The Honorable John McCain
Dear Senator McCain:
Thank you for your letter of April 19, 2002, requesting my views on S.2201, the Online Personal Privacy Act.
Personal privacy issues are a key priority at the Commission. Because a variety of practices can have negative consequences, consumer concerns about privacy are strong and justified. Avoiding these consequences requires a strong law enforcement presence, and we have increased by 50 percent FTC resources targeted to addressing privacy problems. Our agenda includes:
The concerns about privacy that motivate our enforcement agenda have led others, including many members of Congress, to propose new laws, such as S.2201, the Online Personal Privacy Act. There are potential benefits from general privacy legislation. If such legislation could establish a clear set of workable rules about how personal information is used, then it might increase consumer confidence in the Internet. Moreover, federal legislation could help ensure consistent regulation of privacy practices across the 50 states. Although we should consider carefully alternative methods to protect consumer privacy and to reduce the potential for misuse of consumers' information, enactment of this type of general legislation is currently unwarranted.(1)
Five points underscore my concern about general, online privacy legislation:
1. Drafting workable legislative and regulatory standards is extraordinarily difficult.
The recently-enacted Gramm-Leach-Bliley Act ("GLB"), which applies only to financial institutions, required the multiple mailings of over a billion privacy notices to consumers with little current evidence of benefit.(2) Our experience with GLB privacy notices should give one great pause about whether we know enough to implement effectively broad-based legislation, even if it were limited to notices.
Unlike GLB, the proposed legislation deals with a wide variety of very different businesses, ranging from the websites of local retailers whose sales cross state lines to the largest Internet service providers in the world. Thus, implementation of its notice requirement will likely be even more complicated.
Moreover, the legislation adds requirements for access not found in GLB. The recommendations of the FTC's Advisory Committee on Online Access and Security make clear that no consensus exists about how to implement this principle on a broad scale.(3) Perhaps reflecting these same concerns, S.2201 grants the FTC broad rulemaking authority. The only legislative guidance is the requirement that the procedures be reasonable. The statute is silent, for example, on how to balance the benefits of convenient customer access to their information with the inherent risks to security that greater access would create. The FTC has no answer to this conundrum. We do not know how to draft a workable rule to assure that consumers' privacy is not put at risk through unauthorized access.
The inherent complexity of general privacy legislation raises many difficulties even with provisions that are conceptually attractive in the abstract. For example, the proposed legislation imposes different requirements on businesses based on whether they collect "sensitive" or "nonsensitive" personal information. Although this may be a conceptually sound approach, we have no practical experience in implementing it, and attempting to draw such distinctions appears fraught with difficulty, both in drafting regulations and assuring business compliance. Under the statute, for example, the fact that I am a Republican is considered sensitive, but a list of books I buy and websites I visit is not.
Similarly, the broad state preemption provision would provide highly desirable national uniformity. Questions about the scope of preemption would inevitably arise, however. How would the preemption provision affect, for example, state laws on the confidentiality of attorney/client communications for attorneys using websites to increase their efficiency in dealing with their clients? Moreover, what are the implications for state common law invasion of privacy torts when the invasion of privacy occurs online?
Another problem is that, except for provisions reconciling the provisions of this bill with the provisions of the Children's Online Privacy Protection Act and certain provisions of the Federal Communications Act, there are no provisions reconciling the proposed legislation with other important Federal privacy legislation. For example, it is unclear how S.2201's requirement of notice and "opt-in" choice for disclosure of financial information collected online would be reconciled with GLB's notice and "opt-out" requirements for the same information. Nor is it clear whether a credit reporting agency's use of a website to facilitate communications with its customers would subject it to a separate set of notice, access, and security requirements, beyond those already in the Fair Credit Reporting Act.
I want to emphasize that I note these examples, not to criticize the drafting of the proposed legislation, but to illustrate the inherent complexity of what it is trying to accomplish.
2. The legislation would have a disparate impact on the online industry.
Second, I am concerned about limiting general privacy legislation to online practices. Whatever the potential of the Internet, most observers recognize that information collection today is also widespread offline. Legislation subjecting one set of competitors to different rules, simply based on the medium used to collect the information, appears discriminatory. Indeed, the sources of information that lead to our number one privacy complaint - ID Theft - are frequently offline. Of course, applying the legislation offline would increase the complexity of implementation, again underscoring the difficulties inherent in general privacy legislation.
