Prepared Statement of
The Federal Trade Commission on
"Privacy Online: Fair Information Practices In the Electronic Marketplace"

Before the
Committee on Commerce, Science, and Transportation
United States Senate

Washington, D.C.

May 25, 2000


Mr. Chairman, I am Robert Pitofsky, Chairman of the Federal Trade Commission. I appreciate this opportunity to present the Commission's views on the privacy issues raised by the collection and use of consumers' personal information by commercial sites on the World Wide Web.(1)

I. Introduction and Background

A. FTC Law Enforcement Authority

The FTC's mission is to promote the efficient functioning of the marketplace by protecting consumers from unfair or deceptive acts or practices and to increase consumer choice by promoting vigorous competition. As you know, the Commission's responsibilities are far-reaching. The Commission's primary legislative mandate is to enforce the Federal Trade Commission Act ("FTCA"), which prohibits unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.(2) With the exception of certain industries and activities, the FTCA provides the Commission with broad investigative and law enforcement authority over entities engaged in or whose business affects commerce.(3) Commerce on the Internet falls within the scope of this statutory mandate.

B. Privacy Concerns in the Online Marketplace

Since its inception in the mid-1990's, the online consumer marketplace has grown at an exponential rate. Recent figures suggest that as many as 90 million Americans now use the Internet on a regular basis.(4) Of these, 69%, or over 60 million people, shopped online in the third quarter of 1999.(5) In addition, the Census Bureau estimates that retail e-commerce reached $5.3 billion for the fourth quarter of 1999.(6)

At the same time, technology has enhanced the capacity of online companies to collect, store, transfer, and analyze vast amounts of data from and about the consumers who visit their Web sites. This increase in the collection and use of data, along with the myriad subsequent uses of this information that interactive technology makes possible, has raised public awareness and consumer concerns about online privacy. Recent survey data demonstrate that 92% of consumers are concerned (67% are "very concerned") about the misuse of their personal information online.(7) The level of consumer unease is also indicated by a recent study in which 92% of respondents from online households stated that they do not trust online companies to keep their personal information confidential.(8) To ensure consumer confidence in this new marketplace and its continued growth, consumer concerns about privacy must be addressed.(9)

C. The Commission's Approach to Online Privacy - Initiatives Since 1995

Since 1995, the Commission has been at the forefront of the public debate concerning online privacy.(10) The Commission has held public workshops; examined Web site information practices and disclosures regarding the collection, use, and transfer of personal information; and commented on self-regulatory efforts and technological developments intended to enhance consumer privacy. The Commission's goals have been to understand this new marketplace and its information practices, and to assess the costs and benefits to businesses and consumers.(11)

In June 1998 the Commission issued Privacy Online: A Report to Congress ("1998 Report"), an examination of the information practices of commercial sites on the World Wide Web and of industry's efforts to implement self-regulatory programs to protect consumers' online privacy.(12) The Commission described the widely-accepted fair information practice principles of Notice, Choice, Access, and Security. The Commission also identified Enforcement - the use of a reliable mechanism to provide sanctions for noncompliance - as a critical component of any governmental or self-regulatory program to protect privacy online.(13) In addition, the 1998 Report presented the results of the Commission's first online privacy survey of commercial Web sites. While almost all Web sites (92% of the comprehensive random sample) were collecting great amounts of personal information from consumers, few (14%) disclosed anything at all about their information practices.(14)

Based on survey data showing that the vast majority of sites directed at children also collected personal information, the Commission recommended that Congress enact legislation setting forth standards for the online collection of personal information from children.(15) The Commission deferred its recommendations with respect to the collection of personal information from online consumers generally. In subsequent Congressional testimony, the Commission discussed promising self-regulatory efforts suggesting that industry should be given more time to address online privacy issues. The Commission urged the online industry to expand these efforts by adopting effective, widespread self-regulation based upon the long-standing fair information practice principles of Notice, Choice, Access, and Security, and by putting enforcement mechanisms in place to assure adherence to these principles.(17)

