The Privacy & American Business National Conference, Omni Shoreham Hotel
The U.S. Congress created the Federal Trade Commission in 1915 to promote a free market economy. While the FTC shares joint responsibility with the Department of Justice for U.S. competition policy and antitrust law enforcement, we are the principle regulatory force at the federal level to protect U.S. consumers from unfair and deceptive business practices. Although privacy is a relatively new FTC concern, I believe that it will become a critical aspect of our consumer protection responsibilities.
Privacy in the United States is an issue of some interest in Europe, in light of the European Union Privacy Directive and its "adequacy" requirements. I gather that consensus among European privacy officials holds that privacy is not adequately protected in the States. For instance, Professor Colin Bennett has cautioned that:
I do not think the privacy situation in the United States is quite that grim. Individual privacy in the United States is protected through a combination of constitutional guarantees, federal and state statutes, regulations, and voluntary industry codes of conduct which apply to the public and private sectors in different ways.
Today, personal information about an individual is being collected at a rate and to a degree unthinkable even five years ago. Currently, much of an individual's personal information can be legally collected, shared, exchanged, sold, and disseminated without notice to or input by the individual. Self-imposed industry codes of conduct are increasingly being implemented to address these privacy problems. Critics argue, however, that voluntary codes of conduct are unenforceable. In addition, privacy laws that were adequate when enacted may have become obsolete or ineffective with the passage of time. In short, the time has come for us to consider whether the existing arrangement properly balances individual personal privacy values with competing information flow benefits. Although I think it is likely that our system could benefit from a tune-up, I am not an advocate for a major overhaul. In this paper I will first describe the U.S. approach to privacy protection and then discuss some of the privacy initiatives currently underway in the United States.
II. The United States Experience with Privacy Rights
The U. S. Constitution does not explicitly mention a right to privacy. Nevertheless, as early as 1890, Samuel Warren and Justice Louis Brandeis began to write about a fundamental right to privacy or the "right to be left alone."(3) In fact, the U. S. Supreme Court has interpreted the Bill of Rights to create, through its penumbras, "a right of personal privacy, or a guarantee [that] certain areas or zones of privacy [do] exist under the Constitution."(4) Since then, federal courts have upheld this right to privacy with respect to family planning matters, workplace privacy, and drug testing. In addition, a number of state constitutions specifically enumerate the right of citizens to be protected from privacy invasions.(5)
Aside from these Constitutional guarantees, the U.S. legislative approach to privacy issues has been traditionally sectoral; that is, privacy law has been developed by government and by industry with respect to particular data types and users. Certain statutes limit the use of personally identifiable data maintained by the government. Other statutes limit the government's use of personal data maintained by industry. With respect to the private sector, however, no single law or regulation establishes a citizen's right to informational privacy. This sectoral approach to policy-making is a recognition that different commercial activities raise different privacy issues. U.S. law attempts to "tailor" its privacy protections to the unique circumstances of each industry. Equally important, this approach also reflects the U.S. commitment to freedom of expression and its derivative value -- freedom of information.
A. Privacy in Government Records
Historically, U.S. citizens have been most concerned about the government's misuse of personal information. This fear is a product of U.S. history and of democratic principles of individualism and free enterprise. For example, Americans in the nineteenth century were fearful about the government's misuse of data collected by the U.S. Bureau of the Census. As a consequence, federal law mandates that census data may be used by the government for statistical purposes only. Public concern over the unauthorized use of tax information by government resulted in a section of the Tax Reform Act of 1976. The Act was passed due to growing concern that federal agencies other than the Internal Revenue Service would use individual tax information for purposes unrelated to the collection of taxes. The Tax Reform Act specifically protects the confidentiality of tax returns and return-related information and limits the dissemination of individual tax data among federal agencies.(6) The statute gives the Internal Revenue Service primary responsibility for enforcement of this statute, and individuals who disseminate or receive protected information are subject to civil and criminal penalties.
