Protecting Consumers' Privacy: Goals and Accomplishments

At The Networked Economy Summit

Reston, Virginia

Date:
By: 
Timothy J. Muris, Former Chairman

*The views expressed are those of the Chairman, and do not necessarily reflect the views of the Commission or of any other Commissioner. In his delivered remarks, the Chairman may deviate frequently from the printed text of the speech.

INTRODUCTION

Good morning. It is my great honor to serve as chairman of the Federal Trade Commission, the only federal agency with both consumer protection and competition jurisdiction in broad sectors of the economy.(1) We enforce laws prohibiting business practices that are anticompetitive, deceptive, or unfair to consumers, as well as promote informed consumer choice and public understanding of the competitive process.

The FTC's record is impressive. The agency has fulfilled its mission during rapid changes in the marketplace - the past decade saw the largest merger wave in history, the rapid growth of technology, and the increasing globalization of the economy. Among these many challenges, protecting consumers' privacy has become a top priority of the FTC consumer protection program. Last October, I described my plans for an aggressive FTC agenda - with new resources, new initiatives, and new cases.(2) Over the last eight months, we have put those plans into action. Today, I want to tell you about the progress we have made.

The Information Economy

Our economy generates an enormous amount of data. Most users are honest businesses - getting and giving legitimate information. The information revolution greatly benefits consumers. Many fail to appreciate that the average American today enjoys access to credit and financial services, shopping choices, and educational resources that earlier Americans could never have imagined. Today, we can check our credit card and bank balances over the phone 24 hours a day; we can order books, clothes, or gifts online while we are having our first cup of coffee in the morning, or we can review our finances in a convenient consolidated statement whenever we like.

What I personally find most astounding is what occurs all over America at auto dealers every day. If consumers have good credit, they can borrow $10,000 or more from a complete stranger, and actually drive away in a new car in an hour or less. I call this the "miracle of instant credit." I am told this cannot rightly be called a "miracle" because miracles require a "higher authority" than a credit manager. When you think about it, however, this event is extraordinary.

This "miracle" is only possible because of our credit reporting system. The system works because, without anybody's consent, very sensitive information about a person's credit history is given to the credit reporting agencies. If consent were required, and consumers could decide - on a creditor-by-creditor basis - whether they wanted their information reported, the system would collapse. Credit histories are one of our most sensitive pieces of information. Their use is, and should be, restricted and protected. The Fair Credit Reporting Act(3) provides such protections, as I will discuss below.

Framework

To a large degree, our current privacy agenda builds on the work the FTC has already done in this area. There is, however, a new focus - one that reflects our consumer protection priorities and makes sense for consumers and industry. Let me explain.

Focus on the Misuse of Information

Previous Commission privacy efforts largely focused on the collection of information. There is no denying that surveys tell us that consumers are troubled by the extent to which their information is collected.(4) But, at the same time, consumers willingly part with personal information everyday to facilitate transactions. For example, few consumers seem worried about the many companies that have to share their information to clear checks or, for that matter, to process ATM transactions. They understand that the information must be collected and shared to complete the transaction.

What consumers are most concerned about is that their information, once collected, may be misused in ways that harm them or disrupt their daily lives. These kinds of adverse consequences drive consumer concerns about privacy. Our privacy agenda is focused on stopping the kinds of practices that can cause negative consequences for consumers. For example, many consumers are concerned about physical consequences. Do you know any parents who want information on the whereabouts of their kids to be freely available to anyone? Of course not.

The misuse of information can also cause economic consequences. These can range from the improper denial of credit - or even a job - based on inaccurate or incomplete information. In extreme cases, misuse of information can lead to identity theft. That has been our top consumer fraud complaint for two years in a row. Finally, the misuse of information can cause annoying, irritating, and unwanted intrusions in your daily life. These include the unwanted phone calls that disrupt your dinner hour or the "spam" that clogs your computer.

