Re: The Federal Trade Commission's May 2000 Report To Congress on Online Privacy
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
United States Senate
May 25, 2000
Today the Federal Trade Commission recommends that Congress enact legislation to help consumers protect their privacy when transacting business on the Internet. I agree that some legislation is appropriate, but believe that the recommendation in the Report endorsed by a majority is too broad in one respect and too narrow in another. The recommendation is too broad because it suggests the need for across-the-board substantive standards when, in most cases, clear and conspicuous notice alone should be sufficient. The recommendation is too narrow because any legislation should apply to offline commerce as well.
The Report's recommendation is based, in part, on our common belief that the Internet has enormous potential to grow our economy; that this potential is inhibited to some degree by consumers' concerns about their privacy; and that it is an appropriate policy objective to address these concerns and encourage growth. So far, so good. The issue, then, is how best to address these privacy concerns in an evenhanded way. If the Internet is subjected to requirements that do not apply pro tanto to offline commerce, the regulatory imbalance could itself inhibit the growth of the Internet and undercut our common objective.
We also agree unanimously that, whatever government does or does not do, the private sector will have an important role to play. The majority looks at the 2000 Web Survey data and concludes that the private sector has failed to address privacy concerns rapidly enough. I am not convinced that the Survey supports this conclusion, but agree, for other reasons, that some legally mandated privacy protections would be appropriate.
The Survey does not necessarily demonstrate that the market has failed to respond to consumer demand. It only measures "inputs," the prevalence of privacy policies of various kinds; it does not measure "outputs," the impact that these policies have on consumer confidence and consumer behavior. The Survey numbers could be read to support alternative scenarios. For example, the most popular sites generally have more comprehensive disclosures, and this could mean that some consumers favor them because of the disclosures. The fact that gains are modest overall, however, may also indicate that consumers are not quite as fixated on privacy issues as might appear from the public opinion polls cited in the Report. Marketers generally know more about consumer demand than regulators do.
Marketers know, for example, that consumers' actual buying habits are not necessarily consistent with their expressed preferences. Their stated interest in various ancillary protections like privacy may fade or become more nuanced, once they learn more about them and realize that there are costs attached. Consumer opinion on privacy issues appears to be a complex subject,(1) and public opinion polls simply do not provide an adequate predicate for a legislative recommendation of the scope contained in the Report.
There Is a Need for Better Disclosures
There is one aspect of the 2000 Web Survey, however, that I find particularly disturbing. The Survey results do show a steadily rising trend in the number of companies that address privacy, one way or another, but we cannot therefore conclude that consumers are better informed today or would be even better informed if the numbers rose even further. In fact, a site's mere mention of privacy may lead to a misperception that the consumer's privacy is well-protected, and a plethora of varying and inconsistent privacy claims could add to consumer confusion. The Survey tells us that the scope of the disclosures varies widely (see Privacy Online: Fair Information Practices in the Electronic Marketplace: A Report to Congress ("Report") at 38-44) and, in my view, vendors and their customers would both benefit from a legislative initiative to require disclosures of greater clarity and comparability.
Market processes, supplemented by traditional remedies against consumer deception, should ultimately provide the most appropriate mix of disclosures and substantive protections, but these forces sometimes work slowly and I am convinced that privacy concerns have some special characteristics that make it prudent to prompt the market to work more rapidly. Some standardization of the disclosures would allow consumers to compare more easily the privacy practices of different vendors. As we learned when considering environmental marketing claims, for example,(2) varied and inconsistent claims lead to consumer confusion. Consumers may not be able to recognize valid and invalid comparisons when they are dealing with unfamiliar concepts. When terms have uniform meaning and basic equivalent information is disclosed for each site, the marketplace should work more efficiently.
