I am pleased to be here today in Boston - - the cradle of American liberty - - to discuss the impact of technology on the future of e-commerce and the financial services industry. At the outset, I want to emphasize that I believe that the government should play only a minimal role in our lives because this allows Americans to make their own decisions, including economic decisions. When private markets are permitted to operate without government intervention or control, they generally produce more and better products at lower prices for all Americans. Of course, there are some limited circumstances in which government intervention in private markets is needed. Given the tremendous benefits that typically flow from private markets, however, government intervention must be clearly shown to be necessary before it is undertaken. These fundamental principles should guide all of the decisions that our government makes, regardless of whether the decisions involve the offline world or the online world.
Aside from whether to tax online sales - - the issue that Governor Cellucci has already addressed - - the hottest issue of the summer regarding electronic commerce will be whether and to what extent the government should regulate e-commerce to protect the privacy of consumers. I will focus my remarks today on describing three recent FTC initiatives concerning online privacy --- The Children's Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act (GLB) and the FTC Privacy Report 2000 (Privacy Report) --- after which I will suggest that there are a few lessons that I have learned from these initiatives.
Children's Online Privacy Protection Act
In October 1998, Congress enacted the Children's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq., which was the first federal statute to address online privacy. COPPA requires operators of Web sites directed to children and other operators who knowingly collect personal information about children(2) to give notice as to the type of information collected, how the operator will use the information, and the extent to which the information will be disclosed to third parties.(3) COPPA also mandates operators obtain "verifiable parental consent" prior to collecting, using, or disclosing personal information that has been obtained from children.(4) COPPA further requires that operators give parents access to the information that has been collected regarding their children, and that operators maintain the security and confidentiality of the information they collect.(5)
In October 1999, the FTC issued a final rule to implement COPPA, the Children's Online Privacy Protection Rule, 16 C.F.R. Part 312. The main issue in the rulemaking proceeding was exactly how operators were to obtain "verifiable parental consent" to their use of personal information relating to a child. COPPA itself defines "verifiable parental consent" to mean:
any reasonable effort (taking into consideration available technology) . . . to ensure that a parent of a child receives notice of the operator's personal information collection, use, and disclosure practices, and authorizes the collection, use, or disclosure . . . of personal information.(6)
Consistent with this statutory definition, the Rule allows operators great flexibility in choice of method to verify consent - - a parent may be required to submit a consent form, use a credit card, call a toll-free number, use a digital certificate that uses public key technology, or return an e-mail with a password or a PIN.(7) Moreover, consistent with the Congressional direction to consider the state of the art in technology, the Commission decided to conduct a review of the Rule within 18 months after it goes into effect so that the agency can assess whether there are any additional technological means of obtaining consent that should be permitted to obtain consent.
I want to make one very important point about the Rule, the first federal regulation addressing privacy online. It went into effect on April 21, 2000, but there are already press reports that some online companies providing services to children have discontinued collecting information from them because of the high costs of complying with COPPA.(8) Because these reports are anecdotal, it is not clear which requirements are responsible for the reportedly high costs of compliance and how many companies are actually exiting the business. But these reports underscore for me the need to conduct a rigorous analysis of compliance and other costs before the government regulates e-commerce.
Gramm-Leach-Bliley Act
In the fall of 1999 Congress passed the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et. seq. Under the Act, whenever a financial institution enters into a customer relationship with a consumer, it must notify the consumer of the terms of its privacy policy.(9)Specifically, the Act requires that the notice disclose: (1) the categories of persons to whom nonpublic personal information(10) is or may be disclosed; (2) the institution's policies regarding the information of former customers; (3) the categories of nonpublic personal information that it collects; (4) the institution's policies to protect and maintain the confidentiality and security of nonpublic personal information; and (5) any disclosures required under the Fair Credit Reporting Act.(11)
Not only does the Act require that financial institutions provide notice of their privacy practices to consumers when they are new customers, it also requires that they provide the notice to their current customers at least once a year.(12)
The Act further imposes significant restrictions on the ability of financial institutions to transfer the nonpublic personal information of its customers to a non-affiliated third party, for example, a bank sharing the names and addresses of its customers with a wholly-separate merchant. Before a financial institution can share such information with a non-affiliated third party, the institution must provide consumers with a copy of its privacy policy.(13) The financial institution also must give consumers notice of their right to "opt-out," and allow them an opportunity to exercise their right to do so.(14) Although there are some important exceptions(15),
the Act basically requires that financial institutions must allow consumers to decide not to have their nonpublic personal information disclosed to a non-affiliated third party.