Explicit Recognition of Trade Offs

Our focus on stopping misuse of information highlights a second change in approach: the explicit recognition of the trade-offs involved in regulation. Privacy is not, nor ever can be, an absolute right. The events of September 11 make that more clear than ever before. We are willing to make practical compromises between privacy and other desirable goals - like having our briefcase or backpack inspected at the airport or before entering a building or a sports arena.

There are trade-offs in the commercial arena, as well - where information sharing poses some risks, but also offers enormous benefits. Think about the convenience of consolidated statements, the advantages of instant credit approval, the lower costs of processing transactions. These are all benefits that consumers want and expect. We must be careful to ensure that our approach both protects privacy and preserves the important benefits of our information economy.

Focus on Online as well as Offline

Finally, a third change in our approach to privacy is the scope of our concerns. The FTC's previous efforts were focused on addressing consumers' concerns about online data collection. If the concern is reducing the adverse consequences that can occur when information is misused, then it does not matter whether information is originally collected online or off-line. It simply matters if it is misused. The risk of identity theft, for example, is no less real and the consequences no different if a thief steals your credit card number from a website or from the mailbox in the front of your house.

ACCOMPLISHMENTS

Last October, I outlined how we intended to use this framework to target information practices that harm consumers' privacy no matter how the information has been collected. Today I want to tell you about significant progress we have made during the last eight months toward that goal.

Protecting Consumers From Unwanted Telemarketing

One of the most visible parts of our privacy agenda addresses unwanted telemarketing calls. In January, we proposed establishing a one-stop, national "do-not-call" registry.(5) Consumers could eliminate most telemarketing calls just by calling a toll-free number and putting their phone number on the registry. This approach allows consumers to choose whether they want telemarketing calls. This type of approach will benefit consumers more than attempting to regulate the information collection that results in telemarketing sales lists.

Our proposal has received significant attention, from both consumers and the business community. By the time the comment period closed in April, we had received more than 40,000 comments. The comments are public documents - posted on our website at ftc.gov for those of you with some spare time for reading. In fact, the breadth of the comments is significant. We just concluded a three-day public workshop to explore the numerous issues our proposal raises. I look forward to a full analysis of the comments and the workshop discussion to assist in our decision on the rulemaking proposal.

Pre-Acquired Credit Card Numbers

Consumers are also concerned that their financial and personal information will be disclosed in ways that harm them. For example, some telemarketers have exchanged lists of credit card account numbers and used those account numbers to bill consumers for goods or services they did not order. The Gramm-Leach-Bliley Act restricts the sale of this information by financial institutions,(6) but others, including telemarketers, remain free to exchange this sensitive information.

We have taken several steps to protect consumers against this practice. The first, and most significant, is another proposed amendment to the Telemarketing Sales Rule. This amendment would prohibit telemarketers from exchanging credit card numbers and other such pre-acquired account information. Our goal is to ensure that the exchange of information is not used to facilitate unauthorized charges to a consumer's account. As with the proposed "do-not-call" amendments, this change is in rulemaking, and I look forward to reviewing the record. To complement the rulemaking initiative, we brought cases to prevent the misuse of pre-acquired credit card numbers, including a $9 million federal/state settlement with a major telemarketer alleged to have obtained these numbers without the owner's permission.(7)

Attacking Spam

Internet guru Esther Dyson says, "The magic of e-mail is that you can e-mail almost anyone. The tragedy is that almost anyone can e-mail you."(8) The even greater tragedy is that so much of the unwanted spam consumers receive is deceptive. Most consumers cannot wait to delete, block, purge, or trash the constant barrage of spam they receive. At the FTC, we solicit it. In fact, we have established a special email address where consumers can send us their unwanted spam. Our electronic mail box, which we call the "refrigerator," receives about 42,000 samples of spam every day.

In October, I promised to take our spam out of the refrigerator and put it on the enforcement hot plate. We are doing that. Our first cases, announced in February, attacked chain-letter schemes.(9) These not only made phony promises of huge financial returns for small investments, but they also claimed to be approved by the FTC's Associate Director for Marketing Practices. Our sweep was appropriately named "The Eileen spam", and our federal district court actions made clear she did not approve of them.

