their information management practices. The FTC also can address unfair misuse of personal information where the practice (a) inflicts substantial harm on consumers that they cannot reasonably avoid and (b) does not offer offsetting benefits to consumers or competition. 15 U.S.C. § 45(n).
Title V of the Gramm-Leach-Bliley Act (GLBA)
Section A of Title V of the GLBA, 15 U.S.C. § 6801, et seq., enacted in 1999, contains privacy provisions relating to consumers' personal financial information.(11) These provisions restrict when financial institutions may disclose a consumer's personal financial information to nonaffiliated third parties. Financial institutions are required to provide notices to their customers about their information-collection and information-sharing practices. Financial institutions also must provide consumers with an opportunity to "opt-out," i.e., to stop the financial institution from sharing information with nonaffiliated third parties.(12) The GLBA also prohibits financial institutions from disclosing consumers' account numbers to nonaffiliated third parties for use in marketing (unless the disclosure falls within certain specific exceptions). In addition, the Act prohibits any person from using false pretenses to obtain customer information from either the financial institution or the consumer -- an abusive practice referred to as "pretexting."
The Children's Online Privacy Protection Act (COPPA)
The COPPA, 15 U.S.C. § 6501, et seq., was enacted in 1998 to protect the personal information of children under the age of 13 that is collected online.(13) The Act applies to operators of commercial websites if the site is directed to children under the age of 13 or if the operators knowingly collect information from children under the age of 13. The Act prohibits website operators from collecting, using, or disclosing a child's personally identifiable information without first providing notice to the parent and obtaining verifiable parental consent. Upon request, website operators must provide parents with access to specific personal information collected from their children and an opportunity to prevent the further use of that personal information or the future collection of information from their children.
Identity Theft and Assumption Deterrence Act of 1998 (Identity Theft Act)
The Identity Theft Act, 18 U.S.C. § 1028, 1028(a)(7) made it a federal crime to knowingly transfer or use, "without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law." Federal law enforcement agencies, including the U.S. Secret Service, FBI, U.S. Postal Inspection Service, and Social Security Administration's Inspector General, investigate violations of the Act. The U.S. Department of Justice prosecutes federal identity theft cases.
The Act directed the FTC to establish the federal government's primary database to collect consumer/victim reports on identity theft.(14)The FTC collects victim complaints and refers them to the appropriate law enforcement agencies for further action. The FTC also provides information to victims to assist them in resolving financial and other problems that result from this crime. In addition, the FTC develops and disseminates consumer education materials for victims of identity theft and those concerned with preventing this crime.(15)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The HIPAA, 42 U.S.C. § 1320d, et seq., and regulations issued by the Department of Health and Human Services (HHS) create standards to protect the privacy of individuals' personal health information.(16) The regulations apply to health plans, health care clearinghouses, and health care providers who transmit health information in electronic transactions. With certain exceptions, covered entities are required to provide notice to individuals of all uses and disclosures of personally identifiable health information, obtain consent before using or disclosing that information, and provide individuals with access to the health information that has been collected about them.
The Cable Communications Policy Act of 1984
The Cable Communications Policy Act of 1984, 47 U.S.C. § 551, restricts the collection, maintenance, and dissemination of subscriber information. More specifically, the Act restricts cable operators from using the system to collect personally identifiable information from consumers without prior notice and consent, which must be granted either electronically or in a written format. The Act also prohibits disclosure of personally identifiable information to third parties without consent (except for government requests pursuant to court order, or disclosures necessary for the fulfillment of cable services). Cable subscribers retain the right to inspect and correct errors in the database.
The Fair Credit Reporting Act (FCRA)
The FCRA, 15 U.S.C. § 1681, et seq., first enacted in 1970 and most recently amended in 1996, is designed to promote the accuracy and ensure the privacy of the sensitive financial information contained in consumer credit reports. The FCRA applies to credit reporting agencies, as well as furnishers and users of credit data. The Act allows credit bureaus to disclose consumer credit reports only to entities that have permissible purposes. The FCRA also provides consumers with the ability to access and correct information in their credit reports. In addition, consumers may opt-out of receiving prescreened offers (i.e., firm, pre-approved offers of credit that are made based on information contained in their consumer reports).
