b'<html>\n<title> - S. 809, PRIVACY PROTECTION ACT OF 1999</title>\n<body><pre>[Senate Hearing 106-1044]\n[From the U.S. Government Printing Office]\n\n\n\n                                                       S. Hrg. 106-1044\n\n             S. 809, ONLINE PRIVACY PROTECTION ACT OF 1999\n\n=======================================================================\n\n                                HEARING\n\n\n                               BEFORE THE\n\n                     SUBCOMMITTEE ON COMMUNICATIONS\n\n                                 OF THE\n\n                         COMMITTEE ON COMMERCE,\n                      SCIENCE, AND TRANSPORTATION\n                          UNITED STATES SENATE\n\n                       ONE HUNDRED SIXTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JULY 27, 1999\n\n                               __________\n\n\n    Printed for the use of the Committee on Commerce, Science, and \n                             Transportation\n\n\n71-813              U.S. GOVERNMENT PRINTING OFFICE\n                            WASHINGTON : 2002\n____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpr.gov  Phone: toll free (866) 512-1800; (202) 512\xef\xbf\xbd091800  \nFax: (202) 512\xef\xbf\xbd092250 Mail: Stop SSOP, Washington, DC 20402\xef\xbf\xbd090001\n\n\n       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION\n\n                       ONE HUNDRED SIXTH CONGRESS\n\n                             FIRST SESSION\n\n                     JOHN McCAIN, Arizona, Chairman\nTED STEVENS, Alaska                  ERNEST F. HOLLINGS, South Carolina\nCONRAD BURNS, Montana                DANIEL K. INOUYE, Hawaii\nSLADE GORTON, Washington             JOHN D. 
ROCKEFELLER IV, West \nTRENT LOTT, Mississippi                  Virginia\nKAY BAILEY HUTCHISON, Texas          JOHN F. KERRY, Massachusetts\nOLYMPIA J. SNOWE, Maine              JOHN B. BREAUX, Louisiana\nJOHN ASHCROFT, Missouri              RICHARD H. BRYAN, Nevada\nBILL FRIST, Tennessee                BYRON L. DORGAN, North Dakota\nSPENCER ABRAHAM, Michigan            RON WYDEN, Oregon\nSAM BROWNBACK, Kansas                MAX CLELAND, Georgia\n                       Mark Buse, Policy Director\n                  Martha P. Allbright, General Counsel\n     Ivan A. Schlager, Democratic Chief Counsel and Staff Director\n               Kevin D. Kayes, Democratic General Counsel\n                                 ------                                \n\n                     Subcommittee on Communications\n\n                    CONRAD BURNS, Montana, Chairman\nTED STEVENS, Alaska                  ERNEST F. HOLLINGS, South Carolina\nSLADE GORTON, Washington             DANIEL K. INOUYE, Hawaii\nTRENT LOTT, Mississippi              JOHN F. KERRY, Massachusetts\nJOHN ASHCROFT, Missouri              JOHN B. BREAUX, Louisiana\nKAY BAILEY HUTCHISON, Texas          JOHN D. ROCKEFELLER IV, West \nSPENCER ABRAHAM, Michigan                Virginia\nBILL FRIST, Tennessee                BYRON L. DORGAN, North Dakota\nSAM BROWNBACK, Kansas                RON WYDEN, Oregon\n                                     MAX CLELAND, Georgia\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held July 27, 1999.......................................     1\nStatement of Senator Bryan.......................................     4\nStatement of Senator Burns.......................................     1\nStatement of Senator Dorgan......................................    25\n    Prepared statement...........................................    
25\nStatement of Senator Kerry.......................................     3\nStatement of Senator Rockefeller.................................    26\nStatement of Senator Stevens.....................................     5\nStatement of Senator Wyden.......................................    24\n\n                               Witnesses\n\nAnthony, Sheila F., commissioner, Federal Trade Commission.......    26\n    Prepared statement...........................................    29\nLesser, Jill, vice president, Domestic Public Policy, America \n  Online.........................................................    46\n    Prepared statement...........................................    48\nMulligan, Deirdre, staff counsel, Center for Democracy and \n  Technology.....................................................    52\n    Prepared statement...........................................    54\nPitofsky, Robert, chairman, Federal Trade Commission.............     5\n    Prepared statement...........................................     7\nRotenberg, Marc, director, Electronic Privacy Information Center.    64\nSwindle, Orson, commissioner, Federal Trade Commission...........    29\n    Prepared statement...........................................    31\nThompson, Mozelle W., commissioner, Federal Trade Commission.....    32\nVarney, Christine, senior partner, Hogan & Hartson, on behalf of \n  the Online Privacy Alliance....................................    66\n    Prepared statement...........................................    68\n\n                                Appendix\n\nCenter for Democracy and Technology prepared statement...........    87\n\n \n                 S. 809, PRIVACY PROTECTION ACT OF 1999\n\n                              ----------                              \n\n\n                         TUESDAY, JULY 27, 1999\n\n                               U.S. 
Senate,\n                    Subcommittee on Communications,\n        Committee on Commerce, Science, and Transportation,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 9:30 a.m. in \nroom SR-253, Russell Senate Office Building, Hon. Conrad Burns, \nchairman of the subcommittee, presiding.\n    Staff members assigned to this hearing: Robert Taylor, \nRepublican counsel; Moses Boyd, Democratic senior counsel; and \nAl Mottur, Democratic counsel.\n\n            OPENING STATEMENT OF HON. CONRAD BURNS,\n                   U.S. SENATOR FROM MONTANA\n\n    Senator Burns. We will call the committee to order this \nmorning. I will tell you, it has been a long day already. I \nstarted off at Bethesda Naval Hospital this morning, and we \nchaired and then completed a MILCON appropriations, now we have \ngot this, and I will have all my work done by noon, and then I \nam going to go to the golf course. [Laughter.]\n    Today\'s hearing concerns a topic of critical importance to \ntoday\'s increasingly digital world, the protection of online \nprivacy. The recent growth of the Internet has been nothing \nshort of breathtaking. The number of Internet users in the \nUnited States is now approaching 100 million. The number of \nonline consumers is now over 30 million. Clearly, the Internet \nhas become a staple of everybody\'s life.\n    The tremendous reach of the Internet does pose challenges \nas well as opportunities. 
Just as the revolution in \ncommunications technology has allowed individuals to gain \naccess to nearly limitless information, unfortunately digital \ntechnologies can also be used by bad actors to collect nearly \nlimitless information on individuals with out their knowledge.\n    I would like to thank my good friend and colleague, Senator \nWyden, for his vision and hard work in working with me on the \nOnline Privacy Protection Act of 1999, which will ensure the \nsafety net for privacy for online consumers.\n    I have worked closely with Senator Wyden in a bipartisan \nmanner on numerous high tech issues, and we continue to do \nthat. I know he shares my hesitation to engage in any sort of \nregulation of the Internet, but nonetheless we see a problem \nlooming on the horizon. I have stated on many occasions that \nnothing happens until a sale is made and the intent of this \nbill is to foster, not impede, the tremendous growth in \nelectronic commerce.\n    This bill was a product of many discussions with both \nindustry and privacy groups, and represents a balanced measured \napproach to the issue. We are very fortunate to have the entire \nFederal Trade Commission here today. I would especially like to \nthank the chairman for altering his very demanding schedule to \nbe here today. 
I have worked very closely with the chairman on \nmatters of Internet privacy in the past, and last year the \nChildren\'s Online Privacy Protection Act, which I supported, \ndrew heavily from the recommendations and the findings of the \nFTC\'s June 1998 report on Internet privacy.\n    The 1998 report found that 89 percent of children\'s Web \nsites collected personal information, while only 10 percent of \nthe sites provided for some form of parental control over the \ncollection and use of that information.\n    Thanks to the recommendations of the FTC and the work of \nSenator McCain and Senator Bryan and other members of the \nCommerce Committee, the Children\'s Online Privacy Protection \nAct, which requires the FTC to come up with some rules that \nwould provide notice of Web sites personal information \ncollection, passed into law in the 105th Congress.\n    Now, given this background, I have to say that I am very \npuzzled by the FTC\'s recent report to Congress on Internet \nprivacy. The report acknowledged that fewer than 10 percent of \nthe Web sites meet basic privacy protections, but called for no \nFederal legislation to address this critical situation.\n    The report pointed to the recent Georgetown study that \nshows that nearly two-thirds of Web sites now post privacy \npolicies as proof of industry progress and a reason for \nlegislation inaction. I applaud the increase in posting privacy \npolicies, but what about the other kinds of Web sites that fail \nto inform the consumers?\n    Also, I have examined several of these policies. Many of \nthem seem to have the purpose of exempting Web sites from \nliability, rather than informing consumers of their rights. 