Although consumers' knowledge and understanding of these issues is steadily increasing, it still has a long way to go. Not only is the Internet a recent invention, consumers are just beginning to become aware of the potential for data collection both online and offline. Consumers still do not know much about the possible uses of their personal information (and new ones are invented every day), the ramifications of permitting its use, and the costs associated with limiting its dissemination. Because an efficient market presupposes full and accurate information, it is appropriate to mandate more extensive privacy disclosures.
Privacy concerns also differ from concerns about product attributes that consumers may value. An uninformed decision to deal with a vendor that disseminates personal information could have ramifications for years to come, and that decision cannot be retracted. The marketplace may ultimately discipline the less-than-candid vendor, but the potential consumer harm will continue because the personal information may have spread and cannot be retrieved. The privacy loss and consequent harm result from mere participation in the market, with insufficient notice, not from a bad purchase decision. By contrast, if consumers are uninformed about particular product attributes, and regret the purchase, the damage may at most be limited to the value of the purchase.(3)
I therefore agree with the Report insofar as it recommends a legislative prod to ensure better disclosures. Thereafter, I part company.
The Report's Proposal Is Too Broad
In addition to its expertise on consumer disclosures, the Commission is supposed to have some expertise in the operation of competitive markets -- when they are likely to succeed and when they are likely to fail. The Report does not explain why an adequately informed body of consumers cannot discipline the marketplace to provide an appropriate mix of substantive privacy provisions. These are matters that Congress can and should investigate on its own, but our Report does not provide any help. It is one thing to recognize that the fair information practices (beyond adequate notice) are laudable goals and to encourage their adoption by various self-certifying industry groups. These certifying programs can make a valuable contribution by reinforcing consumers' confidence and reducing consumer costs of obtaining information. It is quite another thing to urge that the practices, in one form or another, be mandated by legislation and by rules.(4)
When the Commission issued the Green Guides, it expressly disclaimed any authority or intention to achieve a substantive result:
These disclosure-oriented guides did have a substantive effect; later public comments indicated that they did "encourage manufacturers to improve the environmental characteristics of their products and packaging," while "allowing flexibility for manufacturers to improve the environmental attributes of their products and to communicate these improvements to consumers."(6) Better information did lead to a better market outcome. In my view, we should follow the precedent of the Green Guides, and not request the authority to issue substantive standards.
The fact that the fair information practices have been favorably regarded in the regulatory community for almost thirty years (Report at 8-9) does not justify mandatory legislation. A provenance from the 1970s is scant cause for comfort, because government regulators, here and throughout the world, had much less faith in free market institutions then than they have today.(7) Moreover, it cannot be claimed that the fair information practices are "widely-accepted" in the business community (Report at 8). Our own Survey of the Internet world demonstrates the contrary, and there is no indication that the principles are widely accepted in the offline world either. I would not be so quick to conclude that we are right and so many others are wrong.(8)
The Report not only fails to explain why adequate disclosures are insufficient, it passes too lightly over issues of complexity. Granted, these are issues more appropriately addressed in a rule-making proceeding, but Congress needs to have a better understanding of what we mean when we ask for authority to set "reasonable" standards. For example, the Report recognizes that "access" is a complicated matter and indicates that any determination of what is "reasonable" should be informed by the discussion of the Advisory Committee on Access and Security (Report at 30-31, 61). At the same time, however, the Report endorsed by the majority states flatly that "the Commission believes that fair information practices require that consumers be afforded both an opportunity to review information and an opportunity to contest the data's accuracy or completeness -- i.e., to correct or delete the data." (Report at 32). This is an extraordinarily broad claim, which could in many cases lead to vast expense for trivial benefit and which provides an ominous portent for the content of any substantive rules.