The Federal Videotape Privacy Protection Act
The Federal Videotape Privacy Protection Act, 18 U.S.C. § 2710, enacted in 1988, addresses information about consumers= videotape purchases and rentals. The Act requires companies that sell or rent videotapes to obtain written consent from consumers to disclose the consumers' personally-identifiable information (i.e., information that identifies the consumer as having requested or obtained specific video material or services). Companies may disclose lists of consumer names and addresses only if they first give consumers an opportunity to opt-out of such information disclosure.
Federal Trade Commission Approach to Enforcement and Privacy Issues
The FTC has taken the primary role in enforcing privacy laws, including the FTC Act, COPPA, FCRA and GLBA (for certain financial institutions).(17) The Commission also has been intensely involved in the Internet privacy debate. Over the past several years, the FTC has worked with various parties to examine and learn about privacy issues and has made recommendations to Congress about new legislation.
In an effort to contribute to the general state of knowledge about privacy on the Internet, the Federal Trade Commission conducted or commissioned annual privacy surveys in 1998, 1999, and 2000.(18) The goal of these surveys was to identify what kinds of privacy practices were employed by online firms. More specifically, the surveys were aimed at assessing, first, whether a commercial website had a privacy policy and, second, what kinds of provisions the policy included. For example, did a user have a choice about how his or her information was used? Could consumers have access to their personal information? Did the website discuss the security processes that are employed?
The results of these studies varied greatly from the first study to the last, showing an improvement in firms' privacy practices over time. In 1998, for example, only 14% of all websites in the FTC's "comprehensive sample" (674 sites) disclosed anything about their information practices, while 71% of the most popular sites provided disclosures.(19) The results of the 2000 survey indicated a dramatic improvement, with 88% of sites that were randomly sampled, and 100% of the most popular sites, posting at least one privacy disclosure. With respect to the provisions of notice and choice, 41% of the random sample and 60% of the most popular sites provided these elements to consumers on their websites - a stark contrast with the 1998 results, when only approximately 5% of the random sample and 41% of the most popular sites had similar provisions.
In addition to conducting these surveys, the FTC held workshops and hearings to examine various privacy issues and regulations.(20)For example, the FTC established an Advisory Committee on Online Access and Security, which held a series of hearings in 2000. Drawing together privacy advocates, industry representatives, and academics, the Advisory Committee examined the costs and benefits associated with providing consumers access to their personally identifiable information and maintaining security of the relevant databases, as well as the tools that could be used to accomplish these goals. The Committee found that it was very difficult to quantify the costs and benefits associated with providing access to consumers, and the Committee was unable to make a strong recommendation on how such access and security should be provided.(21) Similar to many issues in the privacy debate, the question of how to practically implement the abstract concept of "access" proved very difficult to answer. Because the technology changes so quickly, it is difficult to identify a solution that might not be too restrictive or rapidly outmoded.
The Commission's position on the need for new privacy legislation has varied as the agency has learned more about how companies use the Internet and their self-regulatory efforts,(22) and has obtained expertise with the practical problems posed by the implementation of privacy legislation, such as the GLBA. Beginning with the 1998 and 1999 surveys, the FTC, with some disagreement among Commissioners, recommended to the United States Congress that there was no need for new legislation that would impose privacy regulations on the Internet.(23) Use of the Internet for marketing and attempts to address online privacy concerns were still in their infancy, and the Commission believed that the private sector would continue on its own toward better privacy practices than what federal regulation might require. More specifically, it seemed inappropriate in these formative years to prescribe regulations that would impose nontrivial costs without also achieving clear benefits.
The FTC's position changed in 2000, however, when a divided Commission formally recommended that the Congress enact laws to codify the Fair Information Practice Principles.(24) The FTC asked Congress to require that all consumer-oriented commercial websites provide notice, choice, access, and security to their customers. This was a dramatic change in the agency's position. Three of the five FTC Commissioners thought that industry had made insufficient progress toward developing genuine, pragmatic privacy protections for consumers.