As technology progressed in the twentieth century so did the American public's concern with government accumulation of information about individuals. The increased data collection and networking possibilities of the computer age lead to the Privacy Act of 1974.(7) The Privacy Act regulates the government's creation, collection, use, and dissemination of records which can identify an individual by name or other personal information. The Privacy Act also requires federal agencies to establish mechanisms to ensure the security and confidentiality of citizen records. The Privacy Act not only provides criminal penalties for knowing violations of the Act, it also provides the citizen with a private right of action, including monetary damages and injunctive relief. The Freedom of Information Act of 1967 (FOIA) regulates third party access to government records, including records containing personal information.(8) FOIA attempts to balance personal privacy values with "openness" or transparency values.(9) FOIA attempts to accomplish this balance in a way that prevents unnecessary disclosure of sensitive personal records held by the government.
Taken together, the Privacy Act and the Freedom of Information Act articulate the fundamental principles of privacy protection as it relates to the government:
sensitive data and personal information needs special protection;
the government is obligated to protect its citizens' personal information;
personal information must be processed with sufficient transparency to inform individuals about the use of that data; and,
appropriate oversight and effective enforcement are necessary to ensure the privacy of personal data.
The Privacy Act does have some limitations. Critics have charged, despite the generally laudable goals of the Privacy Act, that the Act's "routine use" exception and the "law enforcement" exception undermine the values of transparency and enhanced protection for sensitive information. Limited remedies may also diminish enforceability. Finally, the Privacy Act applies only to federal government agencies. It does not cover state and local agencies, Congress, or the private sector. The Act also only protects U.S. citizens and aliens with permanent residence. The Privacy Act does not apply to foreigners, unions, collective associations, or corporations. To that end, the U.S. Office of Management and Budget (OMB) is responsible for the Act's implementation and is considering needed policy changes. Substantive changes in the Privacy Act, however, must await Congressional action.
In the United States, individual states also have responsibility and authority for enacting privacy laws. Indeed, a number of states recognize a constitutional right of privacy, while other states have passed privacy enhancing statutes. Again, the state approach has been sectoral rather than omnibus and, protections vary from state to state. The National Association of (State) Attorneys General (NAAG) has recognized the inconsistencies in state privacy laws. NAAG has formed a privacy task force to work closely with the FTC to address this issue.
B. Communications-Related Information Held by the Private Sector
Americans are also concerned about the government's ability to access information held by the private sector, especially personal communications. As a result, under existing law, government agents must present a warrant to access telephone company facilities to conduct wiretaps. Postal employees may review mail content only for the purpose of determining the intended recipient's address. Postal regulations also limit government access to transactional data about postal based communications. For example, in order to record the return addresses of those who send mail to a particular address, a federal agency must provide the post office with a written statement justifying the mail "cover" on the basis of suspected criminal activity.(10)
One area in which U.S. law may be more comprehensive than that of our European counterparts is electronic communications. The Electronic Communications Privacy Act (ECPA) limits the circumstances under which federal and state government may access the contents of transactional data in both real time communications and stored communications.(11) Specifically, the statute prohibits eavesdropping on oral, wire, and electronic communications. ECPA recognizes that communications systems generate information about system users, so-called transactional data. Thus, the government can obtain basic subscriber information, including name, address, toll records, etc., only with a subpoena. The government must have a search warrant or court order upon a showing of specific and articulable facts demonstrating relevance to a criminal investigation, in order to obtain other transactional data such as a list of addresses to which a particular message was sent.
ECPA distinguishes between voice communications, which can only be intercepted with a court order in connection with specified offenses,(12) and electronic communications, which can be intercepted by court order when a felony is being committed.(13) ECPA also protects the storage of voice and electronic communications which occur as an incident of transmission.(14) Under ECPA, it is unlawful for anyone to intentionally access stored electronic or wire communication, without or beyond authorization, in order to obtain, alter, or prevent authorized access to such communication.(15) Electronic communications providers may not voluntarily disclose the contents of a communication maintained or stored on its system.(16) ECPA allows for disclosure of information under certain exceptions: consent of one party; disclosure to service providers as a necessary incident of providing the service; and disclosure to law enforcement concerning inadvertently obtained evidence of a crime.
Private sector use of transactional data is less regulated. Nevertheless, existing law provides some protection against the private use or resale of telecommunications data. In response to Congressional concerns, most online service providers have voluntarily agreed not to distribute personally identifiable subscriber information to non-governmental authorities. There is some indication that this restraint may be eroding in the online service provider community, and of course, these agreements never covered third party collection of click stream data or postings to bulletin board services. In light of technology developments, the National Telecommunications Information Agency (NTIA) at the Department of Commerce has proposed guidelines for the private use of telecommunications information. NTIA is now conducting a follow-up study to determine compliance with these principles and is expected to issue a report on its findings, and to make recommendations for further action (legislative or regulatory) if compliance is inadequate.
