STATEMENT OF CHAIRMAN PITOFSKY
Privacy Online: Fair Information Practices in the Electronic Marketplace
May 22, 2000
The Commission today issues its third report on the extent to which self-regulation is providing or is likely to provide protection for consumers against unjustified invasions of privacy in the online world.(1) There is now wide agreement on the required elements of privacy protection, referred to as the Fair Information Practice Principles. With respect to personally identifiable information, an adequate privacy program should include:
1. Notice -- clear and conspicuous -- of what information is collected from consumers, how it will be used by the collecting parties and whether it will be disclosed to other entities;
2. Choice which offers the opportunity for consumers to decide whether they want their personally identifiable information to be used for any purpose other than completion of the transaction. Choice encompasses both internal and external uses of such information.
3. Reasonable access by consumers to review the information collected on them and a reasonable opportunity to correct any errors or delete the information.
4. Adequate security within the company as to how information will be handled.
The conclusions of this report, which I support, are as follows:
- In some respects, self-regulation continues to improve levels of consumer protection. For example, the percent of Web sites in the random sample of the busiest sites posting at least one "privacy disclosure"(2) is now 88 percent. That is up from 66 percent in 1999 and 14 percent in 1998.(3) Also, with respect to those sites displaying some kind of privacy policy, 62 percent of sites in the random sample have a privacy policy compared to 44 percent in 1999.(4) These data represent continued improvement. Of course, the analogous figures for the 100 busiest sites (the "most popular group") are strong: 100 percent display at least one privacy disclosure; 97 percent post a privacy policy.(5)
- In many other respects, however, progress in self-regulation has been disappointing. The 88 percent figure -- comprising Web sites that post at least one disclosure about their information practices -- represents only thin protection. That figure includes some sites with mere statements such as "this is a secure order form." It also includes sites that in fact post "privacy policies" that may provide more information but still fall short of satisfying all the "Notice" elements of Fair Information Practices.(6)
- For these reasons, a more telling figure reported is "Notice," which entails posting a privacy policy that addresses what personal information is collected, how it is used internally and whether it is disclosed to others. Notice is the fundamental building block and cornerstone to any privacy policy. Nonetheless, in the random sample, just 55 percent satisfied this Fair Information Practice element, though this figure reaches 89 percent in the most popular group.
- Also, when we probe beneath the surface and assess compliance with the Fair Information Practice Principles, a less than encouraging picture emerges. For example, only 20 percent of the Web sites in the random sample implement each of the four principles.(7) The fact that only one in five of the busiest commercial Web sites provides basic privacy protections is disappointing. Also, in the most popular group, the percent of sites satisfying the four criteria is only 42.(8)
- Even if we use a less exacting analysis, recognizing in part the difficulties associated with satisfying Access and Security standards, which the Advisory Committee's report cogently highlighted, the numbers remain troubling. Taking Access and Security out of the picture, and looking solely at the data for sites that implement only the principles of Notice and Choice, we find, for the random sample, we have 41 percent compliance; 60 percent in the most popular group.(9)
- Finally, the results of the seal program survey were particularly striking -- 8 percent in the Random Sample; 45 percent in the most popular group display a seal.(10) These numbers speak for themselves. Efforts to monitor and enforce standards have barely scratched the surface.
The question is not whether industry self-regulation has passed or failed a test. The question rather is whether the progress of online implementation of Fair Information Practice Principles continues to suggest that no legislation is warranted. Notwithstanding tangible gains, based on the overall data, a majority of the Commission finds that self-regulation alone, without some legislation, is unlikely to provide online consumers with the level of protection they seek and deserve. Accordingly, a majority of the Commission recommends that Congress consider legislation to complement self-regulation.
Despite this conclusion, I want to emphasize that there will continue to be an important role for self-regulation in ensuring the protection of privacy. The private sector has every incentive to engage in effective self-regulation so that electronic commerce reaches its full potential. I continue to support self-regulatory initiatives and believe they are vitally needed to complement any legislation in this area.
Also, it is imperative that any such legislation not be unduly burdensome or expensive. It must energize, rather than hamper, the important aspects of consumer welfare provided by a fully developed online commercial market place. In particular, many important issues remain that will need to be addressed by Congress and others. The Advisory Committee's report spotlights the complexities surrounding implementation of "Access." Substantial questions remain as to how much access is "reasonable," to what types of information access should be afforded, and at what cost to the business community and to consumers. The answers to these questions are not self-evident and will require careful consideration. Also, while issues surrounding "Adequate Security" may prove less daunting, they too present challenges.
In addition, the Commission has become increasingly aware, as discussed in portions of the Advisory Committee report, that it is difficult to distinguish between consumers' privacy rights in the online universe, where consumers may provide personal identifying information in connection with purchase of a product on the Internet, and the offline world, where there are many arrangements whereby consumers provide personal information such as in connection with filling out warranty cards or applying for magazine subscriptions. Clearly, numerous offline commercial activities can also be accomplished online. We did not set out to study in detail the information practices in the offline area, and therefore will note only that there may be little reason to distinguish among consumer privacy rights online and offline in the future.
In sum, consumers should not have to forfeit their privacy online in exchange for the rich benefits of e-commerce. A well-crafted approach, in fact, will benefit the growth of e-commerce and provide important protections to consumers. The Commission's legislative recommendation does not, in my view, signal a rejection or failure of self-regulatory initiatives. Rather, based on what I have seen to date, legislation is now needed to ensure consumers' online privacy is adequately protected. I strongly urge self-regulation to complement any legislative actions in this area.
Endnotes
1. The two earlier reports on the subject are: Self-Regulation and Privacy Online (July 1999) (available at <http://www.ftc.gov/os/1999/9907/index.htm#13>); Privacy Online: A Report to Congress ("1998 Report") (available at <http://www.ftc.gov/reports/privacy3/index.htm>).
2. A privacy disclosure could be either a unified privacy policy or discrete information practice statement such as "this is a secure order form" or "we may share your personal information with third parties."
3. Report at Figure 1.
4. Report at 10; App. C, Table 2a.
5. App. C, Table 2a.
6. App. C, Table 4.
7. App. C, Table 4.
8. Id.
9. Id.
10. App. C, Table 14a.
