The Honorable John McCain
Re: S. 2201 (The Online Personal Privacy Act)
Dear Senator McCain:
I am pleased to provide my views on S. 2201, the Online Personal Privacy Act, which was introduced by Chairman Hollings on April 18, 2002. Although I share the view of the sponsors of this legislation that privacy is important to American consumers, there has been no market failure that would justify the passage of legislation regulating privacy practices concerning most types of information. Even if such a market failure exists, I am not persuaded that the benefits of such legislation, including the proposed Online Personal Privacy Act, exceed its costs.
Indeed, the best means of protecting consumer privacy without unduly burdening the New Economy is through a combination of industry self-regulation and aggressive enforcement of existing laws that are relevant to privacy by the FTC and other appropriate regulatory agencies. This approach is flexible enough to respond rapidly to technological change and to the tremendous insight we are gaining from the ongoing dialogue among government, industry, and consumers on privacy issues.
You have asked for my assessment of whether legislation is needed. I believe legislation should be reserved for problems that the market cannot fix on its own. To my knowledge, there is no evidence of a market failure with respect to online privacy practices, nor are there signs of impending market failure that would warrant burdensome legislation. As a result of a continuing and energetic dialogue among industry, government and consumer representatives, industry is stepping up to the plate and leading the way toward enhancing consumer privacy online. Flexible and efficient privacy tools are increasingly addressing consumer concerns. Indeed, the evidence indicates that the market is responding to consumers' concerns and demands about privacy.
A recent Progress and Freedom Foundation study(1) tells us that there has been a significant decline in the amount of personal information that websites are collecting from visitors.(2) At the same time, there has been an increase in the voluntary adoption of privacy practices. The study indicates that privacy policies have become more common and more consumer-friendly over the past year. In addition, the percentage of the most popular sites offering consumers a choice whether their information can be shared with third parties increased from 77% in 2000 to 93% in 2001. The privacy-enabling technology, Platform for Privacy Preferences (P3P), is being deployed rapidly, and industry has generally become more responsive to the privacy concerns of consumers.
These trends clearly demonstrate that the online marketplace is dynamic, and that firms are working hard to find the "right" pattern for information management practices. In addition, the survey results show that the most frequently visited websites (and much of the Internet as a whole) have clearly recognized that information management policies and privacy practices are necessary parts of everyday business on the Internet. Consumers expect privacy protection and firms realize that it is to their competitive advantage to respond to customer expectations. To the extent that consumers have demanded privacy, these results show that the market has provided it.
Contrary to arguments by proponents of legislation that consumers' privacy concerns are retarding the growth of electronic commerce, electronic commerce is growing rapidly without new privacy legislation. Online transactions have roughly doubled each year between 1997 and 1999, and annual consumer purchases have risen from roughly $5 billion in 1998 to $32 billion in 2001. Recent data on online holiday shopping are even more dramatic, rising from roughly $1 billion in 1997 to nearly $14 billion in 2001 - a 1300% increase. E-commerce thus is growing rapidly in the absence of new privacy regulation.(3)
For many years now, it has been my understanding that Congress seeks to weigh the costs and benefits of new legislation, with the goal of avoiding doing more harm than good. To my knowledge, there is no evidence concerning the costs associated with the proposed legislation, nor an assessment of whether those costs are outweighed by the ill-defined economic benefits that might follow. I do not believe legislation should be adopted without careful consideration of the problems it may create.
Perhaps the most glaring cost associated with the bill, and with any online-specific privacy legislation, is that it discriminates in favor of offline commerce. It is important to remember that electronic commerce currently constitutes a very small portion of all commercial activity. It is difficult to understand drawing a distinction between offline and online privacy. I would suggest that it is likely that consumers share similar concerns in both situations. I believe it is essential to consider the costs and benefits of regulating both online and offline privacy before any legislation is enacted.