We quickly followed these cases by obtaining a temporary restraining order from the U.S. District Court in Chicago to shut down another particularly egregious spam.(10) That business used deceptive spam to sell worthless Internet domain names. The company, TLC Network, sent out thousands of spam, advertising new domain names ending in ".usa" or ".brit" instead of ".com", ".net" or ".org." For a while they even sold ".god."

Although most spams we are attacking are designed to pick consumers' pocketbooks, some do even more damage. In one particularly pernicious scheme, consumers, including children, received spam claiming they had won a free Sony PlayStation 2 or other prize. The spam pretended it was a promotion sponsored by Yahoo, Inc. By following the instructions in the spam, consumers were directed to a website that imitated the authentic Yahoo website. The fake Yahoo website instructed consumers to download a program that would supposedly allow them to connect "toll-free" to a website on which they could claim their PlayStation. Instead, defendants routed consumers to an adult website through a 900-number modem connection that charged them up to $3.99 a minute.(11) It took just five clicks to go from the promise of a PlayStation to the reality of an adult site, with no meaningful disclosure along the way.

A complement to our spam lawsuits is our "remove me" project. We all get unsolicited email with a notice that allows you to "unsubscribe" to remove yourself from this site. Of course, if this process worked, it could help consumers avoid unwanted spam. But, in exploring what we could do about spam, some Internet experts told us that consumers should not opt out of spam. Responding in any manner to spam only confirms their email address as valid, they believe, subjecting them to more spam.

To address this concern, we sent out more than 250 emails. We found that most of the addresses were invalid. In other words, the removal option did not work. We are following up with letters warning those senders that failing to honor promises to remove consumers from spam lists would violate the FTC Act. We will sue those who do not comply. We still would like to know if there are sites that target consumers who try to unsubscribe from more spam. If there are spammers using this technique, then we will sue them.

Prosecuting Pretexting

As part of the new privacy agenda, I also promised a continued focus on the practice called pretexting. So-called "information brokers", under the pretext of being a customer, trick banks into revealing sensitive, confidential financial information. The Gramm-Leach-Bliley Act specifically makes this practice illegal.(12)

Last year, our staff conducted a "surf" of more than 1,000 websites and reviewed over 500 print ads for firms that offered to conduct financial searches. We followed with notices to approximately 200 firms, advising them that their practices must comply with GLB and with other applicable federal laws, including the Fair Credit Reporting Act. Ultimately, we filed 3 cases in U.S. District Court; this spring, we announced settlements in all three.(13) We are now selecting targets for our next round of enforcement. We are expanding our review to include not only those that promote pretexting, but also that knowingly solicit pretexting services.

Increased FCRA Enforcement

The credit reporting industry plays a key role in providing American consumers with access to consumer credit. In doing so, it compiles extraordinarily detailed information about many consumers' credit history. The Fair Credit Reporting Act appropriately protects this information.(14) In October, I pledged to take steps to ensure both high levels of compliance with the FCRA, especially with respect to its requirement that users of consumer reports notify consumers whenever information in a credit report is used to deny them credit, insurance, employment, or other benefits such as housing.

To monitor compliance, we are systematically studying users of these reports. Our first sweep studied 15 landlords in five major cities. What we found was encouraging. Each landlord had procedures in place for providing "adverse action" notices.(15) Some procedures were imperfect, however. Some landlords did not realize that using information in a credit report to change rental conditions - and not just denying a rental - also triggers the Section 615 notice. Some did not understand that the term "consumer report" encompasses more than traditional credit reports and includes information from tenant screening services. Landlords promptly corrected those problems when we told them.

The results of our survey prompted us to launch a consumer education campaign to let other landlords know about the law and how to comply with its provisions. We will continue sweeps in other industries. We hope to find equally high levels of compliance. If not, we will act, including filing lawsuits.