C. Privacy of Medical Records
Presently, there is no federal legislation which directly protects the privacy of medical records. Most observers agree that traditional doctor/patient confidentiality concepts will not adequately protect health related data in the information age. Increasingly, medical care is provided in a networked environment, and information is readily available -- oftentimes appropriately -- to a large number of health care professionals.(17) Secondly, doctor/patient confidentiality does not protect medical product purchase data or information provided by patients to third parties. Finally, the pharmaceutical industry relies heavily on medical data to evaluate drug efficacy and to promote new product development. Schools, justice systems, employers and the media have access to individual medical information.
As a result, a number of private organizations in the health care industry have promulgated model health information codes that apply beyond physicians. Large physician networks, for example, have established security policies and provided for audits to ensure confidentiality. At the behest of the FTC, the Medical Information Bureau (MIB), which collects medical and other consumer information on 15 million Americans for life and disability insurance companies, voluntarily agreed to provide free copies of reports to consumers who are denied insurance coverage on the basis of an MIB report. On the regulatory front, members of Congress have introduced and gained considerable support for legislation to protect personally identifiable medical information without limiting legitimate access to aggregate data.(18) The Clinton Administration has endorsed a medical privacy bill although it appears unlikely to come up for a vote before the elections. Meanwhile, a number of states, including Massachusetts and Wisconsin, have adopted medical records privacy acts. A number of model codes and model statutes have also been promulgated.
D. Privacy in the Marketplace
The Right to Financial Privacy Act limits government access to bank records.(19) However, financial records generated in the course of a banking relationship belong to the bank, and banks are not statutorily restrained from reselling the information. Although individual banks have policies with respect to data collection and distribution to non-government buyers, no industry-wide privacy codes are currently in place. For the moment, the privacy practices of commercial banks seem to be constrained by high consumer sensitivity about disclosure of financial records and the degree of competition that exists in the banking industry at the branch level. From an FTC consumer protection perspective, it is important to note that we are not receiving complaints about inappropriate disclosure of bank records at this time.
With respect to credit information, the Fair Credit Reporting Act regulates the use of credit information by credit reporting agencies.(20)Congress enacted the FCRA in 1970, and delegated primary enforcement responsibility to the FTC. The Fair Credit Reporting Act requires consumer reporting agencies to adopt strict procedures for providing information to credit grantors, insurers, employers and others. The Act permits credit bureaus to report only information that is timely and accurate. Credit bureaus may only disclose such information for a permissible purpose relating to credit, insurance, employment, and other transactions that consumers enter into primarily for personal, household, or family purposes. The Act also gives consumers certain notice, disclosure and due process protections. The FCRA limits government access to name, address and employment information from credit reports without a court order. The FCRA is an important piece of privacy protection and has been shown to work well. It may, however, no longer make sense to limit its applicability to credit bureaus in this highly networked age.
Widespread use and availability of computer generated records have increased concern about use of consumer information for profiling and marketing purposes. For example, the Video Privacy Protection Act limits the circumstances under which disclosure of consumer video rental information may be made to the government and to the private sector.(21) The Cable Communications Policy Act(22)requires the government to possess a court order to access cable records. Cable companies may distribute these records to third parties if they have notified consumers of their intention to do so, and consumers are permitted to prohibit its proposed re-use.
E. Policy Initiatives at Work
Remember the New Yorker cartoon to the effect that nobody could tell whether you were a dog -- or a lawyer -- on the Internet? That is no longer one of the Net's virtues. The risks and benefits inherent in the new world of online commercial transactions have been the subject of much public debate. Increased use of the Global Information Infrastructure (GII) for commercial transactions will generate vast quantities of data that can be easily and cheaply stored, analyzed, and reused. This transactional data trail poses an incredible risk to personal privacy.