Although the Commission's position officially changed, two Commissioners (including me) dissented.(25) I expressed concerns that the conclusions reached in the report were not supported by the results from the FTC online privacy surveys. Furthermore, despite recommending new laws, the report made no effort to account for the relative costs and benefits associated with such legislation. I feared that the broad regulatory agenda proposed in the FTC's 2000 report could have detrimental effects on online commerce. Instead, I have advocated self-regulation with a government enforcement backstop. I believe that government, industry, and consumer advocates can work together to find mutually beneficial solutions to the privacy issues and practices causing consumers harm. In addition, I fully encourage increased consumer education and self-empowerment through the use of privacy-enhancing technologies.
Despite the Commission majority's recommendation in 2000, no new laws were enacted. With the appointment of Timothy Muris as Chairman of the FTC in 2001, the Commission took a new, pragmatic direction in the privacy debate. After spending months consulting with businesses, consumer groups and academics, Chairman Muris articulated his view that existing laws concerning individual privacy should be effectively enforced to protect consumers from the real harms caused by invasions of privacy. (26) He believed that these efforts would produce greater benefits than what might theoretically follow from new privacy legislation. To that end, Chairman Muris proposed pursuing numerous enforcement and education initiatives, as well as a 50% increase in Commission resources devoted to privacy protection.(27)
Pursuant to the Chairman's privacy agenda, the Commission will monitor companies' privacy promises and practices, in order to ensure that they remain true to their word. Chairman Muris also planned increased enforcement of the COPPA, GLBA, and FCRA. In addition, he stated that the Commission's privacy agenda would not be restricted in focus to online information practices, since privacy practices and abuses offline have the same potential to cause harm. Therefore, the FTC will target practices such as pretexting and will increase law enforcement coordination, education, and victim assistance to deter identity theft. The new agenda also addresses unsolicited commercial e-mail (spam) and telephone solicitations, practices that at many levels rely on the exchange of personal information, often contrary to the wishes of consumers.(28) For example, the Commission has proposed amending the Telemarketing Sales Rule to create a national, one stop "do-not-call" list that consumers could use if they wished to remove themselves from telemarketers' call lists.(29)
On the education front, the Commission will encourage consumers to file their privacy complaints with the Commission by using a specially designed complaint form at our website, www.ftc.gov. This will keep the agency alert and responsive to problems in the privacy realm. In addition, the Commission will continue to hold workshops on privacy-related matters to raise general awareness about privacy tools, practices, and problems faced by consumers and businesses.(30)
The Commission has been implementing the Chairman's agenda, and our efforts have received significant attention from consumers and the business community. For example, the Commission received over 40,000 comments from individuals and entities in response to its proposed national do-not-call list and other proposed changes to the Telemarketing Sales Rule. In addition, in any given week, the FTC receives approximately 3,000 calls from consumers who seek information about identity theft or complain about that practice. With respect to spam, the FTC receives more than 42,000 items of unsolicited commercial e-mail from consumers each day. The FTC uses this database to target entities that send fraudulent, unsolicited e-mail.
Despite the positive aspects of the FTC's new privacy agenda, many legislators at the state and federal levels still believe that there is a need for new privacy legislation. As of June 2002, more than 100 bills dealing with privacy were under consideration in the United States Congress. Two of these bills proposed comprehensive privacy regulation for all commercial Internet sites. Several state legislatures also have been considering various forms of privacy legislation, which could create a patchwork of laws across the states unless a uniform enforcement regime is maintained at the federal level.
Enforcement Actions
The FTC has used its authority under the FTC Act to take action against companies that have misrepresented their information management, security, and privacy practices. Under the FTC Act, the Commission can issue administrative cease and desist orders barring deceptive or unfair practices. If a respondent violates an administrative order, it can be held liable for a civil penalty of up to $11,000 for each violation, as well as such other equitable relief as is deemed appropriate. In appropriate cases, the FTC also can obtain preliminary and permanent injunctive relief from a federal court, barring deceptive or unfair practices and imposing equitable monetary relief (i.e., restitution and recision of contracts) to remedy past violations. The FTC also enforces other statutes, such as the COPPA and GLBA, and may seek injunctions and civil penalties for violations of those Acts (or their implementing regulations). Since 1999, the FTC has brought more than 30 cases involving the FTC Act and other privacy-related statutes. The following are just a few examples of these cases.