To evaluate other costs associated with the notice and choice requirements of the Online Personal Privacy Act, the Commission's experience with the Gramm-Leach-Bliley Act (GLB Act) is instructive. The GLB Act requires that financial institutions issue privacy notices to their customers and, in certain circumstances, provide them with the opportunity to opt out of disclosures of nonpublic personal information to nonaffiliated third parties. To comply with the GLB Act last year, firms incurred great expense in disseminating privacy notices, yet very few consumers opted out. Among the difficulties encountered in complying with the GLB Act was the challenge of communicating complex information to consumers. Industry would face these same challenges in communicating notice and choice in the online context, and a requirement to provide "robust" notice to consumers does little to solve these problems. It also would be difficult for static regulation to keep pace with technology. For example, regulation mandating notice provided on a website may be inapplicable to Web-enabled handheld devices, such as cell phones.
A requirement to provide "reasonable access and security" is difficult to define. In its May 2000 report, the Commission's Advisory Committee on Online Access and Security was unable to reach consensus as to the amount and type of access that should be provided to consumers.(4) Given the complexity of this issue, I do not believe that it is a suitable topic for broad-based legislation or regulation. More important, the Commission already has the ability to address security breaches through the enforcement of existing statutes.(5)
In addition, I am not aware of reliable information about the likely costs associated with providing access and, in particular, the costs of maintaining a clickstream database that could be easily accessible to consumers and easily altered.(6) I therefore question whether the $3.00 fee allowed by S. 2201 for consumers to obtain access to their information would be sufficient to cover the expense. Although some firms -- obviously the larger ones -- might be able to absorb the costs associated with this access mandate, other firms might be unable to provide the service for a minimal fee and would be unable to continue business with their current model. This possibility seems terribly unfair to small business and harmful to competition in electronic commerce.
Finally, in an attempt to empower consumers, this legislation gives them a private right of action. While this measure is aimed at increasing compliance with the law, I fear that a private right of action may result in unintended consequences. More specifically, increased private litigation over information management policies may chill further innovation on the part of businesses that may fear that any change in their information management practices will be met with lawsuits.
In summary, the electronic marketplace is still evolving. Industry and government have been working diligently to address consumers' privacy concerns. Businesses have made admirable progress over the past several years and have no intention of standing down. Industry leaders are directly involved in seeking solutions to meet consumer demands and concerns. From a business standpoint, it just makes good sense. Now is not the time for the federal government to legislate and effectively halt progress on these self-regulatory efforts. New, complicated, and ambiguous laws will force innovation and investment to take a back seat to compliance and bureaucratic process. At the end of the day, we will have made far less progress in finding solutions to privacy concerns than we would have if we had simply relied on government and private sector cooperation and market forces.
Thank you for the opportunity to offer my views on these issues. I look forward to working with you in the future.
1. Adkinson, William F. Jr., Jeffrey A. Eisenach, Thomas M. Lenard, Privacy Online: A Report on the Information Practices and Policies of Commercial Web Sites. Washington, D.C.: Progress & Freedom Foundation (2002). Available at: <http://www.pff.org/publications/privacyonlinefinalael.pdf>.
2. Among the most popular 100 sites, the proportion collecting personal information fell from 96% in 2000 to 84% in 2001. Similar to this finding, the proportion of those firms employing "cookies" fell from 78% to 48% in the past year.
3. It is interesting to compare the growth of electronic commerce to the growth in the use of debit cards. Between 1988 and 1996, debit transactions slowly rose from virtually nothing to less than $50 billion annually. As consumers' experience with these cards increased, however, debit card spending jumped to $300 billion in 2000. This massive growth in debit card transactions was not caused by federal regulatory action, but resulted from consumers' positive experiences with the cards.
4. In 1999, the Commission established an Advisory Committee on Online Access and Security to provide advice and recommendations to the Commission regarding implementation of reasonable access and adequate security by domestic commercial websites. The Committee's final report to the Commission on May 15, 2000, described options for implementing reasonable access to, and adequate security for, personal information collected online and the advantages and disadvantages of each option.
5. See In the Matter of Eli Lilly and Co., FTC File No. 012 3214 (consent agreement accepted, Jan. 17, 2002) (alleging that Eli Lilly unintentionally disclosed personal information collected from consumers by not taking appropriate steps to protect the confidentiality and security of that information).
6. Under the proposed legislation, clickstream data, as collected by third-party cookies, are considered to be personally identifiable information to which consumers should have access.