Controlling Identity Theft

Hijacking someone's identity using personal information, such as Social Security or credit card numbers, is the crime that vividly illustrates why consumers are concerned about their privacy. In some cases, these hijackings are high tech, but in many they are merely opportunistic behavior by criminals. There have been many recent press reports about significant compromises of consumers' personal information. In January, a Seattle man was sentenced to two years and three months in federal prison for stealing identities by using material in garbage cans and mailboxes.(16) In March, a former employee of the Prudential Insurance Company was arrested and charged with stealing the identities of colleagues from a database of 60,000 names and selling them over the Internet.(17) More recently, computers at a California state data center were illegally accessed.(18)

Because this crime can be prosecuted at the local, state, and federal levels, coordination among law enforcement officials is essential. In 1998, Congress passed the Identity Theft and Assumption Deterrence Act(19) to help combat identity theft. That law required the FTC to establish a centralized complaint system, in part to which enable victims to obtain immediate assistance on how to stop ongoing injury and prevent future harm. Last year, we received complaints from more than 86,000 victims.

Our centralized, nationwide database also directly supports law enforcement efforts to prosecute identity theft. Officers and agents in over 300 law enforcement agencies throughout the country can directly access consumer complaints in the database from their desktop PCs. To facilitate their use of the database and other enforcement initiatives, we are training law enforcers on how to investigate identity theft crimes. This training program, developed jointly with the Justice Department and the Secret Service (which generously has detailed an agent to us), was launched in Washington, D.C. in March, followed by two similar programs in May in Des Moines and Chicago. All told, over 300 law enforcers from nearly 100 different agencies participated. Additional training programs are scheduled for San Francisco and Dallas this summer.

To complement law enforcement training and use of the identity theft database, we also work closely with the Secret Service to analyze the clearinghouse data and prepare investigative reports identifying possible targets. These reports are sent to law enforcement agencies nationwide. Just last month, Attorney General Ashcroft announced a sweep of identity theft cases, spearheaded by the Department of Justice. This sweep, undertaken in April, involved federal, state, and local law enforcement officials and resulted in 73 criminal prosecutions against 135 individuals on charges of identity theft.(20)

The other important part of our identity theft program is consumer education and victim assistance. We provide a broad range of educational materials to assist consumers in learning how to avoid becoming a victim. We receive over 3,000 calls a week from victims seeking assistance or general information. In January, we officially announced the Universal Identity Theft Affidavit. A product of partnership between the FTC, several companies and privacy organizations, this one affidavit can be submitted by victims to creditors, saving them time and expense. The affidavit is available online(21) - in Spanish as well as English - and will help victims recoup their losses and restore their legitimate credit records more quickly.

Enforcing the Children's Online Privacy Protection Act

None of the worries we have about privacy is greater than concern for the privacy of our children. In 1998, Congress enacted the Children's Online Privacy Protection Act (COPPA) to prevent the collection of personally identifiable information from young children without their parents' consent.(22) In April, to commemorate the second anniversary of the FTC's Rule implementing COPPA,(23) the Commission announced its sixth COPPA enforcement action,(24) along with new initiatives designed to enhance compliance with the Rule. The Commission released a compliance survey, finding that much progress has occurred since an earlier, 1998 survey.(25) For example, the vast majority - nearly 90 percent - of the sites that collected personal information from children had privacy policies, as opposed to only 24 percent in 1998.(26) As part of the survey, the Commission staff identified noncompliant websites and sent warning letters to those sites, explaining the law's requirements and providing them with the Commission's latest COPPA business education piece.(27) Our enforcement and education efforts will continue.

Enforcing Privacy Promises

Another priority of our privacy program is ensuring that companies abide by their privacy policies. An effective privacy notice provides protection for the consumer and benefits for the business - but only if the promises are kept.

In January, we announced an important settlement with Eli Lilly.(28) Through its Lilly.com and prozac.com websites, Lilly promoted an email reminder service for consumers interested in receiving tailored messages regarding their medication or other matters. Consumers provided Lilly an email address and a password. Its privacy policy stated that the company respects the privacy of visitors to its websites and that those websites have security measures to protect the confidentiality of consumers' information. In notifying consumers that it was discontinuing its service, however, Lilly inadvertently sent out emails identifying all the users of the service.