Last year, Georgetown University Professor Mary Culnan conducted a survey of a random sample drawn from the most-heavily trafficked sites on the World Wide Web as well as a survey of the busiest 100 sites.(18) The former, known as the Georgetown Internet Privacy Policy Survey, found significant improvement in the frequency of privacy disclosures, but also that only 10% of the sites posted disclosures that even touched on all four fair information practice principles.(19) Based in part on these results, a majority of the Commission recommended in its 1999 report to Congress, Self-Regulation and Privacy Online, that self-regulation be given more time, but called for further industry efforts to implement the fair information practice principles.(20)

This week the Commission issued its third report to Congress examining the state of online privacy and the efficacy of industry self-regulation. Privacy Online: Fair Information Practices in the Electronic Marketplace ("2000 Report") presents the results of the Commission's 2000 Online Privacy Survey, which reviewed the nature and substance of U.S. commercial Web sites' privacy disclosures, and assesses the effectiveness of self-regulation. The 2000 Report also considers the recommendations of the Commission-appointed Advisory Committee on Online Access and Security.(21) Finally, the Report sets forth the Commission's conclusion that legislation is necessary to ensure further implementation of fair information practices online and recommends the framework for such legislation.(22)

II. Fair Information Practices in the Electronic Marketplace: The Results of the 2000 Survey

In February and March 2000, the Commission conducted a survey of commercial sites' information practices, using a list of the busiest U.S. commercial sites on the World Wide Web.(23) Two groups of sites were studied: (a) a random sample of 335 Web sites (the "Random Sample") and (b) 91 of the 100 busiest sites (the "Most Popular Group").(24) As was true in 1998, the 2000 Survey results show that Web sites collect a vast amount of personal information from and about consumers. Almost all sites (97% in the Random Sample, and 99% in the Most Popular Group) collect an email address or some other type of personal identifying information.(25)

The 2000 Survey results also show that there has been continued improvement in the percent of Web sites that post at least one privacy disclosure (88% in the Random Sample and 100% in the Most Popular Group).(26) The Commission's 2000 Survey went beyond the mere counting of disclosures, however, and analyzed the nature and substance of these privacy disclosures in light of the fair information practice principles of Notice, Choice, Access, and Security. It found that only 20% of Web sites in the Random Sample that collect personal identifying information implement, at least in part, all four fair information practice principles (42% in the Most Popular Group).(27) While these numbers are higher than similar figures obtained in Professor Culnan's studies, the percentage of Web sites that state they are providing protection in the core areas remains low. Further, recognizing the complexity of implementing Access and Security as discussed in the Advisory Committee report, the Commission also examined the data to determine whether Web sites are implementing Notice and Choice only. The data showed that only 41% of sites in the Random Sample and 60% of sites in the Most Popular Group meet the basic Notice and Choice standards.(28)

The 2000 Survey also examined the extent to which industry's primary self-regulatory enforcement initiatives - online privacy seal programs - have been adopted. These programs, which require companies to implement certain fair information practices and monitor their compliance, promise an efficient way to implement privacy protection. However, the 2000 Survey revealed that although the number of sites enrolled in these programs has increased over the past year,(29) the seal programs have yet to establish a significant presence on the Web. The Survey found that less than one-tenth, or approximately 8%, of sites in the Random Sample display a privacy seal. Moreover, less than one-half, or 45%, of the sites in the Most Popular Group display a seal.(30)

III. Commission Recommendations

Based on the past years of work addressing Internet privacy issues, including examination of prior surveys and workshops with consumers and industry, it is evident that online privacy continues to present an enormous public policy challenge.(31) The Commission applauds the significant efforts of the private sector and commends industry leaders in developing self-regulatory initiatives. The 2000 Survey, however, demonstrates that industry efforts alone have not been sufficient. Because self-regulatory initiatives to date fall far short of broad-based implementation of effective self-regulatory programs, a majority of the Commission has concluded that such efforts alone cannot ensure that the online marketplace as a whole will emulate the standards adopted by industry leaders. While there will continue to be a major role for industry self-regulation in the future, a majority of the Commission recommends that Congress enact legislation that, in conjunction with continuing self-regulatory programs, will ensure adequate protection of consumer privacy online.