Congress directed that the Commission and seven other federal agencies (the Office of the Comptroller of the Currency, the Federal Reserve Board, the Federal Depository Insurance Corporation, the Office of Thrift Supervision, the National Credit Union Administration, the Securities and Exchange Commission and the Department of Treasury) to promulgate regulations to implement the Gramm-Leach-Bliley Act within six months of its enactment. The federal agencies other than the FTC were required to issue final rules covering the use of nonpublic personal information by the financial institutions that they typically regulate. The FTC was required to issue a final rule to address the use of nonpublic personal information by everyone else covered by the Act - - mortgage lenders, "pay day" lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors, tax preparation firms, non-federally insured credit unions, and non-SEC registered investment advisors.(16) Congress directed that the Commission and the seven other federal agencies consult and cooperate so that their implementing regulations are consistent and comparable.(17)
On May 12, 2000, the Commission issued its final rule. Rule Concerning Privacy of Consumer Financial Information, 16 C. F. R. Part 313. On the same day, the other federal agencies also issued final rules for the financial institutions that they regulate. Consistent with the direction of Congress, the final rules that the Commission and other federal agencies issued are quite similar, although there are some minor variations that primarily arise from the differences in the financial institutions covered.
The FTC's Rule fleshes out the requirements of the Gramm-Leach-Bliley Act. The Rule imposes extensive and complicated requirements concerning the disclosure of privacy policies and opt-out rights.(18) The Rule includes specific provisions that address how these disclosures must be provided online and how opt-out rights can be exercised online.(19) The Rule also imposes extensive and complicated requirements limiting the transfer of nonpublic personal information to non-affiliated third parties.(20)
Don't worry; I'm not going to go through the details of the requirements that the FTC's Rule imposes. However, I would note that the Commission has extended the deadline for compliance with the Rule until July 1, 2001, because there are likely to be substantial costs for financial institutions - - including those operating online - - associated with modifying their practices to comply with such a broad and intricate rule.(21) These costs are likely to be particularly acute for small businesses with fewer resources and less flexibility in budgeting to address these costs.
As financial institutions begin to make changes to come into compliance with the rules implementing the Gramm-Leach-Bliley Act, I am certain that we will hear from them about their costs of compliance and from consumers as to whether they have been able to obtain the control over their nonpublic personal information that Congress intended. I hope that both businesses and consumers inform us directly and specifically how the Act and the FTC's implementing regulations are actually working, especially because the costs and benefits of these restrictions may change markedly as more of the business of financial institutions is conducted online.
Privacy Report
Just a few weeks ago, a majority of the Commission (by a 3-2 vote) recommended to Congress that it pass legislation that would allow an implementing agency (presumably the FTC) to promulgate privacy requirements for all commercial consumer-oriented Web-sites.(22) Specifically, the majority of the Commission recommended that such Web sites be required to meet government-imposed standards for each of the four so-called "fair information practice principles - - Notice, Choice, Access, and Security. The majority justified its call for government-imposed online privacy standards on the grounds that self-regulation to address online privacy had failed, as demonstrated by the fact that not enough Web sites are providing the extent of privacy protections that the majority believes are necessary. The majority reasoned that government therefore should step in and impose online privacy standards so that consumers will be more willing to make purchases online, which, in turn, should promote the growth of e-commerce.