The FTC's complaint alleged that Lilly's privacy policy promised to take appropriate steps to protect the security of consumer's information. Lilly's failure to implement security procedures led to the unintentional disclosure of the e-mail addresses of consumers who used their Prozac.com website.(29) This is not information anyone wants disclosed. If broadcast, it could have serious adverse consequences. Concern about unauthorized disclosure of such sensitive information surely goes to the heart of consumer's concerns about privacy.

It is important to understand what the Lilly case does and does not mean. Lilly does not mean that every security breach violates the FTC Act. Unfortunately, we will never eliminate security breaches. Instead, we see security as an ongoing process of identifying potential problems, putting procedures in place to minimize them, and responding to problems as they emerge. When security breaches occur, we will analyze the type of information involved and how the breach happened. We will always ask two important questions: did the company have a system in place that was appropriate for the sensitivity of the information? And, did it follow its own procedures?

The Lilly case highlights the importance of security to protecting privacy. Reasonable security measures must be in place to prevent the release of sensitive information if privacy promises are to have real meaning. We will continue to explore if there are other security infractions with consumer's medical, financial, or other sensitive information that we should address.

Consumer Information Security

Security is important whenever companies have sensitive consumer information. Just last month, we finalized the Safeguards Rule to implement the Gramm-Leach-Bliley Act that requires financial institutions to establish and maintain a security program to protect the personal information they collect.(30) Like Lilly, the rule recognizes that security is a process. It requires financial institutions to assess the risks they face, and take appropriate steps to control these risks.

There is also another dimension of security - the steps that consumers themselves can take. All of us can protect our privacy by taking basic security measures - such as turning off your computer when finished and using good judgment when it comes to sharing personal information. These are common sense protections. We have learned to help secure our cars from intruders by removing the keys - now we need to do the same with our computers.

The Commission is addressing the myriad of privacy and security issues in a number of ways. In December 2001, Commissioner Orson Swindle became head of the U.S. delegation to the OECD Experts Group for Review of the 1992 OECD Guidelines for the Security of Information Systems.(31) We anticipate the Guidelines will be issued in the next few months. On May 20th and 21st, Commission Swindle led an FTC workshop to explore security issues in more detail.(32) The workshop was well attended, and underscored some valuable insights into security issues. One clear message of the workshop is the need to create a "culture of security." We should emphasize the necessity of protecting ourselves both at home and at work against escalating computer crime.

Privacy Notices

If we have work to do on security, there is also more that needs to be done on "notice". I mentioned earlier that a crucial part of our privacy agenda is to enforce privacy promises. An effective privacy notice should provide important information for consumers - and important benefits for business. Unfortunately, we do not yet know how to obtain these goals.

Thus far, our most extensive experience with privacy notices stems from the Gramm-Leach-Bliley Act. The GLB Privacy Rule requires that a broadly defined group of "financial institutions" send privacy notices to their customers every year.(33) Last year - the first year they were required to do so - these institutions sent more than a billion notices. Although the direct and indirect costs of this massive effort are still uncertain, they had to be substantial. The experience with these notices has been almost universally regarded as unsatisfactory. To most consumers, they were simply junk mail. To borrow a line from a former Commissioner when he was attacking a proposal to require care labels on plants: "These notices were as useful to most Americans as socks on a rooster."(34)

To explore the lessons learned from the GLB experience, we held a workshop last December, appropriately titled "Get Noticed." The FTC and the seven federal financial regulatory agencies charged with implementing the statute hosted the workshop. The key finding of the workshop hardly had the ring of Eureka: drafting effective privacy notices is as much a communications challenge as a regulatory one.

The more successful consumer notices were those that used some basic communications principles. First, they started with a clear and concise statement of purpose that tells readers why the document is important to them. Second, they used plain language instead of legalese. Third, they used graphics and visual elements to create interest, separate information into manageable pieces, and made the information easy to find and read. Fourth, they were tested on consumers for feedback on what worked and what did not.