The proposed legislation would set forth a basic level of privacy protection for consumer-oriented commercial Web sites.(32) Such legislation would establish basic standards of practice for the collection of information online, and provide an implementing agency with the authority to promulgate more detailed standards pursuant to the Administrative Procedure Act.(33)

Consumer-oriented commercial Web sites that collect personal identifying information from or about consumers online would be required to comply with the four widely-accepted fair information practices:

(1) Notice - Web sites would be required to provide consumers clear and conspicuous notice of their information practices, including what information they collect, how they collect it (e.g., directly or through non-obvious means such as cookies), how they use it, how they provide Choice, Access, and Security to consumers, whether they disclose the information collected to other entities, and whether other entities are collecting information through the site.(34)
(2) Choice - Web sites would be required to offer consumers choices as to how their personal identifying information is used beyond the use for which the information was provided (e.g., to consummate a transaction). Such choice would encompass both internal secondary uses (such as marketing back to consumers) and external secondary uses (such as disclosing data to other entities).
(3) Access - Web sites would be required to offer consumers reasonable access to the information a Web site has collected about them, including a reasonable opportunity to review information and to correct inaccuracies or delete information.
(4) Security - Web sites would be required to take reasonable steps to protect the security of the information they collect from consumers.

The Commission recognizes that the implementation of these practices may vary with the nature of the information collected and the uses to which it is put, as well as with technological developments. For this reason, a majority of the Commission recommends that any legislation be phrased in general terms and be technologically neutral. Thus, the definitions of fair information practices set forth in the statute should be broad enough to provide flexibility to the implementing agency in promulgating its rules or regulations.

Finally, the Commission notes that industry self-regulatory programs would continue to play an essential role under such a statutory structure, as they have in other contexts.(35) The Commission hopes and expects that industry and consumers would participate actively in developing regulations under the new legislation and that industry would continue its self-regulatory initiatives. The Commission also recognizes that effective and widely-adopted seal programs could be an important component of that effort.

For all of these reasons, a majority of the Commission believes that its proposed legislation, in conjunction with self-regulation, will ensure important protections for consumer privacy at a critical time in the development of the online marketplace. Without such protections, electronic commerce will not reach its full potential and consumers will not gain the confidence they need in order to participate fully in the online marketplace.

IV. Conclusion

The Commission is committed to the goal of assuring fair information practices for consumers online, and looks forward to working with the Committee as it considers the Commission's Report and proposals for protecting online privacy.


1. The Commission vote to issue this testimony was 5-0. Commissioners Anthony, Thompson, Swindle, and Leary have issued separate statements, which are attached.

My oral testimony and any responses to questions you may have reflect my own views and are not necessarily the views of the Commission or any other Commissioner.

2. 15 U.S.C. § 45(a).

3. The Commission also has responsibility under 45 additional statutes governing specific industries and practices. These include, for example, the Truth in Lending Act, 15 U.S.C. §§ 1601 et seq., which mandates disclosures of credit terms, and the Fair Credit Billing Act, 15 U.S.C. §§ 1666 et seq., which provides for the correction of billing errors on credit accounts. The Commission also enforces over 30 rules governing specific industries and practices, e.g., the Used Car Rule, 16 C.F.R. Part 455, which requires used car dealers to disclose warranty terms via a window sticker; the Franchise Rule, 16 C.F.R. Part 436, which requires the provision of information to prospective franchisees; the Telemarketing Sales Rule, 16 C.F.R. Part 310, which defines and prohibits deceptive telemarketing practices and other abusive telemarketing practices; and the Children's Online Privacy Protection Rule, 16 C.F.R. Part 312.