I dissented from the majority's recommendation for a variety of reasons. Unlike the majority of the Commission, I do not believe that self-regulatory efforts to address privacy online have been inadequate. As a result of self-regulatory efforts, many Web sites currently are providing notice to consumers as to their privacy policies. Specifically, 62% of Web sites in a random sample posted a privacy policy, and 97% of the most popular Web sites posted such a policy. Receiving notice of privacy policies allows consumers to make their own decisions whether to do business with a site. Online businesses certainly have more work to do relating to privacy issues, for example, making their disclosures of privacy policies clear and conspicuous. But, I want to emphasize that in the past two years online businesses have made real and sustained progress on their own in resolving online privacy issues. Even without government intervention, many American consumers already are being given a choice as to how online businesses will use their personal information. In my view, the government should respect the ability of adult consumers to make privacy choices for themselves.
I also was unwilling to recommend that the government impose standards for privacy online because there was no real effort to demonstrate that the benefits of federal regulation of online privacy would exceed its costs. As noted above, the majority relied on the argument that because consumers were unwilling to make online purchases due to privacy concerns, e-commerce would benefit from the imposition of government standards. The FTC, however, never compiled or generated any solid empirical evidence concerning to what extent consumers are not purchasing online because of privacy concerns, much less that they would purchase if the government imposed privacy requirements. I am skeptical that a rigorous empirical analysis would have proven that privacy concerns are causing significant lost online sales. The well-documented extraordinary growth in online sales and the powerful incentive for sellers in a free market economy not to adopt practices that unnecessarily deter buyers from purchasing certainly suggest the "lost sales argument" is a dubious one. But more importantly, if the government is going to assert that federal privacy regulation of e-commerce will benefit for online businesses and consumers, the government should have persuasive evidence to support such an assertion.
Even more troubling than its inability to document the benefits from mandating online privacy requirements, the majority of the Commission made absolutely no effort whatsoever to determine what it would cost online businesses to comply with these requirements. There is no such thing as a free lunch. Before an agency recommends that Congress pass legislation to impose regulatory requirements, it should make a concerted effort to compile and analyze data on the costs of such requirements. This analysis is particularly important with regard to e-commerce because regulatory compliance costs may be high enough to serve as a barrier to entry and many prospective online entrants are small businesses.
Not only did the Commission fail to conduct any real empirical analysis of the costs and benefits of the regulation of e-commerce it was recommending, it also gave no consideration to what extent technology may resolve privacy concerns without any need for government regulation. Just one example -- Microsoft has committed to developing business and consumer tools based on the Platform for Privacy Practices Protocol, otherwise known as P3P. The business tool known as the Privacy Statement Wizard is intended to enhance the ability of Web site operators to present their privacy statements both as human and as machine-readable documents. A related consumer tool, the Privacy Manager Wizard, is intended to enhance consumers' abilities to state their privacy preferences. If Web sites state their privacy practices in machine-readable form, then the personal computers of consumers who have set their privacy preferences can automatically determine whether the consumer would not want to do business with the site because of its privacy practices. This technology provides online businesses and consumers with a very efficient method of determining whether they want to do business with one another. An earlier version of the Privacy Statement Wizard has been on the market for just over a year and has already allowed over 15,000 companies to craft their own online privacy practices by answering a simple questionnaire. Even though such technological advances would appear to hold great promise and should ultimately be an important piece of the privacy puzzle, the Commission gave no consideration at all to such technologies before recommending legislation that would require government mandated privacy policies for all commercial consumer-oriented Web sites.
Lessons Learned
I would like to conclude with a few thoughts as to what we can learn from COPPA, the Gramm-Leach-Bliley Act, and the Commission's Privacy Report:
- There is a very strong political interest in Washington, within the Congress and the FTC to increase the nature and extent of federal regulation of e-commerce, and privacy of consumers has been the vehicle of choice to justify this expansion.
- Perhaps driven by the strong political interest in expanding federal regulation of e-commerce, relatively little hard data is being generated and analyzed as to the actual costs and benefits of privacy regulations. Imposing regulatory requirements without conducting such an inquiry raises the specter of hindering the growth of e-commerce and causing unintended, adverse consequences in the marketplace.
