The U.S. House of Representatives, Subcommittee on Telecommunications, Trade, and Consumer Protection
Mr. Chairman and members of the Subcommittee on Telecommunications, Trade, and Consumer Protection, I am delighted to be here this morning, and I appreciate your holding this hearing today to address a topic of extreme importance to the American people.
As the Commission's report states, only 10% of well-traveled Internet sites in a recent survey have privacy disclosures that cover all four substantive fair information practice principles of notice, consent, access, and security.(1) Even among the top 100 most frequently visited Internet sites, only some 20% have privacy disclosures addressing these four principles.(2) This chart illustrates the substantial gap that exists between the online collection of personal information, in which 93-99% of the surveyed companies engage, and the opportunity of consumers to transact their online business under fair information principles.
Some industry leaders have undertaken significant efforts to protect online privacy. To name a few, they are Disney Online, IBM, Microsoft, AT&T, Eastman Kodak, Dell Computer, Fox Broadcasting, the Boston Globe, the San Francisco Chronicle, the Wall Street Journal, CyberBills, Educational Communications, Inc., and Worldtravelcenter.com. In addition, the seal programs show promise. But some companies have made a business out of collecting, buying, and selling individually identifiable information online.
I was shocked to discover, shortly after I joined the Commission, that at least one of the several "information brokers" operating in the marketplace had my name and my husband's name, our address, the value of our house, our social security numbers, the years in which they were issued, our mothers' maiden names, the address where we lived before coming to Washington in 1978, our two daughters' names, their husbands' names, their social security numbers, every address where they had lived, and even our 3-year-old grandchild's name and social security number. I might add that there were several mistakes in that report on me.
We in the government, and especially those of us who have experienced a confirmation process or you who have stood for election, know what it is to have our private lives laid bare. But most Americans do not, nor do they want to.
The studies of which I am aware consistently show a high level of concern about online privacy. For example, a study just released by Harvard, MIT, AT&T Labs, and the University of California-Irvine in April found that 87% of Internet users were concerned about personal privacy threats.(3) One year ago these online privacy concerns were held by 81% of Internet users.(4) So, over the years public concern has increased, not decreased, as shown plainly by this chart.(5)
I respectfully disagree with my colleagues in that I believe that the time is ripe for Congress to enact federal legislation to protect online consumer privacy, at least to the extent of providing minimum federal standards. As a whole, industry progress has been far too slow since the Commission first began encouraging the adoption of voluntary fair information practices in 1996.(6) Notice, while an essential step, is not enough if the privacy practices themselves are toothless. I do believe that Congress is the appropriate place for the debate on the online protection of consumer privacy, and I note that several bipartisan online privacy bills are pending in both the House and the Senate, including at least one by members of this Committee. These bills can serve as starting points to craft balanced privacy legislation.
I am concerned that, without widespread implementation of fair information practices on commercial Web sites and absent effective privacy protections, several results are inevitable.
First, the dissatisfaction of the American people will grow, as it has in the past, in both pitch and intensity.
Second, a patchwork of state laws to protect online privacy will emerge. Several states, for example, California, Connecticut, Delaware, Washington, and Maine, have moved in that direction.(7) Consider the confusing environment that could result for consumers, online marketers, and the courts under such a legal patchwork.(8)
Third, consumer confidence will be undermined, which will hinder the advancement of electronic commerce and trade. Some types of personal information, such as health and financial information, will require heightened privacy protections. Without the widescale adoption of fair information practices, however, not even an across-the-board minimum standard of protection exists.
Let me conclude by saying that I am troubled by the results of the Georgetown surveys that show much less progress than I had hoped. I am pleased to say that the Commission will continue its involvement in the privacy arena, and our report sets out a number of initiatives for the coming year.
Thank you for the opportunity to share my views.
1. Federal Trade Commission, Self-Regulation and Privacy Online: A Report to Congress, 7 n.10. (July 1999) [hereinafter Report].
2. Report at 7 n.42; see FIPs Compliance Gap, chart infra.
3. Lorrie Faith Cranor et al., Beyond Concern: Understanding Net Users' Attitudes About Online Privacy, Research Technical Report, TR 99.4.3 (Apr. 14, 1999), available at AT&T Labs, Beyond Concern: Understanding Net Users' Attitudes About Online Privacy 3, 5-6 (visited June 22, 1999) <http://www.research.att.com/library/trs/TRs/99/99.4/99.4.3/report.htm [hereinafter AT&T Labs].
4. See id., available at AT&T Labs, supra note 3, at 4.
5. See Growing Public Concern, chart infra; Cranor, supra note 3, available at AT&T Labs, supra note 3, at 5-6 (1999 figure); Louis Harris & Associates, Privacy & American Business, summarized in Privacy Exchange, Consumers & Credit Reporting 1994 (visited July 6, 1999) <http://www.privacyexchange.org/iss/surveys/con_cre.html> at 1 n.1 (1993 figure); Louis Harris & Associates, The Road After 1984, summarized in Equifax, Equifax Executive Summary 1990 (visited July 6, 1999) <http://www.privacyexchange.org/iss/surveys/eqfx.execsum.1990.html> at 1 (1983 figure); Louis Harris & Associates, Dimensions of Privacy, summarized in Equifax, Equifax Executive Summary 1990, supra, at 1 (1978 figure).
6. See Federal Trade Commission, Public Workshop on Consumer Privacy on the Global Information Infrastructure, Staff Rept. (Dec. 1996); see also Federal Trade Commission Letter to Senator John McCain 6 n.2 (July 31, 1997); Ronald H. Brown, U.S. Department of Commerce, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information pt. III.A-B(Oct. 1995), available at National Telecommunications and Information Administration, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information (visited June 23, 1999) <http://www.ntia.doc.gov/ntiahome/privwhitepaper.html> at 13-16.
7. See, e.g., Conn. H. B. 6895, File No. 608, as amended by House Amendment Schedule A (reissued and approved by Legislative Commissioner on May 7, 1999) (passing law to prohibit state from requiring social security numbers of voter registrars); Cal. S.B. 417, Supermarket Club Card Disclosure Act of 1999 (heard June 15, 1999 by Assembly Committee on Consumer Protection, Governmental Efficiency & Economic Development); Del. H.B. 100 (House concurred in Senate amendments with additional amendments and forwarded bill to Senate for concurrence on June 17, 1999) (making videography or photography where reasonable expectation of privacy exists a felony); Wash. H.B. 2220 (to House Committee on Criminal Justice and Corrections on Feb. 22, 1999), amending ch. 9.73 RCW (making visual surveillance where reasonable expectation of privacy exists a misdemeanor); see also Thomas Shapley, A Move to Ban Videos that Invade Privacy, Seattle Post-Intelligencer, Mar. 2, 1999, available at Seattle Post-Intelligencer, Seattle PI-Plus (visited June 24, 1999) <http://www.seattle-pi.com/local/peep02.shtml>; Maine S.P. 93 - L.D. 232 - P.L. 17 (interim enactment on Mar. 19, 1999), amending § 1 20-A MRSA § 6001, as amended by P.L. 1989, c. 911 § 1.
8. The point about courts goes to establishing a uniform legal standard of a "legitimate expectation of privacy." Smith v. Maryland, 442 U.S. 735, 735 (1979).