In June of last year, the Clinton Administration's National Information Infrastructure Task Force (NIITF) Privacy Working Group issued an important document entitled "Privacy and the National Information Infrastructure: Principles For Providing and Using Personal Information."(23) The NIITF Privacy Principles identify three fundamental values that must govern the way in which personal information is acquired, disclosed and used on the Internet -- information privacy, information integrity, and information quality. First, an individual's reasonable expectation of privacy regarding access to and use of his or her personal information should be assured. Second, personal information should not be improperly altered or destroyed. Lastly, personal information should be accurate, timely, complete, and relevant for the purposes for which it is provided and used. Those who gather and use personal information should recognize and respect the privacy interest that individuals have in personal information by assessing the impact on privacy in deciding whether to obtain or use personal information by obtaining and keeping only information that could be reasonably expected to support current or planned activities, and by using the information only for those or compatible principles.
The Principles further state that individuals need to be able to make an informed decision about providing personal information. Therefore, businesses that collect information should disclose the following information: (1) the reasons for the collection of the information; (2) what they expect to use the information for; (3) what steps will be taken to protect its confidentiality, quality and integrity of information collected; (4) the consequences of providing or withholding information; and (5) any rights of redress that are available to individuals for wrongful or inaccurate disclosure of personal information.
Finally, the Principles state that businesses that gather personal information should take reasonable steps to prevent improper disclosure or alteration of information collected, and should enable individuals to limit the use of their personal information if the intended use is incompatible with the notice provided by collectors. Information gatherers should educate themselves, their employees, and the public about how personal information is obtained, sent, stored, processed, and protected, and how these activities affect individuals and society. The NIITF Working Group that issued the Privacy Principles last year acknowledged that the Principles are extremely general and cannot apply uniformly to all sectors. Rather, the Principles are intended to provide the framework from which more detailed guidelines can be tailored to specific circumstances.
Responding to the Working Group's challenge, we at the FTC undertook what's come to be known as the Bureau of Consumer Protection's "Consumer Privacy Initiative." The Bureau is currently engaged in a dialogue with industry and consumers to develop more robust and specific guidelines for the use of personal information generated by online commercial transactions. The goals of the Consumer Privacy Initiative are to foster development of a competitive marketplace for privacy protection, assess the effectiveness of a market-driven privacy system, to participate in the policy-creation dialogue, and to enact regulation or recommend legislation if and when such government acts become necessary.
I approach this issue with three working assumptions. First, government should step in to regulate only when there has been an identifiable market failure or where an important public policy goal cannot be achieved without government intervention. Second, the pace of change in the information industry is unprecedented. Government regulation, on the other hand, moves very slowly, and the predictive skills of government agencies are notoriously limited. As a result, regulatory and legislative solutions to consumer protection issues are unlikely to be either timely or sufficiently flexible with respect to the digital world at this juncture. Third, I believe that the electronic medium itself offers new opportunities for consumer education and empowerment, which, in turn increases the likelihood that self-regulatory regimes can be effective. These assumptions lead me to the conclusion that the government ought to move cautiously in the electronic arena. The government's primary focus at this point should be to support the growth of self-regulatory efforts and online education for the public. Internet commerce won't really take off until consumer confidence in the system is established. Hence, it makes business sense for industry to invest in self-regulation and consumer education.
As part of this Privacy Initiative, the FTC held a two-day workshop in June of 1996 to provide industry, privacy advocates and consumer groups a forum to express their ideas for self-regulation and the use of technology to ensure consumer choice. The workshop began by gathering the facts. Both in a collective sense and on an industry-specific level, the workshop discussed how online businesses were currently using personal information and what the intentions of those industries were for its use. The FTC was apprised of many industry promulgated codes of conduct and standards, including new codes such as the anti-spamming policies issued jointly by the Direct Marketing Association and the Interactive Services Association. We also discussed existing codes that are now being revised to comply with the NIITF Privacy Principles. We examined the familiar fair information practices in offline settings and asked how these principles would be different in the online medium. Two important areas were explored: the use of medical and financial information online. Inevitably, the privacy workshop also discussed international implications of U.S. regulations or industry standards, including the impact of the European Commission's Council Directive on the Protection of Personal Data. What does the EU Privacy Directive require of U.S. businesses? Can industry satisfy the EU's Privacy Directive's "adequacy" requirement through the use of voluntary privacy regimes?