Even "choice," which at first glance seems only a natural corollary of "notice," is a complicated subject. The Report recognizes, for example, that it may be appropriate to provide affirmative benefits if a consumer agrees to certain personal disclosures (Report at 61). If the collection of data is one thing that makes it possible for a vendor to offer lower prices, consumers who are particularly tender of privacy would otherwise be able to free ride on the value created by those who are not. (If a supermarket issues a card that offers discounts to people who use it, in exchange for compilation of useful data, consumer "choice" surely does not involve the right to get the discount without supplying the data.(9))
On the other hand, if the premium for permission to use information is too generous, or the penalty for refusal too severe, consumer "choice" really involves nothing more than the "choice" to refuse dealings with the vendor. The issue of what is or is not a reasonable price differential is complicated, but may be too difficult to bother with in a situation where a particular vendor competes with a number of others that have their own policies. Does this mean that reasonableness should depend on the market power of the vendor?
Other examples could be cited to illustrate the difficulties involved in fashioning substantive rules about choice, access and security, but there is no need to burden this statement further. Congress can, and should, explore these issues in detail if it takes up this aspect of the Report's legislative recommendation.
I therefore believe that any across-the-board legislative mandate should be confined to notice alone, although disclosure rules might appropriately provide that notice include information about the other categories. In some cases, involving particular kinds of information or particular uses, the risk of harm may be so great that specific substantive standards are required. This is a legislative judgment. Congress can, and already does, pass industry-specific legislation to deal with these situations.(10) In addition, I believe it is entirely appropriate for the Commission to impose more specific restrictions as "fencing-in" relief in a consent settlement, in order to discipline the future behavior of business entities that have misused consumer information in the past.
The Report does recognize (Report at 25) that notice is "the most fundamental of the fair information practice principles," but it recognizes it for the wrong reason. Notice is not fundamental "because it is a prerequisite to implementing other fair information practice principles, such as Choice or Access" (Id.); it is fundamental because it helps the marketplace accurately to reflect consumer preferences with respect to the other principles. Consumers, so long as they are informed by clear and conspicuous disclosures, will be able to select the vendors that give them the privacy protections they want and are willing to pay for.
The Report's Proposal Is Too Narrow
I also disagree with the Report's legislative recommendation to the extent that it treats issues of online privacy as wholly different from offline privacy. At times the Report acknowledges the existence of offline privacy concerns and the erosion of the distinction between online and offline commerce (Report at 8 n.26, 55 n.196), but it justifies special treatment of Internet privacy on the ground that the technology of the Internet has "enhanced the ability of companies to collect, store, transfer and analyze vast amounts of data[.]" (Report at 1).
Of course, some privacy issues are particular to the Internet. This new technology has permitted uniquely invasive tracking of consumer preferences by recording not just purchases, but consumers' movements on the Internet as well. This practice of tracking, including third-party profiling, may be particularly threatening and distasteful to many. (See Report at 37-38, discussing so-called "cookies"). Any legislative or regulatory scheme can and should ensure that consumers are adequately informed about these Internet capabilities.
However, the majority's recommendation is not focused on the special characteristics of e-commerce or on particular categories of sensitive information collected online. Instead, the majority would apply the fair information practice principles to any personal information collected by any commercial web site, even though the identical information can be collected offline. The distinction between online and offline privacy is illogical, impractical and potentially harmful.(11) Let me examine each of these points in turn.
Recognition of the privacy concerns specific to e-commerce should not obscure the fact that in significant respects online privacy concerns are identical to those raised by offline commerce. The same technology that facilitates the efficient compilation and dissemination of personal information by online companies also allows offline companies to amass, analyze and transfer vast amounts of consumers' personal information.(12) Offline companies collect and compile information about consumers' purchases from grocery stores, pharmacies, retailers, and mail order companies, in particular.
It is also not possible to distinguish offline and online privacy concerns on the basis of the nature of the information collected. With the exception of online profiling, it is the same information. The Report's recommendation would require Amazon.com to comply with the fair information practice principles but not the local bookstore which can compile and disseminate the same information about the reading habits of its customers. The consumer polls, upon which the Report places such significant reliance, demonstrate that consumer concerns about the disclosure of personal information are not dependent on how the data has been collected.(13)
Finally, the Report's focus only on online privacy issues could ultimately have a detrimental impact on the growth of online commerce, directly contrary to the Report's objectives. It is clear from the Advisory Committee's Report on Access and Security and from limited portions of the Commission's own Report that implementation of the fair information practices will be complex and may create significant compliance costs. Online companies will be placed at a competitive disadvantage relative to their offline counterparts that are not forced to provide consumers with the substantive rights of notice, choice, access and security. Traditional brick and mortar companies that have an online presence or are considering entry into the electronic marketplace will be forced to assess how the cost of regulation will affect their participation in that sector.
