"Managing the Privacy Revolution '98"
FTC Commissioner Mozelle W. Thompson(1)
Privacy & American Business Conference
Hyatt Regency Crystal City
December 1, 1998
Thank you for inviting me to speak at this important conference. As you know, in June, the Commission issued its report to Congress on Internet privacy and stated that we would give industry more time, although not much more, and then would examine industry progress and revisit whether legislation is necessary to protect consumers’ privacy online. So, when the conference organizers asked me to discuss whether "Business has Accepted the Challenge to Self-Regulate," I found this topic a "challenge" to address. This is because, after several months of hearing little from industry, I suddenly find that my calendar is getting filled with industry groups that want to come in to tell me about the progress they’re making on self regulation. So until that happens, the jury is still out.
But let me use my time before you today to address an important related question, which is -- why should business accept the challenge to self-regulate? I focus on this topic because, while I sense that industry has made some progress, there are many businesses that have not yet fully grasped the stakes involved in the challenge before them. While online privacy protection is in and of itself is a critical problem, perhaps business has a lot more riding on the outcome of this challenge.
I think a good place to begin is to look at where America is in the world. It is a unique time in American business history. First, we enjoy a robust economy, with an historic period of low interest rates, low inflation, increased industrial efficiency, and innovation.
Second, we have a new government paradigm which is less intrusive, more market-oriented, and one that encourages innovation and self-governance. Further, this government is more interactive, forming partnerships with business, government, and citizen groups, and focusing on effective, pragmatic solutions to public policy questions.
Third, there has been an explosion of new industries based on emerging technologies -- now collectively called the “high tech” industry. This industry not only attracts new money and investment, but also has a powerful influence on other domestic industries. It is an industry where the world looks to the U.S. for leadership and where the U.S. is able to define the pace and direction of innovation. In short, the high tech industry has sought and obtained a role at the "cutting edge" of the American economy. But, as this industry matures, it recognizes the need to cope with the same issues as other industries such as regulation by the EPA, SEC, antitrust regulators, trade regulators and others. In doing so, however, these growth companies have called for greater self governance.
When you put this all together, you arrive at a thriving electronic commerce industry. But is it all it could be? The answer is no. A recent Merchants Association survey shows e-commerce growing 200 percent annually - $13 billion in 1998. But, fifty percent of total revenue is generated from only ten sites and only five percent of visiting consumers make a purchase. It is against this backdrop that we are all now looking at the topic of Internet privacy.
U.S. industry is confronted with a "Public Policy Test." Privacy and security are the top reasons for consumers’ not purchasing online. With the Internet sales not yet reaching its full potential, it is clear that consumer interest in privacy coincides with the business interest in e-commerce and the government interest in establishing new markets. Currently, the important step in all interests being satisfied is one where industry has the primary role in addressing this important public policy concern. By taking responsibility for Internet privacy, however, industry must not only show it can be responsible for the new medium (which is the smaller issue) but also that it can be trusted to take lead in addressing public policy problems generally (a much larger issue).
The FTC experience so far is best reflected in our June report and July testimony to Congress -- each of which revealed that industry progress on self- regulation to protect consumer privacy online has been disappointing. Since then, Congress passed the children’s online privacy bill, which is substantially similar to the FTC’s recommendations in the June report on how to protect children online. As for adults, we indicated in our testimony that we would give industry some additional time and would soon reevaluate progress. While I am pleased to see that self-regulatory programs are in formation, I am also concerned that for the most part they are not yet operational.
Furthermore, since this summer, I have referred to three specific areas of concern:
Industry has undertaken several creative initiatives to reach small and medium sized businesses to participate in self-regulatory schemes. While I applaud these efforts and industry leaders’ acknowledgment of the need for outreach, I have not yet heard what the results of these initiatives have been. In other words, are small and medium-sized businesses seeing the same value in the self-regulatory approaches and coming on board to some of the existing programs?
I have for some time been reminded of the credit card industry as an example and ask -- would consumers feel confident using America’s credit card system if they only had rights to disputes and chargebacks from the top 100 stores? I think the answer would be no.
We have recently learned that some industry groups are preparing to test some consumer privacy enforcement mechanisms. However, we have yet to see what kind of enforcement programs these self-regulatory models contemplate?
Do they involve an independent auditor or other means that effectively address non-compliance by member organizations? Do they also provide consumers with meaningful rights and remedies?
It is also important to recognize that there are real differences in the treatment of publicly available information in America, versus Europe. (We all know that public record information is much more widely available in the U.S.) Under these circumstances, it is not clear how public record information will be protected under various industry self-regulatory proposals.
While access to public record information is sometimes socially beneficial (e.g., transparency), that information may take on a different character when "information brokers" bundle it, combine it with non-public information, and make it available for sale on the web.
So far, it appears that we -- meaning government, industry, and privacy advocates -- have not yet reached consensus on how to deal with public records, an important component of personal information.
In light of all this, you may ask -- where are we on Internet privacy? I think it suffices to say that we are all at a critical juncture, a point where industry is asked to self-regulate at the behest of government and public trust. This choice, while daunting, presents an exciting and unprecedented opportunity for industry to take the lead in shaping public policy for this important new medium. Consumers are expecting that industry and government will work together to find new and better ways to make the Internet safe, inspire consumer confidence, and preserve the innovative spirit of e-commerce. But, the failure of industry to meet this challenge will not only have a negative effect on the future of e-commerce, but also on the public’s confidence in industry’s ability to take the lead in solving important public policy problems. It is this final point that merits careful consideration.
(1)The views expressed are views of Commissioner Thompson and do not necessarily reflect the views of the FTC or any other Commissioner.