An FTC Commissioner Looks at Internet Privacy

It is a pleasure to be with you this morning. As is the custom when a FTC Commissioner speaks, I must tell you that I speak only for myself and not the Commission. I would like to discuss for a few minutes this morning the status of industry self regulation of privacy on the Internet; the FTC's role in bringing law enforcement cases; and the children's privacy rule we issued last month. I hope to leave the balance of my time for questions and answers.

The Status of Self Regulation

I believe that protecting personal privacy of consumers is important enough that it ought to be an integral part of the corporate mentality, a corporate goal and on the minds of all business executives. Consumers are concerned. Businesses ought to be concerned. Consumer privacy is important. A failure on the part of businesses to ensure consumer protection in personal privacy will dampen the growth of electronic commerce and result in the loss of customers. In other words, establishing adequate privacy protection for consumers is good for business.

The question is, "How do we get there from here?"

The future of commerce and opportunity for entrepreneurs and consumers on the Internet looks promising, but there are problems with which industry and regulators must deal. Privacy of personal information, especially financial and medical information, is a key public policy issue.

Unless business continues to act to protect consumer privacy, there will surely be regulatory action by government, not to mention consumer rejection. In my opinion, excessive and unnecessary government regulation will disrupt the development of electronic commerce and place onerous and untenable burdens on businesses, especially small businesses.

The better course of action would be for an informed consumer public to demand respect for its privacy and a responsive business community to make sure that it satisfies this demand.

There is another line of thought that would strongly suggest that government needs to step in right now and legislate privacy practices through Internet regulation. For those who advocate regulating the Internet, I ask, "how would we do it?" The devil is in the details. Recent data suggests there are now approximately four million commercial Web Sites, and they are increasing at over 275,000 a month. (1) Imagine a government agency trying to regulate or control something so dynamic. This is a formula for bureaucracy building, government intrusion and a stifling of economic growth -- in other words, many potential unintended negative consequences.

Absent government barging in, a "consumer and private sector-driven" solution will likely evolve based upon the cornerstone of all successful businesses: the customer is always right. Satisfying customers with competitively priced, quality products and services, and operating in a manner that builds consumer confidence is simply responding to market forces. If consumers demand respect for their privacy, good and successful businesses will meet those demands -- and, I think consumers are insisting that this happen.

I applaud the way many in the business world are encouraging privacy self-regulation through their relationships with advertising partners. The Internet has created astounding new revenue streams, and advertising is no exception. A recent survey of approximately 300 Web sites indicates that advertising expenditures for this small subgroup exceeded $360 million in the first quarter of 1999 alone.(2) Such large sources of new revenue can serve as a very effective carrot in encouraging Web sites to provide privacy protections, which can only serve to increase consumer confidence. Corporate leaders like IBM, Microsoft, Disney, Intel, Procter and Gamble, Novell, and Compaq have voluntarily committed to requiring their advertising partners to post high-quality privacy policies in order to receive advertising monies.

In addition, Disney has taken its commitment to consumer privacy a step further by refusing to accept advertising dollars from companies whose Web sites do not post adequate privacy policies. To get a picture of the kind of money that is at stake, a company such as IBM spends approximately $60 million a year on Internet advertising in the United States, and currently advertises on almost 400 Web sites. Disney, on the other hand, either advertises on, or receives advertisements from, almost 1400 sites. These numbers support the notion that this type of advertising leadership is an effective market-based tool in regulating appropriate privacy practices on the Internet - without rigid government intervention.

Last month I sent a letter to the Online Privacy Alliance, Net Coalition.com, the Direct Marketing Association and the Software & Information Industry Association that said in part:

"... almost three months have passed since the FTC reported to Congress that legislation to regulate online privacy was not necessary this year. Industry is to be congratulated for the significant self-regulatory progress that has been made, but as I testified, industry should continue to lead the way if it wants to have the freedom to adopt privacy policies in response to market incentives and not government regulation. It was clear three months ago that imposing additional laws and regulations on the Internet could produce negative results. The critical question was, and remains, "How do we protect consumers and, at the same time, make it possible for the vast potential of the Internet to develop?" As we approach the upcoming Holiday shopping season, when by some estimates consumers will spend three times as much online as they did last year, I encourage industry to wage an aggressive campaign to raise awareness about the need for good online privacy policies among consumers and businesses that sell consumer products on the Internet."

I understand that the Chairman of the Senate Commerce Committee, Senator John McCain, has just sent his own letter to BBBOnline, TRUSTe, OPA and DMA urging the business community to demonstrate their commitment to protecting online privacy as consumers gear up to shop online during the holiday shopping season. Senator McCain wrote of the need for businesses to continue to increase the number and quality of privacy policies posted and expressed his concern about recent news reports of alleged violations of acceptable norms in protecting consumer privacy.