Unfortunately, it appears that this approach was not widely followed - at least in the first year. Too many of the GLB notices seemed to have been written for the regulators who prescribed them and for the lawyers who would dissect them, not for the consumers who need to read them.

Our experience under GLB illustrates the inherent tension in the function of privacy notices. First, we want them to be a disclosure document: highlighting the most important terms a consumer needs to know about the business' privacy policies. Second, we want privacy notices to be a contract: a very detailed document that defines precisely how a business can, and cannot use information. Given the complexities of data sharing in the information economy, these goals present a formidable challenge. Unfortunately, effective privacy notices involve trade offs between communication and detail. We cannot completely achieve both in a simple document.

The tension between these two functions is difficult to resolve, especially in the absence of better information than we now have about what consumers really want to know and how they use this information. The conflicting goals also help explain why, despite the importance of notice to consumers and the marketplace, legislative efforts to mandate notice have fallen short in providing information to consumers.

Privacy Legislation

The same concerns about privacy that motivate our enforcement agenda have led others, including many in Congress, to propose new laws to protect consumer privacy. There are potential benefits from general privacy legislation. If such legislation could establish a clear set of workable rules about how personal information is used, then it might increase consumer confidence in the Internet. In addition, federal legislation could help ensure consistent regulation of privacy practices across the 50 states.

These are important goals. The question is: do we know enough now to fashion workable general privacy legislation that will provide cost efficient protection for consumer privacy? Our experience shows we do not. For example, although we know consumers value their privacy, we know little about the cost of online privacy legislation to consumers or the online industry. Our experience under GLB indicates that the costs of notice alone can be substantial. Moreover, as discussed earlier, the benefits that consumers received from these notices are unclear. We should not rush to repeat the GLB experience on a broader scale until we have a much better understanding of what approaches to protecting privacy will work and how they will work.

I am also troubled that many current legislative proposals would apply only to online information collection. Legislation subjecting one set of competitors to different rules, simply based on the medium used to collect the information, is likely to distort the market. Indeed the sources of information that lead to our number one privacy complaint - ID Theft - are frequently offline. If the goal of privacy legislation is - as it should be - to reduce the potential misuse of consumer information, then it makes little sense to focus only on online information. Applying legislation offline, however, adds an enormous layer of complexity that is very poorly understood.

Recent survey data showing that the online industry is already moving rapidly to respond to consumer concerns about privacy strengthens my concerns about the costs and workability of general online privacy legislation. The recent survey announced by the Progress and Freedom Foundation ("PFF") shows continued progress in providing privacy protection to consumers without potentially unworkable legislative requirements.(35)

We analyzed 13 of the most important criteria used in the PFF Survey and compared them to the results in past surveys. For those websites consumer's use most, our comparison showed progress on 11 of the 13. The response to consumer concerns about potential third-party tracking of their surfing was particularly robust. Just under half (48%) of sites allow third party cookies, down from 78% a year earlier. Moreover, ninety-three percent (93%) offered consumers choice about whether their information will be disclosed to third parties, up from 77% in just a year. Another key measure of websites' response to consumer privacy concerns is the amount of personal information they collect. Here again the survey shows progress. For the most popular sites the percentage of sites collecting personal information other than email address fell 12% (96% to 84%).

These changes demonstrate and reflect the more important form of choice: the decision consumers make in the marketplace regarding which businesses they will patronize. Those choices can drive businesses to adopt the privacy practices that consumers desire.

Perhaps most important for the future of online privacy protection, 23 percent of the most popular sites have already implemented the Platform for Privacy Preferences (P3P). This technology promises to alter the landscape for privacy disclosures substantially. Microsoft has incorporated one implementation of P3P in its web browser; AT&T is testing another, broader implementation of this technology.

