Survey Finds Only 20% of the Busiest Commercial Sites Implement All Four Fair Information Practice Principles; Legislation Needed to Extend Progress of Self-Regulation
Self-regulation alone has not adequately protected consumer online privacy, and as a result, legislation is now needed to supplement self-regulatory efforts and guarantee basic consumer protections, according to Privacy Online: Fair Information Practices in the Electronic Marketplace, a Federal Trade Commission report to Congress issued today. In the report, the third in a series of Commission reports on the effectiveness of self-regulation in protecting consumer privacy on the Internet, the Commission concludes that while self-regulatory efforts have achieved some real progress, the lack of broad-based implementation of such consumer protections online requires legislative action in order to fully protect consumers' personal information and build public confidence in electronic commerce.
"While the Commission applauds the efforts by the private sector to address the issue of online privacy," said Chairman Robert Pitofsky, "the survey results show that such efforts have not been enough. As this year's survey makes clear, the number of web sites meeting basic standards of privacy protection is far too low, endangering consumer confidence in this fast-growing, pro-consumer marketplace."
The Report recommends that Congress enact legislation to ensure a minimum level of privacy protection for online consumers, establishing "basic standards of practice for the collection of information online." This legislation would require consumer-oriented commercial Web sites "that collect personal identifying information from or about consumers online" to "comply with the four widely-accepted fair information practices: "Notice, Choice, Access and Security."
The recommendations to Congress are supported by the findings of the FTC's 2000 Survey of the most-visited sites on the Internet. The Commission's survey was based on two target groups: a random sample of all Web sites with at least 39,000 unique monthly visitors; and the 100 most popular U.S. commercial Web sites. The results showed that only 20 percent of the random sample sites were found to have implemented all four fair information practices. And among the most popular group, only 42 percent did so. Even when the report looked at the percentage of sites implementing the two critical practices of Notice and Choice, only 41 percent of the random sample and 60 percent of the most popular sites provided such privacy disclosures.
The Report praises industry efforts to date, but points to survey results showing that the adoption of the industry's self-regulatory enforcement initiatives - online privacy seal programs - have yet to establish a significant presence on the Web. According to the report, "the Survey found that less than one-tenth, or approximately 8%, of sites in the Random Sample, and 45% of sites in the Most Popular Group, display a privacy seal." The Report concludes that self-regulatory efforts alone "cannot ensure that the online marketplace as a whole will emulate the standards adopted by industry leaders," but states that industry initiatives should continue to play an important role within any statutory structure, and "widely-adopted seal programs could be an important component of that effort."
The Commission concluded that proposed legislation, in conjunction with self-regulation, will allow electronic commerce to reach its full potential and allow consumers to gain "the confidence they need in order to participate fully in the electronic marketplace."
The Commission vote to release the report was 3-2, with Commissioner Orson Swindle dissenting, and Commissioner Thomas B. Leary concurring in part and dissenting in part.
Commissioner Swindle called the majority's recommendation "an unwarranted reversal of its earlier acceptance of a self-regulatory approach" despite what he described as "continued, significant progress" in self-regulation. In a 27-page dissent, he warned that "[t]he Privacy Report stands as the majority's 'justification' for [its] recommendation to legislate privacy -- a dramatic reversal in position for the Commission and a mandate for the commercial online world to comply with the government's interpretation of all four fair information practice principles. Yet the Report is extremely flawed in its presentation of fact, its analytical logic, and its conclusions. This is no way to create good law." He urged that "[l]egislation should be reserved for problems that the market cannot fix on its own and should not be adopted without consideration of the problems legislation may create by, for example, imposing costs or other unintended consequences that could severely stifle the thriving New Economy."
"Most disturbing," Swindle continued, "the Privacy Report is devoid of any consideration of the costs of legislation in comparison to the asserted benefits of enhancing consumer confidence and allowing electronic commerce to reach its full potential. Instead, it relies on skewed descriptions of the results of the Commission's 2000 Survey and studies showing consumer concern about privacy as the basis for a remarkably broad legislative recommendation. It does not consider whether legislation will address consumer confidence problems and why legislation is preferable to alternative approaches that rely on market forces, industry efforts, and enforcement of existing laws."
He concluded that "[t]he current recommendation . . . defies not just logic but also fundamental principles of governance. In recognition of some of the complexities of regulating privacy -- particularly Access and Security -- the Commission asks Congress to require all commercial consumer-oriented Web sites to comply with extensive, yet vaguely phrased, privacy requirements and to give the Commission (or some other agency) a blank check to resolve the difficult policy issues later. This would constitute a troubling devolution of power from our elected officials to unelected bureaucrats."
Commissioner Leary concurred with the majority that the Survey suggests that "some legislation is appropriate," but he believed "that the recommendation in the Report endorsed by a majority is too broad in one respect and too narrow in another. The recommendation is too broad because it suggests the need for across-the-board substantive standards when, in most cases, clear and conspicuous notice alone should be sufficient. The recommendation is too narrow because any legislation should apply to offline commerce as well."
He added that "vendors and their customers would both benefit from a legislative initiative to require disclosures of greater clarity and comparability." However, "[t]he Report does not explain why an adequately informed body of consumers cannot discipline the marketplace to provide an appropriate mix of substantive privacy provisions." Moreover, a "focus only on online privacy issues could ultimately have a detrimental impact on the growth of online commerce" because "[o]nline companies will be placed at a competitive disadvantage relative to their offline counterparts."
Chairman Pitofsky and Commissioners Sheila F. Anthony and Mozelle W. Thompson issued separate public comments which are not part of the Report.
Copies of "Privacy Online: Fair Information Practices in the Electronic Marketplace" are available at the FTC's web site at http://www.ftc.gov and also from the FTC's Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580; 877-FTC-HELP (877-382-4357); TDD for the hearing impaired 1-866-653-4261. To find out the latest news as it is announced, call the FTC NewsPhone recording at 202-326-2710.
(FTC File No. P004806)
Office of Public Affairs
Bureau of Consumer Protection