It's a pleasure to be with you this afternoon. Before I begin my discussion about online privacy regulation and the recent FTC case against TouchTone, let me begin by telling you a little about my personal beliefs about the role of government.(1)
I believe that government should play only a minimal role in our lives. Will Rogers once said, "All government programs have three things in common: a beginning, a middle, and no end." In contrast to that sad reality, we have seen that rationally limited government allows Americans to make their own decisions, including economic decisions. Our current prosperity is no accident: by and large, private markets should be left alone to work their magic. Adam Smith, our Founding Fathers, Milton Friedman and Ronald Reagan had it right -- government that governs best governs least.
Given the tremendous benefits that typically flow from private markets without government involvement, we should always be persuaded that government intervention clearly is necessary before we embark on such intervention. We in government should be ever mindful of the Hippocratic Oath --"do no harm." Before making decisions as to whether government should intervene, I try to always ask myself-- "Does this make sense?"
I would like to begin my remarks by commending the DMA for your leadership in promoting a self-regulatory solution to online privacy issues. Due to your efforts and those of others, I remain optimistic that industry privacy policies and practices will show improvement this year.
Surely, it is within industry's own self-interest to make improvements, since it was made rather clear last summer that the FTC and the Congress were ready to act if you chose to not lead the way. As I have asked repeatedly over the past year, "Are you listening?"
While it is true that consumers are concerned about their online privacy, there are interesting facets to this privacy issue, particular when it comes to the consumer's spending habits. According to data provided by the U.S. Commerce Department(2), consumers spent $3 billion online in 1997 and $9 billion in 1998, and are projected to spend $30 billion in 1999 -- a tripling every year. Last year's online holiday shoppers were asked to rate their experience. Interestingly, the most frequent concerns expressed were: 15% of the shoppers surveyed cited problems with merchandise availability, 14% cited the cost of shipping, and 13% cited slow site performance. Privacy concerns did not show up as one of the greatest concerns.
Does this mean we should not be concerned about improving privacy policies and practices? Most certainly, it does not.
As you know, the FTC is currently awaiting the results of an Internet study sponsored by a broad group of industry members, trade associations and consumer and privacy groups to measure the effectiveness of self-regulation. The study analyzed two different data sets:
(1) a random survey of 250 of the top 7,500 commercial sites, which represent 99.99 percent of all web traffic, and
(2) the top 100 commercial sites, which represent over 80 percent of all web traffic.
The results, which are scheduled to be made public next week, will be compared to a similar study conducted last year by the FTC. The Commission will analyze this new study in an effort to assess the status of industry self-regulation and will report to Congress this summer.
Privacy concerns are real. They also constitute an emotional and popular issue among members of Congress as everyone jumps on the bandwagon of the Internet, e-commerce, and the baseball-and-Mom's-apple pie election issue of doing what is right for constituents, especially the children.
More than 50 bills have been introduced in Congress so far this year that mention the Internet or would have an impact on electronic commerce. In the regulatory camp, some have expressed concern that the recently launched BBBOnline program has not been widely embraced by industry. They have taken the position that self-regulation is important, but insufficient without a legislative and regulatory backup. Others have suggested an enforcement mechanism directed toward those businesses that are indifferent to or overtly avoiding the implementation of privacy policies. Still others have suggested that the test for online privacy policy will be how privacy works "at the margins"-- to some extent, essentially dismissing how well the top 100 sites are doing in protecting the privacy of roughly 80-85 percent of Web users.
Government officials used to say the Internet will not flourish until consumers' privacy concerns are addressed. Now you hear those officials saying that the Internet holds great promise as a marketplace, but consumers will not use it to its full potential unless they feel safe.
Rest assured that any flaw or failure or shortcoming in industry self-regulation efforts will be seized upon by regulatory advocates and bureaucrats. And, don't be surprised to see the goal line moved on occasions.
Such paternalistic and statist thinking is disturbing because neither government nor industry can create utopia or prevent all cases of fraud and invasion of privacy. There is a target rich environment out there. Consumers have to be accountable and bear some level of responsibility for their actions. If a consumer is uncomfortable with a Web site's privacy policy or if the site has no privacy policy for the consumer to review, then that individual has the freedom -- and should have the good common sense -- to go elsewhere on the Web. The market, not the government, should determine whether companies are to be rewarded or punished for their privacy policies (or lack thereof) through the success or failure of the firm's e-commerce efforts. Government can play a positive role by educating consumers and businesses and with appropriate and rational attempts to minimize deception, unfairness and misleading practices. When we (the FTC) find abuses, we should take legal action against the offenders.(3) The FTC's traditional law enforcement role against deception, unfair practices and actions which abuse consumers or disrupt market functions remains a very appropriate way for government to intervene, as long as we do not over-stretch our authority or impose ourselves improperly and unnecessarily.