In addition, on May 12, 2000, the Commission issued a final rule implementing the privacy provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq. The rule requires a wide range of financial institutions to provide notice to their customers about their privacy policies and practices. The rule also describes the conditions under which those financial institutions may disclose personal financial information about consumers to nonaffiliated third parties, and provides a method by which consumers can prevent financial institutions from sharing their personal financial information with nonaffiliated third parties by opting out of that disclosure, subject to certain exceptions. The rule is available on the Commission's Web site at <http://www.ftc.gov/os/2000/05/index.htm#12>. See Privacy of Consumer Financial Information, to be codified at 16 C.F.R. pt. 313.

The Commission does not, however, have criminal law enforcement authority. Further, under the FTCA, certain entities, such as banks, savings and loan associations, and common carriers, as well as the business of insurance, are wholly or partially exempt from Commission jurisdiction. See Section 5(a)(2) and 6(a) of the FTC Act, 15 U.S.C. § 45(a)(2) and 46(a). See also The McCarran-Ferguson Act, 15 U.S.C. § 1012(b).

4. The Intelliquest Technology Panel, Panel News, available at <http://www.techpanel.com/news/index.asp> [hereinafter "Technology Panel"] (90 million adult online users as of third-quarter 1999). Other sources place the number in the 70-75 million user range. See Cyber Dialogue, Internet Users, available at <http://www.cyberdialogue.com/resource/data/ic/index.html> (69 million users); Cyberstats, Internet Access and Usage, Percent of Adults 18+, available at <http://www.mediamark.com/cfdocs/MRI/cs_f99a.cfm> (75 million users).

5. Technology Panel. This represents an increase of over 15 million online shoppers in one year. See id.

6. United States Department of Commerce News, Retail E-commerce Sales for the Fourth Quarter 1999 Reach $5.3 Billion, Census Bureau Reports (Mar. 2, 2000), available at <http://www.census.gov/mrts/www/current.html>.

7. Alan F. Westin, Personalized Marketing and Privacy on the Net: What Consumers Want, Privacy and American Business at 11 (Nov. 1999) [hereinafter "Westin/PAB 1999"]. See also IBM Multi-National Consumer Privacy Survey at 72 (Oct. 1999), prepared by Louis Harris & Associates Inc. [hereinafter "IBM Privacy Survey"] (72% of Internet users very concerned and 20% somewhat concerned about threats to personal privacy when using the Internet); Forrester Research, Inc., Online Consumers Fearful of Privacy Violations (Oct. 1999), available at <http://www.forrester.com/ER/Press/Release/0,1769,177,FF.html> (two-thirds of American and Canadian online shoppers feel insecure about exchanging personal information over the Internet).

8. Survey Shows Few Trust Promises on Online Privacy, Apr. 17, 2000, available at <http://www.nyt.com> (citing recent Odyssey survey).

9. The Commission, of course, recognizes that other consumer concerns also may hinder the development of e-commerce. As a result, the agency has pursued other initiatives such as combating online fraud through law enforcement efforts. See FTC Staff Report: The FTC's First Five Years Protecting Consumers Online (Dec. 1999). The Commission, with the Department of Commerce, is also holding a public workshop and soliciting comment on the potential issues associated with the use of alternative dispute resolution for online consumer transactions. See Initial Notice Requesting Public Comment and Announcing Public Workshop, 65 Fed. Reg. 7,831 (Feb. 16, 2000); Notice Announcing Dates and Location of Workshop and Extending Deadline for Public Comments, 65 Fed. Reg. 18,032 (Apr. 6, 2000). The workshop will be held on June 6 and 7, 2000. Information about the workshop, including the federal register notices and public comments received, is available at <http://www.ftc.gov/bcp/altdisresolution/index.htm>.