A better approach would be to establish a level playing field for online and offline competitors and to address consumers' privacy concerns through clear and conspicuous privacy disclosures. Any privacy concerns that are unique to a particular medium or that involve particular categories of information (however collected) can continue to be addressed through separate legislation.(15)
The Report's recommendation limits itself to online privacy for reasons that seem primarily historical. The Commission first looked at the online world at a public workshop in 1995, followed by subsequent workshops in 1996 and 1997. Then, starting in 1998, Commission staff conducted annual surveys of Internet sites and their privacy policies to measure in a rough way the state of industry self-regulation. Each survey has been reported to Congress. The Report's legislative recommendation flows from that series of surveys. The surveys have provided a lot of useful information, and undoubtedly spurred industry attention to online privacy issues, but the scope of these particular surveys should not dictate the parameters of a legislative proposal.
The Commission has ample information available to support a broader recommendation, and Congress will have ample opportunity to develop its own legislative record. The fair information practices so frequently referenced in the Report were, after all, originally developed to address concerns regarding the collection of information offline. And the Commission itself has had significant exposure to offline privacy issues. For example, the Commission has enforced the Fair Credit Reporting Act since its enactment in 1970.(16) This statute addresses consumer concerns about the collection and dissemination of sensitive data by credit bureaus. Although the Act predates the advent of the fair information practices, its provisions mandate some of these same requirements.(17)
The Commission also undertook in 1997 a study of the "look-up" service industry, computerized database services that collect and sell consumers' identifying information. The workshop and subsequent report to Congress focused on the benefits of these services as well as the risks, including consumers' privacy concerns.(18) Although the Internet increased access to these informational products, the information at issue was primarily collected offline. Finally, just last week, the Commission issued its final rule implementing the privacy provisions of the Gramm-Leach-Bliley Act, a rule that focuses on the treatment of consumer information by financial institutions -- again without regard to how the information was collected.(19)
Even if the Commission majority, who endorse the Report, determined that our experience was insufficient to assess offline privacy concerns, a better course would have been to invite further Congressional inquiry. As it is, the Report's advocacy of legislation limited to the online world suggests that public remedies should be bounded by the scope of the studies we have chosen to conduct. This is thinking upside down.
Existing Remedies Should Be Actively Pursued
Legislation to mandate more comprehensive and clear privacy disclosures should ensure in the long run that the marketplace provides consumers with their desired level of privacy protection. Legislation and rule-making may take considerable time, however, and in the interim some consumers may suffer long-lasting harm because they have not been adequately informed about privacy issues. In order to reduce these potential harms, I would recommend that the Commission take some immediate steps.
First, the Commission should more actively employ its existing authority under Section 5 to prohibit unfair or deceptive practices. We can not only challenge outright violations of express privacy policies,(20) but also challenge policies that deceive because they impliedly offer more protection than they deliver. As noted earlier, although the Survey results demonstrate an increase in the number of privacy disclosures, they also indicate that these disclosures often involve inconsistent or confusing claims. (Of course, enforcement actions should only be brought in cases of clear-cut deception, so that companies which attempt in good faith to provide information, up to now on a voluntary basis, would not be chilled from doing so.) Stepped-up enforcement in this area, as elsewhere, serves a double purpose: it addresses specific situations and sends a message both to consumers and businesses.