Finally, from the FTC's standpoint, there also is a more practical aspect of this debate. As our privacy agenda demonstrates, there is a great deal the FTC and others can do under existing laws to protect consumer privacy. Indeed, since 1996, five new laws have had a substantial impact on privacy-related issues.(36) Much of the legislation currently pending would give the FTC broad responsibilities for implementing it. These new responsibilities, including rulemaking, report writing, and other administrative duties, will divert substantial resources away from the law enforcement efforts I have described today.

CONCLUSION

In closing, I remember one of my favorite cartoon characters, the infamous Charlie Brown. He was doing some target practice with his bow-and-arrow. He would pull the string back as far as he could and let the arrow fly into the fence. Then he would run over to the fence with a piece of chalk and draw a target around the arrow.

It might have worked for Charlie Brown, but not for us. We have our targets in place. We are sending out many arrows. Our law enforcement and related initiatives indicate that our aim is darned good.

Endnotes:
1. The FTC has broad law enforcement responsibilities under the Federal Trade Commission Act, 15 U.S.C. § 41 et seq. With certain exceptions, the statute provides the agency with jurisdiction over nearly every sector of the economy. Certain entities, such as depository institutions and common carriers, as well as at the business of insurance, are wholly or partially exempt from FTC jurisdiction. In addition to the FTC Act, the FTC has enforcement responsibilities under more than 40 additional statutes and more than 30 rules governing specific industries and practices. 
2. Remarks of Timothy J. Muris, Protecting Consumers' Privacy: 2002 and Beyond (Oct. 4, 2001), available atwww.ftc.gov/speeches/muris/privisp1002.htm
3. 15 U.S.C. § 1681 et seq. 
4. That concern has been expressed in a number of public opinion polls. See e.g., Alan F. Westin/Harris Interactive, Privacy On and Off the Internet: What Consumers Want (Nov. 2001); IBM/Harris Interactive, Multi-National Consumer Privacy Survey (Oct. 1999); Lorrie Faith Cranor et al., Beyond Concern: Understanding Net Users' Attitudes About Online Privacy, AT&T Labs-Research Technical Report TR 99.4.1 (Mar. 1999). 
5. Proposed amendments to Telemarketing Sales Rule, 67 Fed. Reg. 4491 (2002), announced January 22, 2002, available atwww.ftc.gov/os/2002/01/16cfr310.pdf
6. 15 U.S.C. § 6801. 
7. FTC v. Ira Smolev, No. 01-8922 CIV ZLOCH (S.D. Fla. filed Oct. 23, 2001); TechnoBrands, Inc., and Charles J. Anton. Docket No. C-4041; FTC v. Technobrands, Inc., No. 3:02-CV-86 (E.D. Va. filed Feb.15, 2002). 
8. Cited by Ellen Goodman, Whamming the Spammers, Boston Globe, Feb. 10, 2002, available atwww.brightmail.com/external_cache/Whamming_the_spammers_.shtml
9. FTC v. Boivin, No. 8:02-CV-77-T-26 MSS (M.D. Fla. Jan. 15, 2002); FTC v. Estensen, No. A3-02-10 (D.N.D. Jan. 15, 2002); FTC v. Larsen, No. 8:02-CV-76-T-26 MAP (M.D. Fla. Jan. 16, 2002); FTC v. Lutheran, No. 02 CV 0095 K (RBB) (S.D. Cal. Jan. 18, 2002); FTC v. Va, No. 02-60062-CIV-ZLOCH (S.D. Fla. Jan. 18, 2002); FTC v. Pacheco, No. 02-CV-31L (D.R.I. Jan. 22, 2002). 
10. FTC v. TLD Network, No. 02C-1475 (N.D. Ill. Feb. 28, 2002). 
11. FTC v. BTV Industries, No. CV-S-02-0437-LRH (PAL) (D. Nev. filed Mar. 27, 2002). 
