FTC Reverses Course, Recommends Comprehensive Privacy Legislation; Senate Committee Expresses Interest

At a May 25 hearing, Members of the Senate Commerce Committee expressed interest in an FTC report criticizing industry self-regulation efforts and calling for new legislation. While the Committee considered no specific legislative approaches at the hearing, most of the Members appeared interested in some type of congressional action that would at least set standards designed to ensure that consumers receive adequate notice of companies4 privacy practices.

The FTC Report

The hearing was prompted by the May 22 release of the FTC’s Privacy Online: Fair Information Practices in the Electronic Marketplace: A Report to Congress, http://www.ftc.gov/reports/privacy2000/privacy2000.pdf, (the “Report”) the third in a series of Commission reports on the efficacy of self-regulation in protecting consumer privacy on the Internet. The Commission conducted a survey of popular Internet sites and concluded that too few complied with the “four widely-accepted fair information practices”: notice, choice, access and security. In the FTC study, 97 percent of the Web sites in a random sample, and 99 percent of the Internet’s 100 busiest sites collected some type of personal information. However, just 20 percent of the randomly sampled sites, and 42 percent of the busiest sites addressed all four fair information practices.

The Commission recommended that Congress supplement industry self-regulation efforts with legislation that would establish basic standards for the collection of information online. More specifically, the standards would require consumer-oriented commercial Web sites that collect personal information from or about consumers online to provide the following: (1) clear and conspicuous notice of their information collection and distribution practices, (2) choices to consumers as to how their personal information may be used by the company, (3) consumer access to the information a Web site has collected about them and the opportunity to correct inaccuracies and delete information, and (4) reasonable steps to provide for the security of the information they collect from consumers.

FTC Commissioners’ Testimony at the Hearing

Testifying at the hearing, FTC Chairman Robert Pitofsky, Commissioner Sheila F. Anthony and Commissioner Mozelle W. Thompson summarized and reiterated the findings and recommendations of the report. Commissioner Anthony provided a sample privacy policy that would satisfy the FTC’s concerns. A complying Web site would provide the following warning to consumers:

  • We collect personally identifiable information about you.
  • We use your personal information to notify you of our future promotions.
  • We share information about you with third parties for marketing purposes. Click here to see who we share information with.
  • You may review and correct or delete information about yourself (with proper authentication).
  • We provide reasonable security to protect your personal information during its transmission and while it is in our possession.

Commissioners Orson Swindle and Thomas B. Leary faulted the FTC’s underlying Internet study and disagreed with the decision to request congressional action.

Interestingly, the Administration appears to have distanced itself from the FTC’s recommendation. Instead, it has called for more limited legislation designed to enhance the privacy protection provisions of last year’s Gramm-Leach-Bliley Act. See H.R. 4380 and S. 2513. Other proposals currently under consideration in Congress include a bill that would study the issue and report to Congress (H.R. 4049) and a bill that would restrict Web sites from collection and dissemination of consumers’ psychological and behavioral profiles. S. 2360

Committee Members Indicated Their Willingness to Act

Committee Members struck a cooperative and bipartisan tone at the hearing and acknowledged that legislative action might be inevitable, although they did not commit to enacting such legislation during this session. Senator John McCain (R-AZ), Chair of the Committee, lauded businesses for improvements in notifying online consumers about their information practices, but said there was still much work to be done. He provided two examples of Web sites that had notice – Doubleclick.com and Yahoo.com – but complained that the notices were long, confusing, and ineffective. He said that on Yahoo.com consumers must go through eight pages and 167 sentences to ensure their privacy. Senator Conrad Burns (R-MT) commented that privacy concerns are slowing the growth of Internet commerce and said he supports new legislation to guarantee that privacy. Senator Ted Stevens (R-AK) warned that the Internet is complex and urged the Committee not to act hastily. Senator John Ashcroft (R-MO) was adamantly opposed to new legislation, arguing that: (1) existing consumer protection laws already protect online consumers, (2) new regulations could unfairly burden Internet companies and hinder their competition with offline businesses, (3) consumers regularly give personal information to companies when applying for refunds and special promotions, and (4) 90% of Web sites already self-regulate. No other Republican Members were present.

Of the Democratic Members present, Senators Ernest Hollings (D-SC), Ron Wyden (D-OR), Richard Bryan (D-NV), John Rockefeller (D-WV), and Max Cleland (D-GA) all said they support new legislation. Senator John Kerry (D-MA), on the other hand, was generally unsupportive of the FTC’s proposed standards, questioning the ability of Congress to regulate something like the Internet which is still rapidly developing. He said he would introduce his own bill that would establish privacy goals but continue to rely on industry self-regulation.

Business Leaders’ Testimony at the Hearing

None of the business leaders testifying at the hearing urged the Committee to avoid all congressional action, but they did offer suggestions. Jill A. Lesser of America Online agreed that if consumers do not feel secure online they will not engage in online commerce or communication, but she urged the Committee not to ignore self-regulatory successes and not to create a new expansive regulatory regime: “Sweeping regulatory action could very likely curb such market innovation and competition and discourage creative and flexible approaches to privacy protection.” Christine Varney spoke on behalf of the Online Privacy Alliance and highlighted its efforts to increase online privacy through self-regulation. Jason Cartlett, President and CEO of the for-profit dot com company Junkbusters Corp., testified that government intervention is necessary to increase consumer confidence in online commerce. He supported Senator Holling’s Consumer Privacy Protection Act, which is based in large part on the FTC’s recommendations. Jerry Berman, executive director of the Center for Democracy & Technology, testified that legislation is necessary to ensure a consistent standard for privacy, but he added that legislation should support self-regulation and technical developments. Daniel J. Weitzner of the World Wide Web Consortium did not support or oppose legislation, but suggested that Web users need more powerful technical tools to ensure their privacy.

There May Be Legislation, But Probably Not This Term

The Senate Commerce Committee hearing sent a strong signal to industry that Congress is concerned about personal privacy protections on the Internet, but where they will go is unclear. The FTC’s broad proposal may be too much for Congress to swallow in this election year, and the Administration’s proposal to enhance the Gramm-Leach-Bliley Act is problematic because it would not preempt similar state legislation. Nevertheless, the issue is now firmly entrenched on Congress’s radar screen, and some legislative action this year is possible, if only the creation of a commission to study the issue.