Thank you to Governor Gilmore, Chairman Bliley, and George Mason University for hosting this very timely summit. Before I begin, let me say that I speak only for myself and not for the Federal Trade Commission.
Protecting Sensitive Personal Information
The FTC has supported legislation requiring privacy protections for the most sensitive types of personal information, including the Children's Online Privacy Protection Act (information collected from children) the privacy provisions of the Gramm-Leach-Bliley Act (personal financial information) and Health and Human Services proposed privacy rules governing medical records.
FTC Internet Cases
The FTC has plenty of existing authority to bring enforcement actions against companies that are acting in a deceptive or unfair manner on the Internet. Since our first Internet case in 1994, the FTC has brought over 100 Internet-related cases involving over 300 defendants. The Commission has obtained injunctions stopping illegal schemes, collected over $20 million in redress for victims, and obtained orders freezing another $65 million in cases that are still in litigation. Most of these cases have involved the migration of traditional kinds of fraud to the Internet, such as business opportunity schemes, credit repair scams, pyramid schemes, and false claims for health-related products, to name a few.
The GeoCities(1) case is an example of FTC action dealing with alleged deceptive Internet practices As do most websites, GeoCitiescollects information from visitors. To its credit, GeoCities, posted a "privacy statement" telling its customers about how information about them was collected and assuring them that the information was solely for its internal use. Unfortunately, GeoCities allegedly failed to follow its own privacy policy and shared information with third parties for purposes such as target marketing. The Commission took appropriate legal action against GeoCities and settled the alleged violation of consumer protection laws, namely, deceptive practices in its business dealings with consumers.
The Internet and the Internet Economy
You heard a lot yesterday about different global perspectives of the Internet and the border less nature of electronic commerce. Let me give you some figures. There are now approximately 5 million commercial websites, proliferating at over 500,000 per month.(2)According to a survey by Inktomi and the NEC Research Institute, the Web has passed the landmark number of one billion pages. George Gilder wrote recently in the Wall St Journal that Internet traffic grows at a pace of a thousandfold every five years and Web pages multiply at a pace of a million a day. How big is all of this? According to a survey by the University of Texas, The Internet Economy generated an estimated $500 billion in revenue in 1999, accounting for 2.3 million jobs.
Online Usage and Retail Sales
As the numbers indicate, the growth of the Internet and e-commerce has been without precedent. The Commerce Department reported last week that consumers spent $5.3 billion in online retail sales during the 1999 Holiday shopping season. That number excludes financial services or purchases such as airline tickets which are not considered traditional retail. Jupiter Communications estimates that consumers spent $7 billion shopping on the Internet during the 1999 Holiday shopping season. Jupiter estimates that annual consumer sales on the Internet are expected to explode from $15 billion in 1999 to $78 billion by 2003.
FTC 2000 Online Privacy Survey
The FTC is in the process of conducting a survey of U.S. Commercial Web sites to determine the extent to which these sites are collecting personal information from online consumers and implementing fair information practices of notice, choice, access and security. The survey will include a random sample weighted by traffic drawn from a list of the busiest sites on the Web, as compiled by Nielsen//Net Ratings, for the month of January 2000, as well as a census of all of the 100 busiest sites on the Nielsen//NetRatings list.
Advisory Committee on Online Access and Security
The FTC has appointed an advisory committee on online access and security consisting of 40 experts to make recommendations to the Commission defining the costs and benefits of reasonable online access and security. The Advisory Committee will issue it's final report to the Commission on May 15. The FTC will issue our annual report to Congress on our findings and conclusions of the privacy survey and the recommendations of the Advisory Committee in late Spring.
Should Self Regulation Be Allowed To Work
There are many voices inside and outside of government advocating government regulation of online privacy. In 1999, a study by Professor Mary Culnan at Georgetown University showed the posting of privacy policies had increased in one year from 14 percent to 66 percent. Among the top 100 sites, representing 95% of all Internet traffic, the number of sites posting privacy policies was over 90 percent. You will hear more from Steve Cole later about the success of the BBBonline privacy seal program. Along with TRUSTe, the third-party seal programs are beginning to gain traction in the marketplace.
I believe that government regulation is premature. How in the world would we do it? I favor a self-regulatory model that allows the marketplace to meet consumers demand to protect online privacy while allowing the maturation of the technology tools to give consumers control over their online privacy. Legislation motivated by the passions of an election year could disrupt the development of electronic commerce and place onerous and untenable burdens on businesses. Imagine the compliance costs and barriers to entry that regulation would thrust upon small businesses trying to make a go of it in the new world of electronic commerce.
Consumers are concerned about invasions of their personal privacy and security online. In a recent Gallop poll, nearly seven in 10 online shoppers are concerned about Web security. Interestingly, an overwhelming majority, 76% of the respondents favored industry based solutions while only 24% supported a government solution.
Concerns about consumer privacy online are real and unless industry continues to act to protect consumer privacy through self-regulation, there will surely be regulatory action by government. Companies must put privacy protections in place to provide real notice and choice for customers.
Lou Gerstner, Chairman of IBM, said about online privacy last week, "The clock is ticking on this one. I would urge every CEO in this country to personally, personally inspect their company's privacy policies, find out where they stand and get on with it." IBM, Microsoft, Disney, Intel, Procter and Gamble, Novell, and Compaq have voluntarily committed to requiring their advertising partners to post high-quality privacy policies in order to receive advertising monies.
Satisfying customers online privacy concerns in terms of products and services and operating in a manner that builds consumer confidence is simply responding to market forces. Perhaps the most obvious reason for business to protect consumer privacy is that "it's good for business."
I agree with Lou Gerstner that online privacy needs to be a corporate priority. The Federal Trade Commission plays a positive role for businesses and consumers by providing knowledge and also by attacking fraud and deception on the Internet. We have much work to do together. Let's continue to allow the Internet to grow and the self-regulatory model to develop and not get caught up in a rush to regulate in an election year.
Endnotes:
1. GeoCities, FTC Docket No. C-3849 (Feb. 12, 1999) (consent order challenging misrepresentations about the Web sites's use of personal information collected from children and adults.)
2. Internet statistics source: http://www.netcraft.com/Survey/Reports.