[Senate Hearing 106-815]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 106-815


 
   PRIVACY IN THE DIGITAL AGE: DISCUSSION OF ISSUES SURROUNDING THE 
                                INTERNET

=======================================================================

                                HEARING

                               before the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                       ONE HUNDRED SIXTH CONGRESS

                             FIRST SESSION

                                   on

PRIVACY ISSUES SURROUNDING THE INTERNET, FOCUSING ON INTERNET INDUSTRY 
    POLICY, SECURITY, DATA PROTECTION, LAW ENFORCEMENT, TECHNOLOGY 
                  DEVELOPMENT, AND ELECTRONIC COMMERCE

                               __________

                             APRIL 21, 1999

                               __________

                          Serial No. J-106-19

                               __________

         Printed for the use of the Committee on the Judiciary


                                


                      U.S. GOVERNMENT PRINTING OFFICE
 68-199 CC                   WASHINGTON : 2001



                       COMMITTEE ON THE JUDICIARY

                     ORRIN G. HATCH, Utah, Chairman

STROM THURMOND, South Carolina       PATRICK J. LEAHY, Vermont
CHARLES E. GRASSLEY, Iowa            EDWARD M. KENNEDY, Massachusetts
ARLEN SPECTER, Pennsylvania          JOSEPH R. BIDEN, Jr., Delaware
JON KYL, Arizona                     HERBERT KOHL, Wisconsin
MIKE DeWINE, Ohio                    DIANNE FEINSTEIN, California
JOHN ASHCROFT, Missouri              RUSSELL D. FEINGOLD, Wisconsin
SPENCER ABRAHAM, Michigan            ROBERT G. TORRICELLI, New Jersey
JEFF SESSIONS, Alabama               CHARLES E. SCHUMER, New York
BOB SMITH, New Hampshire

             Manus Cooney, Chief Counsel and Staff Director
                 Bruce A. Cohen, Minority Chief Counsel

                                  (ii)



                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

                                                                   Page

Hatch, Hon. Orrin G., U.S. Senator from the State of Utah........     1
Kohl, Hon. Herbert, U.S. Senator from the State of Wisconsin.....  3, 4
Leahy, Hon. Patrick J., U.S. Senator from the State of Vermont...16, 18

                    CHRONOLOGICAL LIST OF WITNESSES

Panel consisting of Katherine Borsecnik, senior vice president, 
  Strategic Businesses, America Online, Inc., Dulles, VA; Michael 
  Sheridan, vice president, Strategic Businesses, Novell, Inc., 
  Orem, UT; Irving Wladawsky-Berger, general manager, Internet 
  Division, IBM Corp., Washington, DC; Jerry Berman, executive 
  director, Center For Democracy and Technology, Washington, DC; 
  Russell T. Bodoff, senior vice president and chief operating 
  officer, BBBOnline, Inc., Arlington, VA; and Gregory Fischbach, 
  chairman and chief executive officer, Acclaim Entertainment, 
  Glen Cove, NY..................................................     7

               ALPHABETICAL LIST AND MATERIALS SUBMITTED

Berman, Jerry:
    Testimony....................................................    65
    Prepared statement...........................................    67
Bodoff, Russell, T.:
    Testimony....................................................    71
    Prepared statement...........................................    73
        Appendix: BBBOnline Privacy Programs, Compliance 
          Assessment Questionnaires and Flow Charts..............    79
Borsecnik, Katherine:
    Testimony....................................................     7
    Prepared statement...........................................     9
        AOL's, Certified Merchants Program.......................    13
Fischbach, Gregory:
    Testimony....................................................   171
    Prepared statement...........................................   172
Sheridan, Michael:
    Testimony....................................................    20
    Prepared statement...........................................    21
Wladawsky-Berger, Irving:
    Testimony....................................................    25
    Prepared statement...........................................    26
        Exhibits: IBM's Privacy Practices on the Web.............    34
        OPA Whitepaper: Online Consumer Data Privacy in the 
          United States..........................................    48

                                APPENDIX
                 Additional Submissions for the Record

Letter to Senators Hatch, Feinstein and Leahy, accompanied by 
  AOL's Terms of Service (which includes the AOL Member 
  Agreement, the AOL Community Guidelines, and the AOL Privacy 
  Policy), as well as a copy of AOL's guidelines for using 
  ``parental controls'' to protect children online, submitted by 
  Jill Lesser, vice president Domestic Public Policy, America 
  Online, Inc., dated April 23, 1999.............................   207



   PRIVACY IN THE DIGITAL AGE: DISCUSSION OF ISSUES SURROUNDING THE 
                                INTERNET

                              ----------                              


                       WEDNESDAY, APRIL 21, 1999

                                       U.S. Senate,
                                Committee on the Judiciary,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 10:03 a.m., in 
room SD-226, Dirksen Senate Office Building, Hon. Orrin G. 
Hatch (chairman of the committee) presiding.
    Also present: Senators Thurmond, Leahy, Kohl, Feinstein, 
and Schumer.

 OPENING STATEMENT OF HON. ORRIN G. HATCH, A U.S. SENATOR FROM 
                       THE STATE OF UTAH

    The Chairman. Good morning, and welcome to today's hearing 
addressing the important and increasingly complicated issue of 
privacy on the Internet.
    It has been no secret that throughout my career in the U.S. 
Senate, I have advocated and sought policies that encourage and 
foster the development of new and better technologies. Included 
among them are medical technologies that help to improve the 
health of Americans and information technologies that bring 
distance learning to many who live in rural areas in Utah and 
across the Nation. The Internet's explosive growth promises to 
impact every aspect of our daily life, as it provides the 
public with useful and often vital information and literary 
content immediately at the mere click of a mouse.
    Internet technology will play an important role in 
educating the population through distance learning and through 
the general delivery of information. The Internet will also 
continue to play an increasingly larger role in our daily 
entertainment, whether it is through the delivery of movies and 
music over the Internet or through the ability to play video 
games with a network of literally millions of players across 
the globe.
    During the last session of Congress, I worked with my 
colleagues on this committee in a bipartisan manner to act on a 
number of matters aimed at fostering the growth of the Internet 
and promoting a competitive environment in this new digital 
environment.
    First, this committee won passage of the Digital Millennium 
Copyright Act, which put in place the most significant 
revisions to the U.S. copyright law since the enactment of the 
1976 Copyright Act. I consider that one of the most important 
bills of the whole last session.
    Second, the Judiciary Committee initiated the still 
ongoing, thorough public examination of important issues 
affecting competition and innovation in the digital 
marketplace. In addition, the committee also provided 
legislative assistance to industry in our national effort to 
prepare for the Y2K problem by crafting and passing legislation 
to allow businesses and local governments to share Y2K 
remediation information with limited fear of liability.
    During this session of Congress, I intend to continue 
working on legislative and oversight efforts that address new 
policy changes of the Internet and the new digital revolution. 
Today's hearing is the first this committee has held on the 
issue of consumer privacy on the Internet. Given the complex 
nature of this issue and all of the various policy 
considerations involved, I do not expect this to be our last 
hearing on this issue.
    Any revolutionary, paradigm-shifting technology presents 
government with new and significant policy changes and 
challenges. The Internet is no exception. I recently read that 
earlier in this century there were concerns about the sale of 
automobiles to the public as it provided crooks with a tool to 
escape the police. Luckily, we found a way to address this 
automobile, ``concern.'' It is my hope that we can do the same 
for any concerns that surround the Internet.
    As Americans spend more of their lives on the Internet, 
they are more concerned about the ability of Web sites, both 
government and commercial, to track their, ``digital steps.'' 
There is no question that in order for the Internet to reach 
its maximum potential as a viable avenue for transacting 
commerce, consumers must be assured that personally 
identifiable information that is collected online is afforded 
adequate levels of protection. But the question remains how do 
we best do that. How do we do it without chilling the 
development of new technologies or the expansion of the 
marketplace?
    There have already been over 50 legislative proposals 
offered this session addressing privacy. I have been skeptical 
of most proposals to date, as they require increased regulation 
of the Internet by government. As I have expressed in the past, 
we must be careful not to stymie the growth of new technologies 
with broad government regulations.
    The purpose of today's hearing is two-fold. First, it is 
intended to educate the public and the members of this 
committee about what the privacy issues are that surround 
consumer use of the Internet and what industry is doing to 
correct these problems.
    Second, it will allow us to begin a dialogue with those 
with an interest in the privacy issue in order to develop a 
meaningful and balanced policy that takes into consideration 
the needs of consumers, law enforcement and industry, one that 
would ensure continued technology development in this important 
area and that ensures electronic commerce is able to reach its 
full potential.
    Now, I believe that it is in the best interests of the 
industry to develop meaningful privacy policies and to provide 
adequate protections for consumer privacy. After all, 
individual consumers will demand that the electronic 
marketplace provide adequate and effective privacy protections.
    Indeed, I have been very encouraged to see, in over the 
past 6 months, the development of a productive and meaningful 
effort by industry to ensure such privacy protection. We will 
hear testimony from some of those involved in that effort 
today. However, I am still concerned about reports that there 
might still remain certain fringe operators of Web sites who 
might not abide by the standards that the industry has set for 
itself. Any successful self-regulatory model needs to have 
adequate resources to enforce the rules that it sets for 
itself.
    To date, the discussions surrounding Internet privacy have 
revolved around two mutually exclusive models as possible 
solutions to this issue. The first, advocated by certain 
consumer rights groups, would give government regulatory bodies 
the authority to regulate conduct on the Internet. And the 
second, advocated by most members of the industry, would 
entrust the industry to regulate itself without any role for 
the government. For the past several months, I have been 
examining different self-enforcement systems that have proven 
successful in other industries and that might serve as a useful 
model for the protection of privacy on the Internet.
    I believe we should explore whether another solution 
exists, one that aims to respect both the need to foster 
continued growth of the electronic marketplace and the need to 
enforce any rules for the protection of consumer privacy. I 
hope we could develop a solution that respects this dynamic and 
diverse Internet industry, a solution that would give the 
industry appropriate power to establish a code of conduct for 
its online presence, while providing for a limited and proper 
government oversight role, which, frankly, given the interest 
received to date in Congress, appears inevitable. This solution 
possibly could be based on the self-regulatory, quasi-
governmental model successfully employed in the securities 
industry.
    Now, I know that can bring a chill over anybody's body in 
just a few seconds, when you look at how bureaucratically over-
regulated in some respects the securities industry is. Yet, 
still, we have probably the most effective securities industry 
regulations of any nation and of history itself.
    As we continue to examine this issue, I invite any 
interested person or persons to work with me and other members 
of this committee to develop a reasonable policy for Internet 
privacy, one that provides adequate privacy protections for 
consumers, and at the same time allows the industry to regulate 
itself in a manner that would allow them to bring new 
innovations to the marketplace. So I am hopeful that we can do 
that.
    Herb, shall we turn to you at this time to represent the 
minority?

 STATEMENT OF HON. HERBERT KOHL, A U.S. SENATOR FROM THE STATE 
                          OF WISCONSIN

    Senator Kohl. Thank you, Mr. Chairman. I would like to 
commend you for holding this hearing today on the very critical 
issue of privacy, which is enormously important in the 
information age that we live in. Public worry over privacy is 
real. A recent survey found that 92 percent of consumers are, 
``concerned'' about threats to their personal privacy, and that 
is a startling figure.
    Today, new technologies, including the Internet, facilitate 
the free flow of vast quantities of information around the 
world. The benefit of this technology is both real and 
tangible. But as with many other things, there is a downside, 
especially when this technology allows sensitive personal 
information, such as medical and credit histories, to be 
collected and often used by third parties.
    Not even the local supermarket is insulated from the 
information age. Nowadays, stores issue cards that can track 
information regarding customer purchases right at the check-out 
counter. Granted, these cards are helpful to consumers who want 
discounts, but they are not so convenient when the cashier 
notifies folks in the check-out line that you need to refill 
your prescription of Prozac.
    In much the same way, the Internet can track and store 
personal data and preferences, oftentimes without the consumer 
even knowing it. When this information is then shopped around 
for a profit, privacy is lost and the problems begin.
    Certainly, self-regulation is preferable to government 
regulation, and many in the computer industry have made 
important strides in this direction. However, striking the 
right balance between access to information and protection of 
personal privacy is a complicated matter. While these hearings 
will help, it is not clear that Congress is equipped to look at 
this issue with the sort of altitude or distance necessary to 
resolve these issues. Nor is it clear that the best actors in 
the private sector will set the standards for the worst.
    So, Mr. Chairman, to my mind the time has come to step back 
and assess privacy concerns from a broader perspective. With 
Senator DeWine, I am considering legislation to create a 
privacy study commission which would provide us with a 
comprehensive overview of the privacy issues we need to focus 
on today and suggestions of how to ensure privacy tomorrow.
    This is not a new idea. In fact, 25 years ago a Privacy 
Study Commission was established by the Privacy Act of 1974. 
The work of that commission is legendary. It led to laws 
protecting financial privacy and credit reporting. But times 
and technology have changed. In light of the new privacy 
challenges facing us today and into the next century, which are 
of a vastly greater magnitude, we need to once again consider a 
commission approach.
    That said, Mr. Chairman, I applaud you and Senator Leahy 
for holding this important hearing, and I look forward to 
working with you in the future to address the real privacy 
concerns of all Americans.
    Thank you.
    The Chairman. Well, thank you, Senator Kohl. We appreciate 
it.
    [The prepared statement of Senator Kohl follows:]

               Prepared Statement of Senator Herbert Kohl

    Thank you Mr. Chairman. I would like to commend you for holding 
this hearing today on the very critical issue of privacy--which is 
enormously important in the ``information age'' of today. Public worry 
over privacy is real. A recent survey found that 92 percent of 
consumers are ``concerned'' about threats to their personal privacy--
that's a startling figure. Another poll reported that 83 percent 
believe they no longer have control over how companies collect and use 
their personal information. No wonder that privacy has caught our 
attention.
    Today, new technologies, including the Internet, facilitate the 
free flow of vast quantities of information around the world. We've 
heard time and time again about the benefits of this ``Internet 
Revolution,'' and these benefits are both real and tangible. But, as 
with many things, there is a downside. For example, newer and faster 
computers make it easier than ever to retrieve medical information in 
an emergency; but, this technology also allows potentially sensitive 
personal information, such as medical and credit histories, to be 
collected and often used by third parties.
    Not even the local supermarket is insulated from the information 
age. Nowadays, stores issue cards that can track information regarding 
customer purchases right at the checkout counter. Granted, these cards 
are helpful to consumers who want discounts. But they are not so 
convenient when the cashier notifies folks in the checkout line that 
you need to refill your prescription for Prozac. [LAUGHTER]
    In much the same way, the Internet can track and store personal 
data and preferences, oftentimes without the consumer even knowing it. 
When this information is then shopped around for a profit, privacy is 
lost and the problems begin.
    These are just some of the privacy concerns of Americans, and they 
are not without consequence. Suspicions regarding Internet privacy, or 
the lack thereof, have limited the growth of electronic commerce. Many 
consumers hesitate to participate in on-line activities for fear of 
having their personal data tracked and stored by unknown parties. There 
is also the very real problem of harmonizing our privacy laws with the 
generally stricter--and often less thoughtful--privacy laws of other 
nations, most notably, the European Union.
    Certainly, self-regulation is preferable to government regulation, 
and many in the computer industry have made important strides in this 
direction. However, striking the right balance between access to 
information and protection of personal privacy is a complicated matter. 
While these hearings will help, it is not clear that Congress is 
equipped to look at this issue with a sort of ``altitude'' or 
``distance'' necessary to resolve these issues. Nor is it clear to me 
that the best actors in the private sector will set the standards for 
the worst.
    So Mr. Chairman, to my mind the time has come to step back and 
assess privacy concerns from a broader perspective. With Senator 
DeWine, I am considering legislation to create a Privacy Study 
Commission, which would provide us with a comprehensive overview of the 
privacy issues we need to focus on today, and suggestions of how to 
ensure privacy tomorrow.
    This is not a new idea. In fact, twenty-five years ago a Privacy 
Study Commission was established by the Privacy Act of 1974. The work 
of that Commission is legendary--it led to laws protecting financial 
privacy and credit reporting. But times and technology have changed. In 
light of the new privacy challenges facing us today and into the next 
century--which are of a vastly greater magnitude--we need to once again 
consider a Commission approach.
    That said Mr. Chairman, I applaud you and Senator Leahy for holding 
this important hearing, and I look forward to working with all of you 
in the future to address the very real privacy concerns of all 
Americans. Thank you.

    The Chairman. Senator Leahy is going to be here. So when he 
arrives, I will probably interrupt to permit him to make 
whatever statement he desires.
    In order to achieve today's dual goal of educating the 
public and the members of this committee on Internet privacy 
issues, we are fortunate to have with us six experts in the 
field of Internet privacy and technology who will testify 
today.
    We will first hear from Ms. Katherine Borsecnik, Senior 
Vice President of Strategic Businesses at America Online. Ms. 
Borsecnik has been with AOL for more than 7 years and has 
played an integral role in developing and implementing AOL's 
online privacy and safety policies. We are delighted to have 
you here.
    Then we will hear from Mr. Michael Sheridan, Vice President 
for Strategic Businesses at Novell, headquartered in my home 
State of Utah. Prior to joining Novell, Mr. Sheridan previously 
worked at Sun Microsystems, where he was co-creator of the 
computer programming language Java. Mr. Sheridan is one of the 
developers of Novell's recently announced digitalme technology.
    Are you living in Utah, Michael, or are you down in 
California?
    Mr. Sheridan. I am actually out here.
    The Chairman. You are out here?
    Mr. Sheridan. Yes.
    The Chairman. Also testifying today will be Dr. Irving 
Wladawsky-Berger, General Manager of IBM's Internet Division. 
Dr. Wladawsky-Berger has been affiliated with IBM since 1970 
and is currently in charge of IBM's Internet and network 
computing strategy, and is referred to at IBM as ``Dr. 
Internet.'' I am not sure that that is good.
    Mr. Wladawsky-Berger. I am not sure either. [Laughter.]
    The Chairman. I would also like to note that Dr. Wladawsky-
Berger is a member of the President's Information Technology 
Advisory Committee, or PITAC.
    Then we will hear from Mr. Jerry Berman, Executive Director 
of the Center for Democracy and Technology. As its mission 
states, CDT works to promote democratic values and 
constitutional liberties in the digital age. Mr. Berman has 
worked tirelessly with free speech and privacy policy working 
groups focusing on Internet policy issues.
    We are certainly glad to have all of you here.
    Next, we will hear testimony from Mr. Russell Bodoff, 
Senior Vice President and Chief Operating Officer of BBBOnLine, 
an independent subsidiary of the Council of Better Business 
Bureaus. Mr. Bodoff is in charge of directing and supervising 
the creation of BBBOnLine's new Privacy Seal Program, which we 
are very interested to hear more about today.
    Our final witness will be Mr. Greg Fischbach, Chairman and 
CEO of Acclaim Entertainment, which develops and distributes 
interactive entertainment software for the Internet and home 
entertainment systems. Mr. Fischbach is also the Vice Chair of 
the Board of Directors of the Interactive Digital Software 
Association.
    So we are really happy to have you here, Greg, Mr. Bodoff, 
Mr. Berman, Mr. Wladawsky-Berger, Mr. Sheridan and Ms. 
Borsecnik. We think this is a terrific panel and I am looking 
forward to hearing what you have to say. I would like to thank 
each of you for taking time out of your busy schedules and 
appearing before the committee. We expect you, as experts, to 
shed light on the issues inherent in the protection of privacy 
on the Internet.
    I feel confident that you share my view that Internet 
privacy issues are too important not to be addressed, and that 
growth of this new medium and its problems must be addressed 
carefully. So I have looked forward to today's hearing as a 
careful and considered first step toward opening a meaningful 
dialogue between Congress and the interested public on the 
issue of Internet privacy.
    So with that, we will begin with you, Ms. Borsecnik, and we 
will look forward to hearing what you have to say. I would like 
you to limit your remarks to five minutes, if you can. I am not 
going to be a stickler on that, but I would appreciate it if 
you can because we do have some questions.

PANEL CONSISTING OF KATHERINE BORSECNIK, SENIOR VICE PRESIDENT, 
STRATEGIC BUSINESSES, AMERICA ONLINE, INC., DULLES, VA; MICHAEL 
 SHERIDAN, VICE PRESIDENT, STRATEGIC BUSINESSES, NOVELL, INC., 
 OREM, UT; IRVING WLADAWSKY-BERGER, GENERAL MANAGER, INTERNET 
 DIVISION, IBM CORP., WASHINGTON, DC; JERRY BERMAN, EXECUTIVE 
DIRECTOR, CENTER FOR DEMOCRACY AND TECHNOLOGY, WASHINGTON, DC; 
 RUSSELL T. BODOFF, SENIOR VICE PRESIDENT AND CHIEF OPERATING 
OFFICER, BBBONLINE, INC., ARLINGTON, VA; AND GREGORY FISCHBACH, 
 CHAIRMAN AND CHIEF EXECUTIVE OFFICER, ACCLAIM ENTERTAINMENT, 
                         GLEN COVE, NY

                STATEMENT OF KATHERINE BORSECNIK

    Ms. Borsecnik. Thank you. I would like to thank you for the 
opportunity to discuss online privacy with you here today. My 
name is Katherine Borsecnik. I am Senior Vice President of 
Strategic Businesses for America Online.
    The online medium is quickly revolutionizing the way we 
learn, communicate and do business. It impacts industries 
fundamentally as diverse as booksellers to brokerage, and 
offers consumers unprecedented convenience. Our customers can 
sign onto AOL and instantaneously do research, send a letter, 
find the best price on an airline ticket--tasks that just a few 
short years ago would have taken them far more time.
    But the technology of the Internet offers users even 
something more unique--the ability to customize or personalize 
their online experience. Consumers can communicate specific 
preferences online that will allow them to receive services or 
information that is targeted to their needs. For example, an 
AOL member can set her online preferences to get the weather 
forecast in her local area, to read news stories about her 
professional interests, or to get a notice about the 
availability of a new CD from her favorite musician.
    But the power of the Internet can only be fully realized if 
consumers feel very confident that their online privacy is 
protected. For me, protecting my customers' privacy is 
essential to earning their trust, without which I cannot 
sustain a business. AOL learned this important lesson through 
our own mistakes not too long ago when an AOL employee 
wrongfully disclosed information to the government about a 
member's screen name.
    AOL has recognized that consumer trust is essential to 
building our business and building the online medium, and we 
have taken a number of important steps to create a privacy-
friendly environment for our customers. Building on the online 
lessons we have learned, and from the information and opinions 
we receive from our members on a daily basis, we have adopted 
privacy policies that clearly explain to our users what 
information we collect, why we collect it, and how they can 
exercise choice about how that information is used.
    We have based our policies on core principles that reflect 
consumer needs and expectations. For example, we never read 
members' private e-mail. We will not disclose to anyone any 
information about where a member goes online, and we will not 
give out a member's phone number, screen name, or credit card 
information unless he expressly agrees.
    We give consumers clear choices about how their personal 
information is used, and we make sure that our members are 
well-informed about what those choices are. For example, if a 
customer decides that he does not want to receive targeted 
marketing materials from us, all he needs to do is check a box 
online that tells us not to send him such information.
    We also make sure that our policies are well-understood and 
implemented by our employees. We provide training about our 
privacy policies and we require all employees to agree to abide 
by our privacy policies as a condition of their employment at 
America Online. We continually review state-of-the-art 
technology to ensure that we use the most advanced technologies 
to defend our customers' data security.
    AOL takes extra steps to protect the safety and privacy of 
children online. We do not collect personal information from 
children without their parents' knowledge or consent. We have 
created a secure environment for children, our Kids Only area, 
and we carefully monitor all the activity in that area, 
including chat rooms and message board posts, to ensure the 
safest possible environment for children, and to ensure that a 
child does not post personal information online that could 
allow them to be identified or contacted offline. Furthermore, 
America Online's parental controls technology enables parents 
to safeguard their children online by allowing them to set 
preferences and limits on who their children may talk to online 
and where they may go and what they may see.
    In addition to adopting and implementing our own policies, 
AOL is committed to fostering best practices among our business 
partners and industry colleagues. One of the strongest examples 
of this effort is our Certified Merchant program, which 
guarantees that our members will be protected and satisfied 
when they are within the AOL environment. Through this program, 
which currently includes over 150 of our merchant partners, we 
offer a money-back guarantee to dispel consumer concerns about 
shopping security and increased consumer trust in this powerful 
new medium.
    We believe that the more we are able to work with our 
business partners and require high standards of them, the more 
likely it is that these standards will become the marketplace 
norm. In fact, we believe that the online industry as a whole 
is taking positive steps toward protecting online privacy. To 
strengthen industry's commitments to online privacy, AOL joined 
with other companies and associations last year to form the 
Online Privacy Alliance, which has grown to include more than 
85 recognized industry leaders.
    AOL believes that companies are responding to the 
increasing marketplace demand for online privacy, and that the 
tremendous growth of e-commerce reflects positive trends on a 
variety of consumer issues, including privacy. In part, we 
think that technology holds the key to ensuring a safe and 
secure online environment. We believe it is critical for us to 
provide the most sophisticated security technologies to our 
customers so they can take steps to secure their own privacy. 
That is why we continue to advocate the widespread availability 
and use of strong encryption, both in this country and abroad.
    Challenges that lie ahead will give us the opportunity to 
prove that the industry and government can work together to 
promote effective online privacy. But ultimately for me at the 
end of the day, it is the consumer who will be the judge of our 
efforts in these areas and whether they are adequate because no 
matter how extraordinary the opportunities for electronic 
commerce are, we know our business will fail if we cannot earn 
the trust of our customers and meet the consumer demands for 
privacy protection.
    We at AOL are committed to doing our part in this effort. 
Our consumers demand it, our business demands it, and we 
appreciate the opportunity to discuss these important issues 
with you and to work with you further on the issues of Internet 
electronic commerce and privacy.
    Thank you.
    The Chairman. Thank you, Ms. Borsecnik. That was great.
    [The prepared statement of Ms. Borsecnik follows:]

               Prepared Statement of Katherine Borsecnik

    Chairman Hatch, Senator Leahy, and Members of the Committee, I 
would like to thank you, on behalf of America Online, for the 
opportunity to discuss online privacy with you today. I am the Senior 
Vice President for Strategic Businesses at AOL, and in that capacity a 
significant amount of my work for the company is devoted to addressing 
issues of online privacy, security, and data protection.
    The online medium is quickly revolutionizing the way we learn, 
communicate, and do business. People are migrating to the Internet to 
meet their commerce and communications needs at an extraordinary rate 
because it is convenient and fast, and offers an ever-growing selection 
of information, goods and services. AOL subscribers can sign on to our 
service and do research, shop for clothes, and buy airline tickets all 
in a matter of minutes.
    In addition, the online environment offers users unique benefits of 
customization and personalization. Consumers can communicate specific 
preferences online that will allow them to receive information targeted 
to their own interests. For instance, AOL members can set their online 
preferences to get the weather forecast for their own zip code, read 
news stories about their own hometown, or receive notices about special 
discounts on their favorite CDs. No other commercial or educational 
medium has ever afforded such tremendous potential for personalization.
    But the power of the Internet can only be fully realized if 
consumers feel confident that their privacy is properly protected when 
they take advantage of these benefits. We know very well that if 
consumers do not feel secure online, they will not engage in online 
commerce or communication--and without this confidence, our business 
cannot grow. For AOL, therefore, protecting our members' privacy is 
essential to earning their trust, and this trust is in turn essential 
to building the online medium. We learned this important lesson through 
our own mistakes not too long ago, when an AOL employee wrongly 
revealed the screen name of one of our members to the government.
    Recognizing the importance of this issue, AOL has taken a number of 
steps to create an environment where our members can be certain that 
their personal information and their choices regarding the use of that 
information are being respected: from creating and implementing our own 
privacy policies and educating our members about them, to promoting 
best practices among our business partners, to engaging in self-
regulatory initiatives and enforcement mechanisms that will raise the 
bar for all companies who do business online.
                           setting an example
    Building on the lessons we have learned and the input we have 
received from our members, we have created privacy policies that 
clearly explain to our users what information we collect, why we 
collect it, and how they can exercise choice about the use and 
disclosure of that information. To that end, the AOL privacy policy is 
organized around 8 core principles:
    (1) We do not read your private online communications.
    (2) We do not use any information about where you personally go on 
AOL or the Web, and we do not give it out to others.
    (3) We do not give out your telephone number, credit card 
information or screen names, unless you authorize us to do so. And we 
give you the opportunity to correct your personal contact and billing 
information at any time.
    (4) We may use information about the kinds of products you buy from 
AOL to make other marketing offers to you, unless you tell us not to. 
We do not give out this purchase data to others.
    (5) We give you choices about how AOL uses your personal 
information.
    (6) We take extra steps to protect the safety and privacy of 
children.
    (7) We use secure technology, privacy protection controls and 
restrictions on employee access in order to safeguard your personal 
information.
    (8) We will keep you informed, clearly and prominently, about what 
we do with your personal information, and we will advise you if we 
change our policy.
    We give consumers clear choices about how their personal 
information is used, and we make sure that our users are well informed 
about what those choices are. For instance, if an AOL subscriber 
decides that he does not want to receive any targeted marketing notices 
from us based on his personal information or preferences, he can simply 
check a box on our service that will let us know not to use his data 
for this purpose. Because we know this issue is so critically important 
to our members and users, we make every effort to ensure that our 
privacy policies are clearly communicated to our customers from the 
start of their online experience.
    We also make sure that our policies are well understood and 
properly implemented by our employees. We require all employees to sign 
and agree to abide by our privacy policy, and we provide our managers 
with training in how to ensure privacy compliance. We are committed to 
using state-of-the-art technology to ensure that the choices 
individuals make about their data online are honored.
    Finally, we try to keep users informed about the steps they can 
take to protect their own privacy online. For instance, we emphasize to 
our members that they must be careful not to give out their personal 
information unless they specifically know the entity or person with 
whom they are dealing, and we encourage them to check to see whether 
the sites they visit on the Web have posted privacy policies.
                       protecting children online
    AOL takes extra steps to protect the safety and privacy of children 
online. One of our highest priorities has always been to ensure that 
the children who use our service can enjoy a safe and rewarding online 
experience, and we believe that privacy is a critical element of 
children's online safety.
    We have created a secure environment just for children--our ``Kids 
Only'' area--where extra protections are in place to ensure that our 
children are in the safest possible environment. In order to safeguard 
kids' privacy, AOL does not collect personal information from children 
without their parents' knowledge and consent, and we carefully monitor 
all of the Kids Only chat rooms and message boards to make sure that a 
child does not post personal information that could allow a stranger to 
contact the child offline. Furthermore, through AOL's ``parental 
controls,'' our members are able to protect their children's privacy by 
setting strict limits on whom their children may interact with online.
    Because of the unique concerns relating to child safety in the 
online environment, AOL supported legislation in the 105th Congress to 
set baseline standards for protecting kids' privacy online. We worked 
with Senator Bryan, the FTC, and key industry and public interest 
groups to help bring the Child Online Privacy Protection Act (COPPA) to 
fruition last year. We believe the enactment of this bill was a major 
step in the ongoing effort to make the Internet safe for children.
                        fostering best practices
    In addition to adopting and implementing our own policies, AOL is 
committed to fostering best practices among our business partners and 
industry colleagues. One of the strongest examples of this effort is 
our ``Certified Merchant'' program, through which we work with our 
business partners to guarantee our members the highest standards of 
privacy and customer satisfaction when they are within the AOL 
environment. AOL carefully selects the merchants we allow in the 
program (currently there are 152 participants), and requires all 
participants to adhere to strict consumer protection standards and 
privacy policies. The Certified Merchant principles are posted clearly 
in all of our online shopping areas, thereby ensuring that both 
consumers and merchants have notice of the rules involved and the 
details of the enforcement mechanisms, which help to foster consumer 
trust and merchant responsiveness.
    Here are the criteria that our merchants have to meet in order to 
become certified and to display the America Online Seal of Approval 
(some screen shots that show how these criteria appear to subscribers 
on our service are attached to this testimony):
    1. Post complete details of their Customer Service policies, 
including: Contact Information, Shipping Information, Returns Policies, 
and Money-Back Satisfaction Guarantee Information.
    2. Receive and respond to e-mails within one business day of 
receipt.
    3. Monitor online store to minimize/eliminate out-of-stock 
merchandise available.
    4. Receive orders electronically to process orders within one 
business day of receipt.
    5. Provide the customer with an order confirmation within one 
business day of receipt.
    6. Deliver all merchandise in professional packaging. All packages 
should arrive undamaged, well packed, and neat, barring any shipping 
disasters.
    7. Ship the displayed product at the price displayed without 
substituting.
    8. Agree to abide by AOL's privacy policy.
    Through our Certified Merchant program, we commit to our members 
that they will be satisfied with their online experience, and we have 
developed a money-back guarantee program to dispel consumer concerns 
about shopping online and increase consumer trust in this powerful new 
medium. We believe that these high standards for consumer protection 
and fair information practices will help bolster consumer confidence 
and encourage our members to engage in electronic commerce.
                  helping to promote industry efforts
    The online industry as a whole is taking positive steps toward 
protecting consumer privacy. In fact, to improve industry's commitment 
to online privacy, AOL joined with other companies and associations 
last year to form the Online Privacy Alliance (OPA), a group dedicated 
to promoting privacy online.
    Since we began our efforts just a few months ago, the OPA has grown 
to include more than 85 recognized industry leaders, and industry 
efforts to protect consumer privacy online have blossomed. The OPA has 
worked hard to develop a set of core privacy principles--centered 
around the key concepts of notice, choice, data security, and access--
and its members are committed to posting and implementing privacy 
policies that embody these principles. Furthermore, the OPA is 
continuing to reach out to businesses nationwide to explain the 
importance of protecting online privacy and posting meaningful privacy 
policies.
    We believe that the OPA member companies are setting a new standard 
for online privacy, and that as consumers become more aware of the 
choices available to them, the marketplace will begin to demand robust 
privacy polices of all companies that do business online. But we also 
understand the need for meaningful enforcement of self-regulation. 
That's why we abide by the OPA requirement to participate in robust 
enforcement mechanisms through our involvement in the TrustE and 
BBBOnline privacy seal programs. We are key sponsors of both the TrustE 
and BBBOnline privacy seal programs, and have worked closely with 
industry representatives and members of the academic community to help 
formulate strict standards for seal eligibility.
                          the challenges ahead
    We believe that companies are responding to the increasing 
marketplace demand for online privacy, and that the tremendous growth 
of e-commerce reflects positive trends on a variety of consumer 
protection issues, including privacy. But our work has only just begun. 
As technology makes it easier for companies to collect and use personal 
information, the adoption and implementation of robust privacy policies 
will become even more important.
    In part, we believe that technology holds the key to ensuring a 
safe and secure online environment. As an online service provider, we 
believe it is critical for us to be able to provide the most 
sophisticated security technologies to our members so that they can 
take steps to protect their own privacy online. That's why we will 
continue to advocate the widespread availability and use of strong 
encryption, both in this country and abroad.
    The challenges that lie ahead will give us the chance to prove that 
industry and government can work together to promote meaningful self-
regulation of online privacy. But ultimately, it is the consumer who 
will be the judge of whether these efforts are adequate. Because no 
matter how extraordinary the opportunities for electronic commerce may 
be, the marketplace will fail if we cannot meet consumers' demands for 
privacy protection and gain their trust.
    We at AOL are committed to doing our part to protecting personal 
privacy online. Our customers demand it, and our business requires it--
but most importantly, the growth and success of the online medium 
depend on it. We appreciate the opportunity to discuss these important 
issues before the Committee, and look forward to continuing to work 
with you on other matters relating to the Internet and electronic 
commerce.

[GRAPHIC] [TIFF OMITTED] T8199.001

[GRAPHIC] [TIFF OMITTED] T8199.002

[GRAPHIC] [TIFF OMITTED] T8199.003

    The Chairman. Mr. Sheridan, before we turn to you, let me 
turn to our Democrat leader on the committee for his statement. 
Senator Leahy.

  STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM THE 
                        STATE OF VERMONT

    Senator Leahy. Thank you, Mr. Chairman. As it often 
happens, I am running between two different committees, and I 
apologize for going back and forth because this is an area of 
great interest to me.
    I have told this story before. Since I have been in public 
office, I have clipped and saved and actually framed only about 
two news items about myself, and I will tell you about one of 
the two just to give you an idea of why I think this issue is 
so important.
    I live on a dirt road in Vermont. Our nearest neighbors are 
a mile or so in either direction. One of the neighbors, a 
farmer, who has known me since I was a teenager, prompted a 
whole article in the New York Times. An out-of-State car with 
New York plates pulls up to the farmer. The reporter says, does 
Senator Leahy live up this road? The farmer says, are you a 
relative of his? The man says no. The farmer says, are you a 
friend of his? The reporter says, well, not really. He says, is 
he expecting you? The reporter says no. The farmer looks him 
right in the eye and says, never heard of him. [Laughter.]
    And I have often thought that probably reflects as much as 
anything the sense of privacy we have in Vermont, and so I come 
to this naturally.
    The concern over privacy is reaching an all-time high. In 
1978, 64 percent of Americans reported they were very concerned 
or somewhat concerned about threats to their privacy. As Mr. 
Berman knows, by 1998 this number had skyrocketed. According to 
the Center for Social and Legal Research, 88 percent of 
Americans reported being very or somewhat concerned about 
threats to their personal privacy. So, Mr. Chairman, I thank 
you and Senator Kohl and others for having this hearing.
    Good privacy policies make good business policies. If you 
have new technologies--and those on the panel know the new 
technologies as well as anybody in this country--you know that 
it brings new opportunities for business and consumers. But it 
doesn't do any good if consumers hesitate to use a particular 
technology because they are concerned about what it might do to 
their privacy. That is why privacy policy is good business 
policy.
    Ensuring that we have adequate privacy laws has a more 
significant and important role in our democracy than just 
fostering high-tech businesses. We have to defend online 
freedom from heavy-handed content regulation. The 
Communications Decency Act in 1996 which was found 
unconstitutional--I voted against that because of that.
    Stopping efforts to create government censors is critical 
to allow our First Amendment rights to flourish, but it is not 
enough. For people to feel comfortable in exercising their 
First Amendment rights, they have to be able to keep their 
activities confidential and private. If Big Brother is 
watching, then First Amendment rights are chilled as if 
government is censoring it.
    We have a long tradition of keeping our identities private. 
The Federalist Papers, for example, the most important 
political document written about our Constitution, was authored 
anonymously initially by James Madison, John Jay and Alexander 
Hamilton, and published under a pseudonym. The Supreme Court, I 
believe, said ``anonymity is a shield from the tyranny of the 
majority.''
    The report that I released last month on Vermont Internet 
commerce is telling on this point. The strongest obstacle among 
consumers from shopping and doing business online was their 
fear of the online security risk. This is important because in 
my State, a rural State like mine, the commercial potential of 
the Internet is enormous. We have seen businesses that are 
using it--we have seen their businesses skyrocket, but it is 
still held back by people who fear the security risks, right or 
wrong. That is why promoting the use of encryption is so 
important, so that businesses and consumers can use this 
technology to provide the privacy and security they need.
    I am going to introduce privacy legislation to ensure that 
Americans' Fourth Amendment rights to be secure in their 
persons, houses, papers and effects against unreasonable 
government searches and seizures are given ample protection in 
a networked computer environment. In addition, several 
provisions of the bill will address the concern Americans have 
about the use of their personally identifiable records and 
information by businesses, satellite carriers, libraries and 
book sellers.
    Online businesses are engaging in serious efforts to make 
available to consumers information on privacy policies, and I 
commend and applaud those efforts. But in our current laws, we 
don't apply privacy principles in an even-handed manner. Video 
rental stores and cable operators are subject to privacy laws 
to protect our rights to keep our viewing habits private, but 
no protections exist for the books we borrow from the library 
or buy from a bookstore, or the shows we watch via satellite. 
We should have more privacy for that. For that matter, we 
should have more privacy on our medical records, which can be 
moved all over the country without any restrictions.
    Telephone companies and cable operators are subject to 
legal restrictions on how they may use personally identifiable 
information about their Internet subscribers, but other 
Internet and online service providers are not. The E-RIGHTS 
bill I am introducing would promote a more level playing field 
in terms of the privacy protections available to Internet 
users, no matter whether they obtain their Internet access from 
AOL, their cable company, or their local phone company.
    So we have to look at a number of things. When should the 
FBI be allowed to use cell phones to track a user's movements? 
Should a Kosovo human rights organization that uses a Web site 
to correct government misinformation be able to get a domain 
name without having their names publicly available on a 
database?
    Should we allow Federal prosecutors to act like Special 
Prosecutor Kenneth Starr did and go on fishing expeditions with 
subpoenas issued to bookstores to find out what we are reading? 
That was one of the most chilling things I ever saw, a 
prosecutor going to a bookstore to find out what I was reading. 
And this is not George Orwell; this is the United States of 
America. I mean, of all of Mr. Starr's excesses, this was as 
bad a one as any I saw.
    Should we protect our choices of reading and viewing 
materials the same way we protect our choice of videotapes that 
we rent from our local Blockbuster? You may recall that when a 
Supreme Court nominee was before this committee, somebody had 
found out what videos he was renting. And Senator Alan Simpson 
and I were so outraged by that, we introduced legislation 
saying you can't go into the video stores to find out what they 
are renting. That was probably the only thing that stopped Mr. 
Starr on that. If you maintain your calendar on Yahoo, 
shouldn't you get the same privacy protections as those who 
keep their calendars on their desks or in their PCs' hard 
drive?
    So these are some of the questions. Mr. Chairman, I know we 
have witnesses here, and you have been more than gracious with 
the time. I will put the whole statement in the record, but 
these are significant privacy issues--and I suspect that you 
get people in Utah who are very concerned about their privacy, 
and every State that is represented here. In the electronic 
world, we have to be more concerned.
    The Chairman. Thank you, Senator.
    [The prepared statement of Senator Leahy follows:]

              Prepared Statement of Senator Patrick Leahy

    Concern over privacy is reaching an all time high. In 1978, 64 
percent of Americans reported that they were ``very concerned'' or 
``somewhat concerned'' about threats to their personal privacy. By 
1998, this number had skyrocketed. According to the Center for Social 
and Legal Research, 88 percent of Americans reported being ``very'' or 
``somewhat concerned'' about threats to their personal privacy. I am 
pleased the Senate Judiciary Committee is taking this concern seriously 
and beginning an examination of new Internet-related privacy issues.
           good privacy policies make good business policies
    New technologies bring with them new opportunities, both for the 
businesses that develop and market them, and for consumers. It does not 
do anyone any good for consumers to hesitate to use any particular 
technology because they have concerns over privacy. That is why I 
believe that good privacy policies make good business policies.
     protecting privacy plays an important role in the exercise of 
                         first amendment rights
    Ensuring that we have adequate privacy laws has a more significant 
and important role in our democracy than just fostering high-tech 
businesses. We also must defend on-line freedom from heavy-handed 
content regulation. That was my purpose in voting against the 
unconstitutional Communications Decency Act that became law in 1996.
    Stopping efforts to create government censors is critical to allow 
our First Amendment rights to flourish, but it is not enough. For 
people to feel comfortable in exercising their First Amendment rights--
by speaking, traveling and associating freely online or in physical 
space--they must be able to keep their activities confidential and 
private. When Big Brother is watching, the exercise of First Amendment 
rights is chilled no less than the threat of a government censor.
    It is therefore not surprising that our country has a long and 
honorable tradition of keeping our identities private when we exercise 
our First Amendment rights. ``The Federalist Papers,'' which is 
probably the most important political document ever written about our 
Constitution, was authored anonymously by James Madison, John Jay and 
Alexander Hamilton and published under a pseudonym.
    Healthy advocacy and debate often rests on the ability of 
participants to keep their identities private and to act anonymously. 
Indeed, the Supreme Court has said, ``Anonymity is a shield from the 
tyranny of the majority.''
    Healthy commerce also depends on satisfying consumers' desire to 
keep their business affairs private and secure. A report I released 
last month on Vermont Internet commerce is telling on this point. The 
strongest obstacle among consumers from shopping and doing business 
online was their fear of the online security risks. This is why 
promoting the use of encryption is so important, so that businesses and 
consumers can use this technology to provide the privacy and security 
they want and that best suits their needs.
    I plan to introduce privacy legislation to ensure that Americans' 
Fourth Amendment rights to be secure in their persons, houses, papers 
and effects against unreasonable government searches and seizures are 
given ample protection in a networked computer environment. In 
addition, several provisions in the bill will address the concern 
Americans have about the use of their personally identifiable records 
and information by businesses, satellite carriers, libraries and book 
sellers.
         industry self-regulation efforts should be encouraged
    In contrast to a citizen's relationship with his or her government, 
consumers have a choice of whether they want to deal or interact with 
those in the private sector. In my view, this choice should be 
generally recognized in the law by allowing consumers and businesses in 
the marketplace to set the terms of their interaction. This is an area 
where the Congress should tread cautiously before regulating. Online 
businesses are engaging in serious efforts to make available to 
consumers information on privacy policies so that consumers are able to 
make more educated choices on whether they want to deal. I commend and 
applaud those efforts.
    That being said, however, current laws do not apply privacy 
principles in an even-handed manner. Video rental stores and cable 
operators are subject to privacy laws to protect our right to keep our 
viewing habits private, but no protections exist for the books we 
borrow from the library or buy from a bookstore, or the shows we watch 
via satellite. I am introducing a bill to provide more uniform privacy 
protection for both books and videos, no matter the medium of delivery.
    Similarly, telephone companies and cable operators are subject to 
legal restrictions on how they may use personally identifiable 
information about their Internet subscribers, while other Internet and 
online service providers are not. The E-RIGHTS bill I am introducing 
would promote a more level playing field in terms of the privacy 
protections available to Internet users, no matter whether they obtain 
their Internet access from AOL, their cable company or their local 
phone company.
         this legislation addresses a broad range of emerging 
                        high-tech privacy issues
    For example:

   When should the FBI be allowed to use cell phones to track a 
        user's movements?
   Should Kosovo human rights organizations that use Web sites 
        to correct government misinformation be able to get domain 
        names without having their names publicly available on a 
        database? Should we have the same ability to get an 
        ``unlisted'' domain name (or Internet address) as we are able 
        to get an ``unlisted'' phone number?
   Should we allow other federal prosecutors to act like 
        Special Prosecutor Kenneth Starr and go on fishing expeditions 
        with subpoenas issued to bookstores to find out what we are 
        reading? Should we protect our choices of reading and viewing 
        materials the same way we protect our choice of videotapes that 
        we rent from our local Blockbuster?
   Should people who maintain their calendars on Yahoo! get the 
        same privacy protection as those who keep their calendars on 
        their desk or on their PC's hard-drive? Will people avoid 
        certain network services offered by Netscape or new Internet 
        start-ups because they get less privacy protection for the 
        information stored on the network than on their own PC's?

    These are all important issues, and I have worked to propose 
solutions to each of these and to other questions, as well, in the E-
RIGHTS bill I am introducing. I invite each of the witnesses and others 
with interests in these matters to exchange ideas on these topics. 
There are few matters more important than privacy in maintaining our 
core democratic values.

    The Chairman. We will turn to you now, Mr. Sheridan. We 
respect all the things that you have done to cause angst 
throughout the operating platform community.

                 STATEMENT OF MICHAEL SHERIDAN

    Mr. Sheridan. Good.
    The Chairman. Yes, it is good, and we are delighted to have 
you here.
    Senator Leahy. Good word, ``angst.''
    The Chairman. Yes. We have had a lot of that expressed here 
before this committee, by the way.
    Mr. Sheridan. I can feel it.
    The Chairman. Yes.
    Mr. Sheridan. Mr. Chairman and members of the committee, 
good morning, and thank you very much for giving me this 
opportunity to testify on this important issue.
    My name is Mike Sheridan. I am Vice President of Strategic 
Businesses and a member of the Executive Committee of Novell, 
Inc., which is the world's largest provider of directory-
enabled network software, and which is located in the great 
State of Utah. Prior to coming to Novell in 1988, I worked at 
Sun Microsystems, where I was one of the original members of 
the team that created the Java programming language. I testify 
before the committee today not as an expert in privacy policy, 
but as a technologist who is building software products that 
are relevant to the online privacy debate.
    At Novell, we view online privacy as an extension of 
Internet identity, since it is all about empowering users to 
make decisions about how much information they want to share 
and with whom. It will come as no surprise to you that I 
believe that the first line of defense for online privacy is 
commercial technology. The genius of Net culture is the 
immediacy with which it funnels resources to new areas and the 
furious pace, known as Internet time, at which it develops new 
products. Several new firms have already been established to 
address privacy on the Web and are attracting significant 
amounts of venture capital. To the extent possible, we should 
let the marketplace address privacy concerns, since it will 
deliver the fastest, most flexible and most cost-efficient 
solutions.
    The second line of defense is industry self-regulation. 
Before we regulate the Net, we must let the private sector 
attempt to develop best practices and industry norms that 
satisfy consumers' needs. The Online Privacy Alliance, TRUSTe, 
BBBOnLine and the Platform for Privacy Preferences exemplify 
this effort. We are making steady progress, as witnessed by the 
rather dramatic increase in the number of privacy policies 
posted across the Net. Only after we have given commercial 
technology and self-regulation a chance to work should we turn 
to government intervention and regulation, and even then we 
must be sure that it supports America's leadership of the 
networked economy and needs of consumers.
    The first phase of the Internet was really all about 
getting connected, and companies like AOL made it easy to do 
this and led the way. For the past years, we have focused on 
connecting individuals, schools, government and businesses to 
the Net. The next phase, which is just beginning, will be about 
creating and managing digital identities. Novell believes that 
the best way to build the world of Internet identities is to 
develop products that let individual users create, manage and 
secure them. The directory, a sort of network white pages, is 
at the center of our efforts to do so. Identities and 
directories are two sides of the same coin. Identities describe 
who you are on the Net. Directories process this information so 
that you can connect to the right people, applications and 
services.
    An example of the new technologies that will allow 
individual choice to govern individual privacy is a product 
called digitalme. This product reflects Novell's belief that 
the best way to resolve privacy concerns is to address the 
larger identity issue. Digitalme allows users to enter and 
modify personal data in the directory themselves, and to 
control who has access to it. In other words, it lets people 
specify the personal information they want to reveal, if any. 
By providing such tools that allow users to manage their 
Internet identity, we can educate them about their online 
privacy.
    Because no one technology or company can guarantee privacy 
on the Web, Novell is also working to promote industry self-
regulation. We are currently in discussion with BBBOnLine and 
are already a member of the Online Privacy Alliance and a 
premier sponsor and licensee of TRUSTe. Our privacy policy, 
which is posted on our Web site, was created in accordance with 
the guidelines of these two groups, as well as the U.S. Federal 
Trade Commission and EU Directive on Data Protection.
    Mr. Chairman, the privacy debate has at times been 
difficult for the Internet industry. But it has also been very 
constructive, since it has helped reveal consumer preferences, 
industry responsibilities, and the new landscape of e-commerce. 
We should not cut off this debate by pretending that Internet 
privacy concerns don't exist. Nor should we pass premature 
legislation that assumes we know all of the answers.
    For now, government should encourage private sector 
solutions, investigate and prosecute deceptive business 
practices, and monitor privacy abuses to determine the actual 
harm to consumers. Only after we are satisfied that the private 
sector cannot meet consumers' needs through commercial 
technologies and self-regulation should we consider government 
intervention.
    Thank you very much.
    The Chairman. Thank you, Mr. Sheridan.
    [The prepared statement of Mr. Sheridan follows:]

                 Prepared Statement of Michael Sheridan

    Mr. Chairman and Members of the Committee: I am Mike Sheridan, Vice 
President for Strategic Businesses and a member of the Executive 
Committee of Novell, Inc., which is the world's largest provider of 
directory enabled network software. Prior to joining Novell in 1997, I 
worked at Sun Microsystems where I was one of the original members of 
the team that created Java. I testify before the Committee today not as 
an expert on privacy policy, but as a technologist who is building 
software products that are relevant to the online privacy debate.
    What do we mean by online privacy? At Novell, we view it as an 
extension of Internet identity. It is about empowering users to make 
decisions about how much information they wish to share and with whom.
    With all the press attention that online privacy is getting has 
come a chorus of calls for government legislation and regulations. We 
should exercise great caution in responding to them. We are in the 
early stages of the next big phase of the Internet--a phase that will 
focus on the creation and management of digital identities and 
relationships. It would be a mistake to pass legislation regulating 
privacy on the Net before we fully understand the commercial products 
and services that will be available to us in this new environment.
    The first line of defense for online privacy is commercial 
technology. The genius of Net culture is the immediacy with which it 
funnels talent and resources to new areas--like protection of personal 
privacy--and the furious pace at which it develops new products. 
Entrepreneurs have already established several new firms to address 
privacy on the web, and they are attracting significant amounts of 
venture capital. We must allow the market to address privacy concerns 
to the greatest extent possible since it will deliver solutions that 
are the most flexible, speedy and cost-efficient.
    The second line of defense is industry self-regulation. Before we 
regulate the Net, we must allow the private sector to attempt to 
develop best practices and industry norms that satisfy consumers needs. 
The work of TRUSTe, the Online Privacy Alliance (OPA), BBBOnline and 
the World Wide Web Consortium's Platform for Privacy Preferences (P3P) 
exemplify this effort. Only after we have given commercial technology 
and self-regulation a chance to work should we turn to government 
intervention, and even then we must be sure that they support America's 
leadership in the networked economy and the needs of consumers.
    In my comments today, I will examine three issues that are central 
to the privacy debate: (1) The next phase of the Internet; (2) The 
promise of commercial technology; and (3) The principles for future 
progress.
          1. the next phase of the internet: the identity wave
    The Internet began as a Department of Defense research project and 
for many years was used primarily by scientists at national 
laboratories and research universities. The first big wave of the 
Internet occurred in the mid-1990's with the advent of the world wide 
web and the browser. Suddenly, it was easy to surf the Net, and there 
was a scramble to connect. Companies like Netscape and AOL led the way. 
Businesses wanted to connect to improve their communications and 
productivity. Schools wanted to connect to improve educational 
opportunities; government at all levels wanted to connect to enhance 
their operations; and individuals wanted to connect to the new world of 
digital information. Today, US Internet users number about 80 million. 
The Internet is having an economic impact that is on the scale of the 
industrial revolution, and it is occurring much faster.
    The connection phase will continue for several years as we build 
out the infrastructure of the web, but it is about to be supplanted by 
something else--the identity wave. Now that the problems of getting 
online, getting a browser and using the Net have been largely overcome, 
we are faced with massive scale issues. These scale issues are really 
identity problems. How do I find what I want? How do I control my 
identity when it is scattered over dozens of different sites? How do I 
keep track of all my passwords? How do I authenticate my digital 
relationships? How to manage a system this complex in ways that create 
trust?
    Questions about Internet identity are closely related to privacy, 
but they are not synonymous. Privacy is only one aspect of this 
identity, albeit a very important one. The best way to resolve privacy 
concerns is to address the larger issue of how to manage Internet 
identities.
    The transition from the connection phase of the Internet to the 
identity phase should carry a red flag for public policymakers. Instead 
of being well along a road we already know we are moving into 
unfamiliar terrain. Decentralized decision-making and market solutions 
will serve us better during this transition than centralized government 
policy since they can respond more quickly and more flexibly to 
consumers' needs.

  2. the promise of commercial technology: directories and digitalme 
                             TM

    Entire new companies are being formed and many technologies are 
being developed to deal with different aspects of online privacy. I 
cite Novell's approach, not as a panacea, but to illustrate the 
innovative ways that industry is beginning to respond. Novell believes 
that online privacy is an extension of Internet identity and that by 
addressing the broader issue of identity we can resolve many privacy 
concerns.
    The key to building a world of Internet identities is to develop 
products that let individual users create, manage and secure them. The 
directory is at the center of our efforts to do so. A true Internet 
directory is an integrating layer of software that cuts across 
operating systems to provide a platform for network services. Without a 
directory, you cannot find, manage or use your network. Directories are 
what allow network administrators to keep networks up and ready for the 
user, regardless of where he is or what device he has.
    Perhaps the simplest way to think of directories is to compare them 
to the white pages of a telephone book. Just as white pages contain the 
information for telephone identities, directories contain the 
information for Internet identities. But while the white pages are 
nothing more than a reference guide, a directory is a dynamic database 
that makes it easy to manage networks, maintain digital interactions 
and, ultimately, enable widespread electronic commerce.
    Digital identities and network directories are two sides of the 
same coin. Identities describe who you are on the Net; directories 
process this information so that you can connect to the right people, 
applications, services and devices.
    Novell recently announced a new identity product called digitalme 
TM that leverages Novell Directory Services so that 
consumers and businesses can manage their digital identities. Consumers 
are looking for secure ways to manage and protect their personal 
information (such as bookmarks, cookies, preferences, user IDs, credit 
cards and contact information) since these attributes define what they 
can do, where they can go, and who they are on the web. Companies are 
looking for opportunities to differentiate their business by creating 
secure, personalized services that are beneficial to customers.
    digitalme TM has a flexible interface built around 
digital ``cards.'' These virtual meCards can be customized so that 
users share different information about themselves with different sites 
based on their personal preferences. For example, a user may want a 
card for their favorite airline to hold information about their 
frequent flyer number, their e-mail address, their telephone number, 
their business travel patterns and their favorite vacation 
destinations. Voluntarily providing this information would allow the 
airline to customize its interactions with the user so that if low 
fares to the users favorite vacation spot are available, for example, 
the airline can alert them. The same user would provide an entirely 
different set of personal information to his bank or local hospital. 
Since the user knows what information he shares, who he shares it with, 
and when he shares it, he is in more control of his identity on the Net 
and more aware of his Internet privacy.
    digitalme TM is all about user choice. It is downloaded 
voluntarily from the Net, and is designed so users can enter only the 
information that they want to share. If they choose to include highly 
sensitive information a trusted third-party can hold it for them. It 
puts users in control. By giving users control of their identities, it 
allows them to create customized solutions that meet their individual 
needs.
                   3. principles for future progress
    Some seem to have already come to the conclusion that prompt 
government intervention is necessary to address concerns about online 
privacy. Surveys show the protection of personal privacy is the number-
one concern many people have about the Internet. And advocates of this 
view note that it is easier than ever for businesses to gather digital 
information about consumers without their knowledge or consent and to 
use this data to market products, or worse, in discriminatory and 
invasive ways. There is no doubt that the issue of Internet privacy 
raises legitimate questions about the rights of web users. To the 
extent that it leads to the erosion of consumer confidence in the Net, 
it could even retard the growth of electronic commerce.
    Nonetheless, it is too early to make a judgement about the need for 
privacy legislation. Just like the Internet, our understanding of 
digital privacy is still evolving. The success of Free-PC shows that 
many consumers are only too happy to trade their privacy rights given 
the right incentives. And although Internet identifiers can create an 
invasion of privacy, they are also what allowed the FBI to find the 
perpetrator of the Melissa virus and to discover who posted the 
fraudulent Internet articles that artificially inflated the stock price 
of Pairgain Technologies.
    In order to balance these competing concerns, many companies have 
created privacy policies that share a common set of guidelines. Among 
the most important are giving consumers notice before gathering any 
personal data, disclosing how any information that is collected will be 
used, and letting users choose to opt out of personal data transfers 
that are not necessary to complete a transaction.
    Novell's policy, which is posted on our web site at www.novell.com, 
was created in accordance with the guidelines set forth by TRUSTe, the 
Online Privacy Alliance (OPA), the US Federal Trade Commission, and the 
EU Directive on Data Protection. It consists of the following 
guidelines:
    1. In general, people may visit Novell web sites while remaining 
anonymous and not revealing any personal information. Novell will at 
times request basic data--such as name, address and e-mail--in order to 
respond to visitors queries about our products or services, but we will 
not contact you with additional marketing information unless you 
indicate that you want to receive it.
    2. Novell will not disclose your personal information for marketing 
purposes to any third-party company without your consent.
    3. Novell will not collect information from people who identify 
themselves as being younger than 18 years of age.
    4. Novell may use cookie technology only to obtain non-personal 
information from its on-line visitors to improve their on-line 
experience. If you do not wish to have a cookie set when visiting the 
Novell web sites, you may alter the settings on your browser to prevent 
them.
    5. Novell will take appropriate steps to respect and protect the 
information you share with us. Whenever you give Novell sensitive 
information (e.g., credit card numbers), Novell will take commercially 
reasonable steps to establish a secure connection with your web 
browser. Credit card numbers are used only for payment processing and 
are not retained for marketing purposes.
    6. All of the information Novell gathers will be available to you 
at the Novell Identity web page. From this site you can see what kind 
of information Novell has collected from your visit to our web site and 
update the information you have provided us in your personal profile. 
From this site you can also indicate that you would rather be anonymous 
and provide no information about yourself or your visit to our web 
site.
    As the debate about Internet privacy evolves, we should look to the 
following principles to guide our efforts:
1. Rely on market-inspired solutions as much as possible
    The private sector still has a lot of work to do, but we should not 
let the highly publicized privacy problems of the past few months 
distract us from the real progress that has been made. Many 
organizations have invested a lot of time, effort and money to create a 
self-regulatory system in which business takes real steps to protect 
online privacy. OPA, TRUSTe and BBBOnline have educated industry about 
the issue. Novell and several other companies have developed 
technologies that hold promise. AOL has made a huge effort to educate 
consumers. AT&T has funded studies to better understand consumer 
demand. And IBM has withheld advertising dollars from sites that do not 
have privacy policies. As a result of these actions, new products are 
beginning to emerge and privacy policies are steadily proliferating 
across the Net. If the government decides to take legislative or 
regulatory action, it should persist in its role as champion of best 
commercial practice. The private sector is likely to develop faster, 
more flexible and more cost-efficient solutions than the government and 
should be encouraged to do so.
2. Refrain from a one-size-fits-all policy approach
    Just as no one technology or company can solve the privacy issue, 
neither can any one policy. Not all information is equal. Some data--
such as medical and financial data, and information about children--is 
especially sensitive. Other types of data can be quite mundane. 
Moreover, different users have different privacy preferences. 
Aggressive legislation that treats privacy as a uniform problem could 
create more problems than it solves.
3. Keep government intervention consistent with the Internet
    Where government involvement is needed, it should support and 
enforce a predictable, minimalist, transparent and simple legal 
environment. Government should follow a decentralized, technology-
neutral approach to policy that encourages private sector innovation. 
It should refrain from picking technology winners or implementing 
policies that undermine America's leadership of the networked economy.
4. Enforce existing laws and self-regulation
    The government already has an extensive mandate to protect consumer 
welfare and should vigilantly enforce laws that prevent deceptive trade 
practices on the Net. Preventing fraud and false advertising are as 
essential to consumer confidence and the growth of e-commerce as they 
are to ordinary commerce.
                             4. conclusion
    Mr. Chairman, the privacy debate has at times been difficult for 
the Internet industry, but it has also been very constructive since it 
has helped reveal consumer preferences and the new landscape of e-
commerce. Just as importantly, it has highlighted industry 
responsibilities and made us think hard about the appropriate role for 
public policy. We should not cut off this debate by pretending that 
Internet privacy concerns don't exist. Nor should we pass premature 
legislation that assumes we know all the answers. For now, government's 
role is to encourage private sector solutions, investigate and 
prosecute deceptive business practices, and monitor privacy abuses to 
determine the actual harm to consumers. Only after we are convinced 
that the private-sector cannot meet consumers needs through commercial 
products and self-regulation should we consider government 
intervention.

    The Chairman. Mr. Wladawsky-Berger.

              STATEMENT OF IRVING WLADAWSKY-BERGER

    Mr. Wladawsky-Berger. Mr. Chairman, Senator Leahy, and 
members of the committee, thank you for the opportunity to 
comment on the question of privacy in the emerging digital age. 
My name is Irving Wladawsky-Berger and I am the General Manager 
of IBM's Internet Division.
    Let me begin by reiterating that all of us, individuals and 
businesses alike, derive incredible benefit from the free flow 
of information over the Internet. At any hour, day or night, 
people can check the status of a shipment, analyze their 
investment portfolios, or compare prices over a whole universe 
of suppliers. Likewise, businesses gain efficiencies they could 
only dream of before the Internet, efficiencies that restrain 
prices and bring them closer to their customers.
    All this requires information, lots of it. So, clearly, it 
is in everyone's interest that the privacy of information be 
protected. After all, the consumer's embrace of the Internet 
and the electronic marketplace it makes possible will only last 
as long as they try us and all the other participants in that 
marketplace to respect their privacy.
    IBM is no stranger to this issue, and we have been working 
on privacy issues ever since the 1960's. Not surprisingly, 
then, in 1997 we adopted a worldwide privacy policy for our 
thousands of Web pages, and at the same time recognized the 
need for industry to unite on some basic principles and 
actions. In fact, we have played key roles in the establishment 
of the Online Privacy Alliance and the TRUSTe and BBBOnLine 
Privacy Seal programs. We actively support Call for Action, 
which is an educational program to educate consumers on what 
they should look for, for privacy on the Web sites.
    Most recently, IBM announced that, effective June 1, we 
would no longer advertise on United States and Canadian Web 
sites that did not post privacy policies. And as the second 
largest advertiser on the Web, our action, we hope, should 
influence the practices of others. That commitment to privacy, 
and our experience in making the promise of the Net real for 
thousands of customers, gives us an excellent vantage point 
from which to view this issue.
    It seems to us at IBM that the key question to be answered 
at this point is how can our society strike the right balance 
between the value of a free flow of information and privacy. 
How can that flow of information be not just free, but fair as 
well?
    In our opinion, a broad new statute is not the answer. The 
Internet is too global, too instantaneous and too decentralized 
for a fixed, rigid statute to regulate it. The Net and its 
related technologies simply change too quickly to be amenable 
to centralized control. We strongly believe that the best way 
to strike the balance between the free flow of information on 
the Net and privacy protection is through market forces, which 
are invariably the product of consumer preferences.
    This self-regulation would ride atop a broad base of 
consumer protection laws and targeted sectoral regulation. This 
approach envisions a mix of business involvement and 
commitment, government support and targeted action, 
international cooperation among businesses and governments, as 
well as individual responsibility.
    Government should defer to private sector leadership for 
any number of reasons. Number one, the private sector has many 
incentives to respect privacy, not the least of which is self-
interest. The members of the business community simply have too 
much to gain from the freest possible flow of information and 
too much to lose if concerns over privacy limit the growth of 
the networked economy.
    Second, excessive regulation can exclude many small and 
medium firms from the e-business marketplace. We believe that 
one of the most important opportunities in electronic commerce 
is to level the playing field, to allow not just the large 
companies but the smaller companies to participate. We want e-
business to benefit Main Street, not just Wall Street.
    Third, private sector self-regulation can adapt and change 
much more quickly and responsibly than government regulation. 
Fourth, the Internet and the e-business marketplace are fresh, 
new phenomena and should be regulated very, very carefully and 
only with good cause. And, finally, the fifth reason for 
deferring to market forces is the fact that on the Internet 
information is borderless and the Web itself decentralized, 
complicating immeasurably all efforts to impose traditional 
regulation.
    The last few years have seen any number of promising 
marketplace privacy initiatives, and I believe a lot of 
progress is being made. As my colleague from AOL said, one of 
the most promising efforts is the Online Privacy Alliance, a 
cross-industry group established in 1998 to agree on a basic 
framework for privacy policies tailored to individual 
industries.
    My written statement goes more into detail about the 
practices of the Alliance. Let me just very quickly talk about 
what is it based on. Number one, each company should adopt and 
implement a privacy and post it at its Web site. Two, each 
visitor to a site should be informed of what personal 
information is collected at its site, its use, and whether it 
will be disclosed to others.
    Third, visitors to a site should have a choice in whether 
information will be disclosed to others. Fourth, the Web site 
owner should take reasonable steps to keep the information 
secure. And, fifth, the owner should take reasonable steps to 
keep data accurate and to provide individuals as much access to 
their identifiable data as is possible.
    Let me just conclude by thanking you for the opportunity to 
appear before you, and afterwards I will be pleased to answer 
any questions.
    The Chairman. Thank you very much.
    [The prepared statement of Mr. Wladawsky-Berger follows:]

           Prepared Statement of Dr. Irving Wladawsky-Berger

    Mr. Chairman, Senator Leahy, and Members of the Committee, thank 
you for giving me the opportunity to comment on the question of privacy 
in the emerging Digital Age.
    My name is Irving Wladawsky-Berger and I am the General Manager of 
IBM's Internet Division. In that capacity I am responsible for IBM's 
Internet strategy, and for driving its implementation across the 
company. I am also privileged to serve on the President's Information 
Technology Advisory Committee.
    As you may know, IBM is the largest information technology company 
in the world, with over $81 billion in 1998 revenue and over 290,000 
employees worldwide.
    We believe this gives us a unique vantage point from which to 
comment on privacy in the digital age, working as we do with leaders of 
large, medium and small companies and with governments worldwide, 
helping them navigate the historic shift to a networked world, and 
offering them business solutions in the form of expertise, services and 
technology.
           i. the value of information in the information age
    With every passing day it becomes more certain that the Internet 
will take its place alongside the other great transformational 
technologies that first challenged, and then fundamentally changed, the 
way things are done in this world. But with all respect, let me begin 
my comments by suggesting that, while technological advances in our 
industry continue at an amazing pace, it is information not technology, 
that is at the heart of this revolution.
    Information has never been more important than today, when we are 
engaged in a fundamental transformation of commerce, education, health 
care, and government--indeed, just about every institution in society 
that serves individual Americans either as consumers or citizens. For 
every business, information has assumed an increasingly strategic role. 
Information is their competitive advantage. It is what allows them to 
differentiate themselves from all the others in the marketplace who are 
trying to serve the public.
    Leveraging the Internet and other networks so that businesses can 
better work for all their constituents is what we in IBM call e-
business. Indeed e-business is our key market strategy.
    We have worked in the marketplace with many thousands of our 
customers around the world to help them implement e-business 
strategies. And, one of the things we have learned in the process is 
that the more information is available to business, government and 
other institutions, and the more intelligently it is used, the better 
the job they do serving their customers, dealing with business 
partners, and running an effective organization. The cumulative effects 
of all these improvements are greater convenience for consumers, more 
satisfied constituents, and lower costs that can be passed on to 
customers in the form of price reductions.
    For example, customer self-service applications let consumers 
obtain whatever information they need anytime of the day or night, 
whether it is locating a package they have shipped, analyzing the 
status of their investments, or getting expert advice about a purchase 
they are contemplating. Moreover, with the amount of information in the 
World Wide Web growing at a prodigious rate, businesses are 
increasingly capable of using automated ``personalization'' techniques, 
leading questions based on the customer's known needs and wants, to 
help consumers better navigate through the growing sea of information.
    Similar personalization techniques permit retailers to cement 
relationships with customers by offering promotions on items shoppers 
are most likely to want. In fact, the Safeway supermarket chain in the 
United Kingdom typically gets a remarkable fifty percent-plus response 
rate to their direct promotions based on this simple premise: offering 
discounts on items they know customers are likely to buy anyway--and 
Safeway knows what they are likely to buy because of the information 
people have entrusted to them.
    This same retailer, in devising additional customer loyalty 
programs, discovered that people hate to write shopping lists and 
invariably forget certain items. So, in cooperation with our research 
labs, they are piloting a program in which customers get shopping lists 
matched to their buying patterns. The lists are downloaded to a 
portable device the customer picks up as he or she enters the 
supermarket. This same device scans the items as the customer selects 
them, thus significantly reducing the time spent checking out.
    Health care is an area of enormous promise as well. We are working 
with practitioners around the world to establish high-security health 
information networks that connect physicians, laboratories and 
hospitals. With much more timely health information available, patients 
can receive faster, more effective treatment, and the significantly 
lower administrative expenses could help restrain medical costs.
    But the real promise of these health care networks is the 
possibility of subjecting all that information to highly sophisticated 
supercomputing analysis--what we call Deep Computing, since it is 
similar to that developed in our research labs for our Deep Blue chess 
playing application--and developing a truly ``intelligent'' assistant 
able to deliver expert medical advice to health care professionals. 
Such expert assistance could be available over networks to 
practitioners everywhere, in a famous urban medical center or a small 
rural practice.
    In addition, such sophisticated information analysis can infuse far 
better forecasting and planning into business processes of all sorts. 
For example, our research laboratories are working with an airline to 
apply Deep Computing techniques to the scheduling of crew assignments. 
That improves not only the airline's efficiency, but working conditions 
as well by matching assignments as much as possible with the 
preferences of their flight personnel.
    That's a great convenience for the flight crews certainly, but it 
also saves the airline over $80 million annually, costs that would 
otherwise find their way into airline fare schedules to be paid by the 
consumer.
    In the final analysis, if the digital age is about anything, it is 
about using information to empower individuals, be they consumers or 
citizens.
   ii. addressing privacy expectations: ibm's longstanding commitment
    Incredible prospects exist for enriching the lives of customers, 
patients, citizens, or just plain individuals by using their 
information for their benefit, not for their exploitation. And the 
opportunity to obtain and use that information constitutes a 
competitive advantage for business. With all that at stake, it stands 
to reason that the business community has keen incentive to meet 
people's privacy needs.
    This is why IBM takes people's concern for the privacy of their 
information very, very seriously. IBM understands that consumers will 
continue to embrace the Internet, and the electronic marketplace it 
makes possible, only to the degree that they trust those who use the 
technology to respect the privacy of their personal information. 
Equipping consumers with knowledge and choice about how their personal 
information is used is key to building such confidence and trust.
    We strive to lead by example via our own policies and behaviors. 
And we have done so for three decades--a long term commitment to 
individual privacy, one that predates, in many ways, the policies of 
industry and government.
1960's
    IBM adopted our first formalized and global privacy policy, on 
handling of employee data, establishing employee access to their 
personnel folder, well before the practice became common in the 
workplace.
1970's and 1980's
    We formulated specific guidelines and principles, applicable 
worldwide, on the handling of employee and other data (such as medical 
records). We instituted management training to ensure compliance. IBM 
also participated via business groups in the formulation in 1980 of the 
Organization for Economic Cooperation and Development (OECD) Guidelines 
on the Protection of Privacy and the Transborder Flow of Personal Data. 
These Guidelines underlie much of the international community's 
thinking about privacy protection and IBM supports the spirit and 
intent of the OECD Guidelines.
1990's
    As the decade of the Internet began, it was characterized by much 
hype and a lot of trial and error, but now by the end of the decade the 
Net emerged as a new mass medium that is transforming how we work, buy, 
sell, play and learn. As use of the Internet and other networked 
technologies grew, the need for IBM to renew and refocus its commitment 
on today's privacy issues became clear.
    Therefore, in 1997 we adopted and implemented a worldwide privacy 
policy for our thousands of web pages operating as part of ibm.com. A 
copy of our corporate privacy policy statement from www.ibm.com is 
attached as an Exhibit. Within IBM, we supported adoption of our Web 
privacy policy with executive communications and the establishment of a 
new executive position responsible for our internal privacy practices, 
reporting to IBM's Chief Information Officer.
    And we recognized the need for independent third-party backups to 
company policies, and thus sponsored the formation and launch of both 
the TRUSTe and BBBOnline privacy seal programs. We also played a key 
role in the organization and launch of the cross-industry Online 
Privacy Alliance, the principles of which I describe below. TRUSTe and 
BBBOnline are independent non-profit groups that can provide consumer 
assistance and dispute handling for privacy-related questions, and in 
the case of BBBOnline can respond to any and all consumer queries or 
complaints. We backed up our own policy by enrolling in the TRUSTe 
program last year.
    IBM also organized or sponsored a number of customer briefings on 
the issue. In 1998 alone, for example, we hosted a conference in New 
York City for over 100 senior executives from various business and 
government organizations. We hosted Secretary of Commerce Bill Daley 
for a roundtable with over 30 senior executives. With the Software 
Publishers Association (now the Software and Information Industry 
Association) we co-sponsored a series of a dozen workshops on web 
privacy policies.
    Recognizing the needs some businesses will have in this area for 
expert assistance, we also formed a dedicated consulting team in our 
IBM Global Services division to guide organizations (large and small) 
through the process of creating and implementing practices that comply 
with applicable privacy policies or regulations. This team relies on 
the concept of a ``Privacy Architecture'' to help organizations adopt 
the appropriate mix of policies and technologies to manage the privacy 
and security commitments they make.
    We also supported efforts to educate consumers on how to protect 
their privacy online, most notably funding an effort by Call for 
Action, a consumer assistance organization, to publicize its ``ABCs of 
Privacy.'' I've included a sample sticker pamphlet as an Exhibit, and 
you can find more of their information on www.callforaction.org. To 
their credit, Circuit City supported Call for Action's efforts during 
the 1998 Holiday season by allowing the organization to distribute this 
material through their 500-plus stores in the United States.
    And most recently, IBM last month stepped forward and announced 
that, effective June 1, we would no longer advertise on U.S. and 
Canadian Web sites that did not post privacy policies. As the second 
largest advertiser on the Web, we believe that our action will 
influence the practices of other market players. Attached as an Exhibit 
is the letter sent by our advertising agency, OgilvyOne, to over 350 
Web site owners, informing them of our policy.
    iii. spreading the adoption of online fair information practices
    The key question before all of us at this point is how our society 
as a whole--business, government and individuals--will strike the right 
balance between the free and fair flow of information and the 
reasonable expectations of privacy. In particular, what is the right 
balance between legitimate government action and the rewards and 
sanctions of the marketplace?
    IBM, led by our CEO Lou Gerstner, has thought about this question a 
great deal, drawing on our decades of experience with privacy, 
technology, and business practices. Frankly, we want rapid progress in 
adoption of ``fair information practices'' by organizations that handle 
personal data--so that the e-business marketplace, and consumer 
acceptance of it--will continue to grow at double-digit rates. We also 
appreciate that U.S. policy makers and other important stakeholders 
also want rapid progress--especially since electronic commerce has been 
recognized as a major economic driver of the U.S. economy's success 
entering the 21st century.
    A new statute is not the answer. It would be relatively easy, I 
suspect, for some to fall into the trap of thinking that enacting a 
simple statute that tries to make those who operate on the Internet, 
through whatever means, ``respect privacy.'' But that would give a 
false guarantee to our citizens--a single ``one size fits all'' 
approach could never really meet their expectations for privacy 
protection, especially in such a complex and fast moving medium as the 
Internet.
    The Internet presents some special challenges that stem from its 
wonderful and unique attributes. All at once it is: global, 
instantaneous, and decentralized. Information flows through many 
packets in order to get routed to its final destination, relying on a 
very international distribution system that is by its nature 
decentralized and under no one's ultimate control. The Net and its 
related technologies change quickly as well. For example, the Internet2 
and Next Generation Internet initiatives, under development now in the 
United States, will soon make it possible to share richer stores of 
data, much more quickly than before. New technologies and new online 
startups are challenging us all with their continual changes and new 
business models.
    We strongly believe, therefore, that given these attributes the 
best way to strike the balance between information flow and privacy 
protection on the Net is through private sector leadership--what many 
call ``self-regulation''--built atop a base of broad consumer 
protection laws and targeted sectoral regulation. In order to succeed, 
we need a mix of business involvement and commitment; government 
support and targeted action; international cooperation among businesses 
and governments; and individual responsibility.
    IBM strongly supports such a ``layered'' approach to privacy 
protection. Where specific, sectoral concerns are identified and are 
not adequately addressed by self-regulation, some amount of legislation 
or regulation may be needed. For example, IBM has for several years 
supported the enactment of medical records privacy legislation--medical 
data are among the most sensitive data an individual can share, and for 
that type of data we support a comprehensive statutory framework.
    But with respect to the Internet and electronic commerce generally, 
we believe that self-regulatory efforts should be given more time to 
address the reasonable privacy expectations of consumers. There are a 
number of reasons to defer to private-sector leadership:
The private sector has many incentives to respect privacy
          Frankly, since businesses have so much to gain, and so much 
        to lose, if privacy concerns limit the growth of the networked 
        economy, I believe that the members of the business community 
        need to establish themselves as worthy stewards of privacy. We 
        should be encouraged by business' efforts in the last year or 
        so (which I describe below) and we should also recognize that 
        it takes time to grow any movement.
          The great majority of the business community recognizes that 
        its real interests lies in maintaining the trust and confidence 
        of their customers--and therefore it is smart business to 
        respect the privacy of personal information.
          A number of high-profile examples from the last few years 
        illustrate my point--ranging from AOL, to Geocities, and to the 
        rapid actions taken by Intel and PC makers (including IBM) to 
        address consumer concerns about privacy implication of the new 
        Pentium III chip.
          An appropriate role of government vis a vis the private 
        sector in this context would be for all levels of government to 
        lead by example and adopt fair information practices as much as 
        possible. Recent examples involving the reported sale of 
        drivers' license records are good reminders of the importance 
        of providing individuals with ``notice'' and ``choice'' over 
        what is done with information they disclose to others. Clearly, 
        the nature of government's responsibilities carries with it 
        duties to secure public safety and investigate potentially 
        harmful actions--but those investigations ought to be executed 
        within our Constitutional protective framework.
Excessive regulation can deter Main Street and others from joining the 
        e-business marketplace
          While we agree that the government has a role in protecting 
        the privacy of its citizens, we worry that a pervasive 
        regulatory regime would be cumbersome and stifling, especially 
        for mid-size and small businesses. We want e-commerce to 
        benefit Main Street as well as Wall Street. We want to make 
        sure that businesses of all sizes, from the largest to the very 
        smallest, participate in the networked economy. And, we worry 
        that excessive regulation, with its increased costs, could 
        exclude many from the opportunity represented by the Internet.
Private-sector self-regulation can adapt and change much more quickly 
        and responsively than government regulation
          The genius of our nation's Founders produced a political 
        system in which legislation usually develops deliberately and 
        slowly, while policy makers weigh the concerns of opposing 
        factions and competing interest groups. Self-regulation, on the 
        other hand, has the advantage of speed, and the benefit of 
        being able to adapt more quickly to technological changes and 
        consumer and other expectations.
          The core forces driving the Internet and e-businesses, of 
        themselves, enable more flexibility in addressing privacy 
        concerns. Empowering technologies such as the Platform for 
        Privacy Preferences, under development as an industry standard 
        by the World Wide Web Consortium, will continue to put in the 
        hands of consumers the power to control their information. 
        Simple technology-related tools one can use today, such as 
        anonymizers and cookie cutters--while not perfect--can be used 
        by all who want to use them. And finally, new business models 
        are springing up that allow people who freely choose to provide 
        information, to get something of value in return. Do you want a 
        free PC today? Or a coupon for products? You decide.
          In my view, the best example of private sector responsiveness 
        is the TRUSTe web privacy program. Just launched in 1997, the 
        program has already comprehensively updated its privacy 
        policies and practices in order to be consistent with the 
        fundamental principles espoused by the Online Privacy 
        Alliance--the latest ``best practices'' in online privacy. A 
        regulatory agency would not have been able to accomplish such 
        significant change in that time frame.
The Internet--and the e-business marketplace--are new phenomena and 
        should be regulated very, very carefully and only with good 
        cause
          One school of thought says that a new mass medium has been 
        born when it's used by 50 million people. Radio took nearly 40 
        years to cross that threshold. TV took 13 years; cable TV, 10 
        years. The Internet did it in less than five. By one very 
        conservative estimate the number of Internet users worldwide 
        will surge to 210 million in 1999. Internet commerce will more 
        than double, to $68 billion in 1999. And spending on online 
        advertising grew to nearly $1.6 billion in 1998, an annual 
        growth rate of 83 percent.
          Clearly, the Internet is taking off, but so are self-
        regulatory efforts. I'll turn to a description of these efforts 
        next, but my point is: the U.S. private sector came together in 
        mid-1998, in consultation with government, to agree on robust 
        self-regulation for online commerce. Barely one short year 
        later, we are seeing encouraging early returns, that should 
        elicit additional support for these efforts from policy makers. 
        IBM urges the Committee to encourage such efforts, while being 
        extremely suspect of imposing additional regulation.
          Where additional government involvement is deemed necessary, 
        it should address a specific, identified harm or concern--e.g. 
        so called ``identify theft'' or the rights of citizens against 
        government seizure of online information. An additional role 
        for government, as called for in the recently issued 
        recommendations of the President's Information Technology 
        Advisory Committee, is to support research on fundamental 
        attitudes and technologies related to privacy.
On the Internet, information flows freely across borders; the 
        decentralized nature of the medium complicates efforts to 
        address privacy via traditional regulation. It also highlights 
        the importance of U.S. government actions
          National borders do not reflect the basic fabric of the 
        Internet, where information flows freely across borders. Its 
        distributed, decentralized nature means that traditional 
        regulation will have a hard time succeeding in meeting the 
        expectations of citizens that their data will be protected and 
        keep as private as they specify.
          The United States today leads all other nations in our use 
        and development of the Net--I can confirm that personally, 
        based on my dealings with people all over the world. It is 
        clear--based on a number of measures--that we lead in the 
        technology, attitudes and practices that are key to succeeding 
        in the New Economy. Other nations watch what we do in this 
        space, and whatever steps our government takes in regulating 
        Internet-related, activity will be carefully studied and 
        potentially copied. To date, our government's willingness to 
        allow the medium to grow led primarily by market forces and 
        technological advances has been a very important precedent 
        abroad, leading governments that are more inclined to impose 
        pervasive regulation to hesitate and in some instances refrain.
          Of course, I do not believe that there is no role for 
        government regulation. But I do believe that the best approach 
        involves careful, tailored legislation that allows maximum time 
        and flexibility for self-regulatory efforts to work.
            iv. responding to the self-regulation challenge
    In line with the U.S. system of private-sector leadership supported 
by statutory requirements, we are seeing a number of promising 
initiatives.
    A number of industry-specific groups have developed privacy 
principles and initiatives. In the information technology industry, for 
example, groups such as the Computer Systems Policy Project, the 
Information Technology Industry Council, and the Software and 
Information Industry Association have all adopted privacy principles 
for their members' use and guidance. Attached as an Exhibit are 
examples from the CSPP and ITI principles--for example, the CSPP 
developed a full-page ad for USA Today that explained their principles, 
and mailed the information with a letter from eight CEOs to the Fortune 
1000 companies of the United States.
    One of the most promising examples of self-regulation, and one 
which IBM strongly supports, is a cross-industry group that came 
together in 1998 to agree on what constitutes a basic framework of 
privacy policies that could be tailored to the needs of individual 
industries. These eighty-plus companies and major trade groups of the 
Online Privacy Alliance have created guidelines for privacy policies 
and an enforcement framework with real teeth that each of the Alliance 
companies (including IBM) has pledged to implement. In doing so we 
consulted with privacy experts, government and advocacy groups, and 
arrived at a framework that received generally positive support. 
Attached as an Exhibit for the Committee's reference are the Alliance 
Mission, Members, and Guidelines, also found at 
www.privacyalliance.org.
    The basic principles that the Alliance companies support for online 
commerce are, in abridged form:

          1. Adoption and Implementation of a Privacy Policy--every Web 
        site should post such a policy statement.
          2. Notice and Disclosure of Information Practices--the 
        statement should give the Web site visitor notice of what 
        personally identifiable information is collected at the site, 
        the use of that information and whether it will be disclosed to 
        third parties.
          3. Choice/Consent--over whether information is shared or 
        disclosed to others--the individual generally should have a 
        choice, at least the ability to opt out, about whether 
        information about them is disclosed or used for other purposes.
          4. Data Security--reasonable steps should be taken to keep 
        data secure from unauthorized users or access.
          5. Data Quality and Appropriate Access--reasonable steps 
        should be taken to keep data accurate and up-to-date, and as 
        appropriate and feasible access to personally identifiable data 
        should be given to the Web site visitor.
          6. Enforcement of the Guidelines by an Easily Available and 
        Usable Mechanism--all Alliance companies pledge to employ self-
        enforcement mechanisms that provide consumers with easily 
        understood and used recourse.

    Many Alliance companies are working with ``seal programs''--
independent third parties like the Better Business Bureau's BBBOnLine, 
and TRUSTe--that monitor a company's compliance with its privacy policy 
and confer, as it were, a seal of approval. These seals are not empty 
standards--both BBBOnline and TRUSTe aim to impose requirements that 
are consistent with the Online Privacy Alliance's standards.
    Industry has made real progress in the last year. According to 
Media Metrix, the independent Web ratings agency, when someone visits a 
Web site this month chances are over 90 percent that it will be 
operating under the guidelines of the Online Privacy Alliance. More 
data will soon be available about industry's progress, when Georgetown 
University releases a new survey of Web practices next month. I don't 
know what all of those data will show, but one thing is clear to me: 
for the large majority of Web users in the United States visiting 
commercial web sites, they will click on sites that post privacy 
policies. And if that's not a good test of the successful start of 
self-regulation, then what is?
                            iv. conclusions
    The ``layered'' approach that I've advocated in this testimony is 
nothing new for the United States: Attached as an Exhibit is a White 
Paper and legal analysis prepared by the Online Privacy Alliance that 
explains the ``layered approach'' to protecting data privacy in the 
United States.
    As this White Paper states:

        The layered approach to data privacy protection--in which 
        publicly announced corporate policies and industry codes of 
        conduct are backed by

          (a) the enforcement authority of the Federal Trade Commission 
        and state and local agencies;
          (b) specific sectoral laws that protect the privacy of 
        particular types of information, enforceable by state and 
        federal agencies; and
          (c) private civil actions for injunctive or monetary relief 
        brought by individuals or classes of consumers

        --differs from the comprehensive government regulatory schemes 
        typically used in Europe. Notwithstanding the absence of any 
        regulatory agency dedicated to the enforcement of privacy 
        standards, however, the ``layered'' public-private enforcement 
        approach has a long and successful history in the United 
        States.
        For example, many professions that traditionally have been 
        trusted to safeguard the confidentiality of personal data--
        lawyers, doctors and accountants, for example--abide by self-
        regulatory codes backed up by government or judicial 
        enforcement mechanisms, and the result has been a high level of 
        protection that has stood the test of time.
        The framework of self-regulation in the United States, 
        buttressed by the threat of governmental or private 
        enforcement, has succeeded both in protecting personal 
        information and in affording adequate redress to those 
        individuals whose privacy has been invaded. Accordingly, a 
        layered approach--as adapted to address the unique conditions 
        of the Internet--should achieve a level of data privacy 
        protection online that satisfies the principles of the 
        [European Union Data Privacy] Directive.

Online Privacy Alliance, Legal Framework White Paper at 2 (Nov. 1998).
    In an economy as networked, global, and competitive as the one we 
are building, customers usually can impose sanctions and punish a 
company much faster and more effectively than government. In a free and 
competitive marketplace, customers will gravitate toward those brands 
that provide them the best possible service, and whose brand they can 
trust. By the same token, with our free and ever-increasing flow of 
information, empowered people will quickly realize who they should 
avoid.
    Clearly, the less government obtrudes into the marketplace the 
greater will be the flow of Web transactions delivering goods and 
services, health care, government services, financial services * * * 
indeed everything that depends on trust. And flowing from that will 
come new opportunities, new businesses, and new jobs in all sectors of 
the economy.
    Privacy is not a cut and dried issue. What is and is not private 
changes from person to person. For one person the scope of privacy is 
very narrow, for another very broad. For some people privacy is 
negotiable and they may be willing to trade information about 
themselves in return for something of value.
    Certainly a pervasive regulatory regime could assure the public 
that nothing improper would happen to their personal information by 
making sure that nothing at all would happen to their personal 
information * * * nothing bad certainly but nothing good either.
    At the other extreme is the laissez-faire solution which might 
suffice in a perfect world, but as the Founders knew, human nature is 
far from perfect. Somewhere between those two poles lies the answer * * 
* some balance between legitimate government action and the rewards and 
sanctions of the marketplace.
    Frankly, I am inclined to find the balance much closer to the 
marketplace.
    After all the great majority of the business community recognizes 
that its real interests lie in maintaining the trust and confidence of 
their customers--and therefore in respecting the privacy of personal 
information. That's why any government privacy policy should provide 
maximum latitude for stringent self-regulation * * * the kind of 
discipline that business is already adopting.
    Thank you again for the opportunity to appear before you. I would 
be pleased to answer any questions you may have.

[GRAPHIC] [TIFF OMITTED] T8199.004

[GRAPHIC] [TIFF OMITTED] T8199.005

[GRAPHIC] [TIFF OMITTED] T8199.006

[GRAPHIC] [TIFF OMITTED] T8199.007

[GRAPHIC] [TIFF OMITTED] T8199.008

[GRAPHIC] [TIFF OMITTED] T8199.009

[GRAPHIC] [TIFF OMITTED] T8199.010

[GRAPHIC] [TIFF OMITTED] T8199.011

[GRAPHIC] [TIFF OMITTED] T8199.012

[GRAPHIC] [TIFF OMITTED] T8199.013

[GRAPHIC] [TIFF OMITTED] T8199.014

[GRAPHIC] [TIFF OMITTED] T8199.015

[GRAPHIC] [TIFF OMITTED] T8199.016

[GRAPHIC] [TIFF OMITTED] T8199.017

Legal Framework White Paper: Submitted with the Comments of the Online 
   Privacy Alliance On the Draft International Safe Harbor Principles

                          [November 19, 1998]

   OPA White Paper: Online Consumer Data Privacy in the United States

                              Introduction

    This autumn marks the entry into force of the European Union's 
Directive 95/46/EC, which establishes minimum requirements for the 
protection of personal data across the Community and requires member 
states to prohibit the transfer of personal data to countries where 
such data is not subject to adequate safeguards. The Directive takes a 
broad legislative approach to data protection that is not mirrored in 
federal and state statutes in the United States. Nevertheless, similar 
concerns about personal privacy in the digital age affect consumer 
choices, corporate practices, and, ultimately, legal policies--
governmental, self-regulatory, and judicial--in the United States. This 
paper, submitted by the Online Privacy Alliance (``OPA''), illustrates 
how the collective effect of ``layered'' regulatory and self-regulatory 
measures creates ``adequate'' safeguards for the protection of personal 
information collected online in the United States.
    The OPA is a cross-industry coalition of more than 70 global 
companies and associations concerned with protecting the privacy of 
individuals online. As described below, the OPA and its members have 
adopted standards of conduct tailored to the online environment and 
intended to ensure that personal information collected online by OPA 
members receives the level of protection contemplated by the Directive. 
The OPA has grappled with the unique challenges to and opportunities 
for data privacy protection that are presented by the enormous and 
constant data flow in the online environment and has addressed these in 
a way designed to reflect the realities of the Internet while 
satisfying the principles of the Directive and U.S. data privacy 
policies. The OPA has set forth guidelines for online privacy policies, 
a framework for self-regulatory enforcement, and a special policy 
concerning collection of information from children. OPA requires its 
members to adhere to these guidelines and policies, which are available 
on OPA's website at http://www.privacyalliance.org.
    The layered approach to data privacy protection--in which publicly 
announced corporate policies and industry codes of conduct are backed 
by (a) the enforcement authority of the Federal Trade Commission and 
state and local agencies; (b) specific sectoral laws that protect the 
privacy of particular types of information, enforceable by state and 
federal agencies; and (c) private civil actions for injunctive or 
monetary relief brought by individuals or classes of consumers--differs 
from the comprehensive government regulatory schemes typically used in 
Europe. Notwithstanding the absence of any regulatory agency dedicated 
to the enforcement of data privacy standards, however, the ``layered'' 
public-private enforcement approach has a long and successful history 
in the United States. For example, many professions that traditionally 
have been trusted to safeguard the confidentiality of personal data--
lawyers, doctors, and accountants, for example--abide by self-
regulatory codes backed up by government or judicial enforcement 
mechanisms, and the result has been a high level of protection that has 
stood the test of time. The framework of self-regulation in the United 
States, buttressed by the threat of governmental or private 
enforcement, has succeeded both in protecting personal information and 
in affording adequate redress to those individuals whose privacy has 
been invaded. Accordingly, a layered approach--as adapted to address 
the unique conditions of the Internet--should achieve a level of data 
privacy protection online that satisfies the principles of the 
Directive.
    In recent years the U.S. government has been increasingly concerned 
about ensuring protection of personal information both online and off. 
The U.S. government has embraced the layered approach to online data 
protection and consistently has advocated that self-regulatory 
efforts--in the form of industry codes of conduct and self-policing 
trade groups and associations--serve as the primary safeguard to 
protect the electronic privacy of personal information.\1\ This belief 
in the efficacy of self-regulation reflects U.S. confidence that 
industry standards will rise to meet the challenge of meaningful data 
protection, rather than become watered down by a ``race to the 
bottom.'' Indeed, as discussed below in Part I, the Federal Trade 
Commission and the U.S. Department of Commerce have identified five key 
elements of a successful regime for data privacy protection in order to 
define for U.S. industry the standards the government expects industry 
to meet.
---------------------------------------------------------------------------
    \1\ See White House Task Force, Framework for Global Electronic 
Commerce (July 1, 1997).

        (1) notice of the ways in which information will be used;
        (2) consent to the use or third-party distribution of 
        information;
        (3) access to data collected about oneself;
        (4) security and accuracy of collected data; and
        (5) enforcement mechanisms to ensure compliance and obtain 
        redress.\2\
---------------------------------------------------------------------------
    \2\ See Privacy Online at 7-11 (describing principles in detail); 
U.S. Department of Commerce, Privacy and Electronic Commerce (June 
1998); see also White House Task Force, Framedwork for Global 
Electronic Commerce (July 1, 1997). The FTC's core privacy principles 
represent the most recent and comprehensive U.S. effort to identify the 
fundamental elements of data protection. The FTC framework does not 
exist in a vacuum, however. The National Telecommunications and 
Information Agency (``NTIA''), the U.S. Information Infrastructure Task 
Force, and the Commerce Department each have addressed issues related 
to the protection of personal information and have all reached similar 
conclusions as to what constitutes effective data protection. See 
Framework for Global Electronic Commerce (describing results of various 
studies). The core principles announced by the FTC represent a 
synthesis of these earlier efforts and the OECD Guidelines. See Federal 
Trade Commission, Privacy Online: A Report to Congress 7 & nn. 27, 28 
(FTC June 1998), available at http://www.ftc.gov/reports/privacy3.

Thus, the U.S. commitment to self-regulation presumes--and will 
encourage--the development through industry initiatives of meaningful 
privacy measures that generally adhere to these core privacy 
principles.
    The U.S. government, furthermore, has made clear that the failure 
of a company to abide by privacy standards to which it professes to 
adhere can subject the company to the enforcement authority of the 
Federal Trade Commission (or of state and local agencies) and 
consequent legal penalties. This possibility of government enforcement 
should provide ample incentives for companies to live up to their 
guarantees of privacy. See Part I infra. Moreover, as demonstrated in 
Part II, both federal and state laws provide an additional layer of 
privacy protection: They establish numerous types of safeguards for 
data privacy in various sectors of the economy by imposing legal 
restrictions on the collection and use of particular types of 
information. These various laws demonstrate the commitment of both the 
federal and state governments to intervene and protect privacy if self-
regulatory efforts in a particular sector need reinforcement.
    The OPA privacy guidelines and attendant enforcement mechanisms 
(discussed in Part III) are designed to work with this regulatory 
backdrop to protect the privacy of consumers' online data consistent 
with the principles set forth in the Directive. OPA-prescribed 
enforcement mechanisms, such as seal programs, provide a means to 
guarantee that members comply with clearly identified self-regulatory 
standards. Companies that identify themselves as adhering to the OPA 
self-regulatory scheme also may be at risk of FTC (as well as state and 
local) enforcement actions if they fail to follow the OPA privacy 
principles; many of these companies also will be obligated to comply 
with various sectoral data protection laws at the federal and state 
levels. Thus, compliance with the OPA guidelines should provide 
assurance to EU data protection authorities that personal information 
collected online will be adequately protected within the United States, 
and that such protection is enforceable.
    OPA and its members have every incentive to adopt strong standards 
for data protection and privacy. Political, technological, and economic 
trends are all driving companies to the high end, not the low end, of 
privacy protection. Recent polls indicate that public concern about 
online privacy is the number one reason that consumers not currently 
using the Internet--still a substantial majority of U.S. consumers--do 
not go online,\3\ and a substantial number of consumers who do use the 
Internet choose not to purchase goods sold through websites that do not 
disclose their privacy policies.\4\ Congress and the Administration are 
well aware of the tide of public opinion, and recent events--most 
notably, the rapid passage by the U.S. Congress of the Children's 
Online Privacy Protection Act--leave no doubt that the U.S. government 
will take action if the online industry does not uphold its 
responsibility to impose meaningful standards for the use and 
protection of online customer data.
---------------------------------------------------------------------------
    \3\ See Business Week/Harris Poll: Online Insecurity, Business 
Week, Mar. 16, 1998, at 102.
    \4\ See Prepared Statement of the Federal Trade Commission on 
``Consumer Privacy on the World Wide Web,'' before the Subcommittee on 
Telecommunications, Trade and Consumer Protection of the House 
Committee on Commerce, July 21, 1998; Privacy Online at 3-4.
---------------------------------------------------------------------------
    U.S. advocacy of a layered self-regulatory approach to data privacy 
protection is therefore both a carrot and a stick. Private industry has 
been given an opportunity to preserve Internet commerce from government 
regulation--the carrot. However, if self-regulation does not work, or 
if industry contents itself with meaningless or self-serving standards, 
the U.S. government stands ready to impose whatever statutory 
guidelines are necessary for the successful protection of information 
gathered online--the stick.
    This emphasis on meaningful self-regulation has produced real 
progress in the promulgation of substantive guidelines to govern the 
use of personal information in certain industries. For example, the 
major players in the growing market for individual reference services 
(``IRS'')--companies that, for a fee, provide financial and other 
personal information about individuals--have worked with the Federal 
Trade Commission to adopt a code of conduct that imposes strict 
limitations on the use and sale of personal information by those 
companies. Similarly, the OPA privacy guidelines demonstrate that the 
self-regulatory framework outlined by the FTC offers a viable method of 
protecting personal data collected over the Internet.
    OPA strongly believes that the interests of its members will best 
be served by working within that self-regulatory framework to assure 
the public that personal data will be adequately protected. Online 
markets are expected to expand dramatically in the coming years, and 
consumers--particularly those who have yet to buy products or services 
online--have demonstrated that they in fact care a great deal about the 
privacy policies of the online companies with whom they do business. 
New technologies, which will allow a consumer to bargain explicitly for 
a desired degree of privacy protection, will only heighten public 
awareness of privacy concerns and reinforce the public's expectation 
that responsible companies will adhere to the privacy principles 
espoused by OPA today.\5\ Internet markets will not reach their full 
potential until and unless consumers trust that online businesses will 
not misuse personal data that must be collected to consummate 
commercial transactions (e.g., shipping addresses, contact information, 
credit card numbers). Thus, every commercial online business has an 
incentive to win that trust by safeguarding the privacy of its 
customer's personal information, and those forward-looking companies 
that set the standard for data protection on the Internet--companies 
like OPA's members--will earn a competitive advantage in the 
marketplace.
---------------------------------------------------------------------------
    \5\ Even today, web browsers can be set to decline ``cookies'' so 
as to prevent a website from writing files to a user's disk that permit 
the site owner to track usage of the website by that user, and 
filtering programs permit users to prevent access to specified sites, 
which may include those with unacceptable privacy policies. In the 
future, automatic protocols like P3P will allow Internet users to 
negotiate desired levels of privacy protection or to avoid altogether 
those sites that do not provide sufficient protection for personal 
information.
---------------------------------------------------------------------------
       i. the federal trade commission: enforcing self-regulation
    Private self-regulatory bodies like the OPA--which establish a 
framework of self-imposed data protection rules to govern the conduct 
of all entities in a given industry that agree to operate according to 
those standards--can effectively regulate the behavior of their members 
and thereby safeguard the private information of consumers. Rather than 
having to investigate the idiosyncratic information practices of a 
given company, consumers will learn to associate a prominently 
displayed seal or notice with a well-known standard of data 
protection--much as U.S. consumers today know that the ``UL'' 
(Underwriters Laboratories) symbol on electronic appliances \6\ 
guarantees that a device's design meets a time-tested safety threshold. 
Thus, companies that agree to abide by a recognized self-regulatory 
standard gain the reputational advantage of being able to advertise a 
consumer-trusted seal of approval--and those that do not bear a stigma 
that can be expected to affect their performance in the marketplace. 
Internal enforcement mechanisms guarantee that members live up to their 
promises by threatening violators with the penalty of losing the 
organization's stamp of approval.
---------------------------------------------------------------------------
    \6\ The ``UL'' symbol serves a function similar to the ``CE'' 
symbol on products sold in Europe.
---------------------------------------------------------------------------
    But the efficacy of collective self-regulation in the United States 
does not depend on the private sector alone. The Federal Trade 
Commission (``FTC'') may use its enforcement authority under section 5 
of the Federal Trade Commission Act, which prohibits ``unfair or 
deceptive trade practices'' in interstate commerce, to prosecute 
companies that do not uphold the standards of a privacy seal or notice 
that they display for customers. The FTC has broad jurisdiction over 
companies doing business in the United States as well as substantial 
enforcement powers. FTC remedies include injunctive relief and other 
forms of redress and compensation, and thus impose an independent, 
objective incentive on companies to take industry standards 
seriously.\7\ State and local consumer protection agencies and consumer 
advocates, as well as state attorneys general (the latter analogous to 
the federal Department of Justice), complement the FTC's authority by 
keeping a watchful eye on regional industries and smaller businesses.
---------------------------------------------------------------------------
    \7\ See Federal Trade Commission, Individual Reference Services: A 
Report to Congress 29 & n.297 (FTC Dec. 1997).
---------------------------------------------------------------------------

                    A. The Federal Trade Commission

1. FTC enforcement authority
    The FTC is an independent administrative agency that has been 
delegated broad enforcement authority under a variety of statutes 
designed to promote fair competition and protect the interests of 
consumers. Certain of these statutes--like the Fair Credit Reporting 
Act (discussed below)--specifically empower the FTC to investigate and 
prosecute violations of U.S. law governing the treatment of specific 
types of information relating to an individual's credit and finances. 
Others--like the recently passed Children's Online Privacy Protection 
Act of 1998 (also discussed below)--grant the FTC authority to regulate 
certain data protection practices and dictate minimum standards for the 
collection and distribution of discrete types of personal information 
(e.g., data relating to children). More generally, the FTC possesses 
broad authority under section 5 of the Federal Trade Commission Act to 
investigate and halt any ``unfair or deceptive'' conduct in almost all 
industries affecting interstate commerce.\8\ This authority includes 
the right to investigate a company's compliance with its own asserted 
data privacy protection policies. Pursuant to section 5, the FTC may 
issue cease and desist orders and may also order other equitable 
relief, including redress of damages.
---------------------------------------------------------------------------
    \8\ Industries exempt from the FTC's enforcement authority under 
section 5 are in general subject to specific regulatory schemes that 
tend to be both comprehensive and rigorous. See, e.g., 47 U.S.C. 
Sec. 45(a)(2) (exempting banks and savings and loan institutions).
---------------------------------------------------------------------------
    While the FTC possesses only limited authority to prescribe 
regulations that have the force of positive law, it can determine 
(subject to judicial review) that a given practice is unfair or 
deceptive and therefore contrary to the public interest. Furthermore, 
if the agency through its adjudicatory procedures determines that a 
given practice constitutes unfair or deceptive conduct (usually in the 
form of issuing a ``cease and desist order''), other parties who engage 
in similar conduct are subject to civil penalties if they have actual 
knowledge of the FTC's determination.\9\ Typically, a company will 
choose not to run the risk of a full-scale FTC investigation and 
prosecution and will instead enter into a ``consent order'' with the 
agency in which a company agrees to comply with objective, judicially 
enforceable requirements. Thus, the agency often can set a de facto 
minimum standard of behavior through vigorous investigation of 
companies that engage in questionable conduct, exercising considerable 
influence over a wide variety of industry practices that the agency 
deems important to consumers and the public interest. The FTC's recent 
policy statements and reports leave no doubt that one such area of 
special concern for the agency is the commercial collection and 
distribution of personal information.
---------------------------------------------------------------------------
    \9\ See 47 U.S.C. Sec. 45(m)(1)(B).
---------------------------------------------------------------------------
2. The FTC's core privacy principles
    As noted above, in a June 1998 report to Congress, the FTC 
identified five core principles of privacy protection that it will deem 
to represent fair and adequate information practices: \10\
---------------------------------------------------------------------------
    \10\ See Federal Trade Commission, Privacy Online: A Report to 
Congress (FTC June 1998), available at http://www.ftc.gov/reports/
privacy3.

          (1) Notice: Consumers must be given notice at the time data 
        is collected of (a) what kinds of information are being 
        gathered, (b) whether requests for information may be refused, 
        (c) the uses that will be made of that data, (d) the persons or 
        entities who will receive or have access to that data, (e) the 
        measures taken to ensure confidentiality and accuracy of the 
        data, and (f) whether an individual may limit the dissemination 
        or use of collected personal information.
          (2) Consent: Individuals should be afforded a choice about 
        the ways in which collected information may be used and whether 
        that information may be distributed to third parties.
          (3) Access: Individuals should have access to the data that 
        is collected about them and should have some means to correct 
        inaccurate or incomplete information.
          (4) Security: Companies that collect personal information 
        should take reasonable steps to ensure the security and 
        accuracy of that information; in particular, measures should be 
        adopted to prevent unauthorized access to any personal data.
          (5) Enforcement: Individuals must have some mechanism to 
        enforce compliance with an objective code of personal 
        information practices and to obtain redress for violations of 
        that standard.

    As demonstrated by the GeoCities case (discussed below), the FTC 
has taken enforcement action to ensure that a company complies with its 
stated data protection standards.\11\ As companies increasingly adopt 
and announce privacy policies, therefore, their practices become 
subject to FTC enforcement. Even where a company has not publicly 
embraced privacy standards, the FTC has cautioned that ``in certain 
circumstances, information practices may be inherently deceptive or 
unfair, regardless of whether the entity has publicly adopted any fair 
information practice policies,'' leading to the possibility of an FTC 
enforcement action under section 5 of the FTC Act.\12\ For example, 
prior to the recent adoption of the Children's Online Privacy 
Protection Act, the FTC issued an opinion letter concluding that ``it 
is likely to be an unfair practice'' to collect personal identifying 
information from children without a parent's prior consent.\13\ As 
principles of data privacy protection become more ingrained and 
accepted, other privacy practices similarly could become sufficiently 
widespread and expected that a company's failure to comply with such 
practices--at least absent notice to consumers--might be deemed unfair 
by the FTC.\14\
---------------------------------------------------------------------------
    \11\ See Privacy Online at 40 (``[F]ailure to comply with stated 
information practices may constitute a deceptive practice * * * and the 
Commission would have authority to pursue the remedies available under 
the [FTC] Act for such violations.'').
    \12\ Privacy Online at 40 (emphasis added).
    \13\ See Letter from Jodie Bernstein, Director, Bureau of Consumer 
Protection, Federal Trade Commission, to Center for Media Education, 
July 15, 1997, available at http://www.ftc.gov/os/9707/cenmed.htm.
    \14\ State and local consumer protection agencies also scrutinize 
the extent to which companies engage in deceptive or misleading 
practices by failing to adhere to announced codes of conduct, and thus 
provide additional oversight. See, e.g., Cal. Bus. & Prof. Code 
Sec. Sec. 17200, 17500 (West 1998) (revised in 1998 to apply explicitly 
to Internet commerce); N.Y. Gen. Bus. Law Sec. Sec. 349, 350 (Consol. 
1998); People v. Lipsitz, 663 N.Y.S.2d 468 (N.Y. Sup. Ct. 1997) 
(applying N.Y. consumer protection statute to false advertising on 
Internet); Andrew Countryman, ``America Online Deal Reached with 44 
Attorneys General,'' Chicago Tribune, May 29, 1998 (describing deal 
reached between AOL and state attorneys general regarding AOL business 
practices). In particular, state and local agencies may be better 
positioned than the FTC to examine the behavior of smaller and regional 
companies and to respond to the complaints of individual consumers. See 
John Borland, ``States Prepare To Examine New Internet Legislation,'' 
CMP TechWIRE, Jan. 12, 1998 (describing anticipated state legislation 
to protect Internet consumers). Thus, the enforcement powers and 
activities of local and state officials and agencies supplements the 
authority of the FTC and provides an additional layer of protection for 
personal information.
---------------------------------------------------------------------------

     B. Enforcing Privacy Protection under Section 5 of the FTC Act

    A recently settled FTC enforcement action against a website 
operator demonstrates the FTC's use of section 5 of the FTC Act to 
assure that companies operate in accordance with their announced 
information protection practices--thereby putting teeth in self-
regulatory programs.\15\ This represents the FTC's first resolution of 
a privacy action in the Internet context by way of a consent order, and 
illustrates the flexibility of existing U.S. law to adapt to new 
industry sectors in a timely way.
---------------------------------------------------------------------------
    \15\ See In the Matter of GeoCities, File No. 9823015 (FTC 1998); 
see also Michael D. Scott, GeoCities Targeted by FTC in Internet 
Privacy Enforcement Action, Cyberspace Lawyer 5-11 (Sept. 1998).
---------------------------------------------------------------------------
    In the GeoCities case, the FTC challenged the accuracy of certain 
representations in the website operator's privacy notice regarding the 
use of marketing information collected from persons registering at the 
site. The FTC's complaint further alleged that GeoCities implied that 
it operated a website for children without disclosing to the children 
or their parents that the website was in fact operated by an 
independent third party. The company denied these allegations but 
promptly instituted information policies and procedures in accord with 
standards proposed by the FTC, as ultimately reflected in a proposed 
consent order.
    Under the terms of the consent order, the company agreed to provide 
clear and prominent notice to consumers of its actual information 
practices, including what information is collected through its website, 
the intended uses for that information, any third parties to whom that 
information will be disclosed, the means by which a consumer may access 
information collected from herself or himself, and the means by which a 
consumer may have that information removed from the company's 
databases.\16\ The company agreed that it would not misrepresent the 
identity of any third party that collects data from a website promoted 
or sponsored by the company. The company agreed to contact all 
consumers from whom it previously collected personal information and 
afford those individuals an opportunity to have data removed from the 
databases both of the company and any third parties.\17\
---------------------------------------------------------------------------
    \16\ At all points at which information is collected, the company 
must post either this notice or a link informing consumers that data is 
being collected and directing them to a complete explanation of the 
company's information practices.
    \17\ The company agreed as well to cease doing business with any 
third party that refuses to agree to comply with the data removal 
provisions of the consent order.
---------------------------------------------------------------------------
    Finally, the company agreed to implement procedures to obtain a 
parent's express consent prior to collecting and using a child's 
identifying information; moreover, the company may not collect or use a 
child's identifying information if it has actual knowledge that the 
child does not have the permission of a parent (or guardian) to 
disclose that information. The consent order's provisions concerning 
information gathered from children are virtually identical to those 
found in the more recently enacted Children's Online Privacy Protection 
Act.
    As a result of this enforcement action, the company must comply on 
an ongoing basis with the binding rules of conduct specified in the 
consent order. Beyond that, this highly publicized FTC enforcement 
action concerning a prominent website operator serves as a benchmark 
for other companies establishing information practices for their 
websites.

C. An Industry Model for Facilitating FTC Enforcement of Core Privacy: 
                          The IRSG Principles

    FTC enforcement is also a powerful tool with respect to enforcement 
of industry-wide codes of conduct as opposed to company-specific 
standards or practices. Collective self-regulatory groups can use 
marketplace dynamics to encourage (or coerce) adherence to a common set 
of industry ``best practices''--no company can afford to be tarred as a 
recalcitrant that is unconcerned with the privacy concerns of the 
public (as illustrated on several occasions in recent years when 
companies withdrew commercial offerings or practices that were publicly 
criticized as overly intrusive \18\). Moreover, in contrast to the 
self-regulatory efforts of individual companies, self-regulatory groups 
can adopt joint mechanisms to investigate and resolve consumer 
complaints and thus collectively can enforce each company's compliance 
with a given industry's best practices. FTC oversight--in conjunction 
with that of state and local authorities--complements such self-
regulatory enforcement mechanisms by providing an independent legal 
incentive for each member company, and the group as a whole, to live up 
to its promised standard of behavior. The FTC has made clear that, in 
signing on to an industry group's data protection principles, ``a 
signatory represents that its information practices are consistent 
with'' those principles and that action inconsistent with them subjects 
a company to liability ``under the FTC Act (or similar state statutes) 
as a deceptive act or practice.'' \19\
---------------------------------------------------------------------------
    \18\ See, e.g., Individual Reference Services at 1, 13 & n.1 
(describing consumer outrage at Lexis-Nexis's ``P-Trak'' service, which 
allowed subscribers to identify an individual's social security number; 
Lexis quickly changed its policies).
    \19\ Id. at 29 & n.297.
---------------------------------------------------------------------------
    The data privacy standards announced by the Individual Reference 
Services Group (``IRSG'')--an association of fourteen major companies 
in the individual reference services industry--exemplify a self-
regulatory approach emphasizing an industry group's seal of approval. 
The individual reference services industry gathers personal information 
about individuals from a number of sources, both public (e.g., state 
driving records) and private (e.g., credit information) and provides 
that information for a fee to private parties and the government. To 
protect the often sensitive personal data with which IRSG members deal 
on a day-to-day basis, the group has adopted binding standards for the 
protection of personal information. The IRSG developed these rules with 
the advice and participation of the FTC, and the agency has endorsed 
them as a promising mechanism to ``lessen the risk that information 
made available through [individual reference] services is misused * * * 
[and] address consumers' concerns about the privacy of non-public 
information in the services' databases.'' \20\ The FTC further 
recommended that the IRSG's self-regulatory efforts be given an 
opportunity to demonstrate their effectiveness in conjunction with the 
FTC's own enforcement activities (and those of sectoral regulatory 
authorities).\21\
---------------------------------------------------------------------------
    \20\ Id. at 31.
    \21\ See id.
---------------------------------------------------------------------------
              ii. sectoral regulation of privacy interests
    In addition to the umbrella authority of the FCC over data privacy, 
the United States has extensive laws regulating the collection and use 
of consumer data in particular sectors of the economy. This sectoral 
approach demonstrates the commitment of the U.S. government--at both 
the federal and state level--to regulate the privacy of sensitive data 
and to step in and provide governmental support for self-regulatory 
regimes.