GeoCities, Inc.
The FTC brought its first case involving Internet privacy issues against GeoCities in 1998.(31) GeoCities was a popular website that collected personally identifying information from consumers who became members of the site.(32) GeoCities' privacy policy stated that this information would be used only to provide members with advertisements and offers that they requested, and that certain information would not be released to anyone without the consumer's permission. Contrary to its stated policy, GeoCities permitted the information to be used for purposes such as target marketing by third parties. The FTC therefore alleged that GeoCities misrepresented the purposes for which it collected personal information from its customers, in violation of Section 5 of the FTC Act. The FTC also alleged that GeoCities misrepresented that it alone collected and maintained personal information from children. In fact, a third party actually collected and maintained that information.
GeoCities settled the charges by agreeing to post a clear and prominent Privacy Notice on its website that describes what information is being collected and for what purpose, to whom it will be disclosed, and how consumers can access and remove the information. The settlement also prohibits GeoCities from, among other things, misrepresenting the purpose for which it collects or uses personal information from or about consumers. GeoCities also was required to obtain parental consent before collecting information from children 12 or younger, and to delete any such information already collected unless it obtained affirmative parental consent to retain it.
Toysmart.com
The FTC's 2000 case against Toysmart.com (Toysmart) also involved a misrepresentation of information management practices.(33)The company had posted a privacy policy stating that it would never share its customers' personal information with third parties. When faced with severe financial difficulties, however, Toysmart solicited bids for its customer lists that included or reflected the personal information of its customers. The company's creditors filed a petition to place Toysmart into involuntary bankruptcy, and the customer information was considered an asset of the bankruptcy estate. The FTC filed a lawsuit to prevent the sale of the customer information and alleged that Toysmart had misrepresented its privacy policy. The FTC also alleged that Toysmart violated the COPPA by collecting names, e-mail addresses, and ages of children under 13 without notifying parents or obtaining parental consent.
Toysmart agreed to settle the case, and the settlement forbids the sale of the customer information except under very limited circumstances. Specifically, the settlement mandates the terms under which the consumer information could be sold as part of Toysmart's bankruptcy estate. The consumer information could be sold only to a qualified buyer that (a) was in a market related to Toysmart's market and (b) would abide by the terms of Toysmart's privacy statement. If the buyer sought to change that privacy policy, it would be required to obtain consumers' affirmative consent to the new uses. The negotiated settlement required Toysmart to immediately delete or destroy all information collected in violation of the COPPA.(34)
Eli Lilly and Company
In 2002, the FTC settled a case with Eli Lilly concerning a security breach.(35) Lilly is a pharmaceutical company that manufactures, markets and sells several drugs, including the antidepressant medication Prozac. Lilly operated the website www.prozac.com, which offered an e-mail reminder service. Consumers who registered for the service could receive personal e-mail messages to remind them to take or refill their Prozac medication. On June 27, 2001, a Lilly employee created a new computer program to send subscribers an e-mail message announcing the termination of the service. That e-mail included all of the recipients' e-mail addresses within the "To:" line of the message, thereby unintentionally disclosing to each individual subscriber the e-mail addresses of the 669 other subscribers.
According to the FTC complaint, Lilly claimed that it took appropriate measures to maintain and protect the privacy and confidentiality of personal information obtained from consumers on its websites. The FTC's complaint alleged that this claim was deceptive because Lilly failed to maintain or implement internal measures appropriate under the circumstances to protect sensitive consumer information, which led to the company's unintentional disclosure of subscribers' personal information.(36) Lilly agreed to settle these charges.
The settlement prohibits Lilly from misrepresenting the extent to which it maintains and protects the privacy and confidentiality of its consumers' information. In addition, the settlement requires Lilly to establish a security program to protect consumers' personal information against any reasonably anticipated threats or hazards to its security, confidentiality, or integrity.
Microsoft, Inc.