The \nfact that many of these policies require a law degree to \ndecipher, not to mention a magnifying glass, given that they \nare in microscopic type, does not lead me to the conclusion \nthat no Federal action is necessary to protect online privacy.\n    I find the dissenting opinion of Commissioner Anthony in \nthe report very compelling. She rightly states that the \nlegislation is necessary to at least ensure a minimum of \nconsumer privacy protection in the digital era. In her opinion, \nher expression concerns that the absence of effective privacy \nprotections will undermine consumer confidence and hinder the \nadvancement of electronic commerce and trade, and I could not \nagree more.\n    In fact, several recent studies reveal that the single \ngreatest reason consumers do not buy goods online is because of \nthe concerns of privacy. Unfortunately, these fears have been \nproven to be well-based. As the communications revolution \nalters every aspect of our personal and economic lives, now is \nno time for delay or inaction.\n    I continue to move forward with this critical bill to make \nsure that consumers can feel confident in the safety of their \npersonal information in the digital age. It is nice to work \nwith Senator Wyden and my colleagues on the committee to ensure \nthis bill moves to markup and passage by the full Senate as \nquickly as possible.\n    I see my good friend from Massachusetts here this morning, \nand thank you for coming, Senator, and we look forward to your \nstatement.\n\n         STATEMENT OF HON. JOHN F. KERRY, U.S. SENATOR \n                       FROM MASSACHUSETTS\n\n    Senator Kerry. Thank you very much, Mr. Chairman. I will be \nvery brief. I can only stay for a portion of the hearing, but I \nwanted to first of all thank you for having this hearing. 
This \nis a complex and very important issue to all of us, and I will \njust be very, very brief, as I said.\n    A lot of us have been taking time to meet with a lot of the \ncompanies and begin to understand better what is happening in \nthe marketplace. I think we are beginning to get that sense. It \nstrikes me that obviously privacy is going to grow. I think \nmost people I have talked with in the industry are aware of \nthat, it will grow as an issue and be vital to the capacity of \nmany companies to be able to market and to grow. I think people \nunderstand that.\n    I have looked at the FTC\'s report on privacy, and generally \nagree with most of the majority view, though I think, as you \njust said, Mr. Chairman, that Commissioner Anthony\'s warnings \nand observations are not to be discounted.\n    Many Web sites are currently taking steps to notify users \nof their privacy programs, and I think we are at significantly \nenough of a nascent stage of development here that I am wary of \nregulation at this point in time. I do not think it is the \nright time to regulate the industry. I think, however, the FTC \nmay have somewhat overstated to some degree the progress that \nis currently being made.\n    There is a marked improvement in the number of sites \nposting privacy disclosure, but disclosure is different from \nthe set of choices sites have with respect to all the things \nthey could do to protect privacy.\n    The studies that you referenced, and that the report \nreferences, show that only 10 percent of the sites are \ncurrently addressing the four principles of notice, choice, \naccess, and security. 
I think that 10 percent figure should \nconcern all of us, but again, that is different from whether or \nnot at this point in time we ought to step in and actually \nregulate.\n    I think it probably concerns a lot of other people, too, \nand we ought to simply hold out our own notice to all of the \nparticipants that we are going to be watching very closely. We \nshould set high standards at this point in time as a goal for \nthem to achieve.\n    But again, I think self-regulation is the more important \nway to proceed at this point in time. I am not sure that we or \nthe FTC could write a law or regulation that will sufficiently \nallow for all the changes in technology that are taking place, \nand again, I am absolutely convinced that the companies \nunderstand that protecting consumer privacy is in their best \ninterests, and with the level of competition on the Web right \nnow, I think we would be well-advised to allow that to sort of \npercolate a little bit and perhaps see where we are.\n    So that said, Mr. Chairman, I think if self-regulation is \nnot working, and the surveys continue to show only minimal \ncompliance with the core privacy principles, we certainly have \nample opportunity to step in at that time, and I thank you \nagain, Mr. Chairman, for setting us down this road.\n    Senator Burns. Thank you, Senator Kerry.\n    Senator Bryan.\n\n  STATEMENT OF HON. RICHARD H. BRYAN, U.S. SENATOR FROM NEVADA\n\n    Senator Bryan. Thank you very much, Mr. Chairman. 
Let me \nfirst preface my comments by commending you for holding this \nhearing and the leadership that you and our colleague, Senator \nWyden, have provided on this issue.\n    I think Business Week magazine summed it up best in its \nJuly 26 article:\n\n    ``George Orwell\'s vision of Big Brother was Government run \namok, but it is not Government that threatens privacy today, it \nis Internet commerce.\'\'\n\n    That is a Business Week publication.\n    Internet commerce is evolving to the point where you could \nbe browsing a Web page for mutual funds at one moment and \nseconds later get a call from a telemarketer with a targeted \nmutual fund sales pitch. As online commerce grows, the value of \npersonal information for direct marketing will skyrocket. As \nBusiness Week put it, all over the Web a data gold rush is on. \nThe incredible communications and computing power of the \nInternet is handing companies an unprecedented opportunity to \ncollect and analyze information.\n    As some of you will recall, I became involved in the \nInternet privacy issue in the last session of Congress, working \nwith the chairman of the committee, Senator McCain, on the \nChild Online Privacy Protection Act. Working with the FTC, \nprivate sector groups as well, we were astonished to learn that \nWeb sites that focused on children\'s issues, and there were \nsome 90 percent or more who were collecting personal and \nprivate data, only about 1 percent of those actually gave \nparents an opportunity to in effect have an informed consent.\n    Working with the private sector and the FTC, we have now \ndeveloped the Child Online Privacy Protection Act. The \nrulemaking process is continuing, but the issue before us today \nis whether or not we should expand those privacy protections to \nthe adult Internet population.\n    I have not rushed to judgment as the FTC reviews this \nissue, but, Mr. Chairman, let me express my concern. 
I think \nthe privacy issue is very deep and very fundamental, and the \nAmerican public is just beginning to grasp how threatened their \nconcept of privacy is.\n    Although the industry needs to be commended for the strides \nit has made in setting up mechanisms to protect consumers\' \nprivacy, I continue to be concerned about several practices. \nThere appears to be an agreement that the biggest impediment to \ncommerce on the Internet is the public concern about privacy, \nand so you have on one hand an issue in which the public is \nconcerned about the loss of privacy, the business community, \nwhich is interested in expanding the potential for e-commerce, \nis impeded because of those customers\' concerns that the \ntransaction over the Internet will invade their privacy to an \nextent that they do not feel comfortable with.\n    Of the top 100 Web sites, 99 collect personal information, \nbut only 22 meet the fair information practice standards that \nhave been outlined. While we are focusing on privacy protection \nfor information consumers voluntarily give to the Web sites, \nthat is when they have a transaction much like an individual \nwho walks into a retail establishment and produces his or her \ncredit card or pays in cash, there is a record of that \ntransaction. I think all of us understand that concept.\n    But a device known as cookies, cookies I think is something \nthat would shock people. That is, it is now possible through \nthis amazing technology for a Web site to know when it has been \nvisited, not when a transaction has occurred, but when a Web \nsite has been visited, that information collected and made \navailable for direct marketers without the knowledge or the \nconsent of the consumer.\n    That, Mr. Chairman, in my judgment raises significant \nconcerns, so it is my hope that the industry and the regulators \nwill be able to work out something that will protect this \nprivacy. 