12. See Subtitle B of the Gramm-Leach-Bliley Act, 15 U.S.C. § § 6821-27. The statute provides for civil remedies to be enforced by the FTC, and for criminal penalties enforced by the Department of Justice in cases where the pretexter knowingly or intentionally violated or attempted to violate the law. Id. § § 6822-23. The statute contains certain exceptions, including for state-licensed private investigators to the extent their activities were (1) "reasonably necessary to collect child support from a person adjudged to be delinquent ... by a Federal or State court," and (2) were authorized by court order. Id. § 6821(c)-(g). 
13. FTC v. Information Search, Inc., No. AMD-01-1121 (D. Md. Mar. 15, 2002); FTC v. Guzzetta, No. CV-01-2335 (E.D.N.Y. Feb. 25, 2002); FTC v. Garrett, No. H 01-1225 (S.D. Tex. final order pending). 
14. 15 U.S.C. § 1681 et seq. 
15. See www.ftc.gov/opa/2002/01/fcraguide.htm
16. See Staff, Newswatch Pacific Northwest, The Seattle Times, Jan.17, 2002 at B3. 
17. See Jacob Fries, U.S. Says Ex-Prudential Worker Stole Colleagues' ID's and Sold Them Online, N.Y. Times, March 2, 2002 at B2. 
18. See www.sco.ca.gov/eo/personal/assistance.htm.
19. 18 U.S.C. § 1028. This Act makes the FTC a central clearinghouse for identity theft complaints. Under the Act, the FTC is required to log and acknowledge such complaints, provide victims with relevant information, and refer their complaints to appropriate entities (e.g., the major national consumer reporting agencies and other law enforcement agencies). 
20. See www.usdoj.gov/ag/speeches/2002/050202agidtheftranscript.htm
21. See www.ftc.gov/bcp/edu/resources/forms/affidavit.pdf
22. 15 U.S.C. § 6501 et seq. 
23. FTC Children's Online Privacy Protection Rule, 16 C.F.R. § 312 (2002). 
24. United States v. The Ohio Art Company, No. 3:02CV7203 (N.D. Ohio filed April 19, 2002)(consent decree requiring payment of $35,000 civil penalty). 
25. See www.ftc.gov/os/2002/04/coppasurvey.pdf
26. Id. At the same time, the survey shows that many sites are not fully complying with all the requirements of the Rule. For example, only about half of the sites complied with COPPA-specific notice requirements, such as informing parents of their right to review information collected from their child, to have it deleted, and to refuse to allow further collection of information. 
27. You, Your Privacy Policy and COPPA, available at http://business.ftc.gov/documents/bus51-you-your-privacy-policy-and-coppa-how-comply-childrens-online-privacy-protection-act, instructs website operators on how to draft a COPPA-compliant privacy policy. 
28. In re Eli Lilly & Company, Docket No. C-4047. The Commission finalized the order on May 10, 2002 (seewww.ftc.gov/opa/2002/05/fyi0225.htm). 
29. The settlement required Lilly to establish a program to protect consumers' personal information against threats to its security and confidentiality. Importantly, it applied to both online and offline practices. 
30. 67 Fed. Reg. 36,484 (May 23, 2002). See also www.ftc.gov/opa/2002/05/safeguardrule.htm
31. See www.ftc.gov/opa/2001/12/swindleoecd.htm
32. See www.ftc.gov/bcp/workshops/security/index.html
33. FTC Privacy of Consumer Financial Information Rule, 16 C.F.R. § 313 (2002). 
34. This is a quote famously ascribed to former FTC Commissioner Mayo Thompson (D. 1973- 1975), in characterizing the utility of an FTC staff proposal to initiate a rulemaking requiring care labels for plants sold to consumers. 
35. The Progress and Freedom Foundation recently released the results of its 2001 Privacy Survey, available atwww.pff.org/pr/pr032702privacyonline.htm
36. Fair Credit Reporting Act, 15 U.S.C. § 1681; Health Insurance Portability and Accountability Act, 42 U.S.C. § 1320; Children's Online Privacy Protection Act, 15 U.S.C. § 6501; Identity Theft Assumption and Deterrence Act, 18 U.S.C. § 1028; GLB Act, 15 U.S.C. § 6801. Moreover, since 1996, the FTC has been applying its own statute to protect privacy.