I truly believe that self-regulation is preferable to government regulation, and that industry can best resolve concerns about privacy. But --- repeat BUT --- the private sector must lead the way to address these concerns about privacy through self-regulation. Should the private sector not respond or fail in this endeavor, government bureaucrats and advocacy groups will respond with enthusiasm.
From my point of view, government regulation of privacy does not make sense because it is impractical. Bureaucratic regulation will inevitably be inflexible and outdated and will stifle the growth and innovation of electronic commerce. Hasty action to regulate privacy on the Internet would violate the government analogy of Hippocrates' oath: first and foremost, the government should do no harm.
Let me offer a simple proposal about regulating online privacy. Obviously, I strongly encourage industry self-regulation. Please lead the way. With regard to government involvement, I favor applying the principles underlying the Internet Tax Freedom Act of 1998 to the regulation of online privacy. As you know, the Internet Tax Freedom Act placed a three-year moratorium on Internet taxation, to allow time to determine the effect of taxation on electronic commerce. Using the Internet Tax Freedom Act as a model, Congress should impose a similar moratorium for online privacy regulation and then quickly determine the potential effects of regulation on electronic commerce. Government should not regulate online privacy until we fully understand the intended and unintended consequences of regulation.
Let me briefly touch on children's online privacy, an issue for which we should all have concerns. As you all know, the FTC issued a proposed rule designed to implement the Children's Online Privacy Protection Act of 1998 on April 20. The proposed rule applies to commercial web sites that collect information from children under 13. With certain exceptions, these sites will have to obtain verifiable parental consent before collecting, using, or disclosing personal information from children. These sites will be required to provide notice on the site and to parents about their policies with respect to the collection, use and disclosure of children's personal information. The Commission is interested in the feasibility, cost and benefits of various methods of providing verifiable parental consent. In addition, the statute includes a safe harbor program for industry groups and others who wish to create self-regulatory programs to govern compliance. Comments on the proposed rulemaking will be accepted until June 11, and, if there is sufficient interest, a workshop will be held July 20. Please let our staff hear from you if you have not already done so. I will not be taking any questions on this topic today because of the pending rulemaking proceeding.
I would like to spend a little time on a privacy-related matter recently before the Commission--a matter that could have significant ramifications for business. As many of you already know, the Commission recently filed a complaint in federal district court against an information broker, TouchTone. Among its various services provided for a fee, TouchTone offers to obtain for its clients the bank account numbers and balances for anyone that a client selects. TouchTone allegedly gets this information by having one of its employees call the bank and pretend to be the individual account holder -- a practice called "pretexting." Basically, the TouchTone employee pretends that he is a befuddled account holder who misplaced his checkbook, has forgotten his account number, and needs to check on a deposit or his bank balance. The bank's service representative, wishing to be helpful, provides the account number and balance without requiring the caller to provide some type of confidential identifying information, such as a mother's maiden name or, better yet, a PIN number.
The Commission's complaint alleged, first, that pretexting was deceptive and, second, that disclosing private financial information obtained this way was unfair. I objected because even though I would support government action against pretexting, in my view the Commission acted beyond its authority in this particular case. I think the deception theory in the case represents a departure from the Commission's current legal standard of deception, and the case should have been brought administratively rather than in court. You can get a more complete picture by looking at our web site for my dissent and the majority's statement in the TouchTone case released April 22.
Why should you care about TouchTone? After all, you do not use pretexting in your direct marketing efforts. One might view this case as the Trojan Horse of privacy. The unfairness allegation by the FTC advances a new theory of consumer injury based solely on the disclosure of "private" financial information.
The FTC Act specifies that the Commission cannot declare a practice unfair unless it causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or competition.
This case could establish the principle that an invasion of a consumer's privacy is injury, with no need to show that any substantial resulting harm to the consumer is likely.
I frankly do not think the FTC should be taking on the role of the information police. Yet, if the court adopts the majority's unfairness theory that is exactly what we may become. I dissented because I fear that TouchTone is a foray into broader privacy regulation where we litigate to regulate.
I look forward to your questions.
1. The views expressed by Commissioner Swindle in this written text and in his oral remarks are his own and do not necessarily reflect the views of the Commission or other Commissioners.
2. Written Remarks by Secretary of Commerce William M. Daley, Press Conference on E-Commerce, Washington, D.C., February 5, 1999.
3. For example, in Geocities, the Commission settled allegations that the company misrepresented the purposes for which it collected personal identifying information from its customers. Geocities represented that it would only use the information for certain limited purposes but it permitted the information to be used for other purposes, such as target marketing by third parties. Accordingly, the Commission alleged that the company engaged in deceptive acts or practices in violation of Section 5 of the FTC Act.