I must tell you, I am not persuaded at this point that \nthat is the case. I know the FTC has urged caution and \nrestraint at this moment.\n    Mr. Chairman, I commend you again for your leadership in \nmoving this ball forward. I think there is a significant issue \nthere, and that we may, indeed, have to resort to a legislative \nsolution if we are not able to reach an agreement very soon in \nterms of how we protect adult users of the Internet, and I \nthank you, Mr. Chairman.\n    Senator Burns. Thank you, Senator Bryan.\n    Senator Stevens.\n    Senator Stevens. No opening statement.\n    Senator Burns. Well, we welcome the Federal Trade \nCommission this morning, and the chairman, and we will hear \nfirst from the chairman, Mr. Robert Pitofsky, and we welcome \nyou this morning and thank you for coming en masse, we might \nadd. We like that idea.\n\n  STATEMENT OF HON. ROBERT PITOFSKY, CHAIRMAN, FEDERAL TRADE \n                           COMMISSION\n\n    Mr. Pitofsky. Thank you very much, Mr. Chairman, and \nmembers of the committee. It is truly a pleasure to meet with \nthis group that is so knowledgeable about the problems that we \nare going to address, the development of the Internet and \nprivacy issues on the Internet.\n    Let me try to focus the discussion in this way. Members of \nthe FTC are unanimous, and I believe the members of this \ncommittee are probably unanimous, that it is absolutely \nintolerable for sellers on the Internet to gather personally \nidentifiable information and sell it or otherwise transfer it \nwithout the buyer\'s permission. We are all there. The question \nis, what is the best way to ensure that that kind of behavior \ndoes not occur?\n    My own view is that there are always going to be four \ndifferent elements to a regulatory program of this sort. 
One, \ncase by case enforcement based on statutes already existing, \nlike our own statute that outlaws deception; new legislation, \nconsumer education, and self-regulation. The question is, what \nis the right mix to get to the goal line?\n    The FTC has taken a leadership role in this area. We have \nbrought a number of cases challenging violations of consumer \nprivacy on the Internet. We sued Geo Cities, one of the biggest \ncases that we have seen in this area, and we have brought other \nsuits. We have supported legislation. Indeed, we worked with \nthis committee and particularly the chairman and Mr. Bryan on \nthe Children\'s Online Privacy Act, which was put through the \nCongress in the most efficient and prompt way that I think I \nhave ever seen.\n    We last week unanimously testified in favor of legislation \nthat would protect the privacy of financial records, because \nfinancial records are different and deserve a heightened level \nof privacy protections. I would say the same thing about \nmedical records.\n    But the issue remains, what do we do about all the rest of \nthe invasions of privacy that adults may encounter when they do \nbusiness on the Internet, and to address that, let me talk a \nlittle bit about history. The FTC got out in front of this \nissue with hearings that were held 3 years ago examining \nquestions of the extent of invasions of privacy and what to do \nabout it. We then did a study at the request of Senator McCain, \naddressing questions such as what are the levels of invasion of \nprivacy, and what are the existing protections. 
In the summer \nof 1998 we put out a report.\n    We submitted a report to the Congress that said that, even \nthough practically everyone was collecting personally \nidentifiable information, only 14 percent posted any sort of \nnotice, and only 2 percent touched all the bases--that is: \nnotice, consent, access, and security, and we said at that time \nas politely as we knew how that this was a very disappointing \nperformance by the private sector.\n    Industry then agreed with that assessment, and the most \nresponsible companies in this country working on the Internet \nsaid, give us a chance to solve this problem through self-\nregulation, and they have put in considerable time and effort \nand resources to accomplish that.\n    Georgetown University then ran a study about a year later, \nand found that the 14 percent policy disclosures had become 66 \npercent. I myself was astonished that in 1 year, disclosures \nincreased from 14 percent to 66 percent. Indeed, a second study \nwhich looked only at the most frequently used Internet sites \nhad the disclosure polices up around 80 or 81 percent.\n    Still, only 10 percent, another study said 20 percent, but \nI say only 10 percent touched all the bases, and therefore \nwhile you have notice and opportunities to opt out, you do not \nhave the access issue taken care of, and you do not have the \nsecurity issue taken care of.\n    The question is, what do we do now? We are at a very \nimportant crossroads point in time as to what is the best way \nto address these questions. One is to let self-regulation \nproceed, and industry is following up to improve their \nperformance. For example, I know they sent a letter to the 34 \npercent of the sites on the Internet that did not have privacy \npolicies, asked them why, and urged them to change their \npolicies. 
If the private sector were to have anything like the \nsuccess this year that I had last year with self-regulation, \nyou would be up around 90 or 95 percent of disclosure of policy \nand remember, once they disclose their policies, if they do not \nabide by their own policy, that is deceptive under our statute \nand we can challenge their behavior under section 5 of the \nFederal Trade Commission Act.\n    Of course, we could now move to a law, and I must say that \nif we were to move to a law, the direction described in S. 809, \nnot every single word in the statute, of course, but the \ndirection seems about right to me. By the way, S. 809 pretty \nmuch reflects the direction that the business community has \nitself agreed to. That is to say, it calls for notice, consent, \naccess, security, and safe harbors for those responsible \ncompanies that behave in the appropriate way.\n    A majority of the commission believes that we ought to let \na little time go by, and I really mean a little time. There has \nbeen such progress, we challenged them so directly, and they \ncame through in improving self-regulation so substantially that \nwe ought to let a little time go by and see if they really get \nto the goal line.\n    If they do, then we have solved the problem without the \nnecessity of legislation in an area that is so dynamic that one \ncan only worry that the legislation will be outstripped by \ntechnological developments.\n    If they do not, if the progress does not proceed, then I \nwould be the first to be up here recommending that legislation \nis necessary to accomplish what we agree is a necessary \nprotection for consumers. So in the end consumers must be \nprotected. It is just an issue of how you get there.\n    Now, a large part of the complexity of this depends on the \nfollowing. 
Do you look at the 66 percent, say the glass is more \nthan half full, and we are going in the right direction, or do \nyou look at the disappointing 10 or 20 percent that have not \ntouched all the bases?\n    I feel you should look at both. I do not think notice and \nopt-out is a successful addressing of this problem, but I will \npoint out that Alan Weston, one of the most respected advocates \nfor privacy policy in this country, released the results of a \nnew study just about a week or 10 days ago. It showed that 85 \npercent of consumers principally or exclusively care about \nnotice and consent, the 66 percent, and they really are not \nnearly as concerned, or not concerned at all, about, touching \nall four bases of security and access.\n    So while I think consumers are entitled to more than \nnotice, it may be that many consumers really do not regard that \nas a priority issue for themselves, and it makes sense, because \nif you opt out, why do you have to worry about access? You are \nout of the system. If you opt out, why do you have to worry \nabout security? The information gatherer cannot use your \npersonal data, and if they do, after you have opted out, that \nwould be a violation of our statute.\n    Thank you very much, and let me turn the program over to my \ncolleagues.\n    [The prepared statement of Mr. Pitofsky follows:]\n\n       Prepared Statement of Robert Pitofsky, Chairman, Federal \n                            Trade Commission\n\n    Mr Chairman and members of the Subcommittee, I am Robert Pitofsky, \nChairman of the Federal Trade Commission (``FTC\'\' or ``Commission\'\'). I \nappreciate this opportunity to present the Commission\'s views on the \nprogress of self-regulation in the area of online privacy.<SUP>1</SUP>\n\n                     I. 