Responses to My Letter

I am pleased to say that all to whom I wrote have given me an update on their activities. Industry associations are redoubling their efforts to ensure member companies have robust online privacy policies as the holiday shopping season nears. I understand that consumers will see aggressive paid and earned media campaigns about what to look for in a good online privacy policy and practices.

Today, NetCoalition.com today announced a "Consumer Privacy Education Campaign" designed to empower Internet users with practical information about online privacy. NetCoalition.com is comprised of members whose primary business is purely Internet-based including America Online, Yahoo!, theglobe.com, Lycos , Inktomi , Excite@Home, eBay, DoubleClick,, and Amazon.com. The campaign will include tens of millions of impressions with banner ads on America Online, Yahoo!, Excite@Home, Lycos and theglobe.com and the DoubleClick network. It will also include site promotions on eBay, privacy messages in e-mail confirmations from eBay and Amazon and a site promotion on Inktomi.

The campaign will ask four questions: (1) "How can I protect my online privacy?" (2) "How can I find out about an organization's privacy policy?" (3) "What makes a good privacy policy?" and (4) "Where do I go for additional information?" The campaign will provide common sense tips on subjects like: taking responsibility, knowing where to look, reading privacy policies, not giving out your password, deciding how much information you want to disclose, and how a good privacy policy ought to be easily accessible and understood. More than ninety percent of the world's Internet users visit one or more of Netcoaltion's member sites each month so the reach will be broad. I congratulate NetCoalition for today's announcement. You can click on www.NetCoalition.com for more information.

>The Software & Information Industry Association (SIIA) is undertaking three key initiatives. First, SIIA is reaching out to its member companies that do not have privacy policies.  Member company web sites have been surveyed, and those sites that do not have policies will receive a copy of the SIIA Privacy seminar workbook, a checklist to create a privacy policy, links to online resources and a response card to allow SIIA to update its records.   Second, SIIA is partnering with the various seal programs to expand its privacy seminar.  To date, the privacy seminar -- which teaches companies how to write a privacy policy from conception to implementation -- has been offered in more than a dozen cities around the U.S. and Europe.  To expand the reach of the seminars and to help companies working with seal programs, SIIA will be holding the seminar in several other cities (tentatively 20 are envisioned) over the next year.  Finally, SIIA continues to work with its member companies to encourage them to visit leading policymakers to update them on individual company initiatives on privacy efforts. 

The Online Privacy Alliance (OPA) continues to play a leading role serving as an industry-coordinator and a general information resource. The OPA has taken significant strides towards alerting consumers and businesses about the value of privacy protection, as well as how to provide substantive protective measures. Besides defining the properties associated with high-quality policies, the OPA stresses a lesser-known and often-neglected feature of the commonly accepted Fair Information Practices: third-party enforcement mechanisms and the various privacy seal programs.

The Direct Marketing Association (DMA) briefed me on a number of its important new privacy initiatives. The DMA Privacy Promise has been successfully launched with less than 1% of DMA. members refusing to comply. More than 2,000 DMA member companies have signed up making this the largest such program from the numbers of participants. DMA has revised the Privacy Policy Tool to reflect the most current issues, making it easier for companies to explain to consumers their access policies, their enforcement programs, and their relationship with ad servers.

Where Do We Go From Here?

Users of the Internet must be accountable and bear some level of responsibility for their actions. Personal privacy and personal Internet practices are, to a significant degree, matters of individual responsibility. However, industry can and should play a leading role in helping to educate online consumers and by providing useful tools to consumers.

Since the Web has grown so exponentially, I believe we should focus on the top 1,000 sites where roughly 95% of all Internet traffic goes and evaluate what consumers are finding when they get there. The matter of personal privacy protection is not trivial. I have been calling upon industry to make online privacy protection a corporate priority and urging CEOs to discuss privacy protection as one of their top priorities when they make the rounds on Capitol Hill and throughout Washington. Based upon my meetings in the past few weeks, I believe that industry is answering this challenge to lead.

FTC Activities In A Target Rich Environment -- Cyberspace

For certain, there can be proper roles for government to play in a market economy. The exciting and promising new economy of cyberspace (the Internet) is a target rich environment for small businesses and consumers alike -- rich in information, choices, opportunities, entertainment, knowledge and commerce. Unfortunately, it is also a new and fertile field for those who prey on consumers and small businesses with scams, deceit and outright thievery. If market forces fail to correct illegal and unacceptable practices, government action is very likely warranted. Short of unwarranted and excessive regulation, government can play a positive role for small businesses and consumers by providing knowledge and also by appropriate and rational attempts to minimize deception, unfairness and misleading practices on the Internet.