In August 2002, Microsoft agreed to settle FTC charges concerning the privacy and security of information collected through its Passport websites.(37) Microsoft's Passport privacy policies claimed, among other things, that "Passport achieves a high level of Web Security by using technologies and systems designed to prevent unauthorized access to your personal information." The FTC's proposed complaint alleges that Microsoft misrepresented that it maintained a high level of online security by employing reasonable and appropriate measures under the circumstances to maintain and protect the privacy and confidentiality of consumers' personal information collected through its Passport and Passport Wallet services.(38)
The complaint also alleges that Microsoft misrepresented that purchases made with Passport Wallet are generally safer or more secure than purchases made at the same site without Passport Wallet, even though most consumers received identical security at those sites regardless of whether they used Passport Wallet to complete their transactions. In addition, the proposed complaint alleges that Microsoft misrepresented that it did not collect any personally identifiable information other than that described in its privacy policy, even though Passport collected and held, for a limited time, a personally identifiable sign-in history for each user. Finally, the complaint alleges that Microsoft misrepresented that its Kids Passport service provided parents with control over the information their children could provide to participating websites when children were in fact permitted to edit or change certain fields of personal information and change account settings set by the parent.
The proposed consent order prohibits Microsoft from making any misrepresentations about its information practices or the extent to which its products or services maintain, protect, or enhance the privacy and confidentiality of consumers' information. The order also requires Microsoft to implement and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. In addition, every two years Microsoft must have its security program certified by an independent professional as meeting or exceeding the standards in the consent order.(39)
These cases provide a glimpse of some of the actions the FTC has taken to ensure that companies do not misrepresent their information management practices and that consumers' personal information is not misused. Appropriate enforcement of existing laws can genuinely help protect consumer interests. Consistent with Chairman Muris's agenda, the Commission's enforcement activities in the privacy area will continue to be aggressive.
My Views on the Privacy Debate
Privacy is a concern that touches both the online and the offline commercial worlds. Certainly, technological advances and the ease of collecting and storing information online give legitimate cause for concern if used improperly. However, it is important to remember that the majority of personal information is collected and stored offline, rather than online, and that despite its rapid growth, e-commerce still constitutes (by current estimates) only slightly more than 1% of U.S. retail sales.
Nevertheless, consumer concerns about online privacy - whether real or perceived, emotion-driven or not - must be addressed. Otherwise, consumer confidence in the Internet and e-commerce may diminish. Complacency on the issue of online privacy will surely lead to lost opportunity. Nevertheless, solutions that will adequately assuage all privacy concerns are likely to be slow to develop, complicated, difficult in terms of effectiveness, and potentially costly.
I believe that the best means of protecting consumer privacy without unduly burdening e-commerce is through a combination of industry self-regulation and aggressive enforcement. This approach is flexible enough to respond rapidly to technological change and to the tremendous insights that we are gaining from the ongoing dialogue among government, industry, and consumers on privacy issues.
As public awareness of privacy issues has grown, market forces have definitely come into play. A recent Progress and Freedom Foundation study indicates that the most frequently visited websites have clearly recognized that information management policies and privacy practices are necessary parts of everyday business on the Internet.(40) Consumers expect privacy protection and firms realize that it is to their competitive advantage to respond to consumer expectations. In addition, recent years' progress in the development of privacy protection tools is encouraging. The development of "built-in" privacy protections for information technologies is still being explored. Firms are making significant investments in time, ingenuity, resources, and money to best solve and minimize privacy concerns.
Industry is not responding to consumer concerns in a vacuum. The FTC has been actively involved in the privacy debate and has been working with industry members, consumer groups, and others to address privacy concerns. In addition, the FTC and other agencies are enforcing existing laws and regulations to protect consumers' privacy. This will bring about increased compliance with privacy policies and increased attention to privacy issues on the part of corporate leadership. Working together, we will find solutions to meet consumer concerns.