INTRODUCTION AND BACKGROUND\n\n    The FTC\'s mission is to promote the efficient functioning of the \nmarketplace by protecting consumers from unfair or deceptive acts or \npractices and to increase consumer choice by promoting vigorous \ncompetition. As you know, the Commission\'s responsibilities are far-\nreaching. The Commission\'s primary legislative mandate is to enforce \nthe Federal Trade Commission Act (``FTCA\'\'), which prohibits unfair \nmethods of competition and unfair or deceptive acts or practices in or \naffecting commerce.<SUP>2</SUP> With the exception of certain \nindustries, the FTCA provides the Commission with broad law enforcement \nauthority over entities engaged in or whose business affects commerce \n<SUP>3</SUP> and with the authority to gather information about such \nentities.<SUP>4</SUP> Commerce on the Internet falls within the scope \nof this statutory mandate.<SUP>5</SUP>\n    In June 1998 the Commission issued Privacy Online: 24 Report to \nCongress (``1998 Report\'\'), an examination of the information practices \nof commercial sites on the World Wide Web and of industry\'s efforts to \nimplement self-regulatory programs to protect consumers\' online \nprivacy.<SUP>6</SUP> Based in part on its extensive survey of over 1400 \ncommercial Web sites, the Commission concluded that effective self-\nregulation had not yet taken hold.<SUP>7</SUP> The Commission \nrecommended that Congress adopt legislation setting forth standards for \nthe online collection of personal information from children; and \nindeed, just four months after the 1998 Report was issued, Congress \nenacted the Children\'s Online Privacy Protection Act of \n1998.<SUP>8</SUP> As required by the Act, on April 20, 1999, the \nCommission issued a proposed Children\'s Online Privacy Protection Rule, \nwhich will implement the Act\'s fair information practices standards for \ncommercial Web sites directed to children under 13, or who knowingly \ncollect personal 
information from children under 13.<SUP>9</SUP> \nCommission staff is reviewing comments on the proposed rule and will \nissue a final rule this fall.\n    When the 1998 report was released, there were indications that \nindustry leaders were committed to work toward self-regulatory \nsolutions. As a result, in Congressional testimony last July the \nCommission deferred judgment on the need for legislation to protect the \nonline privacy of consumers generally, and instead urged industry to \nfocus on the development of broad-based and effective self-regulatory \nprograms.<SUP>10</SUP> In the ensuing year, there have been important \ndevelopments both in the growth of the Internet as a commercial \nmarketplace and in consumers\' and industry\'s responses to the privacy \nissues posed by the online collection of personal information. As you \nknow, on July 13, 1999, the Commission issued a new report on these \ndevelopments, Self-Regulation and Online Privacy: A Report to Congress \n(June 1999) (``1999 Report\'\').<SUP>11</SUP>\n    The 1999 Report notes that, while industry leaders have \ndemonstrated substantial effort and commitment to privacy protections \nonline, much remains to be done to ensure the widespread adoption and \nimplementation of fair information practices. As a result, the \nCommission has developed an agenda for the coming months to assess the \nprogress of self-regulation in greater detail. For these reasons, the \nReport concludes that legislation to address online privacy is not \nappropriate at this time. Nonetheless, I want to briefly present the \nCommission\'s views on S. 809, entitled the ``Online Privacy Protection \nAct of 1999,\'\' which sets out one model to consider if there were to be \nlegislation in the future.\n    S. 809 would require commercial Web sites to implement a framework \nof privacy protections that reflects the core fair information \npractices of notice, choice, access, and security. 
The bill combines \ngovernment enforcement with incentives for effective self-regulation to \nprotect consumers\' online privacy.<SUP>12</SUP> It encourages industry \nparticipation in the process of developing information practice \nstandards. The bill\'s safe harbor provision allows industry groups the \nflexibility to craft information practice guidelines that are sensitive \nto sector-specific concerns and technological developments, and to \nsubmit those guidelines for government approval. Once guidelines are \napproved, companies adhering to the guidelines are deemed in compliance \nwith the bill\'s requirements as well. Because it reflects fair \ninformation practices and contains significant incentives for self-\nregulation, S. 809 would be a useful template for any online privacy \nlegislation. We are pleased to work with the Committee as it continues \nto examine online privacy protections.\n\n           II. THE CURRENT STATE OF ONLINE PRIVACY REGULATION\n\n    The Commission\'s 1999 Report assesses the progress made in self-\nregulation to protect consumers\' online privacy since last June and \nsets out an agenda of Commission actions in the coming year to \nencourage industry\'s full implementation of online privacy protections. \nI am pleased to present the 1999 Report\'s findings to the Committee.\n    The Commission believes that self-regulation is the least intrusive \nand most efficient means to ensure fair information practices online, \ngiven the rapidly evolving nature of the Internet and computer \ntechnology. During the past year the Commission has been monitoring \nself-regulatory initiatives, and the Commission\'s 1999 Report finds \nthat there has been notable progress. Two new industry-funded surveys \nof commercial Web sites suggest that online businesses are providing \nsignificantly more notice of their information practices than they were \nlast year. 
Sixty-six percent of the sites in the Georgetown Internet \nPrivacy Policy Survey (``GIPPS\'\') <SUP>13</SUP> post at least one \ndisclosure about their information practices.<SUP>14</SUP> Forty-four \npercent of these sites post privacy policy notices.<SUP>15</SUP> \nAlthough differences in sampling methodology prevent direct comparisons \nbetween the GIPPS findings and the Commission\'s 1998 \nresults,<SUP>16</SUP> the GIPPS Report does demonstrate the real \nprogress industry has made in giving consumers notice of at least some \ninformation practices. Similarly, 93% of the sites in the recent study \ncommissioned by the Online Privacy Alliance (``OPA Study\'\') provide at \nleast one disclosure about their information practices.<SUP>17</SUP> \nThis, too, represents continued progress since last year, when 71% of \nthe sites in the Commission\'s 1998 ``Most Popular\'\' sample posted an \ninformation practice disclosure.<SUP>18</SUP>\n    The new survey results show, however, that, despite the laudable \nefforts of industry leaders, significant challenges remain. The vast \nmajority of the sites in both the GIPPS and OPA surveys collect \npersonal information from consumers online.<SUP>19</SUP> By contrast, \nonly 10% of the sites in the GIPPS sample,<SUP>20</SUP> and only 22% of \nthe sites in the OPA study,<SUP>21</SUP> are implementing all four \nsubstantive fair information practice principles of Notice/Awareness, \nChoice/Consent, Access/Participation, and Security/\nIntegrity.<SUP>22</SUP> In light of these results, the Commission \nbelieves that further improvement is required to effectively protect \nconsumers\' online privacy.\n    In the Commission\'s view, the emergence of online privacy seal \nprograms is a particularly promising development in self-regulation. \nHere, too, industry faces a considerable challenge. 
TRUSTe, launched \nnearly two years ago, currently has more than 500 licensees \nrepresenting a variety of industries.<SUP>23</SUP> BBBOnLine, a \nsubsidiary of the Council of Better Business Bureaus, which launched \nits privacy seal program for online businesses last March, currently \nhas 54 licensees and more than 300 applications for \nlicenses.<SUP>24</SUP> Several other online privacy seal programs are \njust getting underway.<SUP>25</SUP> Together, the online privacy seal \nprograms currently encompass only a handful of all Web sites. It is too \nearly to judge how effective these programs will ultimately be in \nserving as enforcement mechanisms to protect consumers\' online privacy.\n\n                            III. CONCLUSION\n\n    The self-regulatory initiatives discussed above, and described in \ngreater detail in the 1999 Report, reflect industry leaders\' \nsubstantial effort and commitment to fair information practices. They \nshould be commended for these efforts.\n    In addition, companies like IBM, Microsoft and Disney, which have \nrecently announced, among other things, that they will forgo \nadvertising on sites that do not adhere to fair information practices \nshould be recognized for their efforts, which we hope will be emulated \nby their colleagues. Similarly, the Direct Marketing Association (DMA) \nis now requiring its members to follow a set of consumer privacy \nprotection practices, including providing notice and an opportunity to \nopt-out, when identifying information is shared with other marketers, \nand to use the DMA\'s two national services for removing consumers\' \nnames from marketing lists.\n    Enforcement mechanisms that go beyond \nself-assessment are also gradually being implemented by the seal \nprograms. Only a small minority of commercial Web sites, however, have \njoined these programs to date. 
Similarly, although the results of the \nGIPPS and OPA studies show that many online companies now understand \nthe business case for protecting consumer privacy, they also show that \nthe implementation of fair information practices is not widespread \namong commercial Web sites.\n    As stated previously, the Commission believes that legislation to \naddress online privacy is not appropriate at this time. Yet, we also \nbelieve that industry faces some substantial challenges. Specifically, \nthe present challenge is to educate those companies which still do not \nunderstand the importance of consumer privacy and to create incentives \nfor further progress toward effective, widespread implementation.\n    First, industry groups must continue to encourage widespread \nadoption of fair information practices. Second, industry should focus \nits attention on the substance of web site information practices, \nensuring that companies adhere to the core privacy principles discussed \nearlier. It may also be appropriate, at some point in the future, for \nthe FTC to examine the online privacy seal programs and report to \nCongress on whether these programs provide effective privacy \nprotections for consumers.\n    Finally, industry must work together with government and consumer \ngroups to educate consumers about privacy protection on the Internet. \nThe ultimate goal of such efforts, together with effective self-\nregulation, will be heightened consumer acceptance and confidence. 