Beyond this, the Commission should redouble its efforts to educate consumers directly about the benefits and potential risks associated with the collection and dissemination of their personal information. Without additional authorization, we can help consumers to better understand the meaning of various privacy disclosures. Informed consumers will ultimately be the most effective agents for protection of privacy, online and offline, by rewarding companies that offer the preferred levels of protection.
1. Jupiter Communications, Proactive Online Privacy: Scripting An Informed Dialogue to Allay Consumers' Fears, at 3-7 (June 1999).
2. See Guides for the Use of Environmental Marketing Claims (the "Green Guides"), 16 C.F.R. pt. 260 (1999). When the Commission requested public comment on these Guides three years later, commentators generally agreed that they benefit both consumers and industry, inter alia, by promoting consistency and accuracy in claims, helping consumers to make accurate decisions, and thereby bolstering consumer confidence. See Guides for the Use of Environmental Marketing Claims, Final Rule, 61 Fed. Reg. 53,311 (1996).
3. This limitation may not apply to products that are hazardous to health and safety, and this is one reason why there are also affirmative disclosure requirements to deal with these risks.
4. I acknowledge that previous Commission reports to Congress, which advocated a "wait and see" policy, have suggested that legislation could be appropriate if the fair information practices were not more broadly adopted. I would not have endorsed that aspect of the previous reports either, had I been here.
5. Request for Public Comments on Issues Concerning Environmental Marketing and Advertising Claims and Pending Petitions, 56 Fed. Reg. 24,968 (1991).
6. Guides for the Use of Environmental Marketing Claims, Final Rule, 61 Fed. Reg. 53,311, 53,313 (1996).
7. See, e.g., Daniel Yergin and Joseph Stanislaw, The Commanding Heights: The Battle Between Government and the Marketplace that is Remaking the Modern World (1998).
9. This use of an offline example is deliberate because the logic is not dependent on the mode of collection. See discussion, infra pp. 10-12.
10. Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq.; Telecommunications Act of 1996, 47 U.S.C. §§ 222 et seq.; Video Privacy Protection Act of 1988, 18 U.S.C. §§ 2710 et seq.; Cable Communications Policy Act of 1984, 47 U.S.C. §§ 551 et seq.; Fair Credit Reporting Act, 15 U.S.C. §§ 1681 et seq.
11. Chairman Pitofsky has expressed some of these views in one of his own speeches. See Robert Pitofsky, Electronic Commerce and Beyond: Challenges of the New Digital Age, Speech before the Woodrow Wilson Center, Sovereignty in the Digital Age Series, Washington, D.C. (Feb. 10, 2000).
12. Abacus, a consortium of mail order companies, is a good example of the ability of merchants to compile and share detailed data about consumers' purchasing habits. See In re Trans Union, Docket No. 9255 (Feb. 10, 2000), appeal docketed, No. 00-1141 (D.C. Cir. Apr. 4, 2000).
13. See IBM Multi-National Consumer Survey, prepared by Louis Harris Associates Inc., at 22-24 (October 1999).
14. Dana James, Synchronizing the Elements; Traditional Companies, Yearning to Catch Up on the Basics, Find Value in Merging Online, Offline Databases, Marketing News, Feb. 14, 2000, at 15.
15. See supra note 10.
16. 15 U.S.C. §§ 1681 et seq.
17. The Commission recently issued its decision in In re Trans Union, Docket No. 9255 (Feb. 10, 2000), appeal docketed, No. 00-1141 (D.C. Cir. Apr. 4, 2000), an enforcement action concerning the dissemination by a credit bureau of certain information to target marketers. The decision considered not only the privacy implications of this practice but also the availability of other information collected offline.
18. See Individual Reference Services: A Federal Trade Commission Report to Congress (Dec. 1997).
19. See Privacy of Consumer Financial Information, Fed. Reg. (2000) (to be codified at 16 C.F.R. pt. 313).
20. See FTC v. ReverseAuction.com, Inc., No. 00-0032 (D.D.C. Jan. 6, 2000); GeoCities, FTC Dkt. No. C-3849 (Feb. 12, 1999).