10. The Commission's review of privacy has mainly focused on online issues because the Commission believes privacy is a critical component in the development of electronic commerce. However, the FTC Act and most other statutes enforced by the Commission apply equally in the offline and online worlds. As described infra, n.11, the agency has examined privacy issues affecting both arenas, such as those implicated by the Individual Reference Services Group, and in the areas of financial and medical privacy. It also has pursued law enforcement, where appropriate, to address offline privacy concerns. See FTC v. Rapp, No. 99-WM-783 (D. Colo. filed Apr. 21, 1999); In re Trans Union, Docket No. 9255 (Feb. 10, 2000), appeal docketed, No. 00-1141 (D.C. Cir. Apr. 4, 2000). These activities - as well as recent concerns about the merging of online and offline databases, the blurring of distinctions between online and offline merchants, and the fact that a vast amount of personal identifying information is collected and used offline - make clear that significant attention to offline privacy issues is warranted.

11. The Commission held its first public workshop on privacy in April 1995. In a series of hearings held in October and November 1995, the Commission examined the implications of globalization and technological innovation for competition and consumer protection issues, including privacy concerns. At a public workshop held in June 1996, the Commission examined Web site practices regarding the collection, use, and transfer of consumers' personal information; self-regulatory efforts and technological developments to enhance consumer privacy; consumer and business education efforts; the role of government in protecting online information privacy; and special issues raised by the online collection and use of information from and about children. The Commission held a second workshop in June 1997 to explore issues raised by individual reference services, as well as issues relating to unsolicited commercial e-mail, online privacy generally, and children's online privacy.

The Commission and its staff have also issued reports describing various privacy concerns in the electronic marketplace. See, e.g., FTC Staff Report: The FTC's First Five Years Protecting Consumers Online (Dec. 1999); Individual Reference Services: A Federal Trade Commission Report to Congress (Dec. 1997); FTC Staff Report: Public Workshop on Consumer Privacy on the Global Information Infrastructure (Dec. 1996); FTC Staff Report: Anticipating the 21st Century: Consumer Protection Policy in the New High-Tech, Global Marketplace (May 1996). Recently, at the request of the Department of Health and Human Services ("HHS"), the Commission submitted comments on HHS' proposed Standards for Privacy of Individually Identifiable Health Information (required by the Health Insurance Portability and Accountability Act of 1996). The Commission strongly supported HHS' proposed "individual authorization" or "opt-in" approach to health providers' ancillary use of personally identifiable health information for purposes other than those for which the information was collected. The Commission also offered HHS suggestions it may wish to consider to improve disclosure requirements in two proposed forms that would be required by the regulations. The Commission's comments are available at <http://www.ftc.gov/be/v000001.htm>.

The Commission also has brought law enforcement actions to protect privacy online pursuant to its general mandate to fight unfair and deceptive practices. See FTC v. ReverseAuction.com, Inc., No. 00-0032 (D.D.C. Jan. 6, 2000) (consent decree) (settling charges that an online auction site obtained consumers' personal identifying information from a competitor site and then sent deceptive, unsolicited e-mail messages to those consumers seeking their business); Liberty Financial Companies, Inc., FTC Dkt. No. C-3891 (Aug. 12, 1999) (consent order) (challenging the allegedly false representations by the operator of a "Young Investors" Web site that information collected from children in an online survey would be maintained anonymously); GeoCities, FTC Dkt. No. C-3849 (Feb. 12, 1999) (consent order) (settling charges that Web site misrepresented the purposes for which it was collecting personal identifying information from children and adults).

12. The Report is available on the Commission's Web site at <http://www.ftc.gov/reports/privacy3/index.htm>.

13. 1998 Report at 11-14.

14. Id. at 23, 27.

15. Id. at 42-43. In October 1998, Congress enacted the Children's Online Privacy Protection Act of 1998 ("COPPA"), which authorized the Commission to issue regulations implementing the Act's privacy protections for children under the age of 13.(16)

16. 15 U.S.C. §§ 6501 et seq.

17. See Prepared Statement of the Federal Trade Commission on "Consumer Privacy on the World Wide Web" before the Subcommittee on Telecommunications, Trade and Consumer Protection of the House Committee on Commerce, U.S. House of Representatives (July 21, 1998), available at <http://www.ftc.gov/os/1998/9807/privac98.htm>.