\nIndustry should also redouble its efforts to develop effective \ntechnology to provide consumers with tools they can use to safeguard \ntheir own privacy online.\n    The Commission has developed an agenda to address online privacy \nissues throughout the coming year as a way of encouraging and, \nultimately, assessing further progress in self-regulation to protect \nconsumer online privacy:\n    <bullet> The Commission will hold a public workshop on ``online \nprofiling,\'\' the practice of aggregating information about consumers\' \npreferences and interests gathered primarily by tracking their \nmovements online. The workshop, jointly sponsored by the U.S. \nDepartment of Commerce, will examine online advertising firms\' use of \ntracking technologies to create targeted, user profile-based \nadvertising campaigns.\n    <bullet> The Commission will hold a public workshop on the privacy \nimplications of electronic identifiers that enhance Web sites\' ability \nto track consumers\' online behavior.\n    <bullet> In keeping with its history of fostering dialogue on \nonline privacy issues among all stakeholders, the Commission will \nconvene task forces of industry representatives and privacy and \nconsumer advocates to develop strategies for furthering the \nimplementation of fair information practices in the online environment.\n\n         One task force will focus upon understanding the costs and \n        benefits of implementing fair information practices online, \n        with particular emphasis on defining the parameters of the \n        principles of consumer access to data and adequate security.\n         A second task force will address how incentives can be \n        created to encourage the development of privacy-enhancing \n        technologies, such as the World Wide Web Consortium\'s Platform \n        for Privacy Preferences (P3P).\n\n    <bullet> The Commission, in partnership with the U.S. 
Department of \nCommerce, will promote private sector business education initiatives \ndesigned to encourage new online entrepreneurs engaged in commerce on \nthe Web to adopt fair information practices.\n    <bullet> Finally, the Commission believes it is important to \ncontinue to monitor the progress of self-regulation, to determine \nwhether the self-regulatory programs discussed in the 1999 Report \nfulfill their promise. To that end, the Commission will conduct an \nonline survey to reassess progress in Web sites\' implementation of fair \ninformation practices, and will report its findings to Congress.\n    The Commission is committed to the goal of full implementation of \neffective protections for online privacy in a manner that promotes a \nflourishing online marketplace, and looks forward to working with the \nSubcommittee as it considers the Commission\'s 1999 Report.\n                               __________\n\n                                ENDNOTES\n\n    1. The Commission vote to issue this testimony was 3-1, with \nCommissioner Anthony concurring in part and dissenting in part. \nCommissioner Anthony\'s statement is attached to the testimony. My oral \ntestimony and responses to questions you may have reflect my own views \nand are not necessarily the views of the Commission or any \nCommissioner.\n    2. 15 U.S.C. Sec. 45(a).\n    3. The Commission does not have criminal law enforcement authority. \nFurther, certain entities, such as banks, savings and loan \nassociations, and common carriers, as well as the business of insurance \nare wholly or partially exempt from Commission jurisdiction. See \nSection 5(a)(2) of the FTC Act, 15 U.S.C. Sec. 45(a)(2), and the \nMcCarran-Ferguson Act, 15 U.S.C. Sec. 1012(b).\n    4. 15 U.S.C. Sec. 46(a). However, the Commission\'s authority to \nconduct studies and prepare reports relating to the business of \ninsurance is limited. According to 15 U.S.C. Sec. 
46(a): ``The \nCommission may exercise such authority only upon receiving a request \nwhich is agreed to by a majority of the members of the Committee on \nCommerce, Science, and Transportation of the Senate or the Committee on \nEnergy and Commerce of the House of Representatives. The authority to \nconduct any such study shall expire at the end of the Congress during \nwhich the request for such study was made.\'\'\n    The Commission also has responsibility under approximately forty \nadditional statutes governing specific industries and practices. These \ninclude, for example, the Truth in Lending Act, 15 U.S.C. \nSec. Sec. 1601 et seq., which mandates disclosures of credit terms, \nand the Fair Credit Billing Act, 15 U.S.C. Sec. Sec. 1666 et seq., \nwhich provides for the correction of billing errors on credit accounts. \nThe Commission also enforces over 30 rules governing specific \nindustries and practices, e.g., the Used Car Rule, 16 C.F.R. Part 455, \nwhich requires used car dealers to disclose warranty terms via a window \nsticker; the Franchise Rule, 16 C.F.R. Part 436, which requires the \nprovision of information to prospective franchisees; and the \nTelemarketing Sales Rule, 16 C.F.R. Part 310, which defines and \nprohibits deceptive telemarketing practices and other abusive \ntelemarketing practices.\n    5. The Commission held its first public workshop on online privacy \nin April 1995. In a series of hearings held in October and November \n1995, the Commission examined the implications of globalization and \ntechnological innovation for competition issues and consumer protection \nissues, including privacy concerns. 
At a public workshop held in June \n1996, the Commission examined Web site practices in the collection, \nuse, and transfer of consumers\' personal information; self-regulatory \nefforts and technological developments to enhance consumer privacy; \nconsumer and business education efforts; the role of government in \nprotecting online information privacy; and special issues raised by the \nonline collection and use of information from and about children. The \nCommission held a second workshop in June 1997 to explore issues raised \nby individual reference services, as well as issues relating to \nunsolicited commercial e-mail, online privacy generally, and children\'s \nonline privacy.\n    These efforts have served as a foundation for dialogue among \nmembers of the information industry and online business community, \ngovernment representatives, privacy and consumer advocates, and experts \nin interactive technology. Further, the Commission and its staff have \nissued reports describing various privacy concerns in the electronic \nmarketplace. See, e.g., Individual Reference Services: A Federal Trade \nCommission Report to Congress (December 1997); FTC Staff Report: Public \nWorkshop on Consumer Privacy on the Global Information Infrastructure \n(December 1996); FTC Staff Report: Anticipating the 21st Century: \nConsumer Protection Policy in the New High-Tech, Global Marketplace \n(May 1996).\n    The Commission has also brought enforcement actions under Section 5 \nof the Federal Trade Commission Act to address deceptive online \ninformation practices. 
In 1998 the Commission announced its first \nInternet privacy case, in which GeoCities, operator of one of the most \npopular sites on the World Wide Web, agreed to settle Commission \ncharges that it had misrepresented the purposes for which it was \ncollecting personal identifying information from children and adults \nthrough its online membership application form and registration forms \nfor children\'s activities on the GeoCities site. The settlement, which \nwas made final in February 1999, prohibits GeoCities from \nmisrepresenting the purposes for which it collects personal identifying \ninformation from or about consumers, including children. It also \nrequires GeoCities to post a prominent privacy notice on its site, to \nestablish a system to obtain parental consent before collecting \npersonal information from children, and to offer individuals from whom \nit had previously collected personal information an opportunity to have \nthat information deleted. GeoCities, Docket No C-3849 (Feb 12, 1999) \n(Final Decision and Order available at http://www.ftc.gov/os/1999/9902/\n9823015d&o.htm)\n    In its second Internet privacy case, the Commission recently \nannounced for public comment a settlement with Liberty Financial \nCompanies, Inc., operator of the Young Investor Web site. The \nCommission alleged, among other things, that the site falsely \nrepresented that personal information collected from children, \nincluding information about family finances, would be maintained \nanonymously. In fact, this information was maintained in identifiable \nform. The consent agreement would require Liberty Financial to post a \nprivacy policy on its children\'s sites and obtain verifiable consent \nbefore collecting personal identifying information from children. \nLiberty Financial, Case No. 
9823522 (proposed consent agreement \navailable at http://www.ftc.gov/os/1999/9905/1btyord.htm.)\n    Since the fall of 1994, the Federal Trade Commission has brought 91 \nlaw enforcement actions against over 200 companies and individuals to \nhalt fraud and deception on the Internet. The FTC has not only attacked \ntraditional schemes that have moved online, like pyramid and credit \nrepair schemes, but in addition, the FTC has brought suit against modem \nhijacking, fraudulent e-mail marketing, and other hi-tech schemes that \ntake unique advantage of the Internet. The Commission pioneered the \n``Surf Day\'\' concept and has searched the Net in tandem with law \nenforcement colleagues around the world, targeting specific problems \nand warning consumers and new entrepreneurs about what the law \nrequires. The Commission has also posted ``teaser pages\'\' online, i.e., \nfake scam sites that give consumers education just when they are about \nto fall victim to an Internet ruse.\n    6. The Report is available on the Commission\'s Web site at http://\nwww.ftc.gov/reports/privacy3/index.htm.\n    7. 1998 Report at 41.\n    8. Title XIII, Omnibus Consolidated and Emergency Supplemental \nAppropriations Act, 1999, Pub L No 105-277, 112 Stat 2681,____ (Oct. \n21, 1998), reprinted at 144 Cong Rec H11240-42 (Oct. 19, 1998). 