- At the same time that there is a recognition of the tremendous benefit to the economy and society from the Internet and e-commerce, the government has been too reluctant to consider whether technological advances may be an important part of finding solutions to problems online
- Industry CEOs had best step up to lead. They must personally assure Members of Congress that solutions are happening and will continue to evolve and that protecting consumer personal privacy is paramount corporate goal and a critical aspect of the corporate culture.
- Industry leaders must do a better job explaining to consumers the marvelous benefits of their products and services and the world of electronic commerce.
Finally, to summarize the main lesson from each of the FTC e-commerce initiatives that I've discussed:
- COPPA - - "4 Fair Information Privacy Practices Can Happen in the Blink of an Eye"
- Gramm-Leach-Bliley Act - - "It Can Happen to You"
- FTC Privacy Report 2000 - - "You Ain't Seen Nothing Yet!"
Endnotes:
1. My remarks today are my own and do not necessarily reflect the views of the Commission or any other Commissioner.
2. "Personal information" for purposes of COPPA includes name, physical address, e-mail address, telephone number, social security number, a persistent identifier associated with an individual, and other information about the child or his parent when collected online and combined with other identifying information. 15 U.S.C. § 6501(8); 16 C.F. R. § 312.2.
3. 15 U.S.C. §§ 6502(a)(1) and (b)(1)(A)(i).
4. 15 U.S.C. § 6502(b)(1)(A)(ii).
5. 15 U.S.C. §§ 6502(b)(1)(B)(iii) and (D).
6. 15 U.S.C. § 6501(9).
7. 16 C.F.R. § 312.5(b)(2).
8. See, e.g., "New Children's Privacy Rule Poses Obstacles for Some Sites," The Wall Street Journal (April 24, 2000) at B-8 (reporting one attorney's estimate that it will cost her clients between $60,000 and $100,000 annually to meet COPPA standards); "New privacy act spurs Web sites to oust children," William Glanz, The Washington Times (April 20, 2000); "COPPA Lets Steam Out of Thomas," Declan McCullagh, Wired News (May 16, 2000).
9. 15 U.S.C. § 6803(a).
10. "Nonpublic personal information" is "personally identifiable information (1) provided by a consumer to a financial institution, (2) resulting from any transaction with the consumer or any service performed for the consumer, or (3) otherwise obtained by the financial institution." 15 U.S.C. § 6809(4)(A). Simple examples of nonpublic personal information would be the account information of a bank's depositors or account information of borrowers from a bank.
11. 15 U.S.C. § 6803(b).
12. 15 U.S.C. § 6803(a).
13. 15 U.S.C. § 6802(a).
14. 15 U.S.C. § 6802(b).
15. For example, if a non-affiliated third party will market the financial institution's own products, then the institution need only provide notice of its privacy policy, not a right to opt-out of the transfer. Section 502(b)(2) of the Act. Another example is that if the non-affiliated third party is using the information only for certain limited and specified purposes (such as servicing or processing a financial product or service; maintaining or servicing a consumer's account; protecting the confidentiality or security of the institution's records, and complying with the law), then the financial institution need not provide either a notice of its privacy policy or a notice of the option to opt-out. Section 502(e)(1)-(8) of the Act.
16. 15 U.S.C. §§ 6804(a)(1) and 6805(a)(7); see 16 C.F.R. § 313.1(b).
17. 15 U.S.C. § 6804(a)(2).
18. See 16 C.F.R. §§ 313.4- 313.7.
19. See, e.g., 16 C.F.R. §§ 313.7(a)(1)(iii) and 313.10(a)(iii) (online means of offering and exercising option to opt-out of information transfer).
20. 16 C.F.R. §§ 313.10-313.15.
21. 16 C.F.R. § 313.18(a).
22. Federal Trade Commission, "Privacy Online: Fair Information Practices in the Electronic Marketplace - A Report to Congress" (May 22, 2000).