Next, the workshop focused on policy-making. A key issue was what choices should a consumer have about how personal information is used and in what ways can the security and accuracy of personal information be assured online? A second issue involves an acknowledgment that there are costs to privacy. We are all familiar with the old opt-in versus opt-out debate: should we as a society permit businesses to use personal information unless and until the individual affirmatively "opts-out" or should we require businesses to receive an individual's permission prior to gathering her personal information, in other words, the individual must "opt-in." The essence of this debate is who should bear the burden of protecting individual privacy online: should the burden of privacy protection be placed on industry or on the individual? At least with respect to the online world, it's time to think outside of this box.
What emerged from the FTC workshop were repeated themes relating to "notice and choice," the two E's (education and empowerment), and emerging self-help mechanisms soon to be available to the consumer. Panel members, including industry representatives and privacy advocates seemed to converge on these three privacy principles, at least, for this stage of the Internet revolution. While industry representatives urged a 'wait and see' approach by the federal government on Internet regulation, privacy advocates were more cautious about the notion of industry self-regulation without legal remedies.
The workshop also introduced existing and emerging privacy technologies that would empower the consumer online. At our hearings, software developers demonstrated some highly innovative technologies, including the Platform for Internet Content Selection (PICS) technology. PICS technology would enable the consumer to define for herself the privacy level she desires based on Web content, transaction type, services rendered in return for relinquishing personal information, and the uses to which that information would be applied. For these technological solutions to be effective, consumers and industry must be aware of their respective rights and responsibilities with regard to the use of personal information in online transactions. The FTC also felt it was important to study the various methods in Cyberspace which can provide effective "point of purchase" consumer education, the point in time at which consumers are likely to be most receptive to retaining privacy information. I am extremely optimistic that these strategies will enhance consumer privacy without the need for bureaucratic intervention.
The following day, we focused on the collection of data from children online. The panel started with a factual finding of what information is currently collected about children online and how it is being used. We then moved to a discussion about whether limits should be placed on online collection and use of personal information about children. This is a pretty hot topic in Washington these days. The FTC recently received a petition from the Center for Media Education calling for an investigation of electronic advertising aimed at children and the collection of data from and about children online. It is clear that there is a need for government, industry, and the public to reach some consensus about the legitimacy of consumer "choice" when the consumer is a child. FTC staff are now preparing a report on the workshop, and I would like to hold follow-up hearings at the end of this year or early next year. The direct marketing and advertising industries in the U.S. have been tremendously cooperative in this area and appear to be genuinely committed to developing and implementing self-regulatory codes. To the extent that this commitment is carried out, I believe it's premature to regulate the just emerging world of online commerce.
I would like to now turn to what this all means for privacy in the United States. As we have seen, the government and the private sector have become more active with respect to privacy in recent years. Congress is debating several statutory solutions to problems associated with medical information, the collection of data from and about children, communications privacy, and consumer privacy issues arising, or expected to arise, in connection with electronic commerce. At the FTC privacy workshop, several companies demonstrated impressive technology that consumers can, or will soon be able to, use to protect personal information online. Likewise, trade associations representing the advertising, marketing, and online services industries announced new or revised privacy codes and consumer education programs for the information age. Similarly, NTIA recently issued a White Paper on telecommunications privacy, and is now meeting with telecommunications providers to determine if they are adhering to the privacy principles outlined in the report. Why are such initiatives under way now? There are a number of explanations for this phenomenon. First, the GII has made it easier to collect, analyze, and distribute data. At the same time, government and consumers are not only becoming more technologically savvy but are also more aware of the data-gathering capabilities of electronic media. As a consequence, greater government and consumer demand for privacy enhancing products and policies has emerged. This can be viewed as an example of the free market in operation.
Government could facilitate the development of a privacy market in three distinct ways. First, the government should get its own house in order by ensuring that government data collection remains consistent with the NIITF Privacy Principles in the face of changing technology. The Office of Management and Budget (OMB) is responsible for enforcing the Privacy Act, for example, and might profitably review that statute along with federal agency adherence to it in light of the NIITF Privacy Principles. OMB could report its findings and recommend legislation, regulation or executive orders to solve any problems it discovers. This kind of review could provide a model for the private sector to undertake similar audits.
Second, government could play an important role in consumer and business education and, to some extent, this is already happening. The government could use agencies with responsibility for privacy as "bully pulpits" to raise consumer and business awareness of the issue. Consumer education is likely to raise demand for informational privacy protection to its optimal level. Business education is necessary to introduce technology entrepreneurs to consumer protection theory, which in turn could help industry anticipate the privacy implications of a new product. The expense associated with consumer and business education would be minimized if the industries that will benefit most directly from increased consumer confidence in the GII were to accept some responsibility for this program.