3. We have insufficient information about costs and benefits.
Third, although we know consumers value their privacy, we know little about the cost of online privacy legislation to consumers or the online industry. Again, the experience under GLB indicates that the costs of notice alone can be substantial. Under S.2201, these costs may be increased by the greater number of businesses that must comply, by uncertainty over which set of consent procedures apply, and by the difficulty of implementing access and security provisions.
4. Rapid evolution of online industry and privacy programs is continuing.
Fourth, the online industry is continuing to evolve rapidly. Recent surveys show continued progress in providing privacy protection to consumers.(4) Almost all (93 percent) of the most popular websites provide consumers with notice and choice regarding sharing of information with third parties. Some of the practices of most concern to consumers, such as the use of third party cookies, have declined sharply. Moreover, fewer businesses are collecting information beyond email addresses. These changes demonstrate and reflect the more important form of choice: the decision consumers make in the marketplace regarding which businesses they will patronize. Those choices will drive businesses to adopt the privacy practices that consumers desire.
Perhaps most important for the future of online privacy protection, 23 percent of the most popular sites have already implemented the Platform for Privacy Preferences (P3P). This technology promises to alter the landscape for privacy disclosures substantially. Microsoft has incorporated one implementation of P3P in its web browser; AT&T is testing another, broader implementation of this technology. By the time the Act's disclosure regulations might reasonably take effect,(5) the technological possibilities for widespread disclosure may differ substantially. Although S.2201 anticipates this development by requiring the National Institute of Standards to promote the development of P3P technology, legislation enacted now cannot take advantage of such nascent technology. Moreover, it may inadvertently reduce the incentives for businesses and consumers to adopt this technology if disclosures are required using other approaches.
5. Diversion of resources from ongoing law enforcement and compliance activities.
Finally, there is a great deal the FTC and others can do under existing laws to protect consumer privacy. Indeed, since 1996, five new laws have had a substantial impact on privacy-related issues.(6) We should gain experience in implementing and enforcing these new laws before passing general legislation. Implementation of yet another new law will require both industry and government to focus their efforts on a myriad of new implementation and compliance issues, thus displacing resources that might otherwise improve existing privacy protection programs and enforce existing laws. Simply shifting more resources to privacy-related matters will not, at least in the short term, correct this problem. The newly-assigned staff would need to develop the background necessary to deal with these often complex issues. The same is likely true for business compliance with a new law. Without more experience, we should opt for the certain benefits of implementing our aggressive agenda to protect consumer privacy, rather than the very significant effort of implementing new general legislation.
We share the desire to provide American consumers better privacy protection and to ensure that American businesses face consistent state and Federal standards when handling consumer information. Nonetheless, we believe that enactment of this general online privacy legislation is premature at this time. We can better protect privacy by continuing aggressive enforcement of our current laws.
Timothy J. Muris
1. There may be areas in which new legislation is appropriate to address a specific privacy issue. This letter addresses my concerns about broad, general legislation governing online privacy issues.
2. I am unaware of any evidence that the passage of GLB increased consumer confidence in the privacy of their financial information. In contrast to GLB's notice requirements, certain GLB provisions targeting specific practices have directly aided consumer privacy. For example, the law prohibits financial institutions from selling lists of account numbers for marketing purposes, and makes it illegal for third parties to use false statements ("pretexting") to obtain customer information from financial institutions in most instances.
5. Again, GLB is instructive. It was almost two years between the enactment of the statute and the effective date of the privacy rules promulgated thereunder.
6. Fair Credit Reporting Act, 15 U.S.C. § 1681 (amended 9/30/96); Health Insurance Portability and Accountability Act, 42 U.S.C. § 1320 (enacted 8/21/98); Children's Online Privacy Protection Act, 15 U.S.C. § 6501 (enacted 10/21/98); ID Theft Assumption & Deterrence Act, 18 U.S.C. § 1028 (enacted 10/30/98); GLB, 15 U.S.C. § 6801 (enacted 11/12/99). Moreover, since 1996, the FTC has been applying its own statute to protect privacy.