18. The results for the random sample of 361 Web sites are reported in Georgetown Internet Privacy Policy Survey: Report to the Federal Trade Commission (June 1999), available at <http://www.msb.edu/faculty/culnanm/gippshome.html> [hereinafter "GIPPS Report"]. The results of Professor Culnan's study of the top 100 Web sites, conducted for the Online Privacy Alliance, are reported in Online Privacy Alliance, Privacy and the Top 100 Sites: Report to the Federal Trade Commission (June 1999), available at <http://www.msb.edu/faculty/culnanm/gippshome.html> [hereinafter "OPA Report"].

19. See GIPPS Report, Appendix A, Table 8C.

20. Self-Regulation and Privacy Online (July 1999) at 12-14 (available at <http://www.ftc.gov/os/1999/9907/index.htm#13>).

21. In December 1999, the Commission established the Federal Trade Commission Advisory Committee on Online Access and Security, pursuant to the Federal Advisory Committee Act, 5 U.S.C. App. §§ 1-15. Notice of Establishment of the Federal Trade Commission Advisory Committee on Online Access and Security and Request for Nominations, 64 Fed. Reg. 71,457 (1999).

The Commission asked the Advisory Committee, a group comprising 40 e-commerce experts, industry representatives, security specialists, and consumer and privacy advocates, to consider the parameters of "reasonable access" to personal information collected from and about consumers online and "adequate security" for such information, and to prepare a report presenting options for implementation of these fair information practices and the costs and benefits of each option. The duties of the Advisory Committee were solely advisory. The Advisory Committee Report and proceedings are available at <http://www.ftc.gov/acoas>.

22. The Commission vote to issue the 2000 Report was 3-2, with Commissioner Swindle dissenting and Commissioner Leary concurring in part and dissenting in part. Both Commissioners' separate statements are attached to the Report. Copies of the 2000 Report and of the report of the Advisory Committee on Online Access and Security are attached. The Reports are also available at <http://www.ftc.gov/reports/privacy2000/privacy2000.pdf> and <http://www.ftc.gov/acoas/papers/finalreport.htm>, respectively.

23. The list of Web sites was provided by Nielsen//NetRatings based upon January 2000 traffic figures. 2000 Report, Appendix A.

24. 2000 Report at 7, 9 and Appendix A.

25. 2000 Report at 9.

26. Id. at 10.

27. Id. at 12-13.

28. Id. at 13-14.

29. Id. at 6-7.

30. Id. at 20.

31. As noted earlier, supra n.10, and as illustrated by legislative decisions made in the areas of medical and financial privacy, offline privacy issues are also significant.

32. Legislation should cover such sites to the extent not already covered by the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501 et seq.

33. 5 U.S.C. § 553.

34. The Commission will soon be addressing the issue of third-party online collection of personal information for profiling purposes in a separate report to Congress.

35. For example, the program administered by the National Advertising Division of the Council of Better Business Bureaus, Inc. ("NAD") is a model self-regulatory program that complements the Commission's authority to regulate unfair and deceptive advertising. The NAD expeditiously investigates complaints made by consumers or competitors about the truthfulness of advertising. An advertiser that disagrees with the NAD's conclusion may appeal to the National Advertising Review Board ("NARB"), which includes members from inside and outside the advertising industry. The vast majority of disputes handled by the NAD and NARB are resolved without government intervention, resulting in greater respect for and enforcement of the law at a substantial savings to the taxpayer. Those disputes that the NAD and NARB are unable to resolve are referred to the Commission.

The Commission also has a long record of working with industry to develop and disseminate informational materials for the public. See, e.g., Notice of Opportunity to Participate and Obtain Co-Sponsorship in Agency Public Awareness Campaign re: Children's Online Privacy Protection Rule, available at <http://www.ftc.gov/os/2000/05/index.htm#12>.