The Act \nrequires, inter alia, that operators of Web sites directed to children \nunder 13 or who knowingly collect personal information from children \nunder 13 on the Internet: (1) provide parents notice of their \ninformation practices; (2) obtain prior, verifiable parental consent \nfor the collection, use, and/or disclosure of personal information from \nchildren (with certain limited exceptions); (3) upon request, provide a \nparent with the ability to review the personal information collected \nfrom his/her child; (4) provide a parent with the opportunity to \nprevent the further use of personal information that has already been \ncollected, or the future collection of personal information from that \nchild; (5) limit collection of personal information for a child\'s \nonline participation in a game, prize offer, or other activity to \ninformation that is reasonably necessary for the activity; and (6) \nestablish and maintain reasonable procedures to protect the \nconfidentiality, security, and integrity of the personal information \ncollected.\n    9. 64 Fed Reg. 22750 (1999) (to be codified at 16 C.F.R. pt 312).\n    10. Commission testimony on Consumer Privacy on the World Wide Web \nbefore the House Subcommittee on Telecommunications, Trade and Consumer \nProtection, Committee on Commerce (July 21, 1998) (available at http://\nwww.ftc.gov/os/1998/9807/privac98.htm). The Commission also presented a \nlegislative model that Congress could consider in the event that then-\nnascent self-regulatory efforts did not result in widespread \nimplementation of self-regulatory protections. Id. at 5-7.\n    11. A copy of the Report is attached as an appendix. The Report is \navailable on the Commission\'s Web site at www.ftc.gov/reports/\nprivacy99/index.html. 
In addition, the Commission testified on July 13, \n1999 before the Subcommittee on Telecommunications, Trade, and Consumer \nProtection of the House Committee on Commerce on Self-Regulation and \nPrivacy Online (www.ftc.gov/os/1999/9907/pt071399.htm). The Commission \nalso presented testimony on July 21, 1999 before the Subcommittee on \nFinancial Institutions and Consumer Credit of the House Committee on \nBanking and Financial Services on Financial Privacy, the Fair Credit \nReporting Act, and H.R. 10 (www.ftc.gov/os/1999/9907/fcrahr10.htm). The \nCommission vote to issue that testimony and the Report was 3-1, with \nCommissioner Anthony concurring in part and dissenting in part. \nCommissioner Anthony\'s statement and Commissioner Swindle\'s concurring \nstatement were attached to the documents.\n    12. This aspect of the bill is consistent with the model \nrecommended by the Commission in its July 21, 1998 testimony.\n    13. The report is available at http://www.msb.edu/faculty/culnanm/\ngippshome.html [hereinafter ``GIPPS Report\'\']. The following analysis \nis based upon the Commission\'s review of the GIPPS Report itself; \nCommission staff did not have access to the underlying GIPPS data.\n    14. GIPPS Report, App. A at 5.\n    15. Id.\n    16. The GIPPS Report discusses findings on the information \npractices of 361 Web Sites drawn from a list of the 7,500 busiest \nservers on the World Wide Web. The list, a ranking of servers by number \nof unique visitors for the month of January 1999, was compiled by Media \nMetrix, a site traffic measurement company. As larger sites are more \nlikely to have multiple servers, the largest sites on the Web had a \ngreater chance of being selected for inclusion in the sample drawn for \nthe GIPPS survey. See GIPPS Report, App. A at 2; App. B at 9 n.iii. 
The \nCommission\'s 1998 Comprehensive Sample was drawn at random from all \nU.S., ``.com\'\' sites in the Dun & Bradstreet Electronic Commerce \nRegistry, with the exception of insurance industry sites. 1998 Report, \nApp. A at 2. Unlike the Media Metrix list used in the GIPPS sample, the \nDun & Bradstreet Registry does not rank sites on the basis of user \ntraffic.\n    17. Online Privacy Alliance, Privacy and the Top 100 Sites: A \nReport to the Federal Trade Commission at 3, 8 (1999) (available at \nhttp://www.msb.edu/faculty/culnanm/gippshome.html). The following \nanalysis is based upon the Commission\'s review of the OPA Study report \nitself; Commission staff did not have access to the underlying OPA \nStudy data.\n    18. 1998 Report at 28.\n    19. Ninety-three percent of the sites in the GIPPS survey, GIPPS \nReport, App. A at 3, and 99% of the sites in the OPA Study, OPA Study \nat 3, 5, collect personal information from consumers.\n    20. The GIPPS results show that thirty-six sites in the sample (or \n10%) posted at least one survey element, or disclosure, for each of the \nfour substantive fair information practices. GIPPS Report at 10 and \nApp. A at 12 (Table 8C). Thirty-two of these sites (or 89%) also posted \ncontact information. Id. Georgetown University Professor Mary Culnan, \nauthor of the GIPPS Report, reports the number of sites posting \ndisclosures for the four substantive fair information practice \nprinciples and for contact information in two additional ways: as a \npercentage of sites in the sample that collect at least one type of \npersonal information (95%); and as a percentage of sites in the sample \nthat both collect at least one type of personal information and post a \ndisclosure (13.6%). GIPPS Report, App. A at 12 (Table 8C).\n    21. Twenty-two sites in the OPA Study (or 22%) posted at least one \nsurvey element, or disclosure, for each of the four substantive fair \ninformation practices. OPA Study at 9-10 and App. 
A at 10 (Table 6C). \nNineteen of these sites (or 19%) also posted contact information. Id. \nProfessor Culnan also reports the number of sites posting disclosures \nfor the four substantive fair information practice principles in two \nadditional ways: as a percentage of sites in the sample that collect at \nleast one type of personal information (22.2%); and as a percentage of \nsites in the sample that both collect at least one type of personal \ninformation and post a disclosure (23.7%). OPA Study, App. A at 10 \n(Table 6C).\n    22. The Commission\'s 1998 Report discussed the fair information \npractice principles developed by government agencies in the United \nStates, Canada, and Europe since 1973, when the United States \nDepartment of Health, Education, and Welfare released its seminal \nreport on privacy protections in the age of data collection, Records, \nComputers, and the Rights of Citizens. 1998 Report at 7-11. In addition \nto the HEW Report, the major reports setting forth the core fair \ninformation practice principles are: The U.S. Privacy Protection Study \nCommission, Personal Privacy in an Information Society (1977); \nOrganization for Economic Cooperation and Development, OECD Guidelines \non the Protection of Privacy and Transborder Flows of Personal Data \n(1980); U.S. Information Infrastructure Task Force, Information Policy \nCommittee, Privacy Working Group, Privacy and the National Information \nInfrastructure: Principles for Providing and Using Personal Information \n(1995); U.S. Dept of Commerce, Privacy and the NII: Safeguarding \nTelecommunications-Related Personal Information (1995); The European \nUnion Directive on the Protection of Personal Data (1995); and the \nCanadian Standards Association, Model Code for the Protection of \nPersonal Information: A National Standard of Canada (1996). 
The 1998 \nReport identified the core principles of privacy protection common to \nthese government reports, guidelines, and model codes: (1) Notice/\nAwareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/\nSecurity; and (5) Enforcement/Redress. 1998 Report at 7-11.\n    The Notice/Awareness principle is the most fundamental: consumers \nmust be given notice of a company\'s information practices before \npersonal information is collected from them. The scope and content of \nthe notice will vary with a company\'s substantive information \npractices, but the notice itself is essential. The other core \nprinciples have meaning only if a consumer has notice of an entity\'s \ninformation practices and his or her rights with respect thereto. Id. \nat 7.\n    The Choice/Consent principle requires that consumers be given \noptions with respect to whether and how personal information collected \nfrom them may be used. Although choice in this context has been \ntraditionally thought of as either ``opt-in\'\' (prior consent for use of \ninformation) or ``opt-out\'\' (limitation upon further use of \ninformation), id. at 9, interactive media hold the promise of making \nthis paradigm obsolete through developments in technology. Id. The \nAccess/Participation principle requires that consumers be given \nreasonable access to information collected about them and the ability \nto contest that data\'s accuracy and completeness. Id.\n    The Integrity/Security principle requires that companies take \nreasonable steps to assure that information collected from consumers is \naccurate and secure from unauthorized use. Id. at 10. Finally, the \neffectiveness of the foregoing privacy protections is dependent upon \nimplementation of the Enforcement/Redress principle, which requires \ngovernmental and/or self-regulatory mechanisms to impose sanctions for \nnoncompliance with fair information practices. Id. at 10-11. 