Third, government could enhance self-regulation by exploring enforcement deficiencies with industry. This would address the most often-heard complaint about self-regulation: that industry codes of conduct are praiseworthy but unenforceable. Industry representatives often respond that competition law in the United States limits their enforcement efforts. More work is needed to understand whether, and how, other values, including competition, undermine enforcement activities. Government and industry might then work together to resolve any such conflicts pro-competitively.
One of the conclusions we can draw from the excellent response among industry and privacy advocates to the privacy workshop is that consumer privacy online is very much on everyone's mind. It is highly possible that in the online world, privacy may become a market commodity, given adequate levels of government initiatives and public education. As the number of transactions and services increase on the GII, consumer demand for privacy protections could continue to rise and a robust, competitive marketplace for privacy protections may very well develop. Under this scenario, the market itself could serve the same function as a privacy entity.
1. United States Federal Trade Commission. The views expressed are those of the Commissioner and do not necessarily reflect the views of the Federal Trade Commission or any other individual Commissioner or staff.
2. Colin J. Bennett, A Standard for Privacy on the Global Information Infrastructure?, in The Sixth Conference on Computers, Freedom and Privacy, March 27-30, 1996, at 83.
3. Samuel Warren and Louis Brandeis, The Right to Privacy, 4 Harvard Law Review 193 (1890).
4. Roe v. Wade, 410 U.S. 113, 152, 93 S.Ct. 705, 726 (1973); see also Griswold v. Connecticut, 381 U.S. 479, 85 S.Ct. 1678 (1965).
5. See, e.g., Cal. Const., art. I, § 1; Ariz. Const., art. II, § 8; Ill. Const., art. I, § 6.
6. Tax Reform Act of 1967, 26 U.S.C. § 6103 (1989 & Supp. 1996).
7. 5 U.S.C. § 552a (1996).
8. 5 U.S.C. § 552 (1996).
9. For a more extensive discussion of the competing interests of maintaining the privacy of personal information and a necessary public openness of personal information see Colin J. Bennett, Regulating Privacy - Data Protection and Public Policy in Europe and the United States, 101- 106 (1992).
10. 39 U.S.C. § 3623(d).
11. Electronic Communications Privacy Act of 1986, 18 U.S.C. §2510 - 2522, § 2701 (1996), as amended by Act of October 25, 1994.
12. 18 U.S.C. § 2516(1) (1996).
13. 18 U.S.C. § 2516(3) (1996).
14. 18 U.S.C. § 2701 (1996).
16. 18 U.S.C. § 2711(2) (1996).
17. Quebec's experiment with "smart cards" (cards with computer chip memory which can store identification, financial, insurance, and medical information) demonstrate the benefits of the free flow of medical records among health care providers. Smart cards are being used in limited circumstances in the United States. See Smart Cards Change the Way We Do Business, Government & Education, U.S. WEST Publication (1995) or visit http://www.w3.uswest.com/GV/articles/smart2.htm; see also Richard Mitchell, The Public Awaits the Debut of Smart Cards, Credit Card Management, Feb. 1996, at 59-60.
18. Several bills are currently pending in the Senate and the House relating to the confidentiality of personal medical records. See, e.g., S. 1360, 104th Cong., 1st Sess. (1995) (Medical Records Confidentiality Act of 1995); H.R. 435, 104th Cong., 1st Sess. (1995) (Fair Health Information Practices Act of 1995). For a list of other Congressional bills currently pending see the attached Appendix of Current and Pending Legislation on Privacy Rights and Technology.
19. Right to Financial Privacy Act of 1978, 12 U.S.C. § 3401 - 34 (1996).
20. Fair Credit Reporting Act of 1970, 15 U.S.C. § 1681 et seq. (1996).
21. Video Privacy Protection Act of 1988, 18 U.S.C. § 2710 (1996).
22. Cable Communications Policy Act of 1984, 47 U.S.C. § 551 ( 1996).
23. Visit http://www.iitf.nist.gov/ipc/ipc-pubs/niiprivprin_final.html (June 6, 1995).