Law Enforcement Cases

The FTC's traditional law enforcement role against deceptive or unfair practices is one way for government to intervene. For example, let's look briefly at the Geocities (3) case as an example of FTC action dealing with alleged deceptive and misleading practices involving personal privacy. Geocities is a very popular web site, now associated with Yahoo!, which permits users to develop their own web sites among many other entertaining things.

As with most web sites, Geocities collects information from visitors. To its credit, Geocities, http://geocities.yahoo.com, posted a "privacy statement" telling its customers about collecting information and assuring them that the information was solely for its internal use. Regrettably, Geocities allegedly failed to follow its own privacy policy and is alleged to have shared this information with third parties for purposes such as target marketing. The Commission took appropriate legal action against Geocities and recently settled the alleged violation of consumer protection laws, namely, deceptive and unfair practices in its business dealings with consumers. If necessary, the Commission is prepared to act in a similar manner again and again.

Since our first Internet case in 1994, the FTC has brought 100 federal law enforcement actions against over 250 defendants. Most of these cases have involved the traditional kinds of fraud such as business opportunity schemes, credit repair scams, pyramid schemes, and false claims for health-related products, to name a few.

Children's Online Privacy Rule

Passage of the Children's Online Privacy Act was the result of a cooperative effort by government, industry, and advocacy groups. The Commission received and considered significant input from industry and advocacy groups in drafting the final Rule (over 140 comments and considerable testimony at public workshop on the issue of verifiable parental consent.) The Rule provides significant protections for children online while providing businesses with the flexibility to choose methods of compliance that work best for them.

The Rule requires operators of Web sites or online services to:

• give notice of their information practices;

• obtain parental consent before collecting or disclosing information from children;

• not condition a child's participation in online activities on the provision of more personal information than is reasonably necessary to participate in those activities; and

• allow parents to review information provided by their children and direct that the operator no longer use and/or delete the information.

The Rule applies to the online collection of children's personal information by:

• operators of Web sites or online services directed to children;

• operators of Web sites or online services that have actual knowledge that a particular visitor to the site or service is a child; and

• persons on whose behalf such information is collected or maintained.

The Rule requires that operators give notice of their information practices on the website and directly to parents of children from whom they wish to collect personal information.

• The link to the notice must be in a clear and prominent place on the home page and at each area where children provide information.

• A link that is in small print at bottom of the page or that is indistinguishable from a number of adjacent links will not be considered "clear and prominent."

Parental Consent Mechanisms

The Act requires operators to obtain verifiable parental consent before collecting, using, and/or disclosing information from children. Under the Act, operators may use "any reasonable effort (taking into consideration available technology). . . to ensure that a parent of a child. . . authorizes the collection use and disclosure" of personal information from the child.

• Based on the current state of available technology (including evidence that digital signature and other seamless methods will not be available for widespread use for 1-2 years), the Rule will allow operators to temporarily vary their consent methods based the intended use of the child's information. This is known as the "sliding scale" approach.

• For activities that pose the greatest risks to children (making children's information publicly available or disclosing it to third parties), more reliable methods of consent are required.

• These include use of a print-and-send form, a toll-free telephone number staffed by trained personnel, a credit card in connection with a transaction, a digital signature, or an e-mail accompanied by a PIN number or a password obtained through one of the other methods listed.

• For internal uses of children's information, operators may use e-mail based mechanisms, so long as additional steps are taken to increase the likelihood that the person providing consent is the child's parent. Such steps include: sending a confirmatory e-mail to the parent following receipt of consent, or obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call.

• The "Sliding scale" will "sunset" two years after the Rule's effective date, unless Commission review (at 18 months) shows that "available technology" has not progressed as expected. At that time, the more reliable methods of consent will be required for all transactions.

Safe Harbor

Under the Act's safe-harbor provision, operators who comply with Commission-approved self-regulatory guidelines are deemed to be in compliance with the proposed Rule, and therefore the Act.

Summary

Concerns about consumer privacy are here to stay. I urge corporate leadership to make protection of consumer privacy a corporate goal and an integral part of the way the company does business. It will be good for business. I am encouraged with the progress industry leaders and associations are making toward a self-regulatory solution to this problem. I am pleased to learn of their holiday shopping season efforts to make consumers more and more aware of the importance of personal privacy, the concerns of the business for its customers, and the innovations soon coming to help consumers better protect themselves on the Internet.

Consumer awareness, innovative technical tools, corporate commitment and industry self-regulation will do a far better job at protecting consumer privacy than will more government regulation.

We have much work to do--much work to do together. Let's allow the market place to work, and let's continue the progress and cooperativeness that is now underway.

Thank you.

Endnotes:

1. Internet statistics source: http://www.netcraft.com/Survey/Reports.

2. "Online Ad Spending Grows," The Washington Post, October 21, 1999.

3. GeoCities, C-3849 (Feb. 12, 1999) (consent order challenging misrepresentations about the Web site's use of personal information collected from children and adults.)