The 1998 \nReport assessed existing self-regulatory efforts in light of these fair \ninformation practice principles.\n    23. Information about TRUSTe is taken from materials posted on \nTRUSTe\'s Web site, http://www.TRUSTe.org, and from public statements by \nTRUSTe staff. Several hundred additional companies have joined the \nTRUSTe program but are not yet fully licensed. See ``TRUSTe Testifies \nBefore House Judiciary Committee,\'\' May 27, 1999 (press release \navailable at http://www.TRUSTe.org/about/about--committee.html).\n    24. Information about BBBOnline is taken from materials posted on \nthe BBBOnline Web site, located at http://www.bbbonline.com, and from \nother public documents and statements by BBBOnLine staff.\n    25. CPA WebTrust, the online privacy seal program created by the \nAmerican Institute of Certified Public Accountants (AICPA) and the \nCanadian Institute of Chartered Accountants, currently has 19 licensees \n(program description available at http://www.cpawebtrust.org). The \nElectronic Software Rating Board\'s ESRB Privacy Online program was \nlaunched on June 1, 1999 (description available at http://\nwww.esrb.org).\n                               __________\n                                                 Microsoft,\n                                    Washington, DC., July 30, 1999.\nHon. Richard H. Bryan,\nU.S. 
Senate,\nWashington, DC.\n\n    Re: The Communications Subcommittee\'s July 27 Hearing on Privacy on \nthe Internet\n\n    Dear Senator Bryan: This is to respond to a statement made by the \nAmerica Online witness at the Subcommittee\'s July 27 hearing on \n``Privacy on the Internet.\'\' The statement was made in response to your \nquestion about AOL\'s current dispute with Microsoft and others in the \nInternet community over ``instant messaging\'\' services.\n    We understand that you asked AOL witness Jill Lesser whether her \ncompany\'s efforts to block the interoperation of AOL Instant Messenger \nwith new instant messaging services such as our own--thereby closing \noff the AOL service from competing services--contradict AOL\'s argument \nthat cable operators should open their new digital networks to \ncompeting internet service providers. The AOL witness defended her \ncompany\'s actions by alleging, among other things, that Microsoft had \nnot spoken to AOL about our desire to foster interoperability in this \narea.\n    Ms. Lesser might not have had all of the facts at her disposal. As \nfar back as late 1997, Microsoft and AOL personnel engaged in lengthy \ndiscussions about Microsoft\'s interest in working with AOL on new, \ninteroperable instant messaging technologies. Those discussions did not \nbear fruit. Subsequently, Microsoft personnel participated in, and \ncontinue to participate in, an undertaking by the Internet Engineering \nTask Force to develop interoperability standards for instant messaging. \nIETF is one of the Internet\'s recognized standards bodies, and its \nactions are based on consensus among interested parties from the \nInternet community. 
With respect to instant messaging, we understand \nthat AOL personnel had been invited on several occasions to participate \nin IETF deliberations on interoperability, but that the company had \nopted not to join.\n    Although the AOL misstatement does not relate to Internet privacy, \nwe respectfully request that you ask for this letter to be inserted \ninto the record of the hearing so that it accurately reflects what has \ntranspired on this separate matter. Thank you.\n            Sincerely,\n                                  Jack Krumholtz, Director,\n              Federal Government Affairs Senior Corporate Attorney.\n                               __________\n\n        Self-Regulation and Privacy Online: A Report to Congress\n\n                     I. INTRODUCTION AND BACKGROUND\n\n    In June 1998 the Federal Trade Commission issued Privacy Online: A \nReport to Congress (``1998 Report\'\'), an examination of the information \npractices of commercial sites on the World Wide Web and of industry\'s \nefforts to implement self-regulatory programs to protect consumers\' \nonline privacy.<SUP>1</SUP> Based in part on its extensive survey of \nover 1400 commercial Web sites, the Commission concluded that effective \nself-regulation had not yet taken hold.<SUP>2</SUP> In both the 1998 \nReport and in subsequent testimony before Congress, the Commission \nraised concerns about protecting the privacy of children\'s personal \ninformation online and recommended that Congress pass legislation to \naddress these concerns.<SUP>3</SUP> In its testimony, the Commission \nalso raised concerns about the progress of industry self-regulation, \nbut noted that industry leaders had indicated their commitment to work \ntoward self-regulatory solutions. 
Accordingly, the Commission did not \nrecommend legislative action in the area of online privacy for \nconsumers generally, and instead urged industry to focus on developing \nand implementing broad-based and effective self-regulatory \nprograms.<SUP>4</SUP>\n    In the ensuing year, there have been important developments both in \nthe growth of the Internet as a commercial marketplace and in \nconsumers\' and industry\'s responses to the privacy issues posed by the \nonline collection of personal information. The Commission has examined \nthese developments and now presents its views on the progress made in \nself-regulation since last June, as well as its plans to encourage \nindustry\'s full implementation of online privacy protections.\n\nA. The Growth of Electronic Commerce\n    Commerce on the World Wide Web is booming. The United States \nDepartment of Commerce recently announced that online sales tripled \nfrom approximately $3 billion in 1997 to approximately $9 billion in \n1998.<SUP>5</SUP> Online revenues of North American retailers in the \nfirst half of 1998 were approximately $4.4 billion.<SUP>6</SUP> Online \nadvertising revenues have grown from $906.5 million in 1996 to $1.92 \nbillion in 1998.<SUP>7</SUP> In 1998, revenues for Internet advertising \nexceeded those for advertising on outdoor billboards.<SUP>8</SUP> It is \nestimated that almost 80 million adults in the United States are using \nthe Internet.<SUP>9</SUP> They are finding a vast array of products, \nservices, and information in a marketplace that has experienced \nexponential growth since its beginnings only a few years ago.\n    The Web is also a rich source of information about online \nconsumers. Web sites collect much personal information both explicitly, \nthrough registration pages, survey forms, order forms, and online \ncontests, and by using software in ways that are not obvious to online \nconsumers. 
Through ``cookies'' and tracking software, Web site owners
are able to follow consumers' online activities and gather information
about their personal interests and preferences. These data have proved
extremely valuable to online companies because they not only enable
merchants to target market products and services that are increasingly
tailored to their visitors' interests, but also permit companies to
boost their revenues by selling advertising space on their Web
sites.<SUP>10</SUP> In fact, an entire industry has emerged to market a
variety of software products designed to assist Web sites in collecting
and analyzing visitor data and in serving targeted
advertising.<SUP>11</SUP>

B. Consumer Privacy Concerns
    Notwithstanding the substantial benefits that consumers may derive
from using the Internet, consumers still care deeply about the privacy
of their personal information in the online marketplace. Eighty-seven
percent of U.S. respondents in a recent survey of experienced Internet
users stated that they were somewhat or very concerned about threats to
their privacy online.<SUP>12</SUP> Seventy percent of the respondents
in a recent national survey conducted for the National Consumers League
reported that they were uncomfortable providing personal information to
businesses online.<SUP>13</SUP> Consumers are particularly concerned
about potential transfers to third parties of the personal information
they have given to online businesses.<SUP>14</SUP> It is not surprising
that only about one-quarter of Internet users go beyond merely browsing
for information to actually purchasing goods and services
online.<SUP>15</SUP>

            II. THE COMMISSION'S APPROACH TO ONLINE PRIVACY

    For almost as long as there has been an online marketplace, the
Commission has been deeply involved in addressing online privacy
issues.<SUP>16</SUP> The Commission's goal has been to understand this
new marketplace and its information practices, to assess the impact of
these practices on consumers, and to encourage and facilitate effective
self-regulation as the preferred approach to protecting consumer
privacy online. The Commission's efforts have been based on the belief
that greater protection of personal privacy on the Web will not only
benefit consumers, but also benefit industry by increasing consumer
confidence and ultimately their participation in the online
marketplace.
    The Commission's 1998 Report discussed the fair information
practice principles developed by government agencies in the United
States, Canada, and Europe since 1973, when the United States
Department of Health, Education, and Welfare released its seminal
report on privacy protections in the age of data collection, Records,
Computers, and the Rights of Citizens.<SUP>17</SUP> The 1998 Report
identified the core principles of privacy protection common to the
government reports, guidelines, and model codes that have emerged since
1973: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation;
(4) Integrity/Security; and (5) Enforcement/Redress.<SUP>18</SUP>
    The Notice/Awareness principle is the most fundamental: consumers
must be given notice of a company's information practices before
personal information is collected from them. The scope and content of
the notice will vary with a company's substantive information
practices, but the notice itself is essential.
