Privacy Online: Fair Information Practices in the Electronic Marketplace
May 25, 2000
Mr. Chairman and Members of the Committee, I am Orson Swindle, a Commissioner of the Federal Trade Commission. I appreciate the chance to testify today on the issue of online privacy.(1)
I have dissented from the Commission's embarrassingly flawed Privacy Report and its conclusory -- yet sweeping -- legislative recommendation. In an unwarranted reversal of its earlier acceptance of a self-regulatory approach, a majority of the Commission has recommended that Congress require all commercial consumer-oriented Web sites that collect personal identifying information from consumers to adopt government-prescribed versions of four fair information practice principles ("FIPPs"): Notice, Choice, Access, and Security.(2) The majority has abandoned a self-regulatory approach in favor of extensive government regulation, despite continued progress in self-regulation.
Why has the majority of the Commission decided to discontinue relying on self-regulation? The fundamental rationale given is that not enough Web sites are providing the type of privacy protections that the Commission has decided should be provided, and this is hindering and will continue to hinder the growth of e-commerce. The available data do not support this rationale. The 2000 Survey shows that 88% of all commercial Web sites (100% of the most popular sites) displayed at least one privacy disclosure to consumers, up from a mere 14% of all sites (71% of the most popular sites) in 1998. (Privacy Report ["PR"] at 10, Appendix C, Table 2a). Thus, online companies are by and large providing notice to consumers as to their privacy policies, and consumers can choose whether to deal with these companies based on their privacy policies. For those who believe that allowing consumers to make their own choices is the fundamental objective, the results of the 2000 Survey are very encouraging, although more work certainly needs to be done by industry.
Instead of focusing on consumers' increasing ability to make choices concerning online privacy protections, the majority emphasizes that the 2000 Survey reveals that only 20% of all commercial Web sites (42% of the most popular sites) meet the full FIPPS requirements. (PR Appendix C, Table 4). But the main reason for this relatively low percentage is that commercial Web sites have not disclosed to consumers whether they provide access and security. This failure to disclose is not surprising, given the access and security implementation difficulties recently identified by the Advisory Committee on Access and Security.(3)
In this regard, it is important to emphasize that the 2000 Survey did not attempt to measure whether sites actually provide Access and Security; rather, it gauged only whether disclosures addressed these issues. And the 2000 Survey certainly did not give any credit for "No Access," even though the majority indicates it might consider no access to be "reasonable Access" in some instances.
If these access and security disclosure requirements are eliminated, the percentage of all Web sites meeting the FIPPS requirements rises significantly to 41% of all commercial Web Sites (60% of the most popular sites). But even this 41% figure is understated because it uses a strained definition of "choice" that is more accurately described as "Mandated Choice." Specifically, the 2000 Survey gave credit for choice only when a Web site (1) gave the consumer a chance to agree to or to authorize communications back to the consumer from the Web site and (2) gave the consumer a chance to agree to or authorize disclosure of the consumer's information to third parties. The Report's recommendation that "choice" be legislated does not mean the kind of choice that informed consumers exercise in a marketplace once they know the terms on which they are dealing with retailers. That is real choice. Instead, the majority has recommended Mandated Choice that would require Web sites to continue to do business with consumers who do not agree to the uses the site tells them it will make of their personal information. For sites whose business depends on the use of information to provide consumers with discounts or to reduce the cost of services to consumers, the effect of Mandated Choice may be to mandate their exit from the marketplace or at least the reduction of the choices or products and services now available. Thus, in the name of Mandated Choice, consumers would have less choice.
The majority has recommended that Congress give rulemaking authority to an "implementing agency" (presumably the Commission) to define the proposed legislative requirements. In my judgment, however, the Commission owes it to Congress -- and to the public -- to comment more specifically on what it has in mind before it recommends legislation that requires all consumer-oriented commercial Web sites to comply with breathtakingly broad laws whose details will be filled in later during the rulemaking process.
The Privacy Report is devoid of any consideration of the costs of legislation in comparison to the asserted benefits of enhancing consumer confidence and allowing electronic commerce to reach its full potential. Instead, it relies on skewed descriptions of the results of the Commission's 2000 Survey and studies showing consumer concern about privacy as the basis for a remarkably broad legislative recommendation. It does not consider whether legislation will address consumer confidence problems and why legislation is preferable to alternative approaches that rely on market forces, industry efforts, and enforcement of existing laws.
For the sake of time, I will not cover my entire dissent, but I would like to draw your attention to additional points that it makes:
In conclusion, the Privacy Report fails to pose and to answer basic questions that all regulators and lawmakers should consider before embarking on extensive regulation that could throttle the New Economy. Shockingly, there is absolutely no consideration of the costs and benefits of regulation; nor of regulation's predictable and unanticipated effects on competition and consumer choice;(4) nor of the experience to date with government regulation of privacy; nor of Constitutional issues; nor of how this vague and vast mandate will be enforced.
Industry self-regulation is working. Effective privacy protection is more than a numbers game, and the private sector is continuing to address consumer concerns about privacy because it is in industry's interest to do so. Let us not make the search for the perfect the enemy of the good. The best way to build consumer trust and to ensure the continued growth of the Internet is through a combination of education, strong industry self-regulation, and strong FTC enforcement under existing legal authority. It is premature and counterproductive for the Commission to radically change course and call for broad legislation.
1. My oral testimony and any responses to questions you may have reflect my own views and are not necessarily the views of the Commission or any other Commissioner.
2. While this is a reversal for the Commission, Commissioner Anthony has consistently preferred a legislative approach. See Statement of Commissioner Sheila F. Anthony, Concurring in Part and Dissenting in Part, Self-Regulation and Privacy Online (July 1999), available at <http://www.ftc.gov/os/1999/9907/index.htm#13>.
3. In 1999, the Commission established an Advisory Committee on Online Access and Security to provide advice and recommendations to the Commission regarding implementation of reasonable access and adequate security by domestic commercial Web sites. That Committee provided the final version of its report to the Commission on May 15, 2000, describing options for implementing reasonable access to, and adequate security for, personal information collected online and the costs and benefits of each option.
4. I note that the regulations promulgated to implement the Children's Online Privacy Protection Act ("COPPA"), 15 U.S.C. § 6501 et seq., require detailed Notice; Access, including the ability to review, correct, and delete information maintained by the site; and a form of opt-in mandated Choice (verifiable parental consent). 16 C.F.R. §§ 312.4, 312.6(a)(1), 312.6(a)(2), 312.5(a), 312.5(b). The regulations went into effect on April 21, 2000, and already press reports state that some small online companies have stopped providing services to children because implementation of COPPA's requirements is too costly. See, e.g., "New Children's Privacy Rules Pose Obstacles for Some Sites," The Wall Street Journal at B-8 (April 24, 2000) (reporting one attorney's estimate that it will cost her clients between $60,000 and $100,000 annually to meet COPPA standards); "New privacy act spurs Web sites to oust children," William Glanz, The Washington Times (April 20, 2000), available at <http://www.washtimes.com/business/default-2000420233432.htm>. See also "COPPA Lets Steam out of Thomas," Declan McCullagh, Wired News (May 16, 2000), available at <wysiwyg://1/http://www.wired.com/news/politics/0,1283,36325,00.html>.