I do not believe that these solutions will be reached simply through the passage of legislation regulating online privacy practices. I believe legislation should be reserved for problems that the market cannot fix on its own, and, as discussed above, the market already is responding to consumers' concerns and demands about privacy. In addition, legislation should not be adopted without consideration of the costs it may impose. Legislation could have unintended consequences that might stifle e-commerce or unduly restrict the free flow of information that provides numerous benefits to consumers. There also is no guarantee that the legislative solution would be effective, especially as technology changes. In the fast-moving world of information technology, it is very unlikely that the government can keep up, regardless of good intentions.
Comprehensive government regulation also will likely have the effect of redirecting industry efforts and resources to a "compliance mode." Investment, creativity, and ingenuity will take a back seat to a "government solution." The application of creative thinking, rapidly changing technology, profit-motivated investment, and good leadership to these evolving privacy issues would likely give way to the relatively static approach of doing what the government decides is best. In the long run, any system of privacy protection is likely to suffer from such a change in approach. We must and can do better than this.
Endnotes:
1. I acknowledge the assistance of Alan Wiseman in preparing this paper. The views expressed within this paper are solely my own and do not necessarily reflect the views of the FTC or any other individual Commissioner.
2. FOIA, 5 U.S.C. § 552; Privacy Act of 1974, 5 U.S.C. § 552a.
3. OECD Doc. (C. 58 final) (Oct. 1, 1980).
4. Of course, as noted in a recent article by Ariana Eunjung Cha (The Hovering Salesclerk Is Replaced by a Computer, The Washington Post, June 16, 2002 at A01), recent developments in "gaze-tracking" technologies make it much easier to monitor potential shoppers' habits and tastes at bricks-and-mortar stores.
5. In July 2000, the FTC endorsed the Network Advertising Initiative=s (NAI) Self-Regulatory Principles Governing Online Preference Marketing, which were aimed at addressing some of the above privacy concerns. See /opa/2000/07/onlineprofiling.htm. The U.S. Department of Commerce also endorsed NAI's Self-Regulatory Principles and encouraged online companies to use privacy policies and develop privacy codes of conduct.
6. Privacy advocates testified about these concerns at the public workshop on "On-Line Profiling" that was co-sponsored by the FTC and the U.S. Department of Commerce on November 8, 1999. See /bcp/profiling/index.htm. Because of self-regulatory efforts such as NAI's (see footnote 5), some of these fears have not been realized.
7. Information about various public opinion polls that address privacy can be found at http://www.epic.org/privacy/survey.
8. While these results might indicate that privacy is a central concern among the American public, it is important to remember that many expressions of public opinion are highly responsive to rapid changes in one's environment. For example, in the weeks following the tragedy of September 11, 2001, a Wall Street Journal/NBC News poll found that 78% of Americans surveyed would support surveillance of Internet communications if it would contribute to greater security. More recently, in light of possible threats about detonation of a "dirty bomb" in Washington, D.C., a June 2002 poll found that 79% of Americans surveyed believed that it was more important for the Federal Bureau of Investigation (FBI) to investigate possible threats than to avoid privacy intrusions.
Moreover, public opinion surveys may not predict consumers' actual behavior. As I noted in my dissent from the Commission's privacy report in 2000, "[t]he growth of online commerce despite growing consumer awareness and concern about online privacy suggests that many consumers do not act upon their fears or that they have generalized fears that are overcome by the provision of additional information by the sites with which they choose to do business." Dissenting Statement of Commissioner Orson Swindle, Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress at 16 (May 2000),/reports/privacy2000/swindledissent.pdf.
9. The federal agencies responsible for enforcing privacy laws vary depending on the particular law and industry. For example, in addition to the FTC, several agencies that regulate the financial sector - including the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Securities and Exchange Commission - enforce the privacy provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801. In addition, at the state level, most State Attorneys General enforce "baby FTC Acts" that are patterned after the federal statute and similarly prohibit deceptive or misleading representations.
10. This summary provides only a broad overview of each law, and it is important to review the referenced statutes for complete information about the laws' scope and application. In addition, other statutes that address privacy issues or regulate the use of personal data are not included in this summary. See, e.g., Family Educational Rights and Privacy Act, 20 U.S.C. ' 1232g (regulating educational institutions' informational records); Drivers Privacy Protection Act, 47 U.S.C. ' 2721, et seq. (regulating the disclosure of personal information contained in records maintained by a state's Department of Motor Vehicles). In addition to pertinent federal laws, states have and enforce their own privacy laws, including state constitutional provisions, statutes, and common law torts.
