STATEMENT OF Before the United States Senate Committee May 25, 2000 In 1997 when the FTC began looking at the issue of privacy on the Internet, consumer-based electronic commerce was largely viewed as a place only for the adventurous and technologically savvy. At the same time, however, many also viewed the Internet as a place that could potentially transform the American consumer marketplace by empowering consumers with access to vast quantities of information, as well as goods and services. Since then, we have indeed witnessed great progress in achieving that transformation; yet, we still have a long way to go until Americans fully embrace the Internet and accept its technology as integral parts of their daily lives. Today, industry, government and consumers alike share the common goal of making the Internet as meaningful and productive for those Americans at the center of the market bell curve -- the family in the suburb of Canton, Ohio -- as it is for the technologist in Silicon Valley. To achieve this goal, we must be led by the voice of users and allow the Internet to become "consumer driven." From the beginning of the Commission's Internet work, consumers have expressed strong concern about the privacy of their personal information on the Internet. And as industry has focused its attention on attracting the core of American consumers, public concern about privacy has only grown louder so that today, the issue of data privacy has become a litmus for consumer confidence in the online marketplace. In December 1998, I stated:
To its credit, the most responsible segment of the online economy recognized the importance of the data privacy issue -- both from a public policy standpoint as a test of the technology industry's accountability, as well as from a consumer confidence perspective as a test of industry responsiveness to consumer demand. As a result, the industry leaders have worked with the Commission and consumer groups to provide the market with seal programs, privacy policies and consumer and business education initiatives designed to address the public policy and business challenge posed by the issue of Internet privacy. Furthermore, to date, government has appropriately put industry self-regulatory efforts at the forefront of America's response to the privacy challenge. We recognize the important role that industry plays, and will continue to play, in defining good business practices in electronic commerce. After three years of Internet surveys, public workshops, hearings and reports, however, it has become evident that the public policy challenge posed by the issue of Internet privacy may indeed be larger than any one segment -- industry, government or consumers -- can address alone. People in the Internet community are fond of stating that one Internet year is equivalent to three calendar years. The Commission has carefully and cautiously waited over three Internet years before recommending legislative action. During that time, government, industry and consumers have all learned much more about the substantial challenge involved with providing online privacy. In recognition of this complexity and the importance of Internet privacy as a threshold issue for the future growth of electronic commerce, I believe that now is the appropriate time for well-crafted legislation. In July 1999, I testified before the Senate Commerce Committee where I cautioned that industry faced a formidable challenge in achieving effective self-regulation of Internet privacy. I stated that:
Based upon what I perceived as real progress by industry in having a greater number of web sites bearing a privacy disclosure, I was willing to withhold calling for legislative action to give industry further opportunities to: (1) maximize privacy coverage by reaching out to spur non-participating companies to adopt and implement effective privacy policies; and, (2) to significantly improve the quality of privacy protections by encouraging participating companies to embrace and implement what the Commission, the Organization for Economic Cooperation and Development and industry groups themselves (See e.g. Privacy Principles of the Online Privacy Alliance) have long recognized as the fair information principles of notice, choice, access, security and enforcement. Now, three years after the Commission submitted its initial report to Congress and a year and-a-half after I posed a direct policy challenge to industry, our most recent survey shows that the quality of privacy protections that even the most responsible sites provide, is far from adequate. In fact, our survey shows that forty percent of the most popular (and presumably most sophisticated and responsible) web sites still do not provide consumers with adequate notice and choice -- the most fundamental elements for any privacy policy. I believe these results are especially disappointing because they demonstrate substantial deficiencies in providing what most industry leaders agree should serve as the bedrock of privacy self-regulatory efforts. So where does that leave us? Based not only on our 2000 Survey results but also our three years of working interactively with everyone interested in the online privacy issue, a majority of the Commission has concluded that Federal legislation is now appropriate because:
In making my recommendation, I believe that appropriate legislation should not be viewed as a substitute for well-crafted industry self-regulatory programs. This point is particularly important because industry self-policing could ultimately provide the public with consumer-driven privacy responses. Instead, legislation incorporating directed rule-making and safe-harbors should provide a principled backstop for effective industry efforts. Thus, if basic privacy principles and industry self-regulation define the "Swiss cheese" of online privacy, the Children's Online Privacy Protection Act and our legislative recommendation should be viewed as a means of addressing the holes in the cheese. I believe the Commission's recommendation is also consistent with my view of the cautious, balanced and responsible approach government should take in the fast-moving Internet environment. Our recommendation incorporates the principles of interactivity, flexibility and innovation. Through safe-harbors and a rulemaking process, government will interact with consumers and industry to implement appropriate solutions to this important public policy problem. Moreover, by recommending legislation that "would set forth a basic level of privacy protection for consumer-oriented web sites [and providing] an implementing agency with the authority to promulgate more detailed standards,"(4) government would avoid an inflexible "one size fits all" approach that would preclude recognition that consumers vary their view of privacy obligations depending on how they believe their personal information is being used. Finally, by recommending a rulemaking process, it is possible to encourage, and over time incorporate, technological innovation that can provide consumers with better tools to protect their own privacy. Accordingly, I strongly support the recommendations contained in the Commission's May 2000 Report, Privacy Online: Fair Information Practices in the Electronic Marketplace. Endnotes: 1. December 1, 1998, "Managing the Privacy Revolution '98," Remarks Before the 4th Annual National Conference on Privacy & American Business. 2. July 13, 1999, Statement of Commissioner Mozelle W. Thompson in support of "Self-Regulation and Privacy Online," FTC Report to Congress. 3. May 2000, Privacy Online: Fair Information Practices in the Electronic Marketplace, at 3. 4. May 2000, Privacy Online: Fair Information Practices in the Electronic Marketplace, at 3-4. |