I. Introduction
This conference symbolizes a new beginning in the privacy arena. My focus will be on general issues of Internet Privacy and the Federal Trade Commission's role in this area. I hope that some of the principles I discuss will be helpful as you meet the implementation challenges raised by the forthcoming HIPAA ("Health Insurance Portability and Accountability Act") regulations.
As a courtesy to my colleagues on the Commission, I will begin with the usual disclaimer: The views I express here are my own and are not necessarily those of the Commission or any individual Commissioner.
Today I will:
- Describe the Federal Trade Commission's role in the area of Internet privacy,
- Explain why I believe the current online environment poses a serious threat to consumer privacy, and
- Tell you some of my views about federal legislation.
II. Federal Trade Commission's Authority
The Commission enforces the Federal Trade Commission Act, which prohibits unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.(1) Although commerce on the Internet clearly falls within our statutory mandate, there are limitations on our authority. Certain entities, such as banks, savings and loan associations, and common carriers, as well as the business of insurance, are exempt from the Commission's jurisdiction.(2) In addition, there are further limitations on our authority in the privacy area. For example, there may be circumstances where an individual's privacy is violated or compromised, but the offending conduct does not fit within either a deception or unfairness theory. Further, the limitation of our authority to conduct that is "in or affecting commerce"(3) may not cover consumer privacy breaches that occur on noncommercial websites, such as non-profit or educational sites. Specific legislation from Congress, granting the Commission additional authority and directing that we, for example, promulgate a trade regulation rule, may overcome some of these limitations.
Since at least 1998, the Commission has encouraged industry to take proactive steps in consumer Internet privacy protection by advocating and encouraging the posting of privacy policies on websites incorporating the following four fair information practices:
NOTICE - Provide consumers clear and conspicuous notice of their information practices,
CHOICE - Offer consumers choices about how their personal information will be used,
ACCESS - Offer consumers reasonable access to the information a website collects about them, and
SECURITY - Take reasonable steps to protect the security of the information collected.
This past summer, a majority of the Commission stated in its May 2000 Report to Congress(4) that the results from the Commission's 2000 Internet Privacy Policy Survey demonstrated that industry self-regulatory efforts alone have not been sufficient and recommended that Congress enact legislation to ensure adequate protection of consumer privacy online. Congress has not yet directed that we take any particular action in the area of online privacy generally, other than to provide a number of reports during the past three years. Industry generally continues to oppose federal privacy legislation, although there are a few companies that have stated publicly that some legislation would be useful.
III. Current Environment
I believe that Federal inaction has created a schizophrenic privacy environment. Different rules apply depending upon whether you are under age 13, whether the personal information collected involves medical or financial data, whether you live in the US or Europe, and whether the information is collected online or offline. With regard to certain financial data, different rules apply depending upon whether information is shared with an affiliated or non-affiliated third party. Let me describe a few of these different rules.
The Children's Online Privacy Protection Rule (5) spells out what a website operator must include in a privacy policy, when and how it must seek verifiable consent from a parent, and what responsibilities an operator has to protect children's privacy and safety online.
The Gramm-Leach-Bliley Act (6) governs the privacy of consumers' financial information and applies to a wide range of entities that are "financial institutions." The Commission's Privacy of Consumer Financial Information Rule(7) requires non-bank financial institutions, over which we have jurisdiction, to provide their customers with a notice describing their privacy policies and practices, annual privacy notices, and a reasonable opportunity to "opt out" of the disclosure of nonpublic personal information to nonaffiliated third parties.
The long-awaited Health and Human Services regulations(8) implementing HIPAA will provide much needed certainty in the important area of health privacy. The Commission submitted a comment supporting the proposed regulations, specifically the "opt-in" or express consent requirements for use of sensitive medical information for purposes other than those for which it was collected.(9)
There is also a lot of "privacy" activity at the state level, both in the courthouses and the legislatures. A growing number of privacy lawsuits are being filed, including class actions, under a variety of different theories. At the same time, a large number of state legislative initiatives continue to be introduced each year. In addition, the European Union's Directive on Privacy creates another set of rules for businesses with commercial activities in Europe.
Fear, uncertainty, and doubt pervade the online environment today, both from the perspective of consumers and that of businesses. Survey after survey demonstrates that public concerns about privacy have been growing and that many of these concerns focus on the power of technologies to collect, store, search, and transmit large amounts of personally identifiable information. For example, a recent Harris Interactive study showed Internet users are more concerned with privacy issues (56%) than health care (54%), crime (53%) or taxes (53%). Also, the Pew Internet & American Life Project May - June 2000 Poll reports that 84% of Internet users are concerned that businesses and/or people they do not know are getting personal information about them and their families. This is consistent with Alan Westin's November 1999 survey showing that 92% of consumers are concerned (67% "very concerned") about the misuses of their personal information online.
Fear exists for good reason. The incidence of "Identity Theft" is growing at an astonishing rate. The Internet provides access to personally identifying information, through both illicit and legal means, and the explosion of financial services offered online provides a shield of anonymity to the would-be identity thief. The FTC's toll-free hotline,(10) which was established so that consumers could report identity theft and obtain counseling to resolve identity theft issues, averaged over 1,000 calls per week during the months of July and August 2000. In addition to identity theft, it seems that every day I read another frightening tale of the illicit online capture and misuse of a consumer's most intimate personal financial information.
There also exists a high level of online uncertainty in the area of information privacy. A few years ago, almost no sites even posted privacy policies. Now, many sites post a policy but it is often buried at the bottom of a home page and almost always is long, complex, and vague. Consumer fear and uncertainty could inhibit the growth of E-commerce and its potential benefits.
Last summer, in testimony before Congress, I reviewed a number of privacy policies and quoted several passages from those policies that were contradictory and ambiguous. In preparing my remarks for today, I took a look at those policies again. After a quick review, I noted a number of troubling trends.
First, the policies are changing, but consumers may not know it. It appears that the privacy policies themselves are very fluid, but consumer choice is not. Many sites tell consumers that they will likely change their policy from time to time and to check back. For example, one popular site provides:
We may e-mail periodic reminders of our notices and conditions, unless you have instructed us not to, but you should check our Web site frequently to see recent changes.
I am concerned that the burden is on the consumers to check the privacy policy each time they visit the site and attempt to discern whether changes were made and what the changes mean to them or to the information that has already been collected from them.
Second, some of the privacy policies I looked at are long, heavy-handed documents that do not really provide choice to consumers. For example, one popular site's privacy policy appears to be just four pages long when printed, but it contains over 15 specific "click through" opportunities for further explanations or information. When all these pages are printed out, the entire privacy policy is actually over 50 pages in length! The opening paragraph of this same privacy policy begins by saying:
By visiting [this site] you are accepting the practices described in this privacy notice.
I question whether consumers are really being provided with meaningful choice.
Third, many privacy policies have adopted what I call the "kitchen sink" approach. These policies do not necessarily describe what the site currently does with personal information. Instead, they describe conduct or relationships that may occur or exist in the future. These descriptions often go on for pages and pages and cover numerous possible scenarios. Many privacy policies are beginning to look like legal documents that only crafty lawyers can fully understand.
Another disturbing trend is the frequency with which sites link to other sites to create a seamless experience for the consumer. It becomes very difficult for the consumer to determine which site or privacy policy controls a particular transaction or experience. On a related note, many privacy policies refer to "affiliates," "partners," or "third parties" who are never identified and whose privacy policies may trump. These relationships may be fluid as well, especially in the current murky world of mergers and ubiquitous joint ventures.
Finally, many consumers are unaware that personal and other information about them is collected through the use of cookies. A cookie is a small piece of information sent by a web site's server to be stored on an individual consumer's hard drive. Later that information can be read back, identifying a repeat visitor.(11) Cookies are used for a number of reasons: to personalize information, to help with on-line sales and service, to track individual visitors of popular links, or to create overviews of online demographics.(12) Third parties can also place cookies.
The information gleaned from the use of cookies can be anonymous, or it can be combined with other identifying information provided to the site when the consumer signs up for newsletters, subscribes to online services, or makes purchases. The potential for "profiling" - gathering data about individuals - exists when cookies are used to combine personally identifiable information with "anonymous" information. Generally, the placement of cookies is an invisible process. If you are technically competent, you can set your Internet browser to alert you to the placement of cookies and to reject them. The Pew Internet Survey revealed that fewer than half of Internet users are aware of cookies, and therefore they do not even consider manipulating their browser settings, a task beyond many of us Internet novices.
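As an added illustration of the mechanism described above (this is not code from the speech, nor any real browser's or site's implementation), the following Python simulation models a server that issues a cookie, reads it back to recognise a repeat visitor, and a third-party ad server embedded on two unrelated shops that links visits to both into one profile. The host names, pages and the sign-up e-mail address are made up; a real browser would reveal the embedding page to the third party through the Referer header, whereas the simulation simply passes the site and page along. It goes one step beyond the text by also showing the effect of the browser setting the speech mentions: rejecting cookies set in a third-party context.

```python
"""Cookie mechanics: a server sends a small token to the client, the client returns
it on later requests, and the server uses it to recognise a repeat visitor. A third
party embedded on several sites can do the same across those sites and link the
visits into a profile. Added illustration with made-up hosts and pages; not code
from the speech or from any real site or browser."""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Server:
    """One web server: issues a cookie to clients that present none, and logs what
    each returning cookie is seen doing."""
    host: str
    ids: count = field(default_factory=count, repr=False)
    log: dict = field(default_factory=dict)         # cookie -> [(site, page), ...]
    identities: dict = field(default_factory=dict)  # cookie -> e-mail given at sign-up

    def handle(self, cookie, site, page):
        """Serve one request. Returns the Set-Cookie value to send back, or None
        when the client already presented a cookie for this host."""
        set_cookie = None
        if cookie is None:
            cookie = f"uid={next(self.ids)}"
            set_cookie = cookie
        self.log.setdefault(cookie, []).append((site, page))
        return set_cookie

    def signup(self, cookie, email):
        """The moment a pseudonymous cookie becomes personally identifiable."""
        self.identities[cookie] = email

    def profile(self, cookie):
        """Everything this server can attribute to one cookie value."""
        return list(self.log.get(cookie, []))


@dataclass
class Browser:
    """A minimal cookie jar keyed by host, with one setting: whether cookies set in a
    third-party context (a resource loaded from a host other than the page's own)
    are kept."""
    accept_third_party: bool = True
    jar: dict = field(default_factory=dict)  # host -> cookie

    def _request(self, server, site, page):
        # Send whatever cookie we hold for this host; keep any new cookie only if the
        # server is the page's own host or the third-party setting allows it.
        set_cookie = server.handle(self.jar.get(server.host), site, page)
        first_party = server.host == site
        if set_cookie is not None and (first_party or self.accept_third_party):
            self.jar[server.host] = set_cookie

    def visit(self, site, page, embedded=()):
        """Load a page from `site`, then every third-party resource it embeds."""
        self._request(site, site.host, page)
        for third_party in embedded:
            self._request(third_party, site.host, page)


def simulate(accept_third_party=True):
    """Two unrelated shops embed the same ad server. Returns what each party can
    reconstruct about one user after three page views and one sign-up."""
    shop_a, shop_b = Server("shop-a.example"), Server("shop-b.example")
    ads = Server("ads.example")
    user = Browser(accept_third_party=accept_third_party)
    user.visit(shop_a, "/shoes", embedded=[ads])
    user.visit(shop_b, "/insulin", embedded=[ads])
    user.visit(shop_a, "/checkout", embedded=[ads])
    own_cookie = user.jar["shop-a.example"]
    shop_a.signup(own_cookie, "alice@example.net")  # constructed sample value
    return {
        # The first party always recognises its own repeat visitor...
        "shop_a_sees": shop_a.profile(own_cookie),
        # ...and, after sign-up, can put a name to that cookie.
        "shop_a_identity": shop_a.identities.get(own_cookie),
        # What the ad server can attribute to a single cookie across both shops.
        "ads_profile": ads.profile(user.jar.get("ads.example")),
        # How many distinct visitors the ad server believes it saw (1 = fully linked).
        "ads_distinct_ids": len(ads.log),
    }


if __name__ == "__main__":
    for setting in (True, False):
        print(f"accept_third_party={setting}:", simulate(setting))
```

Running the block prints both settings. With third-party cookies accepted, the ad server attributes the shoe, insulin and checkout pages to one identifier, and the shop can attach a name to its own cookie at sign-up. With third-party cookies rejected, the ad server sees three unrelated identifiers and holds no profile, while the shop still recognises its returning customer, which is why that one browser setting matters even though, as the speech notes, most users never touch it.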
Recently, the Network Advertising Initiative, an organization comprised of the leading Internet advertisers, developed a framework for self-regulation of the online profiling industry. In reporting to Congress this past July,(13) a majority of the Commission found these principles to reasonably implement the four previously listed fair information practices. Nevertheless, the Commission also recommended that federal legislation is still needed in this area to fully ensure that consumers' privacy is protected online.
There are some technological solutions to these privacy problems in the form of software tools and online protective services. It appears that many sites are not availing themselves of these technological tools, either because they do not want to make the financial investment or they do not want to create an environment where more could be required of them. As for consumer use of technological solutions, I believe that many consumers are unaware that such tools and protective services even exist. More importantly, I do not believe that the entire burden of protecting one's online privacy should rest with the consumer.
IV. Federal legislation
I believe that federal legislation is essential for consumers and businesses alike. I am pleased that a majority of the Commission now shares that view and has recommended that Congress enact legislation to protect online consumer privacy, at least to the extent provided by a set of minimum federal standards.
Without federal standards, several results are inevitable: Dissatisfaction of the American people will continue to grow in both pitch and intensity; the uneven patchwork of state laws will continue; and consumer confidence in E-commerce will be undermined. But, just any legislation is not enough. Let me share with you my personal wish list for effective Federal privacy legislation:
1. I believe that preemption of state laws is essential, but only for weaker state laws.
2. In my view, effective federal legislation should not only incorporate the concepts of notice, choice, access, and security, but also a fifth one - enforcement.
3. To be effective, I believe that legislation should be free from exemptions for special interests or industries. In fact, I believe that legislation should not be limited only to "commercial" websites, but should include nonprofit sites as well.
4. I believe that consumers should have the opportunity to affirmatively agree to the collection or sharing of any personal information online. This "opt-in" standard should be the default. Most policies use an "opt-out" method, which means that the information is collected unless affirmative steps are taken by a consumer to say no. You can be certain that if "opt-in" is the standard, web sites would have to make their privacy policies understandable and prominent at the point where the personal information is disclosed or collected.
5. Standardization of privacy policies would benefit both consumers and businesses alike. The nutritional content label is a good example of a format that provides an array of important information in a concise coherent manner. If privacy policies were standardized in format and content, consumers would be able to compare one company's privacy policy to that of another's. Businesses would also know what is expected of them and what their competitors are saying.
6. Lastly, I believe that sites should be required to alert consumers to material changes in a site's privacy policy, describe the change, and get affirmative consent from the consumer to continue information collection.
V. Conclusion
Let me conclude by saying that I believe federal legislation is essential as a floor to provide basic privacy protections for American consumers, but that alone is not enough. Industry must develop technology that gives both consumers and web site operators more control over their privacy. Finally, self-regulatory efforts must continue and improve, even if federal legislation is enacted and especially if it is not.
Endnotes:
* The views expressed are those of the Commissioner and do not necessarily reflect the views of the Federal Trade Commission or any other Commissioner or staff.
1. 15 U.S.C. § 45 (a).
2. See 15 U.S.C. §§ 45(a)(2) and 46(a); see, e.g., 15 U.S.C. § 1012(b).
3. See 15 U.S.C. § 45(a)(1).
4. Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress (May 2000).
5. 16 C.F.R. Part 312.
6. 15 U.S.C. §§ 6801-6809, 6821-6827.
7. Privacy of Consumer Financial Information Rule, 16 C.F.R. Part 313.
8. Proposed Rule published 64 FR 59918 (November 3, 1999).
9. Letter by Direction of the Commission to The U.S. Department of Health and Human Services, Assistant Secretary for Planning and Evaluation, February 17, 2000.
10. The hotline number is 1-877-ID-THEFT (438-4338).
11. See <http://www.cookiecentral.com>
12. Id.
13. Online Profiling: A Federal Trade Commission Report to Congress, Part 2: Recommendations (July 2000).