11. Each of the federal banking agencies and federal functional regulators listed above in footnote 9, is required to issue regulations that implement the GLBA. See, e.g., FTC's Privacy of Consumer Financial Information Rule, 16 C.F.R. Part 313, adopted May 24, 2000; FTC's Safeguards Rule, 16 C.F.R. Part 314, adopted May 20, 2002; see also Trans Union LLC v. FTC, No. 01-5202, 2002 U.S. App. LEXIS 14321 (D.C. Cir. July 16, 2002) (upholding the GLBA privacy regulations of the FTC and other federal agencies against challenges by Trans Union).
12. The GLBA provides specific, limited exceptions under which a financial institution may share customer information with a third party and the consumer may not opt-out.
13. The FTC's Children's Online Privacy Protection Rule, 16 C.F.R. Part 312, adopted Nov. 3, 1999, implements COPPA.
14. More information about the FTC's Identity Theft Clearinghouse can be found at www.consumer.gov/idtheft.
15. See, e.g., Identity Theft: When Bad Things Happen to Your Good Name; Robo de Identidad: Algo malo puede pasarle a su buen nombre (Feb. 2002).
16. HIPAA implementing regulations are found at 45 C.F.R. Parts 160 and 164 (issued in 2000 and recently adopted with modifications, see 67 Fed. Reg. 53181 (Aug. 14, 2002)).
17. The FTC also serves as the primary government enforcement backstop for the U.S.-EU Safe Harbor Framework, pursuant to its enforcement authority under the FTC Act. The Safe Harbor Framework facilitates the free flow of data from the European Union (EU) to entities in the U.S. that certify to the U.S. Department of Commerce that they follow "Safe Harbor Principles" with regard to flows of personally identifying information from the EU.
18. In 1999, Professor Mary Culnan provided the FTC with the Georgetown Internet Privacy Policy Survey, Privacy Online in 1999: A Report to the Federal Trade Commission (June 1999).
19. The "comprehensive sample" was drawn from a broader sample of more than 1400 websites.
20. The FTC's public workshops involving privacy and/or security include the "Workshop on Consumer Privacy on the Global Information Infrastructure" (6/4/96); a public workshop on "Consumer Privacy Issues" (3/4/97); a "Consumer Information Privacy Workshop" (6/10/97); the "Children's Online Privacy Protection Rule Public Workshop" (7/20/99); a public workshop on "Online Profiling" (11/8/99); a public workshop on the "Mobile Wireless Web, Data Services and Beyond: Emerging Technologies and Consumer Issues" (12/11-12/00); a public workshop on "The Information Marketplace: Merging and Exchanging Consumer Data" (3/13/01); an interagency public workshop on "Get Noticed: Effective Financial Privacy Notices" (12/4/01); and a public workshop on "Consumer Information Security" (5/20-21/01). Information about these workshops can be found at /privacy/reports.htm.
21. Final Report of the Federal Trade Commission Advisory Committee on Online Access and Security (May 15, 2000),/acoas/papers/finalreport.htm.
22. Some of the most prominent self-regulatory initiatives undertaken by industry are the third-party certification "seal programs" such as those of TRUSTe and BBBOnline. A company that displays either of these seals guarantees to post a privacy policy on its website and to manage its customers' information in accordance with its posted policy.
23. Federal Trade Commission, Online Privacy: A Report to Congress (June 1998), /reports/privacy3/index.htm ; Federal Trade Commission, Self-Regulation and Privacy Online: A Federal Trade Commission Report to Congress (July 1999),/os/1999/9907/privacy99.pdf.
24. Federal Trade Commission, Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress (May 2000), /reports/privacy2000/privacy2000.pdf.
