The Honorable John McCain
Dear Senator McCain:
In anticipation of the Senate Commerce Committee's April 25, 2002 hearing on S.2201, the Online Personal Privacy Act ("OPPA"), you have asked each Commissioner of the Federal Trade Commission to comment on whether legislation is needed and, if so, what such legislation should contain. As you know, the FTC has long been involved with the issue of consumer privacy and I have also personally devoted a great deal of time and thought to this matter. Accordingly, I appreciate the opportunity to offer my views about privacy legislation and comment on the principal features of the OPPA.
In the past, a particular area of focus for me has been the question of whether federal legislation is necessary. In the Commission's May 2000 Congressional Report, "Privacy Online: Fair Information Practices in the Electronic Marketplace," a majority of the FTC recommended that Congress enact online privacy legislation. In my accompanying statement and written testimony, I expressed my support for thoughtful and balanced online privacy legislation that is coupled with meaningful self-regulation and enforcement of existing laws.(1)
I also stated that such privacy legislation should incorporate the well-established fair information practice principles of notice, choice, access and security and should provide for federal preemption of inconsistent state laws. Further, legislation should be organic and sufficiently flexible to take into account the type and sensitivity of the data at issue.
My conclusion has not changed and, as discussed below, I believe that today's market conditions make an even more compelling case for legislation. Moreover, I support the OPPA because it contains the above described elements and represents a thoughtful, balanced and well-reasoned approach to the privacy issue.
On-line Privacy Legislation Is Needed
Consumer confidence is one of the most important features of American economic strength and, as demonstrated by recent declines in dot-com industries, emerging markets and young industries are particularly vulnerable to consumer uncertainty. It is not surprising then, that those industries involved in the developing electronic marketplace, or "e-commerce," have begun to direct greater attention and more resources to strategies that address consumer confidence. Members of this industry are asking what is needed to allow e-commerce to reach its potential and fully develop into a stable and robust market? One answer is data privacy.
Studies continue to indicate that consumers' foremost concern with respect to e-commerce is the privacy of their personal data. Indeed, last year Forrester Research estimated that consumers' online privacy concerns cost $15 billion of potential e-commerce revenue. Also, 73% of online consumers who refused to purchase online did so because of privacy concerns. Moreover, one need only compare the stock prices of those companies engaged in online profiling, before and after settling complaints about their business practices, to find a clear example of the value to consumers of certainty and confidence in a new market.
To date, the FTC has provided a strong privacy foundation by way of the agency's law enforcement regime combined with our efforts in promoting industry self-regulation. Although consumers and businesses involved in e-commerce have benefitted from these efforts, they are no longer sufficient because there are still online companies that fail to protect consumer information. Without a legislative backdrop, too much of the risk of e-commerce is shifted to the consumer at a time when consumer confidence is critical. Law enforcement measures are by their nature retroactive, focusing on events that have already occurred. Once a consumer has lost his or her privacy - - be it through identity theft, the creation of an unauthorized profile based upon the consumer's online activities or by some other means - - it is generally impossible to make that consumer whole again.
This condition is made more serious because the Internet allows instantaneous, inexpensive and unlimited transmission of data while computer databases permit storage and unprecedented manipulation. Moreover, it is difficult for the consumer to even know that his or her privacy has been violated until, in some cases, years after the fact.(2) Consequently, without legislation, e-commerce will remain an uncertain marketplace in which only those consumers on the fringe will participate.
The absence of legislation also forces the Commission into the unusual position of going after the good actors that have strong privacy policies, while the bad remain largely unreachable by agencies like the FTC, thus leaving these businesses free to violate consumer trust. Without the type of legislative backdrop that the Commission called for in 2000, and which OPPA provides, I am afraid there will continue to be many free riders and companies with inadequate information practices.
Necessary Elements For Effective Privacy Legislation
I believe that the OPPA addresses many of the most delicate problems associated with a legislative privacy framework. First, it contains the fair information principles and allows for flexibility and change. The OPPA avoids a "one size fits all" approach to the notice requirements and provides a reasonableness test for access. The OPPA is also more reflective of a "real world" consumer environment because it employs a sliding scale that affords more protection to more sensitive information.
Second, by preempting state law, the OPPA will prevent the possibility of multiple standards that could "Balkanize" e-commerce and prove overly burdensome to business and too confusing for consumers. Finally, in granting the FTC rulemaking authority, the OPPA will permit strong enforcement, with special sensitivity to industry and consumer needs, while also providing a means for state participation.
Thank you again for providing me with this opportunity to discuss privacy legislation and the OPPA. I also hope that you will continue to consider the FTC a resource as your work progresses on this important issue.
Mozelle W. Thompson
1. This position represented a change from my prior opinion which did not support legislation but, instead, called for industry self-regulatory measures. Compare Statement of Commissioner Mozelle W. Thompson Before Senate Comm. On Commerce, Science and Transp. (May 25, 2000), with Statement of Commissioner Mozelle W. Thompson Before Senate Comm. On Commerce, Science and Transp. (July 13, 1999).
2. These features, coupled with technology that allows websites to surreptitiously collect consumer information, distinguish the on-line consumer environment from the off-line world.