                     A. Principal Federal Statutes

1. Fair Credit Reporting Act
    One of the primary federal statutes that protects consumer privacy 
is the Fair Credit Reporting Act (``FCRA''), which regulates the 
collection and dissemination of a wide range of information about 
consumers. The purpose of the FCRA, as articulated by Congress, is ``to 
require that consumer reporting agencies adopt reasonable procedures 
for meeting the needs of commerce for consumer credit, personnel, 
insurance, and other information in a manner which is fair and 
equitable to the consumer, with regard to the confidentiality, 
accuracy, relevancy, and proper utilization of such information.'' \22\
---------------------------------------------------------------------------
    \22\ U.S.C. Sec. 1681(b) (emphasis added).
---------------------------------------------------------------------------
    In general, the Act regulates the collection and dissemination of 
``consumer reports,'' which include information concerning topics such 
as a consumer's credit worthiness and other personal characteristics, 
by ``consumer reporting agencies''--any person (or entity) who 
regularly engages in assembling or evaluating these types of 
information. Such agencies may disseminate consumer report information 
only to third parties having a specifically delineated permissible 
purpose for the information, such as a credit transaction or a 
determination whether to issue an insurance policy. The FCRA also 
provides further protections, such as the right of consumers to access 
and obtain correction of data collected and maintained by consumer 
reporting agencies. On the other hand, the FCRA also provides certain 
exceptions to its reach, including, for example, situations in which a 
merchant makes use of data it obtains based on first-hand experience 
with a consumer.
    The scope of the FCRA's privacy protections is dependent primarily 
on the definitions of ``consumer reports'' and ``consumer reporting 
agencies.'' The FCRA defines ``consumer reports'' broadly to include 
``any written, oral, or other communication'' to a third party of 
information ``bearing on a consumer's credit worthiness, credit 
standing, credit capacity, character, general reputation, personal 
characteristics, or mode of living which is used or expected to be used 
or collected in whole or in part'' for one of several general 
purposes.\23\ In particular, information bearing on one of the 
specified characteristics is a consumer report if it is collected, 
used, or even expected to be used for purposes including credit, 
employment, insurance, or a legitimate business need in connection with 
a business transaction with the consumer.\24\ Moreover, the collection 
or use of the information does not have to be only or even primarily 
for one of these purposes--it is enough that the information is used, 
collected, or expected to be used only in part for one of the specified 
purposes.\25\
---------------------------------------------------------------------------
    \23\ Id. Sec. 1681a(d).
    \24\ Id. Sec. Sec. 1681a(d), 1681b(a)(3)(F).
    \25\ See, e.g., Comeaux v. Brown & Williamson Tobacco Co., 915 F.2d 
1264 (9th Cir. 1990).
---------------------------------------------------------------------------
    This definition of ``consumer reports'' sweeps a variety of 
different types of information under the protective umbrella of the 
FCRA. Data that is collected or used for the purpose of determining 
credit eligibility or for deciding whether to provide insurance 
coverage is included.\26\ So are reports that are compiled or used to 
ascertain whether a particular individual is eligible for 
employment.\27\ A list of consumers who have passed bad checks that is 
supplied to merchants also falls within the category of ``consumer 
reports.'' \28\ The FTC has taken the position that targeted marketing 
lists also can constitute ``consumer reports'' within the meaning of 
the FCRA.\29\
---------------------------------------------------------------------------
    \26\ FTC Official Staff Commentary, 16 C.F.R. Pt. 600 app. Sec. 603 
item 6.
    \27\ Id.
    \28\ See Estiverne v. Saks Fifth Avenue & JBS, 9 F.3d 1171 (5th 
Cir. 1993).
    \29\ See Trans Union Corp. v. FTC, 81 F.3d 228 (D.C. Cir. 1996) 
(noting the FFC's position but remanding for further factual 
development).
---------------------------------------------------------------------------
    At the same time, the FCRA does provide certain limitations on the 
definition of a consumer report. As noted above, information does not 
fall within this category if it is based solely on the disclosing 
party's first-hand experience with the consumer.\30\ Thus, a merchant 
who discloses the amount and type of its transaction with a consumer is 
not disseminating a ``consumer report'' for purposes of the FCRA. This 
exception may allow dissemination of information without FCRA 
protection in some circumstances; however, if the recipient of the 
merchant's firsthand information then sought to pass it on to a third 
party, the information would be protected as a consumer report 
(assuming, of course, that it met the other requirements of the 
definition).\31\ Recent amendments to the FCRA also provide that 
information communicated to an affiliated entity is not a consumer 
report if it was ``clearly and conspicuously disclosed'' to the 
consumer that such disclosure might occur and the consumer had the 
opportunity to ``opt out'' beforehand.\32\
---------------------------------------------------------------------------
    \30\ 15 U.S.C. Sec. 1681a(d)(2)(A)(i).
    \31\ FTC, Compliance with the Fair Credit Reporting Act 42 (1977).
    \32\ 15 U.S.C. Sec. 1681a(d)(2)(A)(iii).
---------------------------------------------------------------------------
    The FCRA generally regulates the collection and dissemination of 
``consumer reports'' only when done by a ``consumer reporting agency.'' 
The latter term encompasses any person who for money or on a 
cooperative nonprofit basis ``regularly engages in whole or in part in 
the practice of assembling or evaluating consumer credit information or 
other information on consumers for the purpose of furnishing consumer 
reports to third parties.'' \33\ Examples of consumer reporting 
agencies include credit bureaus such as Equifax, employment agencies 
that routinely obtain information on job applicants from former 
employers, tenant screening companies that assist landlords in checking 
prospective tenants, and check approval companies that guarantee checks 
for merchants.\34\ On the other hand, an entity that gathers or 
evaluates consumer data on a one-time or other infrequent basis is not 
subject to the FCRA.
---------------------------------------------------------------------------
    \33\ Id. Sec. 1681a(f).
    \34\ FTC Official Staff Commentary, 16 C.F.R. Pt. 600 app. 
Sec. 603(f) items 4, 6(f).
---------------------------------------------------------------------------
    A consumer reporting agency may legally furnish a consumer report 
to third parties (in the absence of consent \35\) only if it has reason 
to believe that the third party has one of the permissible purposes 
listed in the statute. This generally includes someone who requests 
information in connection with (1) a credit transaction, review or 
collection of a credit account, or evaluation of a credit application 
\36\; (2) a determination whether to issue or cancel an insurance 
policy or how to set the rates and terms of such a policy \37\; (3) a 
response to a court order \38\; or (4) a legitimate business need in 
connection with a business transaction involving the consumer (such as 
renting an apartment or a consumer's offer to pay by check).\39\ In 
addition, a consumer report may be disclosed to a third party for 
purposes of an employment decision relating to promotion, reassignment 
or retention, but only if the consumer authorizes such disclosure in 
writing beforehand.\40\ Marketing is not a permissible purpose. The 
consumer reporting agency must maintain reasonable procedures designed 
to ensure that consumer reports are furnished only for the listed 
purposes.\41\
---------------------------------------------------------------------------
    \35\ 15 U.S.C. Sec. 1681b(a)(2).
    \36\ Id. Sec. 1681b(a)(3)(A).
    \37\ Id. Sec. 1681b(a)(3)(C).
    \38\ Id. Sec. 1681b(a)(1).
    \39\ Id. Sec. 1681b(a)(3)(E); FTC Official Staff Commentary, 16 
C.F.R. Pt. 600 app. Sec. 604(3)(E) item 3.
    \40\ 15 U.S.C. Sec. Sec. 1681b(a)(3)(B), 1681b(b).
    \41\ 15 U.S.C. Sec. 1681e(a).
---------------------------------------------------------------------------
    The FCRA also provides further restrictions on the dissemination of 
``consumer reports.'' For example, a consumer must consent ahead of 
time to the release of a consumer report for purposes of employment, 
credit, or insurance if the report contains medical information.\42\ 
The consumer must have the option to opt out of being included in any 
lists for unsolicited credit and insurance offers.\43\ The FCRA 
additionally prohibits the reporting of ``obsolete information''; the 
Act sets forth specific time frames after which particular types of 
data are deemed obsolete.\44\
---------------------------------------------------------------------------
    \42\ Id. Sec. 1681b(g).
    \43\ Id. Sec. 1681b(e).
    \44\ Id. Sec. 1681c(a).
---------------------------------------------------------------------------
    The Act further mandates that consumer reporting agencies establish 
``reasonable procedures to assure maximum possible accuracy.'' \45\ The 
Act seeks to promote accuracy and reliability in part by creating a 
framework under which a consumer has the right to obtain the 
information maintained about him or her and require the consumer 
reporting agency to correct inaccurate information. Specifically, the 
FCRA requires that every consumer reporting agency disclose upon 
request to a consumer the ``nature and substance'' of the information 
about the consumer in the agency's files, the sources of that 
information, and the identity of those who have obtained a report about 
the consumer in the past year.\46\ A consumer may dispute the 
completeness or accuracy of any information maintained by the agency 
and require the agency to ``reinvestigate'' the accuracy of the 
information at no charge to the consumer.\47\ The consumer reporting 
agency generally must complete such reinvestigations within 30 
days.\48\ If the agency concludes that the disputed information is 
inaccurate or unverifiable, it must modify or delete the 
information.\49\ If, on the other hand, the agency decides that the 
information is accurate, but the consumer continues to dispute that 
conclusion, the agency must include the consumer's statement of dispute 
in any subsequent consumer report.\50\
---------------------------------------------------------------------------
    \45\ Id. Sec. 1681e(b).
    \46\ Id. Sec. 1681g(a).
    \47\ Id. Sec. 1681i(a)(1).
    \48\ Id.
    \49\ Id. Sec. 1681i(a)(5).
    \50\ Id. Sec. 1681i(c).
---------------------------------------------------------------------------
    The Act provides a robust enforcement scheme. Consumers can bring 
civil actions for damages and attorneys fees for negligent or willful 
violations of the Act.\51\ Punitive damages are also available in the 
case of willful violations.\52\ The Act provides for parallel 
enforcement at the federal level by the FTC, which can bring actions to 
enjoin further violations and/or to impose civil penalties.\53\ Knowing 
and willful violations of the Act also can lead to criminal penalties, 
including imprisonment.\54\ Finally, most states have analogous credit 
reporting statutes giving rise to private rights of actions and 
providing enforcement powers to the state attorney general.\55\
---------------------------------------------------------------------------
    \51\ Id. Sec. Sec. 1681n, 1681o.
    \52\ Id. Sec. 1681n(a)(2).
    \53\ Id. Sec. 1681s.
    \54\ Id. Sec. Sec. 1681q, 1681r.
    \55\ See, e.g., Cal Civ. Code Sec. 1785 et seq.; Conn. Gen. Stat. 
36-432 to 435.
---------------------------------------------------------------------------
2. Children's Online Privacy Protection Act of 1998
    Recently, in response to a study by the FTC concluding that 
additional regulation was needed to protect the privacy of children, 
the U.S. Congress enacted the Children's Online Privacy Protection Act 
of 1998. The Act directs the FTC to promulgate regulations that govern 
the collection, use, and disclosure of ``personal information'' 
obtained online from a child (defined as anyone under the age of 13) by 
an operator of a commercial website or online service directed to 
children, as well as any operator with actual knowledge that it is 
collecting personal information from a child.\56\ ``Personal 
information'' is defined to include ``individually identifiable 
information,'' such as a child's name, address, phone number, social 
security number, e-mail address, or any other ``identifier that * * * 
permits the physical or online contacting of a specific individual.'' 
\57\ The Act further reaches any other information collected online 
that is combined with any of the above identifiers.\58\ For example, if 
a website were to assemble a file including a child's name, address, 
and a list of past purchases, the information about purchases would be 
deemed subject to the Act.
---------------------------------------------------------------------------
    \56\ Children's Online Privacy Protection Act of 1998, 
Sec. Sec. 1302(l), 1303(b)(1).
    \57\ Id. Sec. 1302(8).
    \58\ Id. Sec. 1302(8)(G).
---------------------------------------------------------------------------
    Congress directed the FTC to promulgate regulations concerning the 
collection, use, and disclosure of this personal information about 
children. These regulations must require, inter alia, that website and 
online service providers subject to the Act

          (1) provide notice on the website of what information is 
        collected, how the operator uses the information, and if/when 
        it discloses the information;
          (2) obtain verifiable parental consent for the collection, 
        use, or disclosure of such information;
          (3) permit a parent to obtain any data his/her child has 
        provided to the operator;
          (4) allow the parent to require the operator to delete such 
        data and/or not to collect further data; and
          (5) ``establish and maintain reasonable procedures to protect 
        the confidentiality, security, and integrity of personal 
        information collected from children.'' \59\
---------------------------------------------------------------------------
    \59\ Id. Sec. 1303(b)(1).

The Act establishes several narrow exceptions to its reach. For 
example, its requirements do not apply either to information collected 
from a child online that is used on a one-time basis to respond to a 
request and is not maintained in retrievable form or to a request for 
the name of a parent when made for the sole purpose of obtaining 
consent to collect information about the child.\60\ The Act also 
contains a ``safe harbor'' provision under which an operator is deemed 
to comply with the FTC regulations if it follows a set of self-
regulatory guidelines approved in advance by the FTC (after an 
opportunity for the public to comment) as meeting the requirements of 
the FTC regulations.\61\
---------------------------------------------------------------------------
    \60\ Id. Sec. 1303(b)(2).
    \61\ Id. Sec. 1304.
---------------------------------------------------------------------------
    A violation of the regulations promulgated by the FTC under the Act 
is deemed to be a violation of Section 5 of the FTC Act,\62\ the 
penalties for which are described above. Moreover, the Act provides 
that certain other specified agencies also shall enforce the Act and 
the FTC regulations against companies that those agencies regulate; for 
example, the Department of Transportation must enforce the Act with 
respect to airlines, and the Federal Reserve Board is charged with 
enforcement against its member banks.\63\ In addition to these forms of 
federal enforcement, the Act authorizes state attorneys general to 
bring enforcement actions for injunctive and/or monetary relief for any 
violation of the FTC regulations.\64\
---------------------------------------------------------------------------
    \62\ Id. Sec. 1303(c).
    \63\ Id. Sec. 1306(b).
    \64\ Id. Sec. 1305.
---------------------------------------------------------------------------
3. Other federal statutes that protect the privacy of consumer 
        information
    Numerous other federal statutes also protect the privacy of 
particular types of information and provide regulatory and/or judicial 
enforcement mechanisms:

   Electronic Funds Transfer Act, 15 U.S.C. Sec. 1693 et seq.--
        This Act requires institutions that provide electronic banking 
        services to inform consumers of the circumstances under which 
        automated bank account information will be disclosed to third 
        parties in the ordinary course of business. The Act is enforced 
        by the Federal Reserve Board, and violations can result in 
        civil and/or criminal penalties.
   Electronic Communications Privacy Act, 18 U.S.C. Sec. 2510 
        et seq.--This statute prohibits the unauthorized interception 
        or disclosure of many types of electronic communications, 
        including telephone conversations and electronic mail, although 
        disclosure by one of the parties to the communication is 
        permitted. Violators of this statute are subject to criminal 
        penalties and civil liability.
   Video Privacy Protection Act, 18 U.S.C. Sec. 2710--This 
        statute forbids a video rental or sales outlet from disclosing 
        information concerning what tapes a person borrows/buys or 
        releasing other personally-identifiable information. The Act 
        further requires such outlets to provide consumers with the 
        opportunity to opt out from any sale of mailing lists. The Act 
        is enforced through civil liability actions.
   Telephone Consumer Protection Act of 1991, 47 U.S.C. 
        Sec. 227--This provision mandates that any company making a 
        telephone sales call first consult its list of those who have 
        elected not to receive such calls. The statute grants the 
        Federal Communications Commission (``FCC'') the authority to 
        prescribe regulations necessary to protect residential 
        subscribers' privacy rights. The Act also bans unsolicited fax 
        messages. It is enforced by the FCC and through civil suits 
        that can give rise to substantial penalties.
   The Cable Communications Policy Act of 1984, 47 U.S.C. 
        Sec. 551 et seq., as amended by The Cable Television Consumer 
        Protection and Competition Act of 1992--This Act establishes 
        written disclosure requirements regarding the collection and 
        use of personally identifiable information by cable television 
        service providers and prohibits the sharing of such information 
        without prior consent. The Act also provides consumers with the 
        right to access cable company records for purposes of 
        inspection and error correction. The statutory provisions are 
        enforceable through private rights of action for damages.
   Communications Act, 47 U.S.C. Sec. 222--This provision 
        requires telecommunications carriers to protect the 
        confidentiality of customer proprietary network information, 
        such as the destinations and numbers of calls made by 
        customers, except as required to provide the customer's 
        telecommunications service or pursuant to customer consent. 
        These requirements are enforced by the FCC.
   Federal Aviation Act, 49 U.S.C. Sec. 40101, et seq.--
        Department of Transportation regulations promulgated under 
        authority of this Act generally require airlines to keep 
        passenger manifest information, such as the names and 
        destinations of passengers, confidential and prohibit use of 
        this data for commercial or marketing purposes.\65\ These 
        regulations are enforced by the Department of Transportation.
---------------------------------------------------------------------------
    \65\ See 14 C.F.R. Sec. Sec. 243.7, 243.9.
---------------------------------------------------------------------------
   Health Insurance Portability and Accountability Act of 1996, 
        42 U.S.C. Sec. 1301, et seq.--This Act provides that the 
        Secretary of Health and Human Services must promulgate 
        regulations regulating the privacy of individually identifiable 
        health information if Congress itself does not enact 
        legislation on this subject by August 1999. The Secretary has 
        already issued a set of recommendations to Congress that 
        include provisions such as restricting the disclosure of 
        patient identifiable information and providing patients with 
        notice about how such information will be used and to whom it 
        will be disclosed.
   Office of Thrift Supervision Policy Statement on Privacy 
        \66\--This policy statement advises savings associations on how 
        to best protect consumer privacy. Among other things, the 
        statement urges savings associations to provide notice to 
        consumers as to how personal information will be used and in 
        what circumstances such information may be disclosed to third 
        parties.
---------------------------------------------------------------------------
    \66\ Office of Thrift Supervision, Statement of Privacy and 
Accuracy of Personal Customer Information (Nov. 1998).
---------------------------------------------------------------------------
   Right to Financial Privacy Act of 1978, 12 U.S.C. Sec. 3401, 
        et seq.--This Act mandates that the federal government present 
        proper legal process or ``formal written request'' to inspect 
        an individual's financial records kept by a financial 
        institution (including a credit card company) and give 
        simultaneous notice to the consumer to provide him/her with the 
        opportunity to object. Both government agencies and financial 
        institutions that violate this Act are subject to civil court 
        actions.

                        B. State Law Protection

    In addition to sectoral privacy protection at the federal level, 
states provide both statutory and common law privacy protection with 
respect to numerous types of data, particularly in the financial and 
credit sectors. These state laws sometimes complement similar 
safeguards at the federal level by providing alternative remedies and 
enforcement schemes. In other cases, the state laws provide protection 
for types of data that federal laws do not reach.
1. State statutes
    A number of states have statutes that generally concern privacy of 
financial data. Illinois, for example, regulates the circumstances in 
which a bank may disclose a customer's financial records, including any 
information ``pertaining to any relationship established in the 
ordinary course of a bank's business.'' \67\ In addition to the state 
analogues to the FCRA discussed above, a number of state statutes 
specifically address the use of consumer credit information, 
particularly for marketing purposes. Maine, for example, generally 
forbids any sale or disclosure of mailing lists or account information 
of credit card holders to a third party without an explicit opt-in by 
the consumer.\68\ Florida and Hawaii also have opt-in schemes for 
dissemination of credit card lists, except that they allow disclosures 
to a third party as long as that party is prohibited from divulging 
consumer information except to carry out the purpose for which the 
cardholder provided the information.\69\ California requires that, 
before a credit card issuer discloses marketing information to any 
person, the issuer must inform the cardholder of such disclosure by 
written notice that provides an opportunity to opt out of the 
program.\70\
---------------------------------------------------------------------------
    \67\ Ill. Rev. Stat. ch. 202, Sec. 5/48.1; see, e.g., Minn. Stat. 
Sec. 13A.01; N.J. Stat. Ann. Sec. 17:16K-3.
    \68\ Me. Rev. Stat. Ann. tit. 9-A, Sec. 8-304.
    \69\ Fla. Stat. ch. 817.646; Haw. Rev. Stat. Sec. 708-8105.
    \70\ Calif. Civ. Code Sec. 1748.12(b).
---------------------------------------------------------------------------
    State statutes also extend privacy protections to other sectors of 
the economy. A number of states, for example, restrict the collection 
and disclosure of information gathered by insurance companies. These 
statutes, based on the Insurance Information and Privacy Protection 
Model Act promulgated by the National Association of Insurance 
Commissioners, often require insurance companies and agents to provide 
a policyholder or applicant notice concerning the types of personal 
information that may be collected about him or her from a third party 
and the individual's rights to access and correct information in the 
company's files.\71\ Many state statutes also protect the privacy of 
medical information by, for example, providing patients a general right 
of access to their medical records \72\ and protection from disclosure 
of medical records by licensed health-care providers.\73\
---------------------------------------------------------------------------
    \71\ See, e.g., Cal. Ins. Code Sec. 791; Conn. Gen. Stat. Ann. 
Sec. 38-501; Ill. Rev. St. ch. 215, Sec. 5/1001.
    \72\ See, e.g., Cal. Health & Safety Code Sec. 1795; Colo. Rev. 
Stat. Sec. 25-1-801.
    \73\ See, e.g., Fla. Stat. chs. 455.241, 395.017.
---------------------------------------------------------------------------
2. State common law
    States also provide privacy protection through a number of common 
law doctrines. On a general level, virtually all states recognize a 
tort of invasion of privacy. This tort is generally divided into four 
categories: intrusion upon seclusion of another, appropriation of 
another's name or likeness, unreasonable publicity given to another's 
private life, and publicity placing another in a ``false light'' before 
the public.\74\ The most relevant form of this tort in the context of 
protecting an individual's private data is giving unreasonable 
publicity to another's private life. Although this tort is unlikely to 
apply to the disclosure of arguably public information such as names 
and addresses, release of more private information such as transaction 
histories might trigger this tort.\75\
---------------------------------------------------------------------------
    \74\ Restatement (Second) of Torts Sec. 652A (1977).
    \75\ But see Dwyer v. American Express, 652 N.E.2d 1351 (Ill. App. 
1995) (rejecting invasion of privacy claim based on alleged sale of 
card member lists sorted by buying patterns because customers 
voluntarily used card and company had ownership interest in data).
---------------------------------------------------------------------------
    In certain cases, the relationship between the consumer and the 
holder of consumer data gives rise to a legally cognizable duty not to 
disclose consumer information or to do so only in particular 
circumstances. A number of states, for example, have recognized an 
implied contractual duty on the part of banks not to disclose 
information about a depositor's account.\76\ A similar duty arguably 
arises in the context of a creditor-debtor relationship \77\ and a 
security firm-customer relationship.\78\
---------------------------------------------------------------------------
    \76\ See, e.g., Barnett Bank of West Florida v. Hooper, 498 So.2d 
923, 935 (Fla. 1986); Twiss v. State Dept. of Treasury, 591 A.2d 913, 
919-20 (N.J. 1990).
    \77\ See, e.g., Pigg v. Robertson, 549 S.W.2d 597, 600 (Mo. Ct. 
App. 1977).
    \78\ See, e.g., Barnsdall Oil Co. v. Willis, 152 F.2d 824, 828 (5th 
Cir. 1946).
---------------------------------------------------------------------------
    Finally, state regulation of professionals, such as accountants, 
doctors, lawyers, and psychologists, often impose restrictions on the 
use and disclosure of personal information such professionals obtain 
from their clients. Often the state code simply enforces or supports 
the self-regulatory code adopted by the profession. For example, many 
states protect communications between doctors and psychiatrists and 
patients, recognizing those professions' commitment to safeguarding 
such communications. Some states also have recognized that accountants 
have a general duty to maintain the confidentiality of client 
information.\79\ State laws often provide additional protections by 
determining that these professional codes of conduct create fiduciary 
duties on the part of professionals and permitting civil suits for 
breach of those duties.
---------------------------------------------------------------------------
    \79\ See, e.g., Alaska Sta. Sec. 8.04.662; Ariz. Rev. Stat. 
Sec. 32-749; Conn. Gen. Stat. Sec. 20-281j.
---------------------------------------------------------------------------
 iii. the online privacy alliance: using self regulation to safeguard 
                        consumer privacy online
    In keeping with the traditional commitment to self regulation in 
the United States and in response to the FTC's and the Clinton 
administration's call for responsible self-enforcement of privacy 
protection by U.S. industry, many U.S. businesses have come together to 
begin exploring the creation of self-regulatory programs. One 
particularly successful example of this effort has been the OPA, which 
brought together over 70 leading global companies and associations 
beginning in 1998 to address growing public concern over online privacy 
issues.
    The online medium creates particular challenges for privacy 
protection while simultaneously creating significant opportunities for 
consumer privacy education and empowerment. The challenges are 
manifold: Use of the Internet necessarily involves a tremendous flow of 
information, much of it personal in nature, in a wide variety of 
contexts. Some information flows involve the consumer actively 
providing information. For example, commercial Internet transactions 
require consumers to provide credit card or other payment and contact 
information, and in certain more sensitive contexts, some transactions 
may require other identifying data. Some sites may seek data in order 
to satisfy the consumer's request for information or services, such as 
where a consumer is asked about family size or smoking habits in 
response to an inquiry about hotel accommodations. Other sites may 
request data simply to use for marketing purposes. Consumers also may 
provide a great deal of data in order to obtain personalized services, 
such as targeted clipping services or personalized Internet service 
offerings. In some cases, consumers provide data without necessarily 
realizing they are doing so. For example, simply visiting or 
subscribing to certain online sites or services may itself create a 
footprint that conveys data about the individual's interests. But 
regardless of the context, all data collected online is already in 
digital format, which makes it easy to manipulate, store, and process, 
and in turn provides massive capabilities for use and transfer of data. 
Meanwhile, unless effective security measures are used, collection of 
data online is susceptible to computer ``hacking'' by unauthorized 
users, and also to fraud by consumers posing as a third party.
    These challenges place a special obligation on the online industry 
to educate consumers about the Internet's privacy risks and to enhance 
consumers' ability to make educated choices about how to protect their 
privacy rights. And indeed, the online medium provides tremendous 
opportunities for consumer data protection. Online merchants have an 
unmatched ability to provide consumers with information online quickly, 
efficiently, and cheaply. Unlike offline merchants who must rely on a 
one-time mailing or a small print notice in a catalogue, online 
merchants (or other site owners) interact directly with the consumer 
each time the consumer visits the merchant's site and therefore have 
the opportunity to educate and interact with the consumer concerning 
the site's privacy policies before any data collection takes place. 
Where appropriate, therefore, consumer consent can be requested at the 
point where a consumer interacts with a site or inquires about a 
product or service. Moreover, the merchant's ability to control what 
the consumer sees on any page of its site provides the merchant with a 
unique ability to educate the consumer about the site's privacy policy. 
The site can emphasize its participation in a privacy seal program, for 
example, or provide a link to the site's privacy policy from any page 
of the site. This in turn can empower consumers to make educated 
choices about whether they wish to deal with the particular online 
service based, at least in part, on the level of privacy protection the 
online operator provides.
    The online environment also permits a site to be designed to permit 
different levels of participation (or provide different types of 
benefits) based on the consumer's willingness to provide information, 
or to provide different levels of protection based on consumer demand. 
Online services also may provide the ability to make data anonymous 
easily, or to do so selectively upon consumer request. In addition, new 
technologies, such as P3P and filtering programs, provide consumers 
with the means to exercise independent control over the level of 
privacy they obtain while online. Finally, consumers have the ability 
to vary the level of privacy protection they desire each time they 
visit an online service or site: The process for providing or 
withdrawing consent is accessible and can be executed immediately and 
repeatedly to personalize the level of privacy protection.
    Thus, if the online industry takes seriously its obligation to 
educate and inform consumers, the medium presents enormous 
opportunities for consumer choice and self-determination. Accordingly, 
a central pillar of OPA's self-regulatory program is the requirement 
that an online site notify consumers about the site's data collection 
and dissemination policies. OPA members are committed to providing 
consumers with the information and tools they need to make informed 
choices. A second pillar of OPA's program is ensuring that consumers 
have the opportunity to make choices: consumers must be able to consent 
or withhold consent to the use of their data by the site they visit. 
Lack of consent may manifest itself in the consumer's refusal to use 
the particular service or continued interaction with the site on a 
limited level. In some cases, consent or opt-out may be more explicit 
and permit consumers to participate in the site while blocking only 
certain secondary uses of the consumer's data.
    OPA's program is designed to address the challenges and 
opportunities provided by the online medium while addressing the U.S. 
government's and the Directive's data privacy concerns. OPA has adapted 
these privacy principles to address the Internet industry's enormous, 
ongoing data flows. In order to enforce the OPA's privacy program and 
policies, the OPA encourages participation in a seal program that will 
ensure and enforce a minimum standard level of privacy protection. The 
seal program must also be easy for consumers to recognize and 
understand. Seal programs provide the added benefit of being backed up 
by the FTC's umbrella enforcement authority, state and local consumer 
protection agencies, and applicable sectoral data privacy regulation.

                   A. OPA's Privacy Policy Guidelines

    In keeping with the key substantive requirements of the Directive 
and the FTC's privacy principles, the OPA's privacy program addresses 
notice to data subjects, limitations on use of data, data security and 
quality, the right to correct personal data, and onward transfers of 
data. The OPA's program for online data privacy protection is compared 
with the key requirements of the Directive below.
    Notice to Consumers. Because of the rapidly growing ability to 
collect data about online consumers and the increasing demand for a 
personalized browsing experience, OPA strongly believes that website 
operators have a heightened responsibility to make available to online 
consumers the information necessary to make informed decisions about 
data privacy. The OPA believes that properly informed consumers should 
then be allowed to choose the level of privacy that they desire. The 
OPA therefore requires its members to post a privacy policy that online 
consumers can view before or at the time that personal data is 
collected or requested. The privacy policy must, among other things, 
notify consumers about the online site's data collection practices. The 
OPA's privacy policy requirement thus is similar to Article 10 of the 
Directive, which requires data controllers to provide data subjects 
with information about the controller's identity, the purposes of data 
processing, and other information necessary to guarantee fair 
processing. In addition, the privacy policy must be easy to find, read 
and understand; it also must clearly describe the information that is 
being collected, any possible onward transfers of personal data, and 
any options that consumers have to refuse to provide data or to block 
certain uses or transfers of data. OPA further encourages its members 
to disclose in their privacy policy any consequences of a consumer's 
refusal to provide information, the accountability or enforcement 
mechanism(s) used by the organization, and information about how to 
contact the organization with privacy concerns. By requiring members to 
provide comprehensive online privacy policies that are easy to find and 
read, OPA ensures that all online consumers have the information 
necessary to make an informed decision about whether or not to provide 
personal information to particular websites, how much information to 
provide, or whether to even visit certain sites.
    Limitations on purposes and onward transfers. Consistent with the 
OPA's principles regarding notice and consent, the OPA advocates 
allowing data subjects to opt out of any uses or processing unrelated 
to the original purpose for which the data are collected. Like Article 
6 of the Directive, which requires that personal data not be further 
processed in a way incompatible with the original purpose for 
collecting the data, the OPA privacy guidelines limit the extent to 
which data can be processed for purposes unrelated to the original 
disclosed purposes in the absence of proper consent. The OPA guidelines 
similarly limit transfers to third parties for marketing purposes or 
for other purposes unrelated to the original purposes for collecting 
the data, much like Articles 10 and 11 of the Directive, which require 
notifying data subjects of onward transfers of data to third parties 
where notification is necessary to ensure fair processing of the data. 
With respect to disclosure of data for marketing purposes, OPA requires 
its members to disclose in their privacy policies possible onward 
transfers of personal data and any marketing uses of data. These 
requirements, and the consumer's ability to leave the site or, in some 
cases, to opt out of a specific data use on the site, address the 
principles in Article 14 of the Directive, which provides data subjects 
with the right to notice prior to disclosure of their personal data for 
direct marketing purposes and the right to object to direct marketing 
uses of their data. OPA also encourages its members to take reasonable 
steps to ensure that third party transferees take reasonable 
precautions to protect transferred data.
    Data quality, access to data, and correction. The OPA supports the 
Directive's principles of assuring that (1) data are accurate, 
complete, and timely for their intended purposes, and (2) consumers can 
access data about them and correct that data where appropriate. 
However, the extraordinarily wide range of online data processing 
activities makes it difficult and costly to require all websites to 
provide consumers with unrestricted access to personal data without 
regard for its intended purposes or alternative means of ensuring that 
individuals are informed of data collection and that data quality is 
maintained as appropriate to those purposes.
    Consistent with the spirit of Article 12 of the Directive, which 
guarantees data subjects the right to access personal data and have 
that data corrected where necessary, the OPA requires its members to 
provide ``easy mechanisms'' for consumers to make inquiries and lodge 
complaints or objections. The precise mechanisms for such inquiries and 
the nature and scope of information provided to the consumer on request 
will necessarily vary according to the data at issue and the costs and 
benefits associated with furnishing access to the raw data or a summary 
of the data, given the context of the specific intended uses of the 
data. For example, some data collected online may be used for 
electronic commerce transactions or decisions to provide or terminate a 
service. OPA anticipates that its members would routinely provide 
access to transaction records and an opportunity to lodge corrections, 
as these have a substantive impact on the consumer. By contrast, a 
website may automatically record navigational or ``clickstream'' data 
as an individual moves from page to page on a site, either for 
statistical purposes (to better design and manage the site) or to 
automatically personalize the initial pages presented to the visitor 
based on the visitor's historical use of the site. Such information is 
processed automatically and changes over time. There is little benefit, 
and much cost, in accumulating this data in a form that could be 
reviewed intelligibly by the individual at any moment. Moreover, doing 
so raises additional privacy risks, since it means that more data is 
readily retrievable by name, and more identifying data must be 
collected to ensure that the person requesting access is indeed the 
data subject. Similarly, the use of website data to determine 
automatically whether to send an individual a product solicitation 
involves no substantive decision that affects significant consumer 
interests and does not warrant the cost (and sometimes the increased 
privacy risks) of storing and providing subsequent access to the data 
that prompted the solicitation.
    Because the online medium entails the possibility of tracking and 
recording enormous amounts of data on the use of a website, the costs 
of furnishing unlimited consumer access to all such data would often be 
prohibitive. The data may not be maintained in a manner conducive to 
consumer-specific access: marketing data, for example, is often coded 
and stored by categories of merchants or purchases rather than by 
consumer. Before imposing on website operators (and ultimately on 
consumers) the costs of providing access to all data resulting from a 
site visit, the nature and uses of that data must be taken into 
account. Where data is not used for a purpose that in any way affects 
the consumer's ``fundamental rights or freedoms,'' or that does not 
even involve denial of a more mundane benefit to the consumer, the cost 
and difficulty of access must be given particular weight.
    Access by the individual to all data generated online is not the 
only means of ensuring that consumers (and the relevant enforcement 
bodies) are aware of the operator's data collection practices and can 
assess their potential impact. This can often be accomplished, for 
example, by appropriate notices, consumer education, and monitoring 
techniques such as the use of ``decoys'' (pseudonymous registrations to 
check the manner in which an online service or website uses personal 
data), rather than by individualized access to vast amounts of non-
sensitive data. It is in the nature of online services and websites 
that it is easy to display notices at the point where information is 
collected and to give visitors an opportunity at any stage to seek 
clarification, opt out, or simply leave a site if they are not 
satisfied with its privacy practices. This offers an efficient means of 
protecting privacy and should suffice where the data collection is not 
used for substantive decisionmaking.
    Security. Like Article 17 of the Directive, the OPA advocates 
taking appropriate measures to protect personal data from destruction, 
loss, misuse or alteration.
    Collection of data from children. Well before the passage of the 
Children's Online Privacy Protection Act, discussed above, the OPA 
thought it necessary to provide special protection for young Internet 
users. Out of this concern, the OPA was among the first organizations 
to adopt principles specifically addressing collection of data from 
children under the age of 13. These specific principles require OPA 
members to obtain prior parental consent before collecting any 
individually identifiable offline contact information from children 
under the age of 13. Members may collect online contact information 
from children without obtaining prior parental consent only if they 
notify parents and allow them to prevent use of the data. Other special 
protections provided by these OPA principles include requiring members 
to prevent children from being able to publicly post individually 
identifiable contact information without prior parental consent; 
prohibiting members from using special games, prizes or activities to 
entice children to reveal more information than necessary to 
participate in the activity; and prohibiting members from distributing 
to third parties any individually identifiable information collected 
from a child without obtaining prior parental consent.

                       B. Enforcement Mechanisms

    Although membership in the OPA, standing alone, itself denotes a 
commitment to privacy protection that arguably could be enforced by the 
FTC, OPA also advocates that its members commit to an independent 
enforcement mechanism intended to back up that commitment. OPA promotes 
participation in a ``seal program'' by its members as a means of 
enforcing the OPA privacy guidelines and the member's privacy policies. 
Seal programs provide participants the right to use an identifiable 
symbol or logo (``seal'') to alert consumers that the participant's 
online service complies with the seal program's standards; that the 
participant has procedures to ensure compliance; and that the 
participant participates in a program designed to resolve consumer 
complaints.
    Seal programs are ideal enforcement mechanisms in the online 
environment for two reasons. First, seal programs take advantage of the 
visual nature of websites to alert consumers' attention to privacy 
policies and practices through the use of visible and easily 
recognizable graphic seals that can, if desired, be displayed on every 
page of a site. Second, to some extent seal programs standardize the 
terms and terminology of privacy practices, making them easier for 
consumers to comprehend. They give consumers a relatively simple, user-
friendly means of identifying websites that have made privacy 
commitments, linked to greater detail about the site's particular 
practices.
    In many seal programs, participants cede a degree of investigative 
or complaint resolution authority to the seal program's enforcement 
entity. The entity often is permitted to disclose complaints to the 
public and government agencies, and the entity can drop a company that 
fails to conform with the required conduct. Moreover, seal programs may 
provide government agencies with a hook to mix self-enforcement with 
government regulation: as discussed in Part I above, a company's public 
affirmation of participation in a seal program would provide the FTC 
(or other consumer protection entity on the state or local level) with 
the grounds to prosecute a company's failure to in fact uphold the 
standards articulated by the seal program.
    A seal program meeting OPA's criteria would enhance data privacy 
protection by requiring that seal participants live up to the types of 
privacy guidelines advocated by OPA, as well as any additional policies 
the seal program adopts. OPA does not, at least currently, intend to 
operate its own seal program, and it has not endorsed a specific 
program to date. In reviewing seal programs, however, OPA would expect 
a commitment to at least the same degree of privacy protection espoused 
by the OPA, as well as the following enforcement practices and 
policies:
    Participation from outside the business community. OPA suggests 
that the seal program obtain input from representatives of consumer 
advocate groups and academia, in addition to representatives of the 
business community.
    Verification and monitoring. Prior to awarding the seal to an 
organization, the seal program must require participants to submit to a 
compliance review by the seal program or provide a self-assessment 
verifying that the organization is in compliance with the program's 
standards. Once the seal has been awarded, participants must consent to 
periodic verification in the form of auditing, periodic reviews, or use 
of pseudonymous ``decoys'' or other technological monitoring.
    Complaint resolution. The seal program must require participants to 
provide an easy-to-use consumer complaint resolution process that will 
serve as the consumer's first remedy. If the participant and consumer 
are unable to resolve a complaint through the participant's internal 
dispute resolution process, the participant must then submit to the 
seal program's complaint resolution mechanism. In addition to these 
mechanisms, consumers must not be prohibited from pursuing any other 
legal remedies that may be available to them under federal or state 
law.
    Penalties or noncompliance. Failure to comply with the requirements 
of the seal program (and in particular, failure to follow the program's 
dispute resolution requirements) should result in placing the 
participant on probation or instituting proceedings to revoke the 
participant's right to use the seal.
    Monitoring for misuse or misappropriation. The seal program should 
monitor use of the seal and if necessary, bring litigation to prevent 
unauthorized use of the seal. In addition, the seal program must refer 
non-complying companies to appropriate government agencies, including 
the FTC.
    Education and outreach. The seal program must educate consumers and 
businesses about the seal program and online privacy issues. These 
education and outreach efforts should include providing publicity for 
participants, publicly disclosing seal revocation and material non-
compliance, and periodically publishing verification and monitoring 
procedures.
    To date, two major seal program initiatives are underway or about 
to be launched that may embody the policies and practices advocated by 
the OPA: TRUSTe and BBBOnLine. The OPA is monitoring the development of 
those programs and others to determine whether they meet OPA's 
requirements for privacy protection and effective enforcement.
    The TRUSTe program, which began as a collaboration between the 
Electronic Frontier Foundation and CommerceNet, has been administering 
its online privacy seal program since June of 1997. This program 
requires participants to post an online privacy policy that meets 
TRUSTe guidelines, to submit to TRUSTe oversight, and to cooperate with 
TRUSTe's dispute resolution efforts. In return, participants are given 
the right to display TRUSTe's seal on their home page. This seal serves 
as a link to the company's privacy policy, and consumers can also 
verify the authenticity of the seal online.
    The privacy policy required of TRUSTe participants must explain 
what data are being collected, the purposes of data collection and 
processing, with whom the data will be shared, the consumer's options 
concerning processing and onward transfers, data security procedures 
that are in place, and how consumers can update or correct data. 
Licensees who join or renew after October 1998 must also give consumers 
the opportunity to opt out of secondary or third-party uses of data 
provided by the consumer. Also in October 1998, TRUSTe introduced a 
Children's Privacy Seal Program that applies to websites directed 
specifically at children under the age of 13, as well as sites that 
collect age-specific information. The children's program requires site 
operators to notify parents and obtain their consent before collecting 
and using a child's online or offline contact information. Sites aimed 
specifically at children must post the unique ``kid's seal.''
    TRUSTe utilizes a variety of verification and enforcement 
techniques. In cases where TRUSTe suspects that a participant is not 
complying with program guidelines or with the participant's own privacy 
policy, the participant may be subject to on-site compliance reviews by 
TRUSTe's official auditors, revocation of the right to use the TRUSTe 
seal, termination from the TRUSTe program, and referral to appropriate 
government agencies.
    The Better Business Bureau (``BBB'') runs the largest and most 
recognized retail, service and national advertising self-regulation and 
consumer dispute resolution programs in the United States. Using its 
self-regulatory models as a starting point, the BBB has been operating 
an online seal program (with more than 2000 participants) through 
BBBOnLine since mid-1997. BBBOnLine assists consumers in finding 
reliable online merchants that have agreed to BBB standards for 
truthful advertising and customer satisfaction. BBBOnLine has proposed 
a privacy program that likely will be similar in many ways to the 
TRUSTe program and will utilize BBBOnLine's existing self-regulatory 
framework.
    BBBOnLine is still in the process of developing its privacy 
principles. These principles are expected to be similar to those of the 
OPA and TRUSTe programs, although they may in some respects provide 
additional privacy protections not currently required by the OPA and 
TRUSTe. The BBBOnLine enforcement framework will consist of use of a 
recognizable seal to assert compliance with BBBOnLine principles and 
the company's privacy policy, a comprehensive annual compliance 
assessment, additional independent verification measures, consumer 
dispute resolution, and appropriate referrals by BBBOnLine to the FTC 
and other government authorities. BBBOnLine participants will have to 
respond promptly to all consumer complaints, submit to BBBOnLine's 
dispute resolution process, and maintain a satisfactory complaint 
handling record with the BBB. BBBOnLine will refer eligible complaints 
to a free, informal dispute resolution process patterned after BBB's 
national advertising review program, and BBB will make that process 
available for complaints about non-seal participants as well as seal 
participants. BBBOnLine also will refer uncooperative or non-compliant 
companies to the FTC or other appropriate federal or state regulatory 
agencies.
                             iv. conclusion
    As Articles 25(2) and 27 of the Directive make clear, the EU has 
recognized that industry and professional standards can be powerful 
tools for protecting data privacy. In the United States, industry-wide 
self-regulation of data privacy can be an especially effective means of 
ensuring that consumer data receives the level of protection embodied 
in the EU Directive where such self-regulation combines private sector 
standards with FTC enforcement, regulation by federal and state 
agencies and, where appropriate, enforcement by the courts.
    In the online environment, OPA has established principles--
principles its members must publicly embrace--that are consistent with 
the policies of the U.S. government and with the Directive. OPA members 
must submit to dispute-resolution procedures, and, by publicly 
embracing OPA's principles, members are also subject to potential 
enforcement by the FTC and other government agencies. The emergence of 
two online privacy seal programs demonstrates that the enforcement 
element of OPA's self- regulatory framework is not just hypothetical, 
but is quickly developing. Moreover, these seal programs are not 
engaging in a ``race to the bottom,'' but rather, in keeping with the 
recent initiatives and pronouncements of the U.S. government, they are 
embracing meaningful principles embodying a significant degree of 
privacy protection. In addition, OPA members frequently will be subject 
to additional regulation of various types of data protection on both 
the state and federal level, enforced by government agencies and the 
courts. Self-regulatory programs such as OPA's, which are designed to 
operate in the context of the United States' layered approach of self-
regulation backed by government enforcement, should be recognized as 
effective by the EU in its effort to protect privacy while promoting 
the uninterrupted flow of global commerce.

                                   W. Scott Blackmer 
                                       ([email protected]),
                                   Lynn Charytan 
                                       ([email protected]),
                                   Wilmer, Cutler & Pickering,
                                           Washington, DC.
    The Chairman. Mr. Berman.

                   STATEMENT OF JERRY BERMAN

    Mr. Berman. Thank you, Senator. Mr. Chairman, Senator 
Leahy, Senator Kohl, Senator Schumer, I appreciate the 
opportunity to be here to talk about privacy on the Internet.
    While I agree with the caution and concerns of the previous 
witnesses, I want to endorse them, but also try and reposition 
the issue somewhat. I think we have to step back and say what 
are we doing here. The Internet is not just a commercial forum; 
it is the future community for many of us and for many of our 
transactions going into the 21st century. There are 160 million 
people on the Internet. It is eventually going to be all of us 
because we are moving our transactions. We are going to do 
business there; our libraries are there, medical records are 
there. We are putting entertainment there. We are building new 
communities.
    In all due respect, and it is true, without all the hype, 
we are building a ``virtual me'' and virtual communities, and 
that means that we are now looking at developing the 
fundamental rules for this Internet. It is almost like 
constitution-building, in my view. It is a global Internet, and 
that makes it difficult. We are not just all sitting in 
Philadelphia writing the rules for the world, but we are trying 
to figure out what the fundamental law is.
    My organization wants to ensure that there is a commerce 
clause, but that there is also a bill of rights, and that means 
that we have to look at the Internet from several perspectives. 
First, the key thing to understand about the Internet is that 
it is a different architecture. It is global, decentralized, 
interactive, which changes the characteristics.
    It is very important for Congress to understand its 
architecture. Not understanding the architecture in the 
Communications Decency Act--it is 0 for 2 in terms of writing 
legislation, so a careful look at how the Internet works and 
why it is different than other media is very important.
    Second, the goal has to be privacy. It is not legislation 
or self-regulation; it is privacy. And what do we mean by 
privacy? Privacy is not just protection against commercial 
users of information misusing my information. The government is 
also on the Internet. Law enforcement is also on the Internet. 
We just published a study of government Web sites. Two-thirds 
of all government sites haven't got a privacy policy up. They 
are doing business on the Internet.
    Senator Leahy's E-RIGHTS bill deals with how do we balance 
law enforcement needs and privacy in this new community. How is 
law enforcement going to be done? How are they going to relate 
to these new databases that are at AOL or on the Net, the 
digitalme that Novell talks about? So it is both privacy 
expectations against the government and the private sector. And 
self-regulation may work a great deal in the private sector up 
to a point, but I don't know how you solve the government 
problem without drawing law to limit and define the rights of 
citizens as against the government.
    When we talk about privacy, we have to break it down into 
several expectations. The first expectation that we have when 
we go on the Internet or into any community is that we have a 
certain amount of autonomy, what Senator Leahy talked about in 
Vermont, the right to be let alone, not to be identified, to 
shop, to browse. The Internet can afford that, but also the 
technologies like the Intel chip, which is an identity chip 
which may identify each one of us as we go through the 
Internet, cookies. You have heard of the technologies that are 
tracking and collecting information about citizens, not for bad 
purposes, but to make the Net more efficient, to sell commerce, 
to get people to the sites that they want to go to. But there 
is a rich, new source of information on the Internet, and the 
question is will citizens have the autonomy to be left alone.
    Second, the key to that is at least fair information 
practices. We go on the Net and we want to know when 
information is collected about us, where it is going, how is it 
going to be used, and do we have choices about that. That is 
fair information practices and it is the key. It helps us to 
know whether we have any autonomy. We have to ensure that those 
fair information practices are on the Net.
    The bad news is that we are very far behind. Only 14 
percent of all Web sites post what their privacy policies or 
information policies are. The good news is that the business 
community and everyone understands that it is good for business 
and commerce, and that consumers will not trust the Internet 
until those policies are there.
    Third, consumers want confidentiality. They want 
confidentiality in their communications. This committee, in 
1986--Senator Hatch, Senator Leahy--wrote the Electronic 
Communications Privacy Act which created new privacy rights for 
e-mail. The whole issue of encryption--because of the 
decentralized nature, that debate over encryption and 
technology policy is critical. There are new databases that are 
being created on the Internet, like digitalme, which are as 
sensitive as our wallet that is still there, but we are now 
shopping with on the Net. What are the protections against 
government for that?
    So we have to come back and say, well, what are the 
solutions? There are a bundle of solutions. Partly, it is 
technology, the Platform for Policy Preferences which allows 
people to express privacy policies on the Net. Partly, it is 
self-regulation, like BBBOnLine and TRUSTe, which is telling 
consumers and getting sites to disclose what their policies 
are. That will work up to a point.
    And I think that IBM and AOL and the Privacy Alliance are 
in the lead of establishing what the baseline rules are for 
fair information practices on the Net, but it will only go up 
to a point. At some point, you are going to have to deal with 
the bad actor on the Net, define what is a violation of privacy 
on the Net. In other words, you can't just say, well, this is 
what I am going to promise you about your information, but if I 
don't do it, what are the remedies? There may be some private 
sector remedies, but what is the role of the FTC there?
    You have to go very carefully here because you are dealing 
with information, and information raises First Amendment 
issues. The remedies have to be clear, concise and not vague, 
so that a lot of thinking has to go into what is the remedy for 
someone misusing your address and personal information in a 
commercial transaction versus a medical transaction. One size 
does not fit all. And then we are going to need legislation.
    To conclude, it is a series of things that we have to look 
at. We are at the beginning of trying to define the 
constitution for cyberspace. I think that there are several 
ways that you can go. One, Senator Hatch and Senator Leahy 
participated a decade ago in bringing the private sector and 
the privacy community and industry and policymakers together to 
define the Electronic Communications Privacy Act. That was a 
dialogue reaching consensus. No privacy legislation has ever 
been done without consensus between the private sector and the 
privacy community. It just never happened. So, that consensus 
is important. Senator Kohl's idea of a commission 25 years 
after the last commission, with the whole Internet, is a good 
idea for trying to sort out some of these problems.
    So I think we are at the beginning. We are anxious to work 
with all of you to try and define these issues. We think that 
this is a critical part of the new society that we are moving 
into, and I appreciate the opportunity to testify here today. 
Thank you.
    The Chairman. Thank you, Mr. Berman.
    [The prepared statement of Mr. Berman follows:]

                   Prepared Statement of Jerry Berman

                              i. overview
    The Center for Democracy and Technology (CDT) is pleased to have 
this opportunity to testify on the issue of individual privacy in the 
online environment. CDT is a non-profit, public interest organization 
dedicated to developing and implementing public policies to protect and 
advance civil liberties and democratic values on the Internet. One of 
our core goals is to enhance privacy protections for individuals in the 
development and use of new communications technologies.
    CDT focuses much of its work on the Internet because we believe 
that it more than any other media has characteristics--architectural, 
economic, and social--that are uniquely supportive of First Amendment 
values. Because of its decentralized, open, and interactive nature, the 
Internet is the first electronic medium to allow every user to 
``publish'' and engage in commerce. Users can reach and create 
communities of interest despite geographic, social, and political 
barriers. As the World Wide Web grows to fully support voice, data, and 
video, it will become in many respects a virtual ``face-to-face'' 
social and political milieu.
    But while the First Amendment potential of the Internet is clear, 
and recognized by the Court, the impact of the Internet on individual 
privacy is less certain. Will the online environment erode individual 
privacy-building in national identifiers, tracking devices, and limits 
on autonomy? Or will it breathe new life into privacy--providing 
protections for individuals' long held expectations of privacy?
    As we move swiftly toward a world of electronic democracy, 
electronic commerce and indeed electronic living, the need to construct 
a framework of privacy protection that fits with the unique 
opportunities and risks posed by the Internet is critical. But as 
Congress has discovered in its attempts to regulate speech, this medium 
deserves its own analysis. Laws developed to protect interests in other 
media should not be blindly imported. To create rules that map onto the 
Internet we must fully understand the characteristics of the Internet 
and their implications for privacy protection. We must also have a 
shared understanding of what we mean by privacy. Finally we must assess 
how to best use the various tools we have for implementing policy--law, 
computer code, industry practices, and public education--to achieve the 
protections we seek.
                 ii. what makes the internet different?
    As Congress considers crafting rules to protect privacy on the 
Internet, it must first understand the specific challenges to privacy 
posed by the Internets' functions and use.
A. Increased data creation and collection
    The Internet accelerates the trend toward increased information 
collection that is already evident in our offline world. The data 
trail, known as transactional data, left behind as individuals use the 
Internet is a rich source of information about their habits of 
association, speech, and commerce. When aggregated, these digital 
fingerprints reveal a great deal about an individual's life. This 
increasingly detailed information is bought and sold as a commodity by 
a growing assortment of players and often sought by government.
B. The globalization of information and communications
    On the Internet, information and communications flow unimpeded 
across national borders. The Internet places the corner store, and a 
store three continents away, equally at the individual's fingertips. 
Just as the flow of personal information across national borders poses 
a risk to individual privacy, citizens' ability to transact with 
entities in other countries places individual privacy at risk in 
countries that lack privacy protections. Whether protecting citizens 
from fraud, limiting the availability of inappropriate content, or 
protecting privacy, governments are finding their traditional ability 
to make and effectively enforce policies challenged by the global 
communications medium.
C. Lack of centralized control mechanisms
    The Internet's distributed architecture presents challenges for the 
implementation of policies. The Internet was designed without 
gatekeepers--there is no single entity that controls the flow of 
information. And as individuals and governments continually discover, 
the Internet offers users an unequalled ability to route around 
unwanted attempts to control activities and communications.
      iii. what do we mean by privacy, and how is it being eroded?
    There are several core ``privacy expectations'' that individuals 
have long held vis-a-vis both the government and the private sector, 
the protection of which should carry over to interactions on the 
Internet.
A. The expectation of autonomy
    Imagine walking through a mall where every store, unbeknownst to 
you, placed a sign on your back. The signs tell every other store you 
visit exactly where you have been, what you looked at, and what you 
purchased. Something very close to this is possible on the Internet.
    When individuals surf the World Wide Web, they have a general 
expectation of anonymity, more so than in the physical world where an 
individual may be observed by others. Individuals believe that if they 
have not affirmatively disclosed information about themselves, then no 
one knows who they are or what they are doing. But, counter to this 
belief, the Internet generates an elaborate trail of data detailing 
every stop a person makes on the Web. The individual's employer may 
capture this data trail if she logged on at work, and it is captured by 
the Web sites the individual visits. Transactional data, click stream 
data, or ``mouse-droppings'' can provide a ``profile'' of an 
individual's online life.
    Two recent examples highlight the manner in which individuals' 
expectation of autonomy is challenged. (1) The introduction of the 
Pentium III processor equipped with a unique identifier (Processor 
Serial Number) threatens to greatly expand the ability of Web sites to 
surreptitiously track and monitor online behavior. The PSN could become 
something akin to the Social Security Number of the online world--a 
number tied inextricably to the individual and used to validate one's 
identity throughout a range of interactions with the government and the 
private sector. (2) The Child Online Protection Act (COPA), passed in 
October, requires Web sites to prohibit minors' access to material 
considered ``harmful to minors.'' Today when an individual walks into a 
convenience store to purchase an adult magazine they may flash their 
id. Under the COPA an individual will instead be asked to not only 
flash their id, but also to leave a record of it and their purchase 
with the online store. Reliance on such systems will create records of 
individuals' First Amendment activities, thereby conditioning adult 
access to constitutionally protected speech on a disclosure of 
identity. The defenses pose a Faustian choice to individuals seeking 
access to information--protect privacy and lose access or exercise 
First Amendment freedoms and forego privacy.
B. The expectation of fairness and control over personal information
    When individuals provide information to a doctor, a merchant, or a 
bank, they expect that those professionals/companies will collect only 
information necessary to perform the service and use it only for that 
purpose. The doctor will use it to tend to their health, the merchant 
will use it to process the bill and ship the product, and the bank will 
use it to manage their account--end of story. Unfortunately, current 
practices, both offline and online, foil this expectation of privacy. 
Whether it is medical information, or a record of a book purchased at 
the bookstore, or information left behind during a Web site visit 
information is routinely collected without the individual's knowledge 
and used for a variety of other purposes without the individual's 
knowledge--let alone consent.
    The Federal Trade Commission report from last June, ``Privacy 
Online: A Report to Congress,'' found that despite increased pressure 
businesses operating online continue to collect personal information on 
the World Wide Web without providing even a minimum of consumer 
protection. The report looked only at whether Web sites provided users 
with notice about how their data was to be used; there was no 
discussion of whether the stated privacy policies provided adequate 
protection. The survey found that while 92 percent of the sites 
surveyed were collecting personally identifiable information only 14 
percent had some kind of disclosure of what they were doing with 
personal data.
    In a CDT study of federal agency Web sites, last week, we found 
that just over one-third of federal agencies had a ``privacy notice'' 
link from the agency's home page. Eight other sites had privacy 
policies that could be found after following a link or two and on 22 of 
the sites surveyed we could not find a privacy policy at all.
C. The expectation of confidentiality
    When individuals send e-mail they expect that only the intended 
recipient will read it. In passing the Electronic Communications 
Privacy Act in 1986, Congress reaffirmed this expectation. 
Unfortunately, it is once again in danger.
    While United States law provides e-mail the same legal protection 
as a first class letter, the technology leaves unencrypted e-mail as 
vulnerable as a postcard. Compared to a letter, an e-mail message is 
handled by many independent entities and travels in a relatively 
unpredictable and unregulated environment. To further complicate 
matters, the e-mail message may be routed, depending upon traffic 
patterns, overseas and back, even if it is a purely domestic 
communication. While the message may effortlessly flow from nation to 
nation, the privacy protections are likely to stop at the border.
    E-mail is just one example. Today our diaries, medical records, and 
confidential documents are more likely to be out in the network than 
stored in our homes. As our wallets become ``e-wallets'' housed 
somewhere out on the Internet rather than in our back-pockets, the 
confidentiality of our personal information is at risk.
    The advent of online datebooks, and products such as Novell's 
``Digital Me'', which invite individuals to take advantage of the 
convenience of the Internet to manage their lives, raise increasingly 
complex privacy questions. While the real ``me'' has Fourth and Fifth 
Amendment protections from the government, the ``Digital Me'' is 
increasingly naked in cyberspace.
                     iv. where do we go from here?
    It is clear that our policy framework did not envision the Internet 
as we know it today, nor did it foresee the pervasive role information 
technology would play in our daily lives. Our legal framework for 
protecting individual privacy in electronic communications, while built 
upon constitutional principles buttressed by statutory protections, 
reflects the technical and social ``givens'' of specific moments in 
history. Crafting privacy protections in the electronic realm has 
always been a complex endeavor. Reestablishing protections for 
individuals' privacy in this new environment requires us to focus on 
both the technical aspects of the Internet and on the practices and 
policies of those who operate in the online environment.
A. The importance of architecture
    Understanding the context is central to all effective efforts to 
protect privacy. While the global, distributed network environment of 
the Internet raises challenges to our traditional methods of 
implementing policies, the specifications, standards, and technical 
protocols that support the operation of the Internet offer a new way to 
implement policy decisions. By building privacy into the architecture 
of the Internet, we have the opportunity to advance public policies in 
a manner that scales with the global and decentralized character of the 
network. As Larry Lessig repeatedly reminds us, ``(computer) code is 
law.''
    Accordingly, we must promote specifications, standards and products 
that protect privacy. A privacy-enhancing architecture must 
incorporate, in its design and function, individuals' expectations of 
privacy. For example a privacy-protective architecture would provide 
individuals the ability to ``walk'' through the digital world, browse, 
and even purchase without disclosing information about their identity, 
thereby preserving their autonomy and ensuring the expectations of 
privacy. A privacy-protective architecture would enable individuals to 
control when, how, and to whom personal information is revealed. It 
would also provide individuals with the ability to exercise control 
over how information once disclosed is, if at all, subsequently used. 
Finally, a privacy-protective Internet architecture would provide 
individuals with assurance that communications and data will be 
technically protected from prying eyes.
    While there is much work to be done in the designing of a privacy-
enhancing architecture, some substantial steps toward privacy 
protection have occurred. Positive steps to leverage the power of 
technology to protect privacy can be witnessed in efforts like the 
Anonymizer, Crowds, and Onion Routing that shield individuals' identity 
during online interactions, and encryption tools such as Pretty Good 
Privacy that allow individuals to protect their private communications 
during transit. The World Wide Web Consortium's Platform for Privacy 
Preferences (``P3P'') is also a promising development. The P3P 
specification will allow individuals to query Web sites for their 
policies on handling personal information and to allow Web sites to 
easily respond. While P3P does not drive the specific practices, it is 
a standard designed to drive openness about information practices to 
encourage Web sites to post privacy policies and to provide individuals 
with a simple automated method to make informed decisions. Through 
settings on their Web browsers, or through other software programs, 
users will be able to exercise greater control over the use of their 
personal information.
    Technologies must be a central part of our privacy protection 
framework, for they can provide protection across the global and 
decentralized Internet where law or self-regulation alone may prove 
insufficient.
B. Protecting the privacy of communications and information
    Increasingly, our most important records are not ``papers'' in our 
``houses'' but ``bytes'' stored electronically at distant ``virtual'' 
locations for indefinite periods of time and held by third parties. The 
Internet, and digital technology generally, accelerate the collection 
of information about individuals' actions and communications. Our 
communications, rather than disappearing, are captured and stored on 
servers controlled by third parties. Daily interactions such as our 
choice of articles at a news Web site, our search and purchase of an 
airline ticket, and our use of an online date book to manage our 
schedule such as Yahoo's calendar leave detailed information in the 
hands of third-parties. With the rise of networking and the reduction 
of physical boundaries for privacy, we must ensure that privacy 
protections apply regardless of where information is stored.
    Under our existing law, there are now essentially four legal 
regimes for access to electronic data: (1) the traditional Fourth 
Amendment standard for records stored on an individual's hard drive or 
floppy disks; (2) the Title III-Electronic Communications Privacy Act 
standard for records in transmission; (3) the standard for business 
records held by third parties, available on a mere subpoena to the 
third party with no notice to the individual subject of the record; and 
(4) a statutory standard allowing subpoena access and delayed notice 
for records stored on a remote server such as the diary of a student 
stored on a university server, or personal correspondence.
    As the third and fourth categories of records expand because the 
wealth of transactional data collected in the private sector grows and 
people find it more convenient to store records remotely, the legal 
ambiguity and lack of strong protection grows more significant and 
poses grave threats to privacy in the digital environment.
    While Congress took the first small step towards recognizing the 
changing nature of transactional data with amendments to the Electronic 
Communications Privacy Act enacted as part of the Communications 
Assistance for Law Enforcement Act of 1994 (``CALEA''), the increase in 
transactional data and the increasing detail it reveals about 
individuals' lives suggests that these changes are insufficient to 
protect privacy.
    Moreover, the Electronic Communications Privacy Act must be updated 
to provide a consistent level of protection to communications and 
information regardless of where they are stored and how long they have 
been kept. Technologies that invite us to live online will quickly 
create a pool of personal data with the capacity to reveal an 
individual's travels, thoughts, purchases, associations, and 
communications. We must raise the legal protections afforded to this 
growing detailed data regardless of where it resides on the network.
C. Establish rules that give individuals control over personal 
        information during commercial interactions
    We must adopt enforceable standards, both self-regulatory and 
regulatory, to ensure that information provided for one purpose is not 
used or redisclosed for other purposes without the individual's 
consent. All such efforts should focus on the Code of Fair Information 
Practices developed by the Department of Health, Education and Welfare 
in 1973. The challenge of implementing privacy practices on the 
Internet is ensuring that they build upon the medium's real-time and 
interactive nature to foster privacy and that they do not 
unintentionally impede other beneficial aspects of the medium.
    Historically, for privacy legislation to be successful, it must 
garner the support of at least a section of the industry. To do so, it 
must build upon the work of some industry members--typically binding 
bad actors to the rules being followed by industry leaders--or be 
critically tied to the viability of a business service or product as 
with the Video Privacy Protection Act and the Electronic Communications 
Privacy Act.
    Today, the dialogue over assuring privacy on the Internet and in 
electronic commerce is well situated for a successful legislative 
effort. Consensus exists around at least four general principles: 
notice of data practices; individual control over the secondary use of 
data; access to personal information; and, security for data. However, 
the specifics of their implementation and the remedies for their 
violation are just beginning to be explored by all interested parties. 
When is information identifiable? How is it accessed? How do we create 
meaningful and proportionate remedies that address the disclosure of 
sensitive medical information as well as the disclosure of inaccurate 
marketing data? These hard issues must be more fully resolved before 
the policy process will successfully move forward. The leadership of 
Internet-savvy members of this Committee and others will be critical if 
we are to provide workable privacy protections for the Internet.
D. A privacy protection entity to provide expertise and institutional 
        memory, a forum for privacy research, and a source of policy 
        recommendations on privacy issues
    The work outlined above, and the state of privacy today, all weighs 
in favor of creating a privacy entity within the federal government. 
The existing approach has hindered the development of sound policy and 
failed to keep pace with changes in technology. While we are pleased 
with the Administration's recent appointment of Peter Swire to the 
Office of Information and Regulatory Affairs as the federal ``privacy 
czar,'' we believe that OIRA is incapable, due to institutional 
constraints and a lack of autonomy, of addressing several key privacy 
issues. The United States needs an independent voice empowered with the 
scope, expertise, and authority to guide public policy. Such an entity 
has important roles to play on both domestic and international fronts. 
It would serve as the forum for collaboration with other governments, 
the public interest community, and the business community.
                             v. conclusion
    No doubt, privacy on the Internet is in a fragile state. However, 
there is new hope for its resuscitation. There is a special need now 
for dialogue. Providing a web of privacy protection to data and 
communications as they flow along networks requires a unique 
combination of tools--legal, policy, technical, and self-regulatory. 
Cooperation among the business community and the nonprofit community is 
crucial. Whether it is setting limits on government access to personal 
information, ensuring that a new technology protects privacy, or 
developing legislation--none will happen without a forum for 
discussion, debate, and deliberation. We thank the Committee for 
providing this initial forum and look forward to working with the 
members and staff and other interested parties to foster privacy 
protections for the Digital Age.

    The Chairman. Mr. Bodoff.

                 STATEMENT OF RUSSELL T. BODOFF

    Mr. Bodoff. Thank you. Mr. Chairman and members of the 
committee, I am pleased to present to you our BBBOnLine Privacy 
Seal program and to share the experience of our first month of 
operation, after our official launch of the program which took 
place on March 17.
    BBBOnLine is a subsidiary of the Council of Better Business 
Bureaus, with the start-up of our BBBOnLine privacy initiative 
supported by 24 leading-edge sponsoring companies. The program 
benefits from the Better Business Bureau's 100-percent name 
recognition, as well as the BBB's 86 years' experience in 
voluntary self-regulation and consumer dispute resolution.
    Our privacy program awards an easily recognizable seal to 
businesses that post online privacy policies meeting rigorous 
principles, including notice to consumers, disclosure, choice 
and consent, access, and security. It offers a separate and 
distinct seal for sites directed at children. It provides a 
thorough and consumer-friendly dispute resolution system. It 
monitors compliance through a comprehensive assessment of a 
company's online privacy practices, and it takes specific 
actions for non-compliance, such as seal withdrawal, publicity 
and referral to government enforcement agencies.
    To qualify for a privacy seal, companies must submit an 
application and successfully complete a comprehensive 
assessment process that investigates over 170 different aspects 
of an applicant's information practices. The founding principle 
of our privacy program is that it requires privacy seal 
participants to say what they do, to do what they say, and have 
it verified.
    This begins with an easy to find and easy to understand 
privacy notice. Privacy notices must be one click away from a 
Web site's home page and from every other page where personally 
identifiable information is collected. Depending on the 
information practices of the participant, this privacy notice 
may contain as many as 16 required disclosures, but it will 
always describe who is collecting the information, what type of 
information is being collected, and how that information is 
used and shared. It will always disclose how an individual can 
access and correct their information, how to contact the 
company, and how to contact BBBOnLine.
    While evaluating the privacy notice is critically 
important, the BBBOnLine assessment does not stop there, but 
looks further into the actual information practices of a 
company. Participants must have in place reasonable security 
measures to prevent unauthorized access to both stored and 
transmitted data. This includes doors and locks, adequate 
training for employees, adequate logs and recordkeeping, and a 
mandatory use of encryption when there is a receipt or 
transmission of sensitive information, such as credit card 
numbers, health care data or Social Security numbers.
    Seal participants must provide a means by which individuals 
can gain reasonable access to all the maintained and 
retrievable personally identifiable information they submit 
online. Seal participants that operate Web sites or online 
services that are directed to children under the age of 13 must 
also complete an additional children's assessment process.
    BBBOnLine's privacy program's free, convenient and speedy 
dispute resolution service offers the assistance of trained 
professionals to ensure that consumers have a simple and 
effective way to have their concerns addressed. Consumers can 
contact the BBBOnLine dispute resolution intake center via e-
mail, toll-free telephone call, or by following the 
instructions on our Web sites.
    As remedies, consumers can seek to have the information 
which was submitted online used only in a manner consistent 
with the company's published privacy policy and/or the consumer 
can seek to have inaccurate information corrected. BBBOnLine 
may also require corrective action in the form of a change in 
the seal participant's online privacy policies or practices if, 
based on evidence in the case, it finds such action to be 
required to avoid return to the same complaint.
    The program will also monitor compliance through a system 
of random audits to ensure that program participants remain in 
compliance. We have designed our program to have serious and 
effective consequences for non-compliance. In our dispute 
resolution process, we will publish decisions so the public 
will be able to monitor resolution of complaints about 
violations of privacy policies.
    The Privacy Seal program has been officially open now for 
about 1 month. Since the launch, we have already processed over 
240 formal applications. We have awarded 14 seals and have many 
other companies ready and close to approval. The response has 
been impressive and more applications are coming in everyday. 
Companies are reporting to us that the assessment process is so 
thorough that it requires them to carefully evaluate and in 
some cases change their entire data-collecting and processing 
practices.
    Now that we are open for business, we are engaging in an 
aggressive outreach program to educate businesses on good 
privacy practices. For example, we recently entered into an 
agreement with the American Electronics Association to educate 
their 3,000 members about good privacy principles. Similar 
business outreach will be announced shortly with other major 
trade associations, as well as our Better Business Bureaus. 
Next on our agenda will be developing a major outreach to 
consumers and children to help them better understand how to 
protect their privacy while they are online.
    In closing, let me say how excited we are that the 
BBBOnLine privacy program, which was created in less than 9 
months, is already being described as the most comprehensive 
privacy self-regulation anywhere in the world. Consumers have a 
high level of trust in our organization. A study released last 
week by AT&T Research Labs indicated that a privacy notice on a 
Web site, along with the Better Business Bureau seal, gave a 
consumer a higher level of confidence than even privacy 
regulation.
    I want to thank the committee members for their attention, 
and I hope that you share our enthusiasm about the tremendous 
progress that has been made.
    The Chairman. Thank you, Mr. Bodoff.
    [The prepared statement of Mr. Bodoff follows:]

                Prepared Statement of Russell T. Bodoff

    Mr. Chairman and members of the Committee, my name is Russell 
Bodoff, I am Senior Vice President and Chief Operating Officer of 
BBBOnLine, an independent subsidiary of the Council of Better Business 
Bureaus. I am pleased to present to you the BBBOnLine Privacy Seal 
program and to share the experience of our first month of operation 
after the official launch of the program on March 17, 1999.
    The Council of Better Business Bureaus (CBBB) is the umbrella 
organization for the nation's Better Business Bureau system, which 
consists of over 130 local BBB's and branches and 270,000 member 
businesses across the United States. The CBBB is a nonprofit business 
membership organization tax exempt under section 501(c)(6) of the 
Internal Revenue Code. More than 325 leading edge companies nationwide 
belong to the CBBB and provide support for its mission of promoting 
ethical business practices through voluntary self-regulation and 
consumer and business education.
    Each year, millions of consumers contact the Better Business Bureau 
for pre-purchase information or for assistance in resolving marketplace 
disputes. In large part, they are drawn to the BBB by its enormous name 
recognition. The BBB trademark is one of the country's most widely 
recognized by both business and consumers (100 percent business and 98 
percent consumer brand recognition according to a 1996 Gallup Poll). 
The public looks to the Better Business Bureau for impartial and 
reliable information on a broad range of companies, products and 
services. We. provide reliability reports on individual businesses 
(members and non-members), issue reports on publicly soliciting 
charitable organizations and provide consumer advisories on a host of 
offers, promotions and scams. We offer consumers and businesses a means 
to resolve disputes through conciliation, mediation and, when 
necessary, arbitration. In fact, the BBB operates one of the, if not 
the, largest out-of-court consumer/business dispute settlement program 
in North America.
    Through its partnership with the major advertising trade 
associations, the American Association of Advertising Agencies (AAAA), 
the Association of National Advertisers (ANA), and the American 
Advertising Federation (AAF), the CBBB also operates a highly 
successful and much praised advertising self-regulation program that 
helps assure truthful advertising and appropriate advertising directed 
to children.
    Our name recognition, the extremely high level of trust we have 
earned from the public, and our experience in operating self-regulation 
and dispute settlement programs, including our previous experience with 
offering another seal program in the BBBOnLine Reliability Program, are 
some of the reasons the business community and the Administration asked 
BBBOnLine once again to provide a framework for self-regulation in the 
major issue of concern in online commerce--personal privacy protection.
    BBBOnLine is a 501(c)(6) tax exempt organization, supported by 
leading online marketing and technology companies in the United States. 
A wholly owned subsidiary of the CBBB, BBBOnLine was established by the 
CBBB and its member sponsors as a means to promote the highest ethical 
business practices online through self-regulation and consumer 
education and self-help measures, and thereby help to foster consumer 
trust and confidence in this new market. The online marketplace has 
vast potential for consumers and business alike. However, it presents 
risks to consumers who can not easily determine the reliability of any 
given company by simply looking at its website, and it makes it 
difficult for an ethical business to distinguish itself from a fly-by-
night operator.
    To help online companies distinguish themselves, BBBOnLine provides 
two separate seal programs for online businesses--the Reliability Seal 
Program and the Privacy Seal Program--and provides consumer information 
through our website, www.bbbonline.org.
    The BBBOnLine Reliability Program was launched in April of 1997 
with the support of 11 major corporate sponsors. The objective was to 
provide a resource for consumers seeking trustworthy businesses on the 
Internet; to help legitimate businesses distinguish themselves from 
fly-by-night operators; and to demonstrate that self-regulation of the 
online marketplace can succeed. To participate in the Reliability 
Program a company must be a BBB member, cooperate with CBBB's National 
Advertising Division (NAD), Children's Advertising Review Unit (CARU) 
and National Advertising Review Board (NARB) and commit to third-party 
dispute resolution. Over 2,900 companies from various sectors and of 
various sizes have been approved to date for the Reliability Seal and 
we are currently approving 200 new participants each month. Some of the 
largest marketing sites on the Internet participate in the program. 
Posting the Reliability Seal on a website provides consumers with an 
easy means to check a company's history, obtain contact information, 
and be assured that the company stands behind its advertising claims. A 
BBB representative visits, in person, the physical office of each and 
every Reliability Seal applicant, to ensure that they are who and 
where, they say they are.
    Launched in March 1999, the BBBOnLine Privacy Program is the only 
privacy seal program that is rooted in 86 years of experience in 
voluntary self-regulation and consumer dispute resolution. The 
BBBOnLine Privacy Program awards seals to online businesses verified as 
meeting our high standards including: the posting of online privacy 
policies meeting rigorous privacy principles, completion of a 
comprehensive evaluation, monitoring and review by a trusted 
organization, and participation in a consumer dispute resolution 
system. For further detail, please visit www.bbbonline.org/businesses/
privacy/eligibility.html.
    After the successful creation and implementation of the BBBOnLine 
Reliability Program, it was a natural progression for BBBOnLine to 
address the significant issues pertaining to privacy in electronic 
commerce. BBBOnLine agreed to design a new BBBOnLine privacy self-
regulation program in June of 1998. There was tremendous industry 
support for this effort. Twenty-four major companies provided start up 
funds of $2.3 million to develop the program design. Currently 
seventeen companies serve as full corporate sponsors: Ameritech, AT&T, 
Bank of America, Dun & Bradstreet, Eastman Kodak, GTE, Hewlett-Packard, 
Microsoft, Netscape, Procter & Gamble, Reed Elsevier (LEXIS-NEXIS), 
Road Runner Group, Sony Electronics, US WEST, Visa and Xerox. Plus, 
twenty-four companies support and participate in our privacy steering 
committee: America Online, American Express, AMR Corporation (American 
Airlines and Travelocity), AT&T, Bank of America, Dell, Dun & 
Bradstreet, Eastman Kodak, Equifax, Experian, Ford, Hewlett-Packard, 
IBM, Intel, J.C. Penney, MCI WorldCom, Microsoft, New York Times 
Electronic Media, Nickelodeon, Procter & Gamble, Reed Elsevier (LEXIS-
NEXIS), Sony Electronics, US WEST, and Xerox. In addition to the 
financial support provided by our founding sponsors, a steering 
committee of supporting companies was formed to assist BBBOnLine in 
developing a self-regulatory program that was substantive, realistic, 
and workable. Contributing to this effort were privacy experts such as 
Professor Alan Westin of Columbia University and Dr. Mary Culnan of 
Georgetown University. We also created a separate dispute resolution 
committee to help design a dispute resolution component to the program 
to deal with the specialized area of privacy disputes.
    The Privacy Program is designed to be a user-friendly tool that 
helps foster trust and confidence on the Net. It is also designed to be 
a valuable resource for business as a simple, one-stop, non-intrusive 
way to demonstrate compliance with credible online privacy principles.
    The core of the BBBOnLine Privacy Program:

   Awards an easily recognizable and affordable ``seal'' to 
        businesses that post online privacy policies meeting rigorous 
        principles, including notice to consumer, disclosure, choice 
        and consent, access, and security;
   Offers a separate and distinct seal for sites directed at 
        children;
   Provides a thorough and consumer-friendly dispute resolution 
        system;
   Monitors compliance through requirements that participating 
        companies undertake, at a minimum annually, assessments of 
        their online privacy practices; and,
   Takes specific actions for non-compliance, such as seal 
        withdrawal, publicity and referral to government enforcement 
        agencies.

    Applicants eligible to participate in the BBBOnLine Privacy program 
must post a clear and easy to find privacy notice and operate a website 
or online service that is directed to U.S. residents. To reach broadly, 
BBB membership is not required to participate in the privacy program, 
although applicants can not have an unsatisfactory BBB record.
    To ultimately qualify for a privacy seal, applicants must submit an 
application and successfully complete a comprehensive assessment 
process that investigates over 170 different aspects of an applicant's 
information practices, including privacy notice content and placement, 
corporate structure, security measures, transfer and merger of 
information, access, correction; and (if the website or online service 
falls within our children's guidelines) a comprehensive set of 
additional children's requirements. For more information, please visit 
www.bbbonline.org/businesses/privacy/assess-html.html or see Appendix 
A.
    The assessment process itself was field tested with a diverse group 
of companies to make sure that its objective of performing an in-depth 
evaluation of information practices was user friendly for business and 
workable in performing an effective analysis of the way a seal 
applicant collects and uses personal information. The assessment 
process offers companies an excellent benchmark for evaluation and 
implementation of sound privacy policies and practices.
    After successfully completing the assessment process, applicants 
must then have a company officer sign a participation agreement that 
obligates them to submit to random and independent third party 
verification, to utilize the BBBOnLine Dispute Resolution process, and 
to notify BBBOnLine whenever there is a material change in either (1) 
their privacy notice, (2) their information practices, and/or (3) the 
scope of the privacy seal.
    The essence of the BBBOnLine Privacy Program is that it requires 
privacy seal participants to ``Say What You Do, Do What You Say, and 
Have It Verified.'' SM This begins with a clear and easy to 
find privacy notice. Privacy notices must be ``one click away'', from a 
website's homepage and every other page where personally identifiable 
information is collected. Depending on the information practices of the 
participant, this privacy notice may contain as many as 16 required 
disclosures, but it will always describe who is collecting information, 
what types of information is being collected, and how that information 
is used and shared. It will always disclose how an individual can 
access and correct their information, how to contact the participant, 
and how to contact BBBOnLine. Mandatory opt-outs are required whenever 
information will be transferred to third parties for marketing, and 
whenever information is used in a way not described in the privacy 
notice.
    While evaluating the privacy notice is critically important, the 
BBBOnLine assessment does not stop there, but looks further into the 
actual information practices of an applicant.
    Seal participants must have in place reasonable security measures 
to prevent unauthorized access to both stored and transmitted data. 
This includes doors and locks, adequate training for employees, 
adequate logs and record keeping, and a mandatory use of encryption 
when there is a receipt or transmission of sensitive information such 
as credit card numbers, health care data, and social security numbers.
    In addition to disclosing information transfer practices and 
providing opt-outs if such transfers are for marketing purposes, seal 
participants must also take steps to ensure that transferred 
information continues to be used only in the ways disclosed in the 
privacy notice and according to the choices made by an individual. Seal 
participants must also follow special rules when information is 
submitted online by one person about someone else, such as with gift 
recipients.
    Seal participants must provide a means by which individuals can 
gain reasonable access to all the maintained and retrievable personally 
identifiable information they submit online, and establish a reasonable 
process by which seal participants can verify the identity of those 
requesting access.
    Seal participants that operate websites or online services, or 
portions thereof, that are directed to children under 13, or at which 
information is collected from visitors actually known to be children 
under 13, must also complete a children's supplemental assessment 
questionnaire and assessment process based upon the requirements of the 
Children's Online Privacy Protection Act of 1998, and the guidance set 
forth by both the Online Privacy Alliance, and the Council of Better 
Business Bureaus' Children's Advertising Review Unit.
    Such children's websites must acquire prior verifiable parental 
consent before a child's information can be collected and before 
children are given the ability to post identifying information. 
Reasonable efforts must be taken to prevent children from posting 
contact information. In certain circumstances and at certain locations, 
additional warnings and reminders to children must be placed within the 
website or online service. The participation in games or other online 
activities may not be conditioned on the disclosure of more information 
than is necessary. Special limitations are placed on e-mail and the 
creation of hyperlinks to other websites. Finally, seal participants 
who e-mail children must also take proactive steps to remind and 
encourage parents to check and monitor their children's online 
activities.
    In the month that the BBBOnLine Privacy program has been in 
operation, we have already gained much valuable experience. The 
assessment process involves a lengthy dialog between ourselves and our 
applicants, and often. we find ourselves learning from each other. For 
instance, in the process of evaluating the information practices of 
applicants, we find that we are also educating them on the importance 
of drafting clear privacy policies that disclose with sufficient 
specificity what is being collected and how that information is being 
used. We are talking with applicants about the necessity of providing 
access to and correction of information, and simultaneously, the 
importance of having in place verification methods for providing access 
to only those individuals authorized to obtain it. We are educating 
applicants on security measures, the many issues that arise in clearly 
defining the scope of the privacy seal protections, and the best way to 
protect children's privacy. In this way, we believe we are not only 
certifying websites that follow the BBBOnLine criteria, but also 
greatly raising the bar by giving applicants the time and guidance 
needed to make them knowledgeable about the issues surrounding online 
privacy.
    In addition to the assessment process, BBBOnLine offers consumers 
and businesses significant experience in resolving disputes. The BBB 
system currently runs what is probably the nation's largest consumer-
business dispute resolution program, primarily for most of the 
automobile industry, for whom we are certified as operating state-
compliant lemon law programs in those states allowing for state 
certification; BBB dispute settlement efforts also include 60,000 local 
business participants; our programs handle more than 30,000 cases a 
year, using the services of about 5,000 trained volunteer arbitrators, 
not to mention the hundreds of thousands of informal complaint 
resolution cases handled by the BBB's every day.
    Using BBB's dispute settlement experience, we stand ready to 
provide consumers with a specialized forum to air and resolve privacy-
related disputes (Appendix B). We will accept complaints from both U.S. 
residents and non-U.S. residents about companies and organizations with 
posted privacy notices, whose websites or online services are intended 
to be directed at U.S. residents, that misuse information. Complaints 
can be about the actions of seal participants and non-seal 
participants. Companies or organizations that do not cooperate with us 
in a dispute resolution proceeding can, in turn, be subject to public 
withdrawal of our seal and/or referral to the appropriate government 
agency.
    Free, convenient, and speedy dispute resolution by trained 
professionals ensures that consumers have a simple and effective way to 
have their concerns addressed. Consumers can contact the BBBOnLine 
Dispute Resolution Intake Center via e-mail, telephone call or by 
simply following our online complaint directions located on our web 
site at www.bbbonline.org/consumers/drguide.html. As remedies, 
consumers can seek to have the information which was submitted online 
used only in a manner consistent with the company's published privacy 
policy and/or the consumer can seek to have inaccurate information 
corrected. BBBOnLine may also require corrective action in the form of 
a change in a seal participant's online privacy policies or practices 
if, based on the evidence in the case, it finds such action to be 
required to avoid recurrences of the same complaint.
    The BBBOnLine dispute resolution process is designed to deliver 
consumer satisfaction. The first step will be to encourage a business 
and the consumer to resolve a complaint between the two parties. If 
this fails, BBBOnLine will step in to help, providing a consumer-
friendly process to resolve the complaint. An appeal process to an 
impartial panel is also available providing neutral expertise in the 
privacy arena. Indeed, we have been fortunate to recruit Andrew 
Strenio, a former Commissioner of the Federal Trade Commission, to be 
Chair of our appeals board. Businesses that repeatedly violate their 
own policies will have their seal revoked, and as previously mentioned, 
they will be publicly identified and the most serious or frequent 
offenders will have the violations reported to the proper government 
authority. The Better Business Bureau system has a long history of 
cooperation with regulatory authorities and the BBBOnLine Privacy 
Program will continue this collaboration to promote trust and 
confidence on the Internet.
    Seal participants are required to provide information within their 
privacy policy on how to contact BBBOnLine in order to ensure ease of 
access to the complaint resolution system.
    Each participant in the BBBOnLine Privacy Program agrees to 
cooperate with BBBOnLine in verification of their compliance with 
eligibility requirements. BBBOnLine may itself, or through an 
independent third party designated by BBBOnLine, conduct random 
compliance reviews (online, onsite, or otherwise) of one or more 
eligibility requirements on BBBOnLine's own initiative or in response 
to complaints from individuals or other third parties. By conducting 
surprise audits on program participants, we will be able to keep the 
importance of privacy issues at the forefront of online business 
practices and create a significant deterrence to noncompliance.
    If, as a result of a random review or other third party 
information, BBBOnLine finds the organization not to be in compliance 
with any of our eligibility requirements, we may decide to pursue a 
complete review of all of the eligibility requirements in order to 
allow BBBOnLine to retain confidence in the organization's continued 
eligibility to participate in the program. In addition, if the 
organization is merged, acquired by or consolidated with another 
company, it must inform BBBOnLine, which will require review of the 
circumstances surrounding the merger, consolidation or acquisition to 
determine whether the organization must requalify or provide additional 
information for use of the seal.
    We have designed our program to have serious and effective 
consequences for non-compliance. In our dispute resolution process we 
will publish decisions so that the public will be able to monitor 
resolution of complaints about violations of privacy policies. Our 
complaint resolution process will also keep statistics which will help 
us identify patterns of improper information practices and instances of 
non-compliance which we can use to monitor and enforce our program 
requirements. Of course we will only publish the name of the company 
complained about, protecting the consumer complainant's identity from 
disclosure. An important feature of our dispute resolution process is 
that it will not be binding on the consumer, so consumers will be free 
to exercise available judicial remedies in addition to the remedies 
offered by BBBOnLine.
    The Privacy Seal Program has been officially ``open for business'' 
for only one month. In this brief period of time we have already 
received over 240 applications and have awarded 13 seals. The response 
has been impressive and more applications are coming in everyday. The 
assessment process is a very thorough process that forces companies to 
carefully evaluate, and in some cases change, their entire data 
collecting and processing practices, online and off-line. The process 
goes well beyond the posting of a privacy policy.
    A study led by AT&T Research Labs released last week came to the 
conclusion that the combination of a privacy policy and a seal from a 
well known organization, like the Better Business Bureau, significantly 
raised people's confidence when they were asked to provide personal 
information online (www.research.att.com/projects/privacystudy/). In 
fact, of the respondents that were unsure or said that they would not 
provide personal information to receive free pamphlets and coupons at a 
site related to a favorite hobby:

   48 percent said they would be more likely to provide it if 
        there was a law that prevented the site from using the 
        information for any purpose other than processing the request,
   28 percent said they would be more likely to provide it if 
        the site only had a privacy policy,
   and 58 percent said they would be more likely to provide it 
        if the site had both a privacy policy and a seal of approval 
        from a well known organization such as the Better Business 
        Bureau

BBB's 100 percent brand name recognition and its 86 year history in 
self-regulation allows us to provide a program that can make a 
difference.
    Online privacy is often mentioned as one of the biggest concerns 
keeping consumers from engaging in e-commerce. The online privacy issue 
has become such a hot issue that many businesses are now starting to 
respond. As evidenced in our program, it is not only the large 
businesses that are exercising self-regulation.
    Many of the applications we have received have come from small to 
medium sized businesses. The BBBOnLine Privacy Seal Program was 
intentionally priced so that all companies could apply (Appendix C). 
The only item keeping a company from participating in the program 
should be its inability to meet the eligibility requirements; price 
should not be a factor. The World Wide Web is made up of hundreds of 
thousands of websites, most of which are not large companies. In order 
for self-regulation to work it must be accessable to the majority of 
web marketers, large and small companies alike. Indeed, now that we are 
open for business we are engaging in an aggressive outreach effort to 
reach as wide a business audience as possible. For example, we recently 
entered into a co-marketing arrangement with the American Electronic 
Association to educate their 3,000 plus members about good privacy 
principles and the BBBOnLine Privacy Program.
    BBBOnLine plans a comprehensive outreach effort for consumer 
education. We have approached consumer advocacy groups about joint 
efforts and hope to use our website to provide educational materials on 
helping consumers protect their privacy online.
    Though we just launched the Privacy Seal Program, it is our hope 
that as the program grows and as consumer awareness and education 
increases we will have been able to make the online marketplace a safer 
place to negotiate for all. We want to thank the Committee for your 
attention and hope that you share in our enthusiasm for the tremendous 
progress already made.
    I am available to answer any questions you may have.

    [GRAPHIC] [TIFF OMITTED] T8199.018
    
    [GRAPHIC] [TIFF OMITTED] T8199.019
    
    [GRAPHIC] [TIFF OMITTED] T8199.020
    
    [GRAPHIC] [TIFF OMITTED] T8199.021
    
    [GRAPHIC] [TIFF OMITTED] T8199.022
    
    [GRAPHIC] [TIFF OMITTED] T8199.023
    
    [GRAPHIC] [TIFF OMITTED] T8199.024
    
    [GRAPHIC] [TIFF OMITTED] T8199.025
    
    [GRAPHIC] [TIFF OMITTED] T8199.026
    
    [GRAPHIC] [TIFF OMITTED] T8199.027
    
    [GRAPHIC] [TIFF OMITTED] T8199.028
    
    [GRAPHIC] [TIFF OMITTED] T8199.029
    
    [GRAPHIC] [TIFF OMITTED] T8199.030
    
    [GRAPHIC] [TIFF OMITTED] T8199.031
    
    [GRAPHIC] [TIFF OMITTED] T8199.032
    
    [GRAPHIC] [TIFF OMITTED] T8199.033
    
    [GRAPHIC] [TIFF OMITTED] T8199.034
    
    [GRAPHIC] [TIFF OMITTED] T8199.035
    
    [GRAPHIC] [TIFF OMITTED] T8199.036
    
    [GRAPHIC] [TIFF OMITTED] T8199.037
    
    [GRAPHIC] [TIFF OMITTED] T8199.038
    
    [GRAPHIC] [TIFF OMITTED] T8199.039
    
    [GRAPHIC] [TIFF OMITTED] T8199.040
    
    [GRAPHIC] [TIFF OMITTED] T8199.041
    
    [GRAPHIC] [TIFF OMITTED] T8199.042
    
    [GRAPHIC] [TIFF OMITTED] T8199.043
    
    [GRAPHIC] [TIFF OMITTED] T8199.044
    
    [GRAPHIC] [TIFF OMITTED] T8199.045
    
    [GRAPHIC] [TIFF OMITTED] T8199.046
    
    [GRAPHIC] [TIFF OMITTED] T8199.047
    
    [GRAPHIC] [TIFF OMITTED] T8199.048
    
    [GRAPHIC] [TIFF OMITTED] T8199.049
    
    [GRAPHIC] [TIFF OMITTED] T8199.050
    
    [GRAPHIC] [TIFF OMITTED] T8199.051
    
    [GRAPHIC] [TIFF OMITTED] T8199.052
    
    [GRAPHIC] [TIFF OMITTED] T8199.053
    
    [GRAPHIC] [TIFF OMITTED] T8199.054
    
    [GRAPHIC] [TIFF OMITTED] T8199.055
    
    [GRAPHIC] [TIFF OMITTED] T8199.056
    
    [GRAPHIC] [TIFF OMITTED] T8199.057
    
    [GRAPHIC] [TIFF OMITTED] T8199.058
    
    [GRAPHIC] [TIFF OMITTED] T8199.059
    
    [GRAPHIC] [TIFF OMITTED] T8199.060
    
    [GRAPHIC] [TIFF OMITTED] T8199.061
    
    [GRAPHIC] [TIFF OMITTED] T8199.062
    
    [GRAPHIC] [TIFF OMITTED] T8199.063
    
    [GRAPHIC] [TIFF OMITTED] T8199.064
    
    [GRAPHIC] [TIFF OMITTED] T8199.065
    
    [GRAPHIC] [TIFF OMITTED] T8199.066
    
    [GRAPHIC] [TIFF OMITTED] T8199.067
    
    [GRAPHIC] [TIFF OMITTED] T8199.068
    
    [GRAPHIC] [TIFF OMITTED] T8199.069
    
    [GRAPHIC] [TIFF OMITTED] T8199.070
    
    [GRAPHIC] [TIFF OMITTED] T8199.071
    
    [GRAPHIC] [TIFF OMITTED] T8199.072
    
    [GRAPHIC] [TIFF OMITTED] T8199.073
    
    [GRAPHIC] [TIFF OMITTED] T8199.074
    
    [GRAPHIC] [TIFF OMITTED] T8199.075
    
    [GRAPHIC] [TIFF OMITTED] T8199.076
    
    [GRAPHIC] [TIFF OMITTED] T8199.077
    
    [GRAPHIC] [TIFF OMITTED] T8199.078
    
    [GRAPHIC] [TIFF OMITTED] T8199.079
    
    [GRAPHIC] [TIFF OMITTED] T8199.080
    
    [GRAPHIC] [TIFF OMITTED] T8199.081
    
    [GRAPHIC] [TIFF OMITTED] T8199.082
    
    [GRAPHIC] [TIFF OMITTED] T8199.083
    
    [GRAPHIC] [TIFF OMITTED] T8199.084
    
    [GRAPHIC] [TIFF OMITTED] T8199.085
    
    [GRAPHIC] [TIFF OMITTED] T8199.086
    
    [GRAPHIC] [TIFF OMITTED] T8199.087
    
    [GRAPHIC] [TIFF OMITTED] T8199.088
    
    [GRAPHIC] [TIFF OMITTED] T8199.089
    
    [GRAPHIC] [TIFF OMITTED] T8199.090
    
    [GRAPHIC] [TIFF OMITTED] T8199.091
    
    [GRAPHIC] [TIFF OMITTED] T8199.092
    
    [GRAPHIC] [TIFF OMITTED] T8199.093
    
    [GRAPHIC] [TIFF OMITTED] T8199.094
    
    [GRAPHIC] [TIFF OMITTED] T8199.095
    
    [GRAPHIC] [TIFF OMITTED] T8199.096
    
    [GRAPHIC] [TIFF OMITTED] T8199.097
    
    [GRAPHIC] [TIFF OMITTED] T8199.098
    
    [GRAPHIC] [TIFF OMITTED] T8199.099
    
    [GRAPHIC] [TIFF OMITTED] T8199.100
    
    [GRAPHIC] [TIFF OMITTED] T8199.101
    
    [GRAPHIC] [TIFF OMITTED] T8199.102
    
    [GRAPHIC] [TIFF OMITTED] T8199.103
    
    [GRAPHIC] [TIFF OMITTED] T8199.104
    
    [GRAPHIC] [TIFF OMITTED] T8199.105
    
    [GRAPHIC] [TIFF OMITTED] T8199.106
    
    [GRAPHIC] [TIFF OMITTED] T8199.107
    
    [GRAPHIC] [TIFF OMITTED] T8199.108
    
    [GRAPHIC] [TIFF OMITTED] T8199.109
    
    The Chairman. Mr. Fischbach.

                 STATEMENT OF GREGORY FISCHBACH

    Mr. Fischbach. Thank you, Mr. Chairman, Senator Kohl and 
Senator Schumer, for the opportunity to testify before the 
committee today regarding the protection of personal 
information on the Internet. I applaud you for your leadership 
in seeking to strike the right admittedly delicate balance 
between industry self-regulation and the appropriate role, if 
any, of government.
    I testify today wearing two hats. I am the Chairman and 
Chief Executive Officer of Acclaim Entertainment, a leading 
maker of video and PC games. Though headquartered in New York, 
Acclaim's flagship develop studio is Iguana Studios in Salt 
Lake City, which employs 90 software professionals.
    Senator Schumer. Excuse me, sir. Are you bragging about 
that? [Laughter.]
    The Chairman. Let's not have interruptions from New York. 
[Laughter.]
    We ought to be grateful here for the link-up, you know.
    Mr. Fischbach. Well, it works for both of you.
    I am here as Vice Chair of the Interactive Digital Software 
Association, the trade body representing the $6.3 billion U.S. 
entertainment software industry.
    Maintaining communication with our customers is fundamental 
to our success as a business. Unlike many other businesses 
where the essential interaction with consumers involves a one-
time transaction, entertainment software consumers expect and 
even rely on a continuous dialogue with their publishers. For 
example, buyers of our games expect us to provide them with 
software bug fixes, game tips, virus warnings and software 
upgrades.
    The Internet has become a major vehicle for talking to our 
customers. We use it to provide online product registrations, 
direct download of bug fixes and updates, new product 
information, and online gaming services. We recognize that 
using the Internet to communicate with customers means we must 
appropriately safeguard the personal information we collect and 
use online.
    In October 1998, the IDSA officially adopted voluntary 
principles and guidelines for fair information practices 
online. The guidelines generally conform to privacy principles 
proposed by the Department of Commerce and the OECD. While 
consistent with guidelines issued by other industry groups, the 
IDSA guidelines go further in three areas--access, information 
and children.
    On access, the IDSA guidelines direct that companies give 
consumers the opportunity for reasonable, appropriate access to 
personal identity information and the opportunity to correct or 
amend that information. In the area of enforcement, the 
guidelines direct the IDSA to make publicly accessible a status 
report on IDSA member implementation of privacy practices, and 
they require that members utilize certification seals provided 
by third-party entities.
    Finally, in the children's area the IDSA guidelines require 
that companies provide parents of children ages 13 to 17 with 
notice of online information collection and the opportunity to 
remove the information from the site's database. To date, 16 
IDSA members, who together accounted for almost 60 percent of 
all games sold in the U.S. in 1998, have posted online privacy 
policies as required by our guidelines or are in the process of 
doing so.
    For our company, compliance has required fundamental 
changes in the way that we do business and relate to our 
customers. This is an important point. Business does have a 
responsibility to protect privacy, but government must 
understand that these changes often touch on the most basic and 
important business asset we have, our consumer relationships.
    Let me tell you that overhauling our business model in this 
area is not as easy as it might seem when rules are first put 
on paper. In fact, we at Acclaim have opted to significantly 
limit how much information we collect on our Web site. 
Acclaim.net only collects and stores e-mail addressed, and only 
does so in three circumstances.
    When a Web site visitor is subscribing to our newsletter, 
downloading software, or ordering something from our online 
store, we make it clear that we may use these e-mail addresses 
for a variety of internal marketing purposes, but do not sell 
or distribute them to any outside person or organization. We 
also offer our customers the ability to have Acclaim delete 
their e-mail addresses.
    Finally, we expressly forbid children 12 and under from 
submitting information to us, and we will implement whatever 
consent and notice procedures the FTC identifies as appropriate 
regulations that are promulgated under this law. Our policy is 
posted and we hope to have a certification seal from the ESRB 
as soon as it is open for business, which we would anticipate 
by the end of this May.
    Mr. Chairman, I believe our industry and my company have 
made important strides toward protecting privacy. But my 
experience in these last few months tells me that one size does 
not fit all. A legislative or regulatory approach probably 
creates great confusion. I understand the appeal of a Federal 
mandate, but as someone working in the trenches I suggest to 
you that industry self-regulation, while perhaps imperfect, is 
ultimately the best and swiftest way to protect consumer 
privacy on the Internet, while allowing Internet creativity and 
experimentation to flourish.
    Thank you for this opportunity and I would be glad to 
answer any questions.
    The Chairman. Thank you, Mr. Fischbach.
    [The prepared statement of Mr. Fischbach follows:]

                Prepared Statement of Gregory Fischbach

    Thank you, Mr. Chairman, for the opportunity to testify before the 
Committee today regarding the protection of personal information on the 
Internet. I applaud you for your leadership in seeking to strike the 
right, admittedly delicate balance, between industry self-regulation 
and the appropriate role, if any, for government.
    I testify today wearing two hats. I am the Chairman and Co-Chief 
Executive Officer of Acclaim Entertainment. I am also here as the Vice-
Chair of the Board of Directors of the Interactive Digital Software 
Association.
    Acclaim Entertainment, Inc. is a leading worldwide developer, 
publisher and mass marketer of software for use with interactive 
entertainment platforms including Nintendo, Sony and Sega hardware 
systems, and PCs. Acclaim owns and operates five studios located in the 
United States and the United Kingdom, and publishes and distributes its 
software directly in North America, the United Kingdom, Germany, France 
and Australia. Acclaim posted 1998 revenues of over $325 million. Our 
headquarters are located in Glen Cove, New York and Acclaim's common 
stock is publicly traded on NASDAQ under the symbol AKLM.
    You may know some of our key internally developed brands, Acclaim 
Sports, Turok, and WWF Warzone. WWF Warzone, developed by our flagship 
studio, Iguana Salt Lake City, was Acclaim's best selling product in 
1998. Our Salt Lake City Studio employs over 90 software professionals 
and generates several products annually.
    All of our company brands are supported by significant marketing 
campaigns including on-line promotion. Over the last year we have 
allocated significant resources to Acclaim On-Line, in an effort to 
better service our consumers. Consumers visit our site, Acclaim.Net for 
product information, release dates, free demo software, Ecommerce, tips 
and hints and company information. Last year traffic on Acclaim.Net 
grew by 325 percent. In calendar 1999, we expect to generate over 50 
million page impressions. In the future we plan to continue to serve 
our consumers on-line by offering new features including on-line game 
play through Acclaim.Net.
    The IDSA represents the U.S. publishers of entertainment software 
games for video game consoles, PCs, and the Internet. IDSA members 
collectively account for more than 85 percent of the $6.3 billion in 
entertainment software sold and rented in the U.S. in 1998, and 
billions more in export sales of U.S.-made entertainment software. The 
entertainment software industry is now the fastest growing of all U.S. 
entertainment industries, selling nearly 200 million units of PC and 
video games in the U.S. alone, or almost two per household.
    I want to spend my time sharing with you some of the lessons that 
Acclaim and the IDSA have learned as a result of the steps that we have 
taken to protect the personal information of entertainment software 
consumers online.
    Let me start with a little context: maintaining communication with 
our customers is at the core of what we do. It is fundamental to our 
success as a business. Unlike many other businesses where the 
transaction with consumers is a one-time event, our consumers expect 
and even rely on this continuous dialogue.
    Consumers expect us to provide them with software patches, game 
tips, and software upgrades and enhancements. They want information 
from us on sequels, they want technical support, they want to tell us 
what they think of our products, they want to volunteer to test 
products, and more. Consumers of online games, a growing part of the 
entertainment software industry, also increasingly expect us to provide 
online game services so they can participate in tournaments, find 
playing partners, or play massive multi-player games. Without personal 
information from those consumers, such as email address, name, and 
snail mail address, we cannot meet these needs; moreover, in an 
industry which is besieged by piracy, we need registration information 
to ensure that the consumer owns a legitimate, rather than pirated, 
copy and we need personal information from online game players to 
prevent players from abusing the game service or harassing other 
players.
    The Internet has become the major vehicle through which we meet 
many of these consumer demands. The Internet allows us to provide 
online product registrations, direct downloads of bug fixes and 
updates, new product information, and online game services.
    We recognize that our use of the Internet to communicate with our 
customers imposes a burden on us to put in place appropriate safeguards 
to ensure that the personal information we do collect is protected. 
This leads me to the actions that both Acclaim and the IDSA have taken 
to protect the personal information of consumers online.
    In March 1998 the IDSA convened a Privacy Working Group to create 
appropriate standards for protecting the privacy of consumers on the 
Internet. This Privacy Working Group consisted of General Counsels, 
Marketing Directors, and Webmasters from nine IDSA member companies, 
bringing legal, business, and technical expertise to the issue. Over 
the ensuing eight months, this Working Group and the IDSA Board 
hammered out Principles and Guidelines for Fair Information Practices. 
The Board officially adopted these Guidelines at its October 1998 
meeting, and IDSA members are expected to be in compliance by May 31, 
1999. Copies have been provided to the Committee.
    Developing these guidelines was not simple. It's easy to lose sight 
of the fact that we are talking about redefining how we relate to our 
consumers. From a business standpoint, this is not something we take 
lightly, especially not after spending years to build a sense of 
loyalty and trust with those who play our games. While some believe 
developing guidelines is a simple matter, we know from experience that 
even using the very valuable templates developed by such groups as the 
Online Privacy Alliance, the Organization for Economic Cooperation and 
Development (OECD), and the Department of Commerce, an enormous amount 
of thought must still be applied to ensure that the guidelines we've 
adopted for this industry take into account its unique qualities.
    We believe that the Guidelines we eventually developed represent an 
appropriate balance between protecting the online privacy of our 
customers while also preserving the interactive relationship that our 
customers expect. As their longer title indicates, the guidelines have 
two elements. First, they establish a core principle to which companies 
adopting the guidelines must adhere. Second, they provide guidance on 
ways to comply with each core principle, recognizing that companies 
may, depending on size, practices, and resources, choose different 
paths to complying with the principles.
    As these elements are widely recognized to be essential, the IDSA 
Guidelines contain principles on Notice, Choice, Data Collection 
Limitation, Security, Access, Enforcement, and special rules for 
children. With regard to Notice, Choice, Data Collection Limitation, 
and Security, the IDSA Guidelines are in conformance with those 
suggested by the OECD and the Department of Commerce, and consistent 
with those adopted by other industries and companies. However, the IDSA 
Guidelines go farther than other industries with regard to Access, 
Enforcement, and Children.
    With respect to Notice, Choice, and Data Collection Limitation, and 
Security, the IDSA guidelines (1) direct each IDSA member to implement 
and publish online a ``privacy policy'' that informs consumers about 
its online collection and use of personal information, (2) direct that 
each IDSA member give consumers the choice to exercise reasonable 
control over the collection and use of their personal data, generally 
establishing ``opt-out'' choice as the minimum acceptable tool; (3) 
direct IDSA members to only collect and retain personal data of 
consumers that is needed for valid business reasons, and give guidance 
as to the breadth of personal data that should be collected and when 
personal data should no longer be retained; and (4) direct that IDSA 
members take reasonable measures to assure the reliability of personal 
data they collect and take reasonable precautions to protect that data 
from loss, misuse, or alteration, and recommend that IDSA members take 
reasonable steps to assure that third parties to whom they transfer the 
personal data of consumers will provide sufficient protection to that 
personal data.
    As an industry which is both highly sensitive to our customer 
relationships, and which has a significant following among children, we 
spent considerable time crafting guidelines in the Access, Enforcement, 
and Children's areas. The result is that our guidelines in these areas, 
in some instances, go beyond recently enacted law and other voluntary 
approaches.
    For example, the IDSA guidelines with regard to access do not 
restrict consumer access to instances of ensuring data quality. 
Instead, they direct that IDSA members give consumers the opportunity 
for reasonable, appropriate access to personal identifying information 
about them that an IDSA member holds, and the opportunity to correct or 
amend that information when necessary.
    In the enforcement area, the IDSA guidelines create a detailed 
scheme for ensuring that IDSA members comply with their data privacy 
policies and provide appropriate means of recourse for consumers. They 
give explicit direction on internal mechanisms that should be followed, 
including establishment of clear procedures and specific time frames 
for resolution of complaints, identification and training of personnel 
that will ensure compliance and provide recourse to consumers, and 
appeals structures. IDSA members are also directed to create a system 
of incentives and/or sanctions, which might include bonuses, to 
encourage adherence to privacy policies. I believe that the vast 
majority of consumer complaints will be adequately and effectively 
addressed through these mechanisms.
    But, in order to provide consumers with additional confidence that 
they can rely on a privacy policy, the IDSA guidelines also establish 
two external mechanisms for ensuring member compliance with the IDSA 
guidelines. First, they direct the IDSA to make publicly accessible, 
both on its Web site and in its files, a report on the status of IDSA 
member adoption and implementation of privacy practices. After the May 
31, 1999 deadline for compliance, this status report will, among other 
things, identify the certification seal provider used by each member, 
include links to the privacy policies of IDSA members, and inform 
consumers how to access privacy practice compliance information about 
each IDSA member from the relevant seal provider.
    Second, the IDSA guidelines require that members utilize 
certification seals provided by third party entities. Such third party 
seal providers must be empowered to investigate and verify compliance 
with privacy policies, and to mediate or arbitrate consumer complaints. 
You are familiar with the BBB Online program, one prominent third party 
seal provider. In a few months, the Entertainment Software Ratings 
Board (ESRB) will launch its own seal program for entertainment 
software companies. Since 1994, the ESRB has been rating entertainment 
software titles for age and content appropriateness. Senators Kohl and 
Lieberman have called the ESRB the best and most credible entertainment 
ratings system in the U.S. More recently, the ESRB has begun rating 
entertainment software web sites along similar lines. In rating more 
than 5,000 products and web sites, the ESRB has developed a depth of 
ratings experience as well as terrific brand recognition and confidence 
among entertainment software consumers. The ESRB therefore decided it 
was a natural progression to build on that consumer trust by expanding 
into the privacy ratings arena. I'm sure the ESRB would be happy to 
share with this Committee details about its new seal service.
    The last area of the IDSA guidelines I would like to discuss are 
its rules regarding children. While 56 percent of video gamers and more 
than 70 percent of computer gamers are over 18, the IDSA recognizes 
that many children use our products, and that the online collection and 
use of personal data from children raises a different set of concerns 
than exist with adults. Therefore, the IDSA has adopted a more rigorous 
set of guidelines with respect to IDSA members that collect information 
from children.
    With respect to children age twelve and under, the IDSA guidelines 
mirror the recently enacted Children's Online Privacy Protection Act, 
but we go beyond the Act to create special rules with regards to 
children over twelve and under eighteen. If IDSA members engage in 
collection of personal information from these older children, the IDSA 
guidelines direct them to provide parents with notice of the collection 
and an opportunity to remove the information from the site's database.
    To date, sixteen IDSA members, who together accounted for almost 60 
percent of all games sold in the U.S. in 1998, have posted online 
privacy policies as required by the Guidelines or are in the process of 
doing so. IDSA is actively reaching out to others in the industry, and 
plans to meet face-to-face with the remaining members at our annual 
industry trade show next month. The IDSA also plans a series of 
regional seminars to help its members work through implementation 
issues.
    Once the IDSA adopted these guidelines in October 1998, the really 
tough work began. While drafting guidelines to cover companies of 
assorted sizes, resources, practices, business structures, and 
sensitivity was challenging, it is an even greater challenge to 
implement them. I tell you that based on real world experience. Think 
tanks, interest groups, government agencies, and congressional 
committees are laboratories; what might seem workable in the lab is not 
always practical outside of it.
    Acclaim has been actively trying to implement the IDSA guidelines 
for several months. If there is any one message I would like to leave 
you with today, it is that even modest rules on online collection and 
use of personal information often require fundamental changes in the 
ways companies do business and in their customer relationships. It is 
important to remember that for entertainment software companies this is 
an area vital, as folks in DC like to say, ``to our national 
interest.'' Anything we do which affects our interaction with customers 
is a significant business issue. As I noted earlier, our customers 
expect an ongoing relationship, and the effort to meet these 
expectations and protect their privacy is not an overnight process.
    In the last few months, Acclaim has conducted an internal review of 
our Web sites and the way they collect and use personal information 
from Web site visitors. We then worked with the IDSA to understand the 
guidelines and the changes we would have to make in our business 
practices to comply with the guidelines. We have posted a privacy 
policy on our Web site, and hope that the ESRB Privacy Program will 
soon be operational and thus able to review our policy and practices. 
If the ESRB requires further changes to our privacy policy and 
practices, we will have to devise ways to implement these changes.
    The privacy practices that Acclaim developed as a result of these 
efforts are, I think, pretty straightforward: we have opted to 
significantly limit how much information we collect on our Web site. We 
only collect and store email addresses and only do so in three 
circumstances: when a Web site visitor is subscribing to our 
Newsletter, downloading software, or ordering something from our online 
store. We make it clear that we may use these email addresses for a 
variety of internal marketing purposes, but will not sell or distribute 
these email addresses in any way to any outside person or organization. 
We do offer customers the ability to have Acclaim delete their email 
addresses from our databases by emailing our Webmaster with the word 
``remove'' in the subject header of the email. Finally, we expressly 
forbid children twelve and under from submitting information to us, and 
will implement whatever consent and notice procedures the Federal Trade 
Commission identifies as appropriate in regulations promulgated under 
the Children's Online Privacy Protection Act.
    As I stated, this ``simple'' Acclaim policy resulted from a very 
difficult process of figuring out how to apply the IDSA Guidelines to 
Acclaim. I will just to throw out a few scenarios to demonstrate the 
difficulties we faced when we tried to implement information collection 
and use limitations.
    The words ``provide reasonable, appropriate access'' seem simple. 
But what do they mean in practice? Suppose a consumer calls Acclaim in 
New York and asks for all information that all our operating units have 
on them? Acclaim New York and Iguana Salt Lake City have separate 
databases. Is it reasonable to give the consumer the information we 
have in New York and direct them to make other calls to ascertain the 
information held by other units? I'm sure the consumer would regard 
that as a nuisance. But the alternative would be for Acclaim to 
centralize all its databases. That is a very costly and complicated 
undertaking. Moreover, it raises privacy issues of its own since we 
would now have greater ability to develop profiles of individuals by 
aggregating all the data held by our individual companies.
    In the children's area, implementing the requirements for parental 
consent and notice are extremely difficult. For example, what does 
Acclaim do about the personal information it has collected from 
consumers for several years through offline registration of different 
products, such as our NFL Quarterback Club series? We collected 
information from registrants of NFL Quarterback Club '98 so that we 
might send them software bug fixes or information on the 1999 version. 
However, we never collected information on the age of these 
registrants, so now we are in a bind. What if some of these registrants 
are twelve and under? Are we breaking the new federal law, because we 
do not have parental consent to do so, by contacting them via email to 
inform them that their software is buggy? Alternatively, are we 
violating the IDSA guidelines by sending the same email to a seventeen-
year-old registrant because we do not send his parent notice of this 
contact? This could be solved by grandfathering in previous collected 
information, but for now it remains a troubling area of uncertainty.
    I mention these challenges not as an excuse for inaction, but a 
warning that what seems simple in principle can be devilishly 
complicated in reality. I believe IDSA's guidelines do protect consumer 
privacy while allowing entertainment software companies to maintain an 
interactive relationship with customers and to continue to experiment 
with business models on the Internet. But they may not be for everyone 
in the private sector. They are specifically crafted to meet the 
privacy expectations of entertainment software customers and the 
business needs of entertainment software companies. So our industry has 
made important strides toward protecting privacy. But my experience 
these last few months developing a privacy policy which works for 
Acclaim tells me that a `one size fits all' legislative or regulatory 
approach is a recipe for confusion. Industry self-regulation, while 
imperfect, is ultimately the best and swiftest way to protect consumer 
privacy on the Internet while allowing Internet creativity and 
experimentation to flourish. Thank you.

    The Chairman. This has been an extremely interesting panel. 
I have to momentarily go meet with the Russian foreign minister 
on a very important matter and so I may have to leave before I 
can finish my questions, but I am going to try and come back.
    Let me begin with you, Mr. Sheridan. It is no secret that 
the Internet provides a new, valuable medium for merchants, as 
they are able to use the network to collect personal 
information about consumers. Some of the obvious methods by 
which commercial Web sites collect personal information include 
online surveys, registration pages, contests, and application 
forms.
    However, it is my understanding that sites also collect 
personal information, using technologies that are not obvious 
to the particular Web surfer. There has been a lot of confusion 
as to exactly what some of these technologies are and how they 
work.
    Could you please explain to us what a, ``cookie,'' is and 
how it works?
    Mr. Sheridan. It is fattening.
    The Chairman. It is fattening.
    Mr. Sheridan. Well, a cookie, as Mr. Berman mentioned 
earlier, is not an evil thing in and of itself. When you go to 
a page and fill out a form and you have put in what you are 
interested in, and magically next time you reappear at that 
page your preferences are known on what kind of news you would 
like, what has been set there is some data about you and what 
you are interested in and that is a cookie, in a simple way.
    It is also used when you go to buy a book at one of the 
online bookstores, for example. It has your credit card, 
shipping and all kinds of other information, and the nice thing 
is you can click there and just buy the book. The potential 
downside is that information is being used to help you and 
sometimes it is not clear how it is being used once it is in 
the system.
    The Chairman. If I understand you correctly, basically, a 
cookie is the technology that extracts information without the 
consumer knowing about that information.
    Mr. Sheridan. Generally, the cookie is set through 
information gotten by the consumer. Of course, it could also 
just log the fact that you were there and your address, too. It 
is a two-edged sword.
    The Chairman. Does this allow the Web sites to track which 
pages a consumer views and for how long?
    Mr. Sheridan. Well, the cookie doesn't necessarily do that, 
but inside of their system, depending on the site, there are 
ways in which the user can be essentially followed. They would 
know what they had clicked on and what their preferences were, 
then use that often to recommend something positive, such as a 
recommendation for a book that they think you would be 
interested in, based on what you had clicked on.
    The Chairman. Is there technology available, or do Web 
browsers allow a consumer to set his or her computer to prevent 
cookies from being placed, or at the very least give the Web 
surfer notice before it is placed in the computer?
    Mr. Sheridan. Web browsers from early on in the development 
of this technology have allowed the user to turn off cookies or 
to ask for notification when one is being asked for.
    The Chairman. I see. I want to thank you for this because 
it is helpful in educating the public in two ways. First, by 
letting them know how information could be extracted from them 
and, second, by informing them that they do have the power to 
control how some of these technologies are used through the use 
of technologies that they may already have on their laptops. So 
I think that is important that we establish that.
    Mr. Sheridan. Yes, it is.
    The Chairman. Now, Ms. Borsecnik, as an Internet service 
provider and a portal, you may have an interesting perspective 
to add. Does AOL use cookies on its Web sites?
    Ms. Borsecnik. AOL does use cookies on its Web sites. We 
use cookies to identify whether a customer has been there 
before. What we do is we can personalize a page someone sees 
based on the fact of whether they have been there before. So, 
for example, the first time they come we may offer a degree of 
help, a degree of explanation about the site that is not 
required on subsequent visits, things like that.
    Our system automatically collects a lot of data, some of 
which is required for us to run our business and some of which 
isn't in a personally identified way. So when we collect data 
of where people go online, we store and use that data in a way 
that anonymizes it and doesn't allow for us to connect that 
data with a specific user and we review it in aggregate. So we 
may know, for example, that ``x'' number of people have visited 
the personal finance area, but we couldn't say that you were a 
visitor to the area that day.
    The Chairman. I see. Mr. Berman, I need to run and I am 
appreciative that Senator Thurmond is here to spell me off, but 
it appears that some uses of cookies are legitimate and help to 
create a more efficient Internet. However, it also seems that 
these cookies could be used by some bad actors for purposes 
that certainly would be suspect. Maybe you could shed some 
light on what some of these less desirable uses of cookies are 
and what type of Web operators use cookies in these improper 
manners.
    Mr. Berman. Well, it is very difficult to make a judgment 
like that. Anyone who is using information in a way which I did 
not consent to--I go to a site, I think I am just browsing. 
They collect information about me. Then they may have marketing 
information and they are selling something to me. I don't like 
it. So it is a relative judgment by the consumer.
    I think that you are onto the right answer, which is that 
consumers ought to know that a cookie is being placed, in other 
words that information is being collected. There are mechanisms 
now in the browser which allow you turn a cookie off. There is 
even more advanced technology, such as the P3P platform, which 
the World Wide Web Consortium is working on with other industry 
and privacy organizations which will allow you to set your 
browser and state your preferences about what you want 
collected or not collected about you, and that will help to 
turn a cookie off or keep you away from sites that are 
collecting that information. The consumer can be put into a 
position to know what is going on.
    The Chairman. Mr. Wladawsky-Berger.
    Mr. Wladawsky-Berger. Yes. If I may add, Mr. Chairman, I 
think that all of the self-regulation concepts have at their 
heart an empowered consumer, and that is why what we always 
want is three key principles--notification, choice and 
recourse.
    Notification means that the consumer, the person that you 
are interacting with, always knows what is happening, what 
information you are collecting, what it is going to be used 
for. Choice means that if they are happy that it will be used 
for good things, they are happy to let you have it; otherwise, 
if they don't know or choose for whatever reason not to give it 
to you. And recourse means that there is a way, if you feel 
that you have been wronged, to take recourse, like contact 
BBBOnLine or some other mechanism, or in some cases the Federal 
Trade Commission.
    So I think those are the key principles, and then within 
those principles there are a lot of technologies that can do a 
lot of good, but if misused, then they can be used wrongly.
    The Chairman. Well, thank you.
    Mr. Berger. I just wanted to add one point, which is the 
most difficult issue to resolve is the recourse issue. One, 
getting everyone to put those notices up and tell you what is 
happening with information, but with the millions and millions 
of Web sites and the new ones coming online, the self-
regulatory efforts that are going on are really important. And 
AOL and Microsoft are doing a good job in terms of trying to 
move along toward self-regulation. We do have to raise the 
issue of the bad actor and the small Web site and what the 
recourse is there. That is not clear, but it is not easy to 
write because the violations have to be spelled out.
    The Chairman. Senator Kohl, let's turn to you. I apologize 
to you that I have to leave for that meeting, and I am not sure 
I can get back. But if not, Senator Thurmond will finish the 
hearing. Thanks so much.
    Senator Kohl. Thank you, Senator Hatch. I have a single 
two-part question for the panel, starting with Ms. Borsecnik. 
Are you all worried that the worst actors in your industry, the 
people who do not respect privacy, will undermine your efforts 
at self-regulation, and that Congress will legislate on the 
basis of anecdote in a way that neither makes good sense nor 
good public policy? And if you are worried about this, doesn't 
it make sense to consider a commission which may preempt some 
of the worst legislation and, even better, bring together 
industry, government and privacy experts to establish a 
balanced approach to privacy protection?
    Ms. Borsecnik.
    Ms. Borsecnik. Do we worry about it? Yes. Privacy is a real 
concern to our customers; we hear it on a daily basis from 
them. And we do worry that there are bad apples out 
there,tentially, just like in the days when the Senator was 
talking about being afraid that criminals would use cars to get 
away from the scene of the crime.
    But we worry more about legislation activity that is too 
quick to put a stake in the ground at a time when--you have 
heard from us all that this is a nascent industry; things are 
moving so quickly. Maybe I am just a poor predictor, but at any 
point in time I have a hard time knowing what my business is 
going to look like in 6 months, much less 6 years.
    And not only is the technology moving so quickly, I have 
found that customers' demands are progressing along with it. So 
to take a snapshot at any point in time when the industry is in 
its infancy and say this is the right solution, this technology 
is the right solution, I think I worry that that will be viewed 
as short-sighted in retrospect.
    In terms of a commission, we believe that an open and 
public dialogue is an enormous help on this issue. Even 
incidents that have happened, I believe, in the end have helped 
the industry realize that more attention needs to be focused on 
it and have resulted in some of the activities you have heard 
about here today. So we are very much in support of that kind 
of dialogue, particularly in areas that need particular 
attention, like kids' privacy and health care and things like 
that. A one-size-fits-all solution is definitely something that 
we would be concerned about that could stymie our business.
    Senator Kohl. Mr. Sheridan.
    Mr. Sheridan. Well, to address the first part of your 
question, yes, I think we all worry about it, both 
individually, those with kids who have to deal with it 
everyday, and also because frankly it hurts our business if 
this trust is broken down.
    We believe that the right approach is one that does not try 
to do everything at once; again, as my colleague here had said, 
a snapshot in time. And the time frames on the Internet are 
very compressed; things happen very quickly. And what we would 
be concerned about is any piecemeal, in-time solution that 
doesn't take into account the fast-moving nature of the Silicon 
Valleys of this country, and there are many of them, which are 
really an American miracle of competitiveness, job creation and 
wealth creation. It would be our concern that that would be 
derailed by government intervention.
    On the second part of the issue, we would welcome an open, 
balanced approach that is structured to represent this 
position. And if that were to occur, I think we would support 
it.
    Mr. Wladawsky-Berger. Senator Kohl, I agree with my 
colleagues that the Internet and all the applications that it 
is helping bring about--it is too young, too complicated and 
too fast to know at this time what to regulate. It is just very 
hard when we don't have enough information because it has only 
really been around, in this explosive way it has taken off, for 
the last few years. And it feels like every month, something 
brand new happens. The fear we all have is we can regulate 
something now that 2 years from now will just look quaint. Why 
did we do that when technology went way beyond that, or the 
marketplace?
    Now, when things are moving so fast, definitely research 
and dialogue are more important than ever. Chairman Hatch 
mentioned when he introduced me that I am a member of the 
President's Information Advisory Technology Committee. We just 
submitted a report; it was just printed last week. And we 
recommended a doubling of IT research over the next 5 years, 
especially research on long-term strategic issues, and we 
called out specifically privacy issues as areas that should be 
aggressively funded because the more we understand the problem, 
the more we study it, the more we can then have the right 
approaches to getting privacy to happen. I think your idea of a 
commission is a very sound one. It is in the spirit of 
understanding and getting more information, and we would be 
very happy to work with you to see how best to make it happen.
    Senator Kohl. Mr. Berman.
    Mr. Berman. I certainly support the idea, particularly if 
it has a time frame and some very specific questions about 
remedies. The last privacy commission 20 years ago really did 
get out of the one-size-fits-all and looked at the particulars 
of different industries and the technology. In the absence of 
OTA and all of that background, this would be very helpful.
    In the CDA legislation on child decency, Congress passed a 
second statute. It is now being enjoined in the courts, and 
they added to that statute a commission to study the issue 
about what was the best way to do it. They passed the 
legislation before they finished their commission work. Now, 
the commission is going to start. I think the better way to do 
it is to have the commission and then pass the legislation. So 
that would get it right for once.
    Senator Kohl. Thank you. Mr. Bodoff.
    Mr. Bodoff. I think there is a variety of ways of answering 
that question, and let me take two approaches. First of all, 
when we deal with bad apples, the first concern always has to 
be companies who don't post any privacy notice at all. If we do 
our job correctly in the self-regulatory area and we get out 
there and we educate consumers to look for privacy policies, 
the marketplace is going to drive companies to put privacy 
notices on their Web sites.
    If a company has a privacy notice and violates it, through 
a self-regulation process and working closely with the Federal 
Trade Commission and other regulatory organizations, those can 
be acted upon as deceptive trade practices. But a lot of talk 
is on the bad apples, and in our extensive experience looking 
at the Internet, our greater challenge is a lot of the new, 
smaller businesses coming online that we wouldn't describe at 
all as bad apples, but they are coming online with lack of 
sophistication and experience of how to operate on the 
Internet.
    And it really is critical for business organizations to 
come together and educate these businesses on good practices 
because our experience is when we reach out to these companies, 
we have very, very good compliance with companies responding 
and wanting to do the right thing.
    Senator Kohl. Mr. Fischbach.
    Mr. Fischbach. Our business has really changed and will 
change dramatically over the next 4 to 5 years. I mean, we 
started writing software that was costing us $25,000, and some 
of the people in the back of the room probably played some of 
those games. But, today, we will spend anywhere between $3 and 
$6 million to write a title. We will spend over $100 million on 
R&D.
    The competitive nature of our industry--it is the fastest 
growing portion of the entertainment business--puts everybody 
up to a much higher standard and really does eliminate a lot of 
the bad apples just because they can't afford to compete or 
they can't afford to participate in the organization or the 
association.
    The industry itself is a relatively new industry. Our 
association is relatively new, but the steps that we have taken 
in order to self-regulate, I think, are to be looked at and 
commended. When it was asked by Congress whether we should 
create a rating system for our organization or not, as you 
know, Senator Kohl, we went ahead and did that, and we have 
done it very effectively and we have virtually 100 percent 
compliance within our industry.
    We have taken the same steps with respect to our Internet 
sites and our Internet activities. We do think it is an issue. 
We are being very proactive. The companies in our industry 
participate on one side from Sony, which is a multi-billion-
dollar company, to some very small companies. So the way that 
those rules will become enforced and how quickly we can have 
them adopted by our members may be different. It may not be 
quite as quick as Congress would like, but we are all moving in 
the right direction.
    Virtually all of the companies in our association that have 
any kind of public presence at all, whether they be public 
entities or just basically marketing their products to the 
public as a whole, have taken an aggressive action with respect 
to this. So I think with respect to our industry self-
regulation will work and has worked.
    Mr. Berman. May I just add to my comment?
    Senator Kohl. Mr. Berman.
    Mr. Berman. A commission should be tracking ongoing efforts 
to see whether they are effective. In other words, it should 
not be let's all stop and study this, because there are some 
very important efforts in technology and self-regulation, and 
even legislation at the State level that ought to be looked at 
in terms of whether they are effective, and if they are not, 
what are the alternatives, and report back to Congress and to 
the administration.
    Senator Kohl. Ms. Borsecnik.
    Ms. Borsecnik. One follow-up point is that represented here 
today are some of the more influential companies in the 
Internet industry. And as such, we have a great deal of 
responsibility and influence on other players. We have 
mentioned a couple programs today, including AOL's Certified 
Merchant program, IBM's advertising program, in which we have 
the ability to influence that sphere of business contacts and 
partners by only engaging in business contracts that require 
our business partners to follow our privacy policies or privacy 
policies of a standard set by BBBOnLine, or only allocate 
advertising dollars to those sites that agree to comply with 
that. I think that that is having an enormous impact, also, on 
the proliferation of privacy policy sites on the Web.
    Senator Kohl. Thank you all.
    Senator Thurmond [presiding]. Senator Leahy.
    Senator Leahy. Thank you, Mr. Chairman. One of the things I 
have been concerned about is the different privacy policies of 
different companies. I look at Web sites and while many various 
companies have policies, it gets kind of confusing because they 
are so different. Some sites reserve the right to change their 
policy, but only a few explicitly state that a change in policy 
will not affect what they have already gathered. And the fact 
that they may just suddenly change their mind is a little bit 
puzzling.
    I looked at one I have got here from Polaroid. It says, 
``we reserve the right to change this statement at any time'' 
on what they do. It says that they collect aggregate and user-
specific information on what pages consumers access or visit. I 
consider myself somewhat Web-savvy, and I am sure that the Web 
master finds this perfectly clear, but I am not quite sure what 
it is they are finding out. In any event, they say they can 
change that any time they want anyway, so it probably doesn't 
make any difference what it is they are finding out.
    In fact, I saw one, Purina, which goes on at great, great 
length about it. It is very specific, very legalistic. It looks 
like a corporate merger proposal. Then we have another one, 
though, that I do kind of like, Super Stats. They give you the 
legal line and then they put in parenthesis, ``translation: we 
don't see or give your info to jerks who want to send you a 
bunch of junk mail.'' That, I like. [Laughter.]
    You know, I am a lawyer, but that one I can understand and 
I think it is kind of nice.
    I am not suggesting we sit here and impose a uniform 
privacy policy, but how do we reduce the confusion for 
consumers without us standing up here and saying here is what 
it is going to be? I mean, how do you do it in such a way that 
I go from company A to company B, to a travel agency, to this, 
to that and the other thing, and have some idea what the 
consistency is?
    Mr. Wladawsky-Berger. Senator, that is one of the reasons 
to make it very simple for a potential customer to see the 
practices that we all support so strongly--the seal programs 
like BBBOnLine or TRUSTe. The hope is that when you go to a 
site and you see a seal program that you trust, it is like 
buying, let's say, an electric hair dryer, seeing that 
Underwriters Laboratory----
    Senator Leahy. I don't use a hair dryer with my hairline, 
but I understand what you are saying.
    Mr. Wladawsky-Berger [continuing]. Or some other electric 
appliance, and it has Underwriters Laboratory. They have a good 
reputation. At least a base level of good practices has been 
followed.
    Now, it is all very new. TRUSTe has been in operation about 
a year, 2 years now, and BBBOnLine just started. So we don't 
have enough information whether that will be enough. That is 
certainly the hope we have for the seal programs, to make life 
much easier.
    Senator Leahy. I have said this to your company up in 
Vermont: I feel, as I said earlier today, too, that good 
privacy policies are good business policies. I think what IBM 
did in your decision not to ship the Pentium III chip with the 
built-in serial number activated and in your decision not to 
advertise IBM on Web sites without posted privacy policies is 
very good and I hope that produces results. But I also hope 
that what it might do is be a kind of a corporate example that 
others will follow.
    Mr. Berman. Senator.
    Senator Leahy. Mr. Berman.
    Mr. Berman. I think that the seal programs are attempting 
to make some consistency across the Net in terms of 
expectations so that if it is a Good Housekeeping seal of 
approval or BBB, you will have some sense of what the 
parameters of those privacy policies are.
    We are very much in favor of a technology step, which is 
the development of what is called a Platform for Privacy 
Preferences, which would allow you, every consumer, to set what 
your preferences or your expectations of privacy are as you go 
shopping and going around the Net. And it will only go to sites 
that are consistent with your preferences. And if it is 
inconsistent with your preferences, that side would have to 
negotiate with you. If they want more information from you and 
you don't want to give it to them in your browser, they would 
have to explain what the big deal is and why they are giving it 
to you.
    I think that is absolutely essential because there is no 
way that the consumer is going to be able to read, let alone 
offline, but online, all of these policies. They need ways to 
make it seamless as part of their Web experience.
    Senator Leahy. Well, I know if I get my Internet through 
the phone company or the cable company, either under 47 U.S.C. 
Section 222 or Section 551, they have to give me a very clear 
understanding of how the information might be used. But if you 
are going outside that, AOL, for example, works very hard at 
protecting it, but that is still going to be a corporate 
policy, not a legal policy.
    Mr. Bodoff, you were trying to say something there. I mean, 
what I am saying is I want to know, if I have a certain 
expectation under one way of having it provided, how do I get a 
similar expectation under another one, because most people have 
an expectation of privacy and may not realize that it may vary 
considerably where they are.
    Mr. Bodoff. Well, I think one of the most important aspects 
of the program that we have just launched was the development, 
through the effort of many companies and privacy experts 
working together, of what we would call a series of best 
practices. In a sense, it is a road map, and any company who is 
applying for our seal and they go through their process, they 
have to evaluate their privacy policy against these best 
practices.
    So the issue that you started with, Senator Leahy, would be 
addressed in the criteria in our program. Each of the companies 
that have been approved to date in our program have had to make 
adjustments to the processes. So what is going to happen is as 
more and more companies go through these self-regulatory 
processes and match their own efforts against best practices 
that have been developed, we are going to see improvements in 
privacy policies throughout companies, and that is small, 
medium and large. And I think it is going to be very positive 
for the Internet and very positive for consumers.
    Senator Leahy. But are you saying that it should be done by 
policy and not by law?
    Mr. Bodoff. We are a self-regulation organization. We 
believe we have laid out models that have been developed in 
consensus environments that really point to excellent practices 
that should be included in a privacy policy, and we have given 
the road map for companies to follow.
    Senator Leahy. But the industry seemed to say they weren't 
good enough or fast enough last year when they supported the 
Children's Online Privacy Protection Act. They said we had to 
have a law. The Federal Trade Commission, I think, yesterday 
proposed the rules for implementing that new law which 
prohibits Web sites and online services from collecting, using 
or disclosing children's personal information.
    Why shouldn't industry support for the Children's Online 
Privacy Protection Act be taken as an admission that self-
regulation has serious limitations? Ms. Borsecnik.
    Ms. Borsecnik. I think there is an obvious and real concern 
about children that requires even more sensitivity, perhaps not 
the patience to wait as the policies evolve. Therefore, we were 
very supportive of those efforts in the area of children 
because there is just a certain extra added degree of concern 
that you need to apply to kids under the age of 18.
    In terms of the privacy seals----
    Senator Leahy. But let me just stop just for a moment. I do 
Internet chats almost once a week for the different schools 
around my State. I find it very exciting, especially when I see 
the quality of what the kids are asking, oftentimes better than 
the quality of some of the questions that we get in debate 
around here.
    But I have no way of knowing what their age is. I mean, the 
school will tell us when they come on, but I wouldn't know 
otherwise. I don't know whether they are under the age of 13 
and subject to the new law or not. I mean, how can you possibly 
do that?
    Ms. Borsecnik. How do we know that? Well, at AOL we 
encourage parents to set up separate accounts for kids that are 
set up specifically with controls in place for children that 
limit their ability to interact online in adult areas. And, in 
fact, that effort has been very successful. At this point, over 
75 percent of households with children in them that are AOL 
users use parental controls for their kids' accounts. So we 
have worked really aggressively in that area because we do 
believe that added care and protection is required for kids 
online, and added supervision.
    Senator Leahy. I cut you earlier in your answer.
    Ms. Borsecnik. I am sorry. I was referring back to the 
point someone made earlier about these Good Housekeeping-
equivalent seals. They are very helpful, we have found, among 
our members in helping convey that sense of security. What we 
found when we started looking at our privacy policy and 
rewriting it a year ago was we are throwing around terms that 
we assume other people are comfortable with, even things as 
simple as ``notice'' and ``choice.'' You know, we are drinking 
our own bath water.
    When you talk to customers, they want to know, are you 
giving out my phone number? Are you giving out my screen name? 
Are you following me around where I am going online? You know, 
really basic questions that anybody would be concerned about, 
and so we found that it is absolutely essential that privacy 
policies need to be stated in very plain English.
    Furthermore, they need to be available in an area that is 
easy to find online. When a customer first joins AOL, they see 
the privacy policy right when they are signing up to become a 
member and giving us their credit card. So everything that we 
can do and require our business partners to do that educates 
consumers at a really very basic level is necessary, and I 
believe the seal programs help in that regard, too.
    The Chairman. Mr. Berman.
    Mr. Berman. Senator, I think that the Child Protection Act, 
which we supported and worked on, and your mention of the Cable 
Act, is a very good example of what we are facing here. It 
would be great to just pass the Cable Act for the Internet, but 
as you know from the CDA experience, this is not just a cable 
network. It is very different. It is cable, television and 
everything all piled together. So trying to figure a one-size-
fits-all across the Internet is very difficult to do.
    What happened in the children's area is there was a clear 
set of concerns. It was an agreement on what was wrong, that it 
was inappropriate to collect that information on children. 
There was an effort to define what was a kid's site versus an 
adult site to hone in on that, and giving the FTC the 
flexibility to try and implement it in a way that balanced 
commerce, privacy and First Amendment rights. It had the 
element so that it was over-burdensome.
    I think that the real worry of Congress stepping in is not 
that they couldn't set the right rules, but that the privacy 
rhetoric and the demands could be counterproductive by passing 
an overall one-size-fits-all statute. I think that is the 
concern, not whether legislation ultimately is needed.
    Mr. Fischbach. In our industry, I mean we will move to 
electronic distribution of software. I mean, that is evident. 
In the next 4 to 5 years, 30 to 40 percent of our revenues will 
come from electronic distribution. Our consumer expects us to 
talk to him, whether he be 12 or he be 24 or he be 36. And 
unless he tells us what his age is, we won't know that.
    But we have a real issue with how to communicate, how to 
give him patches, how to tell him how to handle certain issues, 
because they will come and they will talk to us on the 
Internet. We have a Web master that goes back and forth. You 
can come to the site and you can find out about the products 
that we have or about the forthcoming products. We will 
sometimes send a notice and we will announce new products to 
him.
    But the basic information we are collecting is just an e-
mail address, at most, and very, very limited use of it. But it 
does create a question of how we deal with the child under 12. 
And I think in our industry, about 30 percent of the software 
is sold to children under 12 years old, and the balance is sold 
to adults or those over 12. So it is a real issue for us, and 
not one that I think legislation----
    Senator Leahy. It is also one where parents have got to 
start paying a lot more attention. You can't just simply say 
the companies and the Congress are going to do it. I mean, 
parents are going to start spending some time in finding what 
their kids are looking at off the computer, where they are 
going and how they are doing it.
    Mr. Fischbach. And we came together as an industry and we 
spent about 6 months trying to hammer out a policy that we have 
agreed to as an association, and then giving that policy to 
another board to enforce what works with the seal. So there is 
a check and a balance that exists within the system, with 
penalties that go along with it, and a way for people to become 
notified if a particular company isn't following the particular 
protocols.
    The Chairman. Thank you.
    Senator Thurmond.
    Senator Thurmond. Thank you, Mr. Chairman. I am pleased 
that we are holding this important hearing today on privacy and 
the Internet. I commend Senator Hatch for his leadership in 
this matter.
    Consumers are concerned about privacy. A Business Week 
magazine poll has said privacy is a major reason many consumers 
who are not using the Internet have stayed off. Therefore, this 
is an important issue. At the same time, I am concerned about 
government regulation being the solution. I am pleased that we 
have many industry representatives here to discuss their 
efforts to advance Internet privacy. I share the view of 
Senator Hatch that self-regulation is better than a detailed 
legislation mandate, and I am glad to have all of you with us 
today.
    Now, I have a question I would like to ask, and any one of 
you can answer it if you want to volunteer. When we talk about 
Internet privacy, there are a number of different consumer 
concerns that people talk about. We hear that consumers are 
concerned about the collection of personal data and that this 
affects their participation in electronic commerce.
    Based on the information you receive from your customers, 
and based on your experience in this business, I would like to 
hear from you what you believe to be some of the leading 
privacy concerns of consumers. What is it that consumers are 
concerned about that is keeping them off the Internet?
    Let's start with you, Mr. Fischbach, I think, and I would 
like to hear from any of you that care to express yourselves.
    Mr. Fischbach. I think the principal concern of the 
consumer is how is the information used; what do you know about 
me, and how can I stop you from using it from time to time if I 
don't want you to use it. In that regard, we have been pretty 
proactive in explaining to the consumer how we use the little 
information that we collect and how he can take his information 
off our list and how we clean our list from time to time so 
that we can basically deal with his issues.
    Senator Thurmond. Does anybody else care to comment?
    Ms. Borsecnik. I would like to comment. Our customers tell 
us three major concerns, as well as others, but the three major 
ones are, first of all, I am concerned about the security of my 
data online. One of the obstacles to e-commerce is concern 
about whether or not, when I enter my credit card and transmit 
it across this unknown network, whether it is safe and secure. 
And our customers tend to associate those security issues and 
privacy issues all together. To them, it is just one sort of 
vague concern.
    The second area we get a lot of concern about is are you 
tracking where I go and what I do online. Specifically, it is 
none of your business whether I am researching some health care 
issue for my family. So there is a lot of sensitivity there.
    And then, finally, the question we get a lot is what of 
this information do you share with anyone else. As our members 
establish a business relationship with us, they know and agree 
that certain information we collect we need to use for business 
purposes. We need their credit card information, we need their 
mailing information. But they are very concerned about our 
practices in regard to how we share that with third parties, 
whether they be private industry or the government. So those 
are issues that we address very specifically in our privacy 
policy and give our customers choices about opting out of.
    Senator Thurmond. With all the recent media attention to 
online privacy, many groups are advocating that we develop 
legislation imposing privacy standards for the Internet. In 
your written testimonies, most of you believe that broad 
Federal legislation to regulate the Internet at this time is 
premature.
    As someone who has been dealing with both the policy and 
business implications of privacy in the real world, can you 
tell us what problems would occur if broad Government 
regulation were imposed for privacy on the Internet? I call for 
a volunteer. Go ahead.
    Mr. Wladawsky-Berger. Senator Thurmond, the biggest concern 
we have is that it would make it very cumbersome especially for 
the smaller businesses we all have a hope to attract into the 
networked economy to get on. The larger companies--IBM, AOL and 
others--could adapt to it, and we can afford the expenses of 
what it takes.
    But for all of us, the biggest promise of this information 
revolution is reaching out, connecting everything, reaching 
everybody, businesses of all sizes. And we want to make it as 
easy for the businesses to get on and participate. As one of my 
colleagues at the table said before, the vast majority of small 
businesses want to do the right thing. They just don't know 
because they haven't used these technologies before. And we 
worry that if we have excessive regulation at this time, before 
we know what is needed, it will detract quite a number of them 
and that will not be good for them.
    Senator Thurmond. Mr. Berman, do you want to comment?
    Mr. Berman. Yes. I think that on one extreme is self-
regulation will solve this whole problem. That is just not 
going to happen. On the other side is there is something called 
excessive legislation, and I think that I would agree with you. 
You were talking about the European model of a big data 
protection board sitting on top of the Internet.
    But I also think that it is possible, and it is not a one-
size-fits all. But within those parameters, there is something 
less than excessive legislation and more than self-regulation 
which Congress ought to look at it, which is to try and figure 
out what the differences are between the different sectors on 
the Internet, create safe harbors there, create remedies that 
work, bring that down to concreteness. That is not an 
impossible task; it is absolutely an essential task that 
Congress do it and move.
    And I think that the IBM's and the AOL's and the IDSA's 
will be the flagship and set, I think, the good safe harbor 
standards about what is good behavior on the Net. But for the 
millions of Web sites that are not going to comply with 
BBBOnLine, are not going to join any seal program, have no 
incentive to do privacy, I think public policy requires that 
Congress address that issue.
    Senator Thurmond. Thank you.
    Ms. Borsecnik. One other point. We keep referring to the 
Internet industry, and the truth of the matter is the Internet 
is not an industry. The Internet is a medium and the Internet 
touches every single industry. So when you think of it that 
way, everything from A to Z--the travel industry, the personal 
finance industry--you know, every piece of commerce, every 
business is moving online in one way or another. It gives a 
good perspective of the complexity of regulating an environment 
in which clearly one size can't fit all.
    Mr. Sheridan. From our point of view, the issue is how is 
it that it is not immediately out of date in something that is 
moving this fast. The Government isn't known for its own speed, 
and our concern would be that a proper balance would absolutely 
have to be struck. And our concern is it is a snapshot in time 
again.
    And the other one is just plain old confusion; it would be 
a different kind of confusion. How do we avoid confusing people 
additionally with a great deal of new regulations? That would 
be another one of our concerns. How does this not turn into a 
mess and a slippery slope if we do this and then all kinds of 
regulations follow and build on it, because once it is written 
in, it is very unlikely to ever go out.
    Senator Thurmond. Thank you.
    Mr. Berman. May I respond to that?
    Senator Thurmond. Mr. Berman, did you want to say 
something?
    Mr. Berman. I just want to respond to that. I think that, 
yes, there are very serious concerns that you could, you know, 
bollux up the Internet, and my organization shares those 
concerns. And a rule could be obsolete tomorrow, but there is 
no reason why you cannot have the flexibility to try and figure 
out a process which recognizes the flexibility, the changing 
nature of the Internet, and tries to get going on these 
problems.
    I think that one of the confusions out there now is that no 
one knows what the rules are, whether they are simple or 
complex. And I think that consumers are staying off the 
Internet because they don't know whether there is any privacy 
out there, and there are a lot of companies that don't know 
what their liability or exposure is, or what is coming down the 
pike. So it is very difficult to plan for privacy. Getting some 
simple rules and simple remedies, not complex and excessive, 
might help the Internet so that it would know where it is.
    Senator Thurmond. Mr. Fischbach, in your testimony you 
address some practical problems with implementing effective 
privacy practices. I think it would be very helpful to us as 
policymakers if you could share with us some specific examples 
of the problems that have occurred.
    Mr. Fischbach. Well, databases are probably the easiest one 
to point a finger at. In terms of where we have collected 
information in the past, we have been in business for a dozen 
years or so and we have collected information from our 
consumers based on registration and warranty cards that we 
compile on a database and from time to time sift through. We 
also have operated several different sites from time to time 
where we collected information from consumers, for whatever the 
reasons were, that would talk to us.
    When it came to the question of how we deal with the term 
``access'' and how we define what we are supposed to do with 
the consumer who comes to us and says, OK, I would like to know 
what kind of information sits in your database about myself, 
does that mean as a company that we have to go through the 
simple record of the site that we now operate and say, OK, we 
can sift through that pretty quickly?
    Does it mean that we have to go through the other databases 
that we kept and say, OK, now we have to collect that 
information to find out what we know about you? Or do we go 
even to a third place where we have collected these warranty 
cards from our consumers who registered with us for products? 
And we ship about 15 million boxes a year, so we have lots of 
cards that we have been dealing with over the last 12 years or 
so.
    And the question is how do we interpret that. We 
interpreted that language to say that we would use reasonable 
efforts to come back and provide whatever information the 
consumer was asking for to tell him what we knew about him that 
sat in our database.
    Senator Thurmond. Mr. Bodoff, some----
    Mr. Bodoff. Well, I probably could share some of these--I 
am sorry.
    Senator Thurmond. I just started to ask another question. 
Did you want to comment on this?
    Mr. Bodoff. The only thing I was going to add to that from 
our experience and in the development of our process and 
hearing many companies going through it is that having the 
opportunity to revisit and look at what is identified as good 
practices, large companies with multiple divisions are finding 
surprises. That is going to happen. The positive thing is 
moving to address them. Having information being maintained on 
a Web site by a lot of different business units, it has to 
filter down to these large, diversified organizations. So as 
they move to improve their privacy policies, I think 
organizations are finding challenges in front of them, and the 
positive thing is the way that they are responding to them.
    Senator Thurmond. Mr. Bodoff, some of the witnesses have 
noted the industry seal programs, such as BBBOnLine and TRUSTe, 
to address self-enforcement. Can you explain how BBBOnLine 
works and how BBBOnLine is different from other seal programs?
    Mr. Bodoff. Well, as I mentioned earlier in my testimony, 
we have an 86-year history in self-regulatory activities. Our 
program, we believe, goes much further than any other privacy 
seal effort on the Internet. It is extremely comprehensive in 
that it does not look at just the privacy notice. It looks at 
the entire information practices within the company and it 
evaluates whether the company has the processes in place to be 
able to live by the privacy notice. And that is very, very 
important because that is where we are getting feedback from 
the companies.
    Now, when they are asked to measure their processes against 
the policy statements that they are making is where the rubber 
hits the road and when they really realize whether indeed they 
do have the processes in place. So I think it is the 
comprehensiveness, the way our program has been described, the 
name recognition. One of the things that we bring to the table 
is very quick public confidence levels in a seal associated 
with the Better Business Bureau name because of the public 
trust level associated with our organization.
    Senator Thurmond. I now have to leave for another 
engagement. I wish to thank all of you people for coming here 
and testifying and giving us the benefit of your good advice.
    I thank you, Senator Hatch, for the good job you are doing.
    The Chairman. Thank you, Senator Thurmond.
    Senator Schumer.
    Senator Schumer. Thank you very much, Mr. Chairman, and 
thank you for having these timely hearings. I think it is so 
good that we are having hearings before any proposals are 
before us on an important issue. I am new to this issue and am 
glad we are also trying to make it a good, strong judiciary 
issue.
    So I have some questions, I guess. My first question deals 
with my experience with privacy issues and with other kinds of 
issues in the House. And one of you mentioned this, but no one 
focuses on it. Usually, when government is importuned to act, 
it is because there are bad actors. There are not the IBM's or 
the AOL's, but others who do things that horrify people. And 
sure as we are sitting here, there are going to be bad actors 
who do something. They will sell private medical records that 
they get hold of or something like that.
    What do any of you suggest we do, just say, well, you know, 
relying on the marketplace? That won't work. These are market-
driven decisions. Self-regulation? That doesn't work. By 
definition, a bad actor doesn't submit to self or industry 
regulation. How do we deal with bad actors, and if we don't 
deal with them, isn't it likely that they will just grow and 
grow and grow, and actually hurt you folks who are trying to 
do--I respected the statements that everyone has done here 
because you are trying to do the best work.
    So that, to me, is the fundamental question here, not the 
95 percent of those involved who would find a balance. Left to 
your own devices, you will find a balance between freedom of 
speech and privacy rights, but there are some who won't.
    Yes, the gentleman from IBM.
    Mr. Wladawsky-Berger. Senator Schumer, first of all, as my 
colleague from AOL said before, the Internet is a medium, and 
it is a wonderful, mysterious, very flexible medium. But what 
is happening more and more is that the technology is now 
disappearing into the woodwork and enabling lots of 
applications.
    Now, for a lot of bad things that would happen on the 
Internet, there are probably already laws to handle those bad 
things because people are doing things over the Internet that 
have been done for many, many years. And so one thing for sure 
is to have a good understanding whether existing practices 
protect that, and if so, apply those protections. And then when 
they don't, then one can look at incremental changes to the 
protection. So I would say that is point No. 1.
    Senator Schumer. If I might, I agree with you, and 
certainly in an ideal world you could apply the--the Internet 
basically just speeds information up.
    Mr. Wladawsky-Berger. Right.
    Senator Schumer. It doesn't change the transaction of 
information. However, because things are so quick, there are 
detection problems; there are problems that are different than 
non-Internet problems, in actuality.
    Go ahead.
    Mr. Wladawsky-Berger. I agree totally with you. It is not 
identical; it is an extension. I mean, the reason it has 
exploded in the marketplace, and the reason there is so much 
activity is that it is such a phenomenal extension. But for 
lots of problems, there are probably already recourses. That is 
the only point we should understand.
    I think point No. 2 is I would say that massive education 
is needed so that consumers, businesses, everybody knows sort 
of the rules of the road. This is what is expected, this is 
what you should do, this is what shouldn't happen. And we are 
all pretty comfortable that the more education there is, the 
better things will get. Maybe it is a little bit naive, but we 
have seen already----
    Senator Schumer. The more education, the better the good 
people can be and the worse the bad people can be.
    Mr. Wladawsky-Berger. I realize that, but lots of things 
can happen also if consumers realize this is what you should 
expect from Web sites you deal with. So it is not just that 
there won't be bad Web sites, it is that the invisible hand in 
the sense of they lose all their customers will take care of 
that.
    And then when that doesn't work, then we are not against 
legislation. We are not against the Government acting. We are 
saying let's not do it on a broad basis; let's do it for highly 
targeted problems when we find them. And protection of minors, 
protection of very sensitive information like medical records, 
might be in that category where we do need legislation. And 
when we find those highly targeted categories, by all means we 
should take action.
    Senator Schumer. Yes, Mr. Berman.
    Mr. Berman. There is a lot of truth in what he says. We 
have a very weak privacy regime for data in this country. We 
talk about privacy, but it is pretty thin in terms of 
legislation. There is no medical privacy. There is higher 
protection for video records than for medical records, and 
higher for video records than financial records.
    So there is a whole set of sectors where we have stopped 
doing any work or haven't been able to break the logjam between 
the different sides which need to be resolved because that 
information is moving on the Internet. So there are specific 
problems that need to be resolved.
    I think the difficult issue, and I think it is worth 
working on, is what are the remedies for violations in the 
commercial transaction world. When I talk about medical records 
and the big database, I understand someone ought to go to jail 
for that. There is a problem when you get down to when L.L. 
Bean takes--and forget their name--without my permission, gives 
my name and my address to REA, and they did it intentionally. 
There is a harm there, but what is it, and what do we impose on 
REA?
    If we don't figure that out and make it clear and specific 
and proportional, a lot of little companies aren't going to go 
into business. IBM can figure that out and go to court, but the 
vagueness, due process, and First Amendment issues that are 
raised by privacy remedies have not been addressed.
    Senator Schumer. I agree with you. I mean, we have had this 
in credit cards in the Banking Committee and we still haven't 
come to a good solution. But in reference to what Mr. Wladawsky 
said, you are right, we haven't come to this, but the 
Internet--I mean, hospital records; 20 years ago, the damage 
that would occur to your privacy would be maybe if someone who 
had access to those records gave them to a friend and somehow 
you heard about it. When it happens, the damage is limited and 
it doesn't happen that often.
    With the Internet, the chances of those records being 
spread to everyone in the world is much greater. That is the 
quantum difference here, which is a serious difference, and 
that is why we are having these hearings and we never had 
hearings on these privacy issues before.
    Yes, Mr. Sheridan.
    Mr. Sheridan. I think the context is what we are talking 
about. The Internet is in many places simply replacing certain 
processes, and there is no real protection for medical 
information bureaus for what they do. And they have been 
selling our information, and it may be even worse than not 
having it in the Internet because at least on the Internet, I 
am on that network. Before, there was a network between the 
insurance company who is checking my application for health 
insurance or life insurance and I have no idea what is going 
on.
    So what I am trying to say is this is in the context of the 
Internet is an attractive target for it, but it is actually a 
much broader problem than that.
    Senator Schumer. It is, but the Internet is bringing it to 
a head. That is the bottom line here, and I still think we are 
going to have to figure out, whether we do anything or not, 
some way to deal with bad actors. It may be as simple as what 
Mr. Berman said, increased penalties for those who do. Maybe 
there needs to be a greater prophylactic measure. I don't know. 
I am just getting into this. All I can tell you is I think the 
problem is not going to go away. I think it is going to get 
worse because the bad actors have more clout and more ability 
to do things, and we have to deal with it.
    I just had one other question. Did you want to say 
something, Ms. Borsecnik?
    Ms. Borsecnik. The only other comment I would add to that 
is they are also more highly visible and more exposed in this 
medium, which is a good thing for everyone. I think an enormous 
amount of attention is paid when these things happen. So I 
think rather than them proliferating like mushrooms in the dark 
somewhere, they will be further exposed in our industry because 
it is so open.
    Senator Schumer. Yes, and you will have a greater--I mean, 
there is a privacy issue and there is an accuracy issue, and 
the accuracy issue will--as I think Mr. Sheridan mentioned, 
that will be better because it will be out in the open, as you 
say. But the privacy issue is still one that hasn't been dealt 
with.
    Mr. Sheridan. It is like Mr. Berman is saying that there is 
a very fine line between our other freedoms.
    Mr. Berman. One point. We have worked on privacy issues 
before, particularly the law enforcement and privacy balance.
    Senator Schumer. Yes.
    Mr. Berman. And I said at the start of my testimony that 
Senator Leahy's effort to look at the Fourth Amendment issues 
on the Net are incredibly important because these companies are 
creating new kinds of data that make the Monica Lewinsky book 
purchase subpoena a piece of cake; I mean, just incredibly 
sensitive data being put away from your home and on the 
Internet. And we have got to figure out the standards of access 
for that for government agencies as against----
    Senator Schumer. This is one other point that I would like 
to make, a separate point, as somebody who is not as proficient 
as my children on this, but I am sort of learning. So I usually 
late at night read a national publication on the Internet, and 
I was wondering why they did it because I don't have to buy it 
the next day. And, you know, they got smart and last week they 
changed the whole system where you can only read parts of it 
now.
    But they also made me register and they just said, you 
know, they wanted my name and all that, but they wanted my 
phone number. Well, I didn't want to give them my phone number 
to get this, only because I wanted to make sure that they 
wouldn't give it to 30 people who would keep interrupting us at 
dinner.
    And I, who is probably middle-level proficient, but 
assuming from everything you say that everyone is going to be 
using this service, so I will probably move to a higher-level 
of proficiency over the next few years--I couldn't find out 
what they were going to use my phone number for. I punched 
around, I went to ``Help,'' I did everything I could. I could 
not find out why they wanted to use my phone number, so I 
didn't register.
    So there is a long way even on the things--forgetting the 
bad actor for a minute, this related to what you said, Ms. 
Borsecnik, that those of us who are not as proficient as you 
have very sort of elementary questions that for a semi-literate 
person in this area is very hard to figure out the answers to.
    Ms. Borsecnik. And you didn't register and they lost a 
customer, so they are going to realize that pretty quickly that 
they are losing people.
    Senator Schumer. But they have no idea why I didn't 
register.
    Ms. Borsecnik. Well, it will become obvious.
    Mr. Berman. Yes, they will figure it out.
    Senator Schumer. They will?
    Ms. Borsecnik. Oh, yes.
    The Chairman. Or you can type in 11111.
    Senator Schumer. Well, you know what? I thought about that. 
[Laughter.]
    I thought of doing 1234567, and then I said, well, you 
know, maybe I better check if I am violating some kind of rule 
or something like that. [Laughter.]
    The Chairman. Well, that is why I said 11111, because some 
poor slob could have that 1234567.
    Senator Schumer. That is true, that is true. Good point. 
You know what, Mr. Chairman? This is a pretty good political 
opportunity.
    Mr. Berman. It might have been his phone number.
    Senator Schumer. I would never do that to my Chairman, for 
whom I have tremendous esteem and respect.
    Mr. Sheridan. We are actually developing a product that 
will, if you choose to as your own personal policy, fill that 
in with random information that will appear correct, and it 
will be different every time.
    Senator Schumer. Ms. Borsecnik wasn't so happy with that 
idea. [Laughter.]
    Well, Mr. Sheridan, if you want to establish a branch 
office in New York that has 80 or 90 people to do that, I would 
be all for it.
    Mr. Sheridan. We have quite a few people in New York.
    Senator Schumer. Anyway, please.
    Ms. Borsecnik. My point was my view is that companies 
shouldn't be collecting information that is not necessary to 
run their business, or they should make it very obvious what is 
optional, what is not optional, and how you can exercise choice 
about how that information is used.
    Senator Schumer. By the way, I wouldn't have even minded if 
this company wanted my phone number to solicit me for them. But 
I was worried they would sell it to somebody or to a lot of 
somebodys.
    Ms. Borsecnik. Right.
    Senator Schumer. Thank you, Mr. Chairman.
    The Chairman. You are welcome.
    Senator Feinstein.
    Senator Feinstein. Thank you very much, Mr. Chairman. My 
concerns, in a sense, parallel Senator Schumer's. I, like him, 
am somewhat a newcomer to the Internet. I am the proud 
possessor of a new Think Pad which I enjoy very much.
    Mr. Wladawsky-Berger. Thank you.
    Senator Feinstein. You are welcome. [Laughter.]
    However, I have watched this privacy issue two-fold. The 
first has to do with the giving out of personal financial and 
medical information, some of it the most intimate details. And 
I have noticed then people begin to bring it in the public 
arena, and slowly the industry begins to respond by some form 
of self-regulation.
    I also have concerns on the other element of privacy and, 
of course, that is the pedophile looking for a victim. That is 
the drug cartel using highly encrypted computer technology to 
conspire to move tons of cocaine into this country, and that is 
the terrorist, as we found in the Philippines, using the 
privacy that encryption provides to conspire to blow up 
airliners.
    I am as heartened by anything, frankly, as Mr. Berman's 
comments this morning that the industry is beginning to realize 
that it has to be more vigilant with respect to self-
regulation. I mean, I know of no excessive legislation being 
proposed anywhere, certainly in this body, with respect to 
regulation. I do, however, think the jury is out with respect 
to self-regulation. And there are many of us with respect to 
children and crime that are really watching very carefully.
    I, for example, will look to see where the youngsters from 
the incident yesterday in Denver got the information to put 
together the 30 explosive devices that they put at that school 
and whether it came, in fact, from the Terrorist Handbook, 
something that I have been trying to get off the Internet for 5 
years now. It gets passed in the Senate and it gets deleted in 
the conference. So I have a little bit of frustration when I 
see somebody advertising, if you want to learn how to build a 
bomb that is bigger than the one at Oklahoma City, just read 
this.
    There was a cartoon in a California newspaper that showed a 
mother talking on the phone to a friend who said, I am so 
pleased with Johnny, he is learning so much from the Internet. 
And there is Johnny over at his computer stringing together 
sticks of dynamite. And so I only say that because it is a 
problem out there and children have blown themselves up, and I 
have enough testimony to know that that is an accurate 
statement.
    The question is really what we do about the abuses. Now, I 
am not talking about the companies, but the real abuses. And I 
would be interested, Mr. Berman, if you would be willing to 
expand a little bit on your comments in this direction.
    Mr. Berman. Well, it depends on the case we are dealing 
with. Certainly, in the real abuses, the pedophile, the people 
collecting information from children, and even the marketer 
who, under false pretenses, collects information and sells it, 
to my detriment, there needs to be a set of penalties, both 
civil and criminal, that make it clear that that is 
unacceptable behavior.
    Senator Feinstein. Is your organization willing to work in 
this direction?
    Mr. Berman. Absolutely.
    Senator Feinstein. I would like to work with you.
    Mr. Berman. As you know, we have had a debate about where 
to draw these lines, and I just got appointed by Senator 
Daschle, for good or for evil, to the COPA commission to again 
look at the issue of indecent communications on the Internet 
and what to do about that. I want to try and find solutions to 
keep that information away from children, but to try and do it 
consistent with this technology and the First Amendment.
    Two times I have said to the Congress I agree with your 
goals, but it is not going to work legally, so why don't we 
work a little more closely together to try and fine-tune this? 
And I think that solutions are possible, both in the First 
Amendment area and the privacy area, but it requires everyone 
taking a deep breath both on the privacy front and the law 
enforcement front, and even on the pornography front, and 
saying these are hard questions. We know it when we see it, but 
someone's Spam is someone else's First Amendment leaflet. How 
do we sit down and craft remedies? I am glad to work on that. 
It is just not a fast train.
    Senator Feinstein. It is very interesting. As a newcomer to 
this, I am so amazed by the power of it and the speed with 
which the technology is improving. I mean, just to keep up, I 
have had to buy two new computers in 4 years. Things change so 
fast.
    And I think none of us want to impinge on the First 
Amendment. On the other hand, one of the things I have been 
very concerned about is drugs coming into this country, and 
cocaine literally coming in by the ton and the inability to do 
anything about it. And we are told constantly that intelligence 
intercepts are way down because the telephone isn't being used 
anymore. Therefore, they can't get court orders to tap a phone 
because the phone isn't being used. But another vehicle is 
being used, and that, of course, is the computer. So how we get 
at this to prevent these kinds of major conspiracies also I 
think is something I would like very much to work on. I don't 
know the answers.
    Mr. Berman. Well, my experience has been that whether it is 
passing the Foreign Intelligence Surveillance Act or the 
Electronics Communications Act--that tells how long I have been 
around here--in all of these statutes, where law enforcement 
issues and privacy issues have been on the table, it ultimately 
requires some consensus and tradeoffs on both sides.
    Law enforcement may need ``A'' and clarification of its 
authority to do something, but at the same time Congress needs 
to be looking at the need for adjustments on the privacy side 
so that there is an increase in privacy as well as law 
enforcement and national security. Every time you have been 
able to find that kind of balance so that everyone has 
something to gain from it, you have a chance to craft 
meaningful legislation.
    Senator Feinstein. I am really heartened to hear that. Your 
testimony today, for me, was a major step forward from what I 
have been hearing for the last 6 years, and I just want to 
thank you and commend you for it.
    If anybody has any other comments to make on that, I would 
like to hear them, but I would like to ask Ms. Borsecnik 
something about your written statement just very quickly. You 
implied that AOL doesn't read private online communications, 
but you said that you carefully monitor your children's chat 
rooms and message boards.
    Ms. Borsecnik. Right.
    Senator Feinstein. How do you do this?
    Ms. Borsecnik. Well, there is a difference between private 
and public communications online. Private communications are e-
mail and instant messages. They are one-to-one. They are sent 
in privacy. There are also public areas online. Chat rooms are 
public areas and message board areas are public areas. That is 
very clear to users.
    In our policies, we set forth our policy, as you 
reiterated, on private communication. We also say that we hold 
our members to a certain conduct standard online, particularly 
in the areas that are targeted at kids and teens, and that we 
monitor what goes on in that area. Typically, the kind of 
transgressions we act against are your pretty typical profanity 
or threatening other members, the things that go on just sort 
of on a normal basis among----
    Senator Feinstein. Do you send this to all members?
    Ms. Borsecnik. Members review that all----
    Senator Feinstein. You have never sent it to me. I am a 
member.
    Ms. Borsecnik. When you first registered with America 
Online and we talked to you about what we call our terms of 
service, that information is included in that. And you are 
required as part of the registration process to click a button 
that said I have read this and I agree to the terms of service.
    Senator Feinstein. I never did.
    Ms. Borsecnik. It is also available online in a number of 
places where you can find it easily. I can send you a link or 
whatever. But, clearly, ensuring that people are aware of what 
those policies are is important for a variety of reasons, not 
the least of which is ensuring an enjoyable experience online, 
not only a safe and privacy-secure one, but an enjoyable 
experience for the rest of our customers.
    So we have rules of the road just like any other community, 
and in an online environment it is a little harder to convey 
what those rules are because people are anonymous. You wouldn't 
tend to stand up in a public forum and be profane. In an online 
environment where there is anonymity, we take extra efforts to 
explain to people what those community guidelines are. And that 
is even more true in the public arenas, as you mention, but we 
do have strict policies against private arenas, which are e-
mail, for example.
    Senator Feinstein. Could you send me some of that 
information that everybody gets? I would love to see it.
    The Chairman. I wouldn't mind receiving it, also.
    Ms. Borsecnik. I will send it to all of you.
    Senator Feinstein. Thank you.
    The Chairman. That would be great.
    Senator Feinstein. Thank you very much. Let me just ask one 
other question about children. I think we all agree that 
children present certain distinctive privacy issues due to 
their greater vulnerability. So I think it follows that 
children should be treated differently by Web sites operators 
and online service providers. The tricky issue, I think, is how 
do you determine when one actually is a child and when one 
isn't a child.
    I would be interested in hearing from each of you as to how 
a Web site operator or an online service provider could go 
about determining whether an individual is really a child or 
not.
    Ms. Borsecnik. I will answer that first. It is a little 
easier for AOL because to use AOL, you become a member. You 
need to use a credit card to become a member, and so it is not 
typical for children to have credit cards. We make it very 
clear in the registration process that to register as a member, 
you need to have a credit card and you need to be 18 years or 
older.
    Then, furthermore, we very aggressively encourage parents 
with children in the household to set up separate screen names 
for those children and designate them in certain age categories 
so that we can block certain functionality or areas on the 
Internet or our service from those kids.
    Senator Feinstein. Could you send me that information as 
well?
    Ms. Borsecnik. Yes, that will all be included and it is all 
explained in that document.
    Senator Feinstein. Thanks. I appreciate it. Thank you. 
Anybody else on that? Yes, sir.
    Mr. Fischbach. We are in the video game business and it is 
a real, ever-present question to us as to how we determine who 
a child is because it is certainly easy for them to say that 
they are not a child, or they just come onto the site and look 
around or they drop their e-mail address.
    The guidelines that we have chosen to follow are pretty 
clear in terms of what we use that information for, so we don't 
ask for his address. We don't ask for financial data, we don't 
ask for medical records, we don't ask for credit cards. The 
most that we ask for is an e-mail address at that juncture. 
What we are trying to determine as an organization and also as 
a company is how much further should we go in order to 
determine whether he or she is or is not a child.
    Should we ask them to give us her parent's address or e-
mail address? Should we ask for a telephone number for them? 
The more information that we attempt to extract, the more 
information we then have available to us and we are not 
interested in that information. We are not interested in 
somebody coming back. So it is really a question, and we as an 
industry organization are trying to look at how to best handle 
that situation. There is not a 100 percent answer.
    One of the ways that we just attempted to look at it was 
just to limit the amount of information because kids will come 
online and play games. They will ask for information about our 
next products. They will want to know if we have got a bug--if 
there is a bug in a game, and all software has bugs, if there 
is a fix for it. If I can't get from level 12 to level 13, how 
do I do it? And they will come and ask that information and we 
will pass information back to them. So it is a difficult issue 
and I don't know how we do it. There is not a 100-percent pure 
answer for it.
    Senator Feinstein. Please, anybody that wants to comment.
    Mr. Bodoff. I was going to say the answer is easy to say we 
require parental verification before you can collect 
information from a child. What is difficult is determining what 
is parental verification, and we are really looking forward to 
some new technology approaches and new ideas. What we are using 
now is basically what the Federal Trade Commission has 
referenced, and we use as examples credit cards or e-mail 
information from the parents before you can actually accept 
personally identifiable information from the child.
    But we all know children are creative, and that is a 
challenge. And we all, I think, in the business community are 
going to be looking for different ways of trying to improve 
upon that, but we definitely have a criteria that you cannot 
collect information from a child under the age of 13 without 
parental verification.
    Senator Feinstein. Could I ask a question? Why was 13 set 
as the age?
    Mr. Bodoff. We are modeling after the Online Privacy Act, 
the Children's Online Privacy Act, the Online Privacy Alliance. 
It is the feeling that I think--and I am not an expert in the 
children's area, but below 13 children do not have enough 
cognitive sense to be able to make the right decision when 
somebody is asking them to solicit information and how that is 
being used. And above that age, children start having that 
capability and there is a higher confidence level with that.
    Senator Feinstein. Anybody else on that?
    [No response.]
    Senator Feinstein. I think that is it. Thank you very much, 
Mr. Chairman.
    The Chairman. Thank you, Senator Feinstein.
    Let me just finish with one or two. Mr. Fischbach, I know 
you did not come here to testify about the nature of the 
products you sell and make available over your Web site, but 
many in America are trying to come to grips with the terrible 
tragedy that occurred yesterday in Colorado, and really in Salt 
Lake City as well, but especially in Colorado, where two 
dysfunctional young men murdered as many as 14 fellow students 
and a teacher, and then turned the guns on themselves.
    I predict that we will learn over the coming days that 
those Trenchcoat Mafia boys were obsessed with death and 
killing, and that much of what fueled their obsession came from 
the Internet and other media sources. In my opinion, our young 
people are exposed to too much violence and killing in our 
popular culture. You turn on a television set and you have got 
murder happening all the time. You flip through any number of 
the channels and it is hard to find a show where somebody is 
not being killed. You listen to today's music and its obsession 
with death and distress, groups like Marilyn Manson, which 
apparently these Trenchcoat Mafia members idolized.
    Another source for violence and death, of course, is video 
games. And I am not meaning to pick on you, but I would like to 
have you answer this because I think it is important for all 
people in this industry to realize that we watch stuff like 
this. Take, for example, Acclaim's ``Shadow Man.'' Now, I would 
note that Acclaim has many games on the Web site that are 
totally all right and that are not violent.
    This morning, however, we went to your Web site and took a 
look at some of the other games your company offers and 
stumbled across ``Shadow Man.'' Now, here is how your game 
information Web page reads, ``A killer is coming walking 
between worlds, trailing death from live side to dead side. A 
dead man is coming, scull in one hand, gun in the other, a 
voodoo mask in his chest and lines of power in his back. A 
possessed man is coming, stalking killers in tenements and 
deserts, subways and swamps, spirit world and real world. 
Shadow Man is coming, voodoo slave and hero, hitman and dead 
man. Sometimes, it takes a killer to stop a killer. Uniquely 
terrifying third-person adventure. Enter the dark world of Mike 
Leroy, hitman, dead man, Shadow Man. Blow your enemies away 
body and soul. Go in armed with voodoo power and gunpowder. 
Pack weapons like the 50-magnum Desert Eagle, the Violator, the 
Flambeau, the Calabash, and many more. Unravel the dark 
mysteries or die trying. More than just another blood-drenched 
shootout.''
    Now, could you tell us how many people access ``Shadow 
Man'' on your Web site daily? Do you have that kind of 
information.
    Mr. Fischbach. We can provide that to the committee if the 
committee was interested in that.
    The Chairman. OK.
    Mr. Fischbach. I can say we are equally as appalled with 
what happened in the schoolyard as you and everybody else.
    The Chairman. No, I don't mean to blame you for that, but I 
just cite this because it seems to me this is one of the 
illustrations of what is happening in our society.
    Mr. Fischbach. I think, in part, there are lots of factors 
that take place in what goes through young people's minds--what 
kinds of homes they come from, how they are dependent on other 
people, whether their families are really dysfunctional.
    We also have a very open gun environment in our society, 
where anybody can go buy weapons and anybody can buy ammunition 
to do what they please with. Yet, we don't sometimes point at 
those issues and say maybe that is part of the problem as well.
    There have been lots of studies that have been done with 
respect to violence and video games or violence and television 
or violence and motion pictures, most of which conclude that 
that is not the cause, especially of people like these young 
men here, as to why they become dysfunctional in our own 
society and do acts that we are all appalled by. So it is very, 
very difficult, and it is an issue that we all are confronted 
with. I mean, Kosovo is on the front page, as well as this 
other one, and we deal in a society that is very violence-
oriented.
    The products are a fantasy, and the products are a fantasy 
no different than a book or a film or a television show. And 
both of us know that you can't go from life side to dead side, 
which is the fantasy to begin with. And the game is really an 
adventure game that is very suspenseful as you go through. It 
is based on a comic book, not unlike many of the films or many 
of the books that have already been turned into films or video 
games. It is part of our culture.
    The Chairman. Well, as you can see, you are making a pretty 
good case that we have got a culture that seems to foster this. 
I remember the Tupac Shakur matters and how he was calling for 
killing police people and a lot of other things like that.
    For our information, it would be interesting for me to know 
how many people access ``Shadow Man'' on your Web site daily, 
whether or not you know how many of them are children, and how 
many video-depicted killings they engage in in a typical round 
and, in addition, if you could tell me whether you share my 
view that there is a collective dumbing-down of young people's 
attitudes toward violence. And I am not blaming you or the 
Internet solely. There is no question that the Internet has its 
bad side.
    Mr. Fischbach. With respect to ``Shadow Man'' or the sports 
games that sit on our Web site at this point in time, that is 
mere publicity and I don't believe there is a downloadable 
function from that, except they can take a visual if they want 
to take a visual from it. But there is no game-play that is up 
on our Web site that we have released at this juncture. So all 
it is is a statement about what the game contains, and I think 
some pictures about what the game contains.
    The Chairman. OK.
    Mr. Fischbach. And in terms of the number of people or 
whether they are children or not, we don't ask them. So you can 
access our Web site without asking our permission, whether you 
are a child or not.
    The Chairman. But even if you did, you may not be able to 
know. These kids are very clever.
    Mr. Fischbach. The game also carries an ``M'' rating on it, 
so the game is identified for a mature audience. It is not 
identified for children.
    The Chairman. I see. You know, I held a hearing on Internet 
sales of alcohol and I figured that would be an interesting 
hearing. You can't believe the fur that has been stirred up 
because of that, and you can't believe the arguments on all 
sides of that issue. I mean, it was really amazing how complex 
and difficult it was, as certainly exists with this.
    I didn't mean to pick on you, but I thought I would bring 
that out because we all know that there are problems with the 
Internet. We all know there are things that are wrong about the 
Internet. We all know there are many, many wonderful things 
that are right about it, too, and I would like to accentuate 
the ``rights'' and see what we can do to alleviate the 
``wrongs.''
    Senator Feinstein. Mr. Chairman, would you let me ask just 
one quick question?
    The Chairman. Sure.
    Senator Feinstein. Would you agree that this adds to the 
culture of violence that is being promoted in the United 
States?
    Mr. Fischbach. I can't answer that question because--I 
personally don't think so. I think the culture that we live in 
is reflective of lots of other environments, and I think with 
respect to the culture that we live in today with respect to 
how we use guns and ammunition, which I am highly opposed to, I 
think we are wrong. I think there is no legislation that deals 
with guns that is really effective.
    When we talk about what should exist and what shouldn't 
exist, and you say we are going to point it toward a film or we 
are going to point it toward a book and we are going to say, 
OK, that is the answer, I think that is a real simple approach. 
I mean, it is like a check mark, and if you looked at some of 
the other things that exist in our society, because we have 
access to all kinds of information, just not what sits on our 
Web site, but what sits in public records and what sits in 
libraries, what sits in films, it all has an influence.
    So you either take a paint brush and eradicate it all or 
you deal with it as a society through education. But there are 
elements in our society that can be dealt with, such as 
weapons, because there is no reason why anybody, especially a 
17-year-old kid, should walk around with a gun or be able to go 
buy ammunition.
    Senator Feinstein. Of course, I happen to agree with that.
    Mr. Fischbach. Thank you.
    Senator Feinstein. And I have tried very hard, which is not 
an easy thing to do around here.
    The Chairman. I give her an opportunity every chance I get. 
[Laughter.]
    Let me tell you, we already have a law that forbids selling 
of guns to minors. It isn't perhaps working, and there is no 
easy solution because we have people all over this country who 
value their right to keep and bear arms. We have those who 
abuse that right. But again, as Senator Feinstein has said, 
there is a culture here that no one individual, no one 
business, no one entity is to blame for all of it. But I think 
we all need to work on it and that is the only reason I raised 
that.
    Let me just say one last thing here. As I noted in my 
opening statement today, much of the discussion about possible 
solutions revolve around two exclusive models, either 
Government regulation by the FTC, the FCC, or some other 
regulatory body, or sole industry self-regulation. Mr. Berman, 
you have indicated we ought to go as far as we can on self-
regulation, but there is going to have to be some aspect of 
regulation.
    As many argue against the merits of either one of these 
solutions, I think it would be productive to explore whether 
another solution possibly exists; for example, examining quasi-
governmental self-regulatory models that have been successful 
in other industries. That is what we need to do, it seems to 
me. I think it is important to not establish rigid rules in 
this area, and instead have a flexible system in place that can 
respond quickly to changing consumer preferences and new 
technologies, like digitalme, perhaps, designed to give 
consumers more control over personal identifiable information.
    I don't know whether we have enough information about what 
it is exactly that consumers expect in terms of privacy 
protection, or even how this is effected. A flexible system 
would best be accomplished through self-regulation by members 
of the electronic community who are aware of consumer demands 
and expectations, it seems to me.
    I would like to get your views on whether a model similar 
to the one in the securities industry could be useful to 
address privacy on the Internet, a model where the basic codes 
of conduct are established by the industry with limited 
Government oversight to provide for a level of consumer 
confidence in the process.
    Now, if you believe it could be a useful model, I would 
kind of like to conclude this hearing by asking you to work 
with me over the coming days and weeks to develop a reasonable 
but limited legislative proposal that might help to solve some 
of the problems that all of you recognize exist in ways that 
don't stifle the industry and don't stifle innovation and 
creativity.
    I think that is a pretty big assignment, but that is one 
reason why we are holding this hearing to see if we can find 
some methodologies or some ways of solving these problems that 
will protect society, and yet make sure that we continue to go 
forward as the leaders in the world in this area.
    So why don't I start with you, Mr. Wladawsky-Berger, and 
then maybe you, Mr. Sheridan; you, Borsecnik; and Messrs. 
Berman, Bodoff and Fischbach. You don't all have to comment, 
but if you would like to.
    Mr. Wladawsky-Berger. Mr. Chairman, clearly, what should 
unite us here is the fact that we want the potential of the 
networked economy for the Nation to be fulfilled and all the 
positive things to happen and eliminate the negatives. And what 
that really means is that it is all very pragmatic. We are 
after a common objective, and if there are things that are 
highly targeted that can help us better achieve that objective 
within a self-regulatory mechanism, we would be very happy to 
work with you and investigate what those things might be.
    As I said in my testimony, and as we have discussed through 
the hearing, the only concern, or the main concern we have is, 
because things are moving so fast in such a complicated area, 
that we have regulations that will not work and that will make 
it harder for the objectives to be accomplished.
    However, if we can find highly selected areas where we can 
do some good, and we talked about protection of minors as one; 
protection of very sensitive information like medical records 
might be another that can help start setting the right 
mechanisms. And as we learn more, we learn more of what else to 
do. We will be very happy to work with you and see what makes 
sense.
    The Chairman. Well, as you know, one reason we held the 
Microsoft hearings was not just to try and resolve some 
problems that exist, but basically, I am a firm believer that 
unless we attack these problems now, you are going to have an 
over-regulatory nature, and that would be very detrimental to 
the Internet and to our future and to our future governance of 
these innovative and creative matters.
    So I think those hearings have proven to be the beginning 
of something very important. And I don't wish my friends at 
Microsoft any harm. I think the world of what they have been 
able to do, but there were some things that needed to be 
corrected and I think they are going to be corrected in the 
end.
    And it is important that we move in these directions 
because the last thing on Earth I want is an over-regulation of 
the Internet. But at least I have seen from the shaking of 
heads that all of you kind of indicate that there needs to be 
something here. And I don't want these wonderful, genius 
Members of Congress to just come up with it themselves. My 
experience has been that they may have a genius of sorts, but 
without an awful lot of help, we could really screw up the 
Internet, and I don't want to see that happen.
    Mr. Sheridan, do you have any comments about that?
    Mr. Sheridan. Yes. We would, Mr. Chairman, be more than 
happy to work with you on a middle way, something in between.
    The Chairman. Put some time into it because, you know, you 
have been right in the middle of all this. And, you know, my 
experience with the Internet creators is that they just love to 
burrow in and solve the engineering problems, but they are not 
really concerned about the legal problems or the statutory 
problems.
    Mr. Sheridan. Social problems.
    The Chairman. Social problems, yes, and I think you are 
going to have to be because the last thing on Earth you want is 
to have us come in here with a heavy hand.
    Mr. Sheridan. We agree.
    The Chairman. That is where it is headed, I can tell you, 
and I am trying to stop it with everything I can. And I think 
in the end, Microsoft may not thank me, but the fact of the 
matter is I think they will be better off in the end as well.
    Mr. Sheridan. We would be very happy to explore new models 
and look at what has worked, how can it be simple and flexible 
around a model that, as you were saying, is a hybrid. We would 
be glad to participate in that, and we would also like to see 
what laws could be better enforced, say, around medical issues 
and things that are----
    The Chairman. Right. Well, see, that is another big issue. 
I am very, very concerned. People say, well, we should be able 
to disclose people with emotional illness so they can't get 
guns. Well, there are a myriad set of problems there, 
everything from litigation and malpractice to--I mean, it is 
mind-boggling. And I would like to do that. I mean, I would 
like to be able to find some way that we could prevent that 
without destroying people's lives or their privacy, and it is 
pretty hard to do. But you folks, I think, may have the keys to 
do that.
    Ms. Borsecnik, as you know, I have tremendous respect for 
AOL and I have been very impressed with you here today, but do 
you have any comments on this?
    Ms. Borsecnik. Well, I think the issue you just brought 
up--we keep using the example in the health care industry--
conveys the concern of the one-size-fits-all issue. And I think 
Senator Kohl's suggestion of a commission that looks further 
into all the various sectors that are affected by privacy----
    The Chairman. A commission that might be supervised by the 
Government, you are saying?
    Ms. Borsecnik. Yes, because I think, as you said at the 
beginning, we are in the first inning on this discussion and 
the debate because of the myriad of complicated issues and 
industries involved. And we encourage that kind of discourse 
because only through that will we be able to focus on a 
solution that provides a standard that is acceptable, but is 
workable across a variety of businesses and a variety of 
consumer concerns.
    The Chairman. I am going to come to you last, Mr. Berman, 
since you have been the one who has been so crass as to 
recommend this process.
    Mr. Bodoff.
    Mr. Bodoff. The only thing I would add--and I have heard 
from two of our sponsors, AOL and IBM at the table here with 
me, and that is probably reflective of the other companies who 
have been instrumental in building our program--is that 
whatever happens, we don't do anything that discourages 
companies from joining self-regulatory activities.
    We have a great challenge in front of us now. We have got 
to get out and educate businesses and we have got to get 
businesses to make a commitment. And we are only open a month 
and we have some very aggressive plans, and I think if we were 
talking at the end of the year, we would see some very 
interesting results, the danger being in any activity that 
holds out something else and lots of companies who may be 
moving toward a self-regulatory approach right now hold off 
because they are waiting for something else. They are fearful 
of something else or something else is happening. So I would 
only ask that that be given consideration in any action that 
takes place.
    The Chairman. Thank you. Mr. Fischbach.
    Mr. Fischbach. Well, I think that as we continue moving 
forward, I put down in my notes paint brush as opposed to a 
small, thin brush, because each particular sector is going to 
have its own particular issues. And if we are too broad in 
whatever we attempt to do from a congressional standpoint, I 
think that the answer will probably harm us as oppose to help 
us with respect to the economics that can come from the 
Internet, plus the fact that it is really a worldwide issue. It 
is not just a local issue as to what takes place in the United 
States because of the access of information and where you can 
set your sites up.
    We would be happy to participate in some sort of a body 
which would study and make recommendations in terms of how to 
handle this, the suggestion of a commission to work on what 
kinds of legislation or rules should be passed. The problem, I 
think, is we know where we are today; we are not sure where we 
are going to be in 3 to 4 years from today and what changes 
will take place in technology and how we will move information 
back and forth. Some of it we can anticipate, but it will 
change the way that all of us do business and it will change 
the way that we access information.
    The Chairman. Thank you. Now, Mr. Berman, we will let you 
sum up for everybody.
    Mr. Berman. I think that we are all committed to the growth 
and dynamism of the Internet, and we want to make sure that it 
has the right fundamental law, and that commerce goes on and 
privacy is protected, and the free flow of information. And I 
think that the right approach is somewhere between these 
extremes, which is to really hone in and work together to bring 
the industry and the privacy advocates and policy experts 
together and try and work through these issues, to find the 
flexible--it doesn't have to be one-size-fits-all, but to work 
toward resolving some very hard issues of how to get fair 
information practices out on the Net. So we are pleased to work 
with you and the committee. We have done it before and we will 
do it again.
    The Chairman. Well, let me just challenge all of you to 
really live up to that because I would like to have the very 
best ideas you have. This committee has been doing some pretty 
good things in this area, in my opinion, and we are capable of 
doing many more good things, but we have got to have the right 
advice and the right counsel to be able to do them right.
    You know, there are so many problems, but I cite this 
problem. Since yesterday's murders in the Colorado school, I 
have been hit all over the place by people saying, well, we 
have got to have disclosure, at least from a weapons 
standpoint, of people's mental illness. The mental illness 
societies are going berserk over this because they know that 
once that starts, they are going to be discriminated against if 
it isn't handled absolutely right.
    Can it be handled absolutely right? Can we do something 
that really is a privacy type of thing that will work so that 
people are not discriminated against who have had an emotional 
disturbance at one time in their lives? If the truth is known, 
probably every one of us has suffered emotionally from time to 
time. Whether it rises to the dignity of having to have special 
professional help or not is another matter.
    But it is a big problem because everybody comes up with 
these broad-brush--you know, we have got to stop all weapons, 
or we have got to do this, or we have got to make sure nobody 
who has an emotional illness or even emotional distress has 
access to weapons. Well, that is just one very small, little 
aspect of this whole thing. You get into all the others, credit 
cards right on through, and it is almost mind-boggling.
    And you are kind of suggesting a private sector commission, 
set up maybe by the industry, that is supervised by maybe some 
sort of governmental supervision or regulation. My problem with 
Government is, once regulation starts, it becomes a stifling 
aspect to what really is, in the minds of many, one of, if not 
the most important set of opportunities in America's history, 
and one of, if not the most important industry in America right 
now, because from this industry almost everything we do in the 
future is going to be connected.
    So we would really like to have some ideas here before some 
people want to ram through some idiotic, stupid approach toward 
this that creates another Internet IRS, which goes from a few 
hundred pages to 6,000 pages overnight. I just don't want to 
see that happen.
    This has been a very good hearing. We are very grateful to 
each and every one of you for coming because each of you has 
expressed different aspects of this set of problems, and I 
think it has been a very, very good panel. So thank you so 
much.
    With that, we will adjourn until further notice.
    [Whereupon, at 12:51 p.m., the committee was adjourned.]

    [GRAPHIC] [TIFF OMITTED] T8199.110
    
    [GRAPHIC] [TIFF OMITTED] T8199.111
    
    [GRAPHIC] [TIFF OMITTED] T8199.112
    
    [GRAPHIC] [TIFF OMITTED] T8199.113
    
    [GRAPHIC] [TIFF OMITTED] T8199.114
    
    [GRAPHIC] [TIFF OMITTED] T8199.115
    
    [GRAPHIC] [TIFF OMITTED] T8199.116
    
    [GRAPHIC] [TIFF OMITTED] T8199.117
    
    [GRAPHIC] [TIFF OMITTED] T8199.118
    
    [GRAPHIC] [TIFF OMITTED] T8199.119
    
    [GRAPHIC] [TIFF OMITTED] T8199.120
    
    [GRAPHIC] [TIFF OMITTED] T8199.121
    
    [GRAPHIC] [TIFF OMITTED] T8199.122
    
    [GRAPHIC] [TIFF OMITTED] T8199.123
    
    [GRAPHIC] [TIFF OMITTED] T8199.124
    
    [GRAPHIC] [TIFF OMITTED] T8199.125
    
    [GRAPHIC] [TIFF OMITTED] T8199.126
    
    [GRAPHIC] [TIFF OMITTED] T8199.127
    
    [GRAPHIC] [TIFF OMITTED] T8199.128
    
    [GRAPHIC] [TIFF OMITTED] T8199.129
    
    [GRAPHIC] [TIFF OMITTED] T8199.130
    
    [GRAPHIC] [TIFF OMITTED] T8199.131
    
    [GRAPHIC] [TIFF OMITTED] T8199.132
    
    [GRAPHIC] [TIFF OMITTED] T8199.133
    
    [GRAPHIC] [TIFF OMITTED] T8199.134
    
    [GRAPHIC] [TIFF OMITTED] T8199.135
    
    [GRAPHIC] [TIFF OMITTED] T8199.136
    
    [GRAPHIC] [TIFF OMITTED] T8199.137
    
                                  