25. See Dissenting Statement of Commissioner Orson Swindle, Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress (May 2000), /reports/ privacy2000/swindledissent.pdf; Statement of Commissioner Thomas B. Leary, Concurring in Part and Dissenting in Part, Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress (May 2000), /reports/privacy2000/ learystmt.pdf. Commissioner Leary dissented in part because the Commission's legislative recommendation suggested the need for across-the-board substantive standards (when, in most cases, he believed that clear and conspicuous notice should be sufficient). He also believed that any legislation should apply to offline, as well as online, commerce.
26. Remarks of Timothy J. Muris, Protecting Consumers' Privacy: 2002 and Beyond (Oct. 4, 2001),www.ftc.gov/speeches/muris/privisp1002.htm ("Muris Remarks").
27. Id.
28. Id.
29. See Notice of Proposed Rulemaking, 67 Fed. Reg. 4492 (Jan. 30, 2002).
30. Muris Remarks, supra footnote 26.
31. GeoCities, Inc., Docket No. C-3849 (Feb. 12, 1999). For more information, see /opa/1998/9808/geocitie.htm.
32. GeoCities offered its members personal home pages. To acquire a webpage, consumers completed an online application form that asked for several items of personal information.
33. FTC v. Toysmart.com, LLC, and Toysmart.com, Inc., Civ. Action No. 00-11341-RGS (D. Mass. 2000). For more information, see/opa/2000/07/toysmart2.htm.
34. The final consent decree was not entered because the case was dismissed when Toysmart's assets were sold and the purchaser destroyed the consumer information.
35. Eli Lilly and Co., Docket No. C-4047 (May 8, 2002). For more information, see /opa/2002/01/elililly.htm.
36. For example, Lilly allegedly failed to provide appropriate training for its employees regarding consumer privacy and information security; failed to provide appropriate oversight and assistance for the employee who sent out the e-mail, who had no prior experience in creating, testing, or implementing the computer program used; and failed to implement appropriate checks and controls on the process, such as reviewing the computer program with experienced personnel and pretesting the program internally before sending out the e-mail.
37. In the Matter of Microsoft Corp., File No. 012-3240 (proposed consent order accepted Aug. 8, 2002). For more information, see/opa/2002/08/microsoft.htm. Passport is an online authentication service that allows consumers to sign in at multiple websites with a single username and password. Passport Wallet and Kids Passport are add-on services that provide online purchasing and parental consent services.
38. Specifically, the proposed complaint alleges that Microsoft failed to implement and document procedures that were reasonable and appropriate to: (1) prevent possible unauthorized access to the Passport system; (2) detect possible unauthorized access to the system; (3) monitor the system for potential vulnerabilities; and (4) record and retain system information sufficient to perform security audits and investigations.
39. The proposed consent order has been placed on the public record for 30 days for receipt of comments by interested persons. After 30 days, the Commission will again review the agreement and the comments received, and will decide whether it should withdraw from the agreement and take appropriate action or make final the agreement's proposed order.
40. Although the FTC released its last online privacy study in 2000, the Progress and Freedom Foundation (PFF) in 2002 released the results of a follow-up study that it conducted in 2001. The PFF attempted to assess the current state of online privacy practices by U.S. firms, replicating the survey methodology used by the FTC in its 2000 study. The PFF study indicated that online privacy policies became more common and more consumer-friendly in 2001. At the same time, the percentage of the most popular sites offering consumers a choice about whether their information could be shared with third parties increased from 77% in 2000 to 93% in 2001. The study also found that the privacy-enabling technology, Platform for Privacy Preferences (P3P), was being deployed rapidly.
The PFF study also considered what kinds of information were being collected, and by what method. It found that among the 100 most popular sites, the proportion collecting personal information actually decreased from 96% in 2000 to 84% in 2001. Even more dramatically, the proportion of those sites employing "cookies" fell from 78% to 48% in the past year. These results suggest that not all businesses empowered with new technological tools will seek to collect massive amounts of data. Business models and the marketplace will continue to evolve as appropriate to bring new products and services to market and to respond to consumer concerns and preferences. William F. Adkinson, Jr., Jeffrey A. Eisenach and Thomas Lenard, Progress and Freedom Foundation, Privacy Online: A Report on the Information Practices and Policies of Commercial Websites, http://www.pff.org/pr/pr032702privacyonline.htm.