The other core
principles have meaning only if a consumer has notice of an entity's
information practices and his or her rights with respect thereto.
    The other core principles are briefly summarized here. The
Choice/Consent principle requires that consumers be given options with
respect to whether and how personal information collected from them may
be used.<SUP>19</SUP> The Access/Participation principle requires that
consumers be given reasonable access to information collected about
them and the ability to contest that data's accuracy and
completeness.<SUP>20</SUP> The Integrity/Security principle requires
that companies take reasonable steps to assure that information
collected from consumers is accurate and secure from unauthorized
use.<SUP>21</SUP> Finally, the effectiveness of the foregoing privacy
protections is dependent upon implementation of the Enforcement/Redress
principle, which requires governmental and/or self-regulatory
mechanisms to impose sanctions for noncompliance with fair information
practices.<SUP>22</SUP>
    The 1998 Report assessed existing self-regulatory efforts in light
of these fair information practice principles and set out the findings
of the Commission's extensive survey of commercial Web sites'
information practices.
The survey found that, although the vast
majority of sites collected personal information from consumers--92% in
the sample representing all U.S.-based commercial sites likely to be of
interest to consumers--only 14% posted any disclosure regarding their
information practices, and only 2% posted a comprehensive privacy
policy.<SUP>23</SUP> The results of the Commission's census of the
busiest sites on the World Wide Web were more positive: while 97%
collected personal information, 71% posted a disclosure and 44% posted
a comprehensive privacy policy.<SUP>24</SUP> The Commission's survey of
sites directed to children revealed that 89% collected personal
information from children, 24% posted privacy policies and only 1%
required parental consent prior to the collection or disclosure of
children's information.<SUP>25</SUP>
    The 1998 Report concluded that an effective self-regulatory system
had yet to emerge and that additional incentives were required in order
to ensure that consumer privacy would be protected. Noting its
particular concern about the vulnerability of children, the Commission
recommended that Congress adopt legislation setting forth standards for
the online collection of information from children. Furthermore, in
Congressional testimony last July, the Commission deferred judgment on
the need for legislation to protect the online privacy of adult
consumers, but presented a legislative model that Congress could
consider if industry failed to develop and implement effective
self-regulatory measures.<SUP>26</SUP>

                      III. CONGRESSIONAL RESPONSE

    On October 21, 1998, the President signed into law the Children's
Online Privacy Protection Act of 1998 (``COPPA'').<SUP>27</SUP> The
Act, passed by Congress just four months after the Commission's 1998
Report, requires that operators of Web sites directed to children under
13 or who knowingly collect personal information from children under 13
on the Internet: (1) provide parents notice of their information
practices; (2) obtain prior, verifiable parental consent for the
collection, use, and/or disclosure of personal information from
children (with certain limited exceptions); (3) upon request, provide a
parent with the ability to review the personal information collected
from his/her child; (4) provide a parent with the opportunity to
prevent the further use of personal information that has already been
collected, or the future collection of personal information from that
child; (5) limit collection of personal information for a child's
online participation in a game, prize offer, or other activity to
information that is reasonably necessary for the activity; and (6)
establish and maintain reasonable procedures to protect the
confidentiality, security, and integrity of the personal information
collected.<SUP>28</SUP> The Act directs the Commission to adopt within
one year regulations implementing these requirements.<SUP>29</SUP>
    On April 20, 1999, the Commission issued a proposed Children's
Online Privacy Protection Rule and is now in the midst of this
rulemaking effort.<SUP>30</SUP> The proposed rule requires Web site
operators to post prominent links on their Web sites to a notice of how
they collect and use personal information from children under the age
of 13, and sets out, among other things, standards for complying with
the Act's notice, parental consent, and access
requirements.<SUP>31</SUP> As required by the COPPA, the proposed rule
also includes a safe
harbor provision under which industry groups or
others may seek Commission approval for self-regulatory guidelines. Web
site operators who participate in such approved programs may be subject
to the review and disciplinary procedures provided in those guidelines
in lieu of formal Commission investigation and law
enforcement.<SUP>32</SUP> The safe harbor would serve both as an
incentive for industry self-regulation, and as a means of ensuring that
the Act's protections are implemented in a manner sensitive to
industry-specific concerns and developments in technology. Commission
staff is reviewing comments on the proposed rule and will hold a public
workshop this month to solicit further discussion and comment on the
issue of verifiable parental consent. The Commission will issue a final
rule this fall.

         IV. THE STATE OF ONLINE PRIVACY SELF-REGULATION TODAY

    As noted in the Commission's 1998 Report, self-regulation is the
least intrusive and most efficient means to ensure fair information
practices, given the rapidly evolving nature of the Internet and
computer technology. During the past year the Commission has been
monitoring self-regulatory initiatives to address the privacy concerns
of online consumers. In some areas, there has been much progress. The
results of two new surveys of commercial Web sites suggest that online
businesses are providing significantly more notice of their information
practices than they were last year. In addition, several significant
and promising self-regulatory programs, including privacy seal
programs, are underway.
    There are also major challenges for self-regulation. The new survey
results show that, despite the laudable efforts of industry leaders,
the vast majority of even the busiest Web sites have not implemented
all four substantive fair information practice principles of
Notice/Awareness, Choice/Consent, Access/Participation, and
Security/Integrity.
In addition, the seal programs discussed below currently
encompass only a handful of all Web sites. Thus, it is too early to
judge how effective these programs will ultimately be in serving as
enforcement mechanisms to protect consumers' online privacy.
    The Commission believes that there are additional steps that it can
take, together with industry, and consumer and privacy groups, to build
upon the progress in self-regulation to date and to work toward full
implementation of effective online privacy protections. Some recent
developments and plans for future work to achieve this goal are
discussed below.

A. Recent Assessments of Web Sites' Compliance With Fair Information
        Practice Principles
    Professor Mary Culnan of the McDonough School of Business at
Georgetown University recently announced the results of two
industry-funded surveys of commercial Web sites, conducted during the
week of March 8, 1999. The Georgetown Internet Privacy Policy Survey
(``GIPPS'')<SUP>33</SUP> reports findings on the information practices
of 361 Web sites drawn from a list of the 7,500 busiest servers on the
World Wide Web.<SUP>34</SUP> Ninety-three percent of the sites in this
survey collect personal information from consumers, and 66% post at
least one disclosure about their information practices.<SUP>35</SUP>
Forty-four percent of these sites post privacy policy
notices.<SUP>36</SUP> Although differences in sampling methodology
prevent direct comparisons between the GIPPS findings and the
Commission's 1998 results,<SUP>37</SUP> the GIPPS Report does
demonstrate the real progress industry has made in giving consumers
notice of at least some information practices.
On the other hand, only
10% of the sites in the GIPPS sample are implementing all four
substantive fair information practice principles of Notice/Awareness,
Choice/Consent, Access/Participation, and Security/Integrity.<SUP>38</SUP>
The GIPPS Report findings discussed above are summarized in Figure 1.
    Professor Culnan also conducted a census of the top 100 Web sites
commissioned by the Online Privacy Alliance, a coalition of more than
eighty online companies and trade associations that formed early in
1998 to encourage self-regulation in this area (``OPA
Study'').<SUP>39</SUP> As is true of the GIPPS sample, nearly all (99%)
of the sites in the OPA Study collect personal information from
consumers. Ninety-three percent of these sites provide at least one
disclosure about their information practices, while 81% of these sites
post privacy policy notices.<SUP>40</SUP> This represents continued
progress since last year, when 71% of the sites in the Commission's
1998 ``Most Popular'' sample posted an information practice
disclosure.<SUP>41</SUP> Only 22% of the sites in the OPA study address
all four of the substantive fair information practice principles of
Notice/Awareness, Choice/Consent, Access/Participation and
Security/Integrity, however.<SUP>42</SUP> These OPA Study findings are
summarized in Figure 1.

                                Figure 1
------------------------------------------------------------------------
                                                   1999 GIPPS   1999 OPA
                                                       Report      Study
------------------------------------------------------------------------
Number of sites in sample.........................        361        100
Number of sites collecting personal information...        337         99
Percent of sites in sample collecting personal
  information.....................................        93%        99%
Number of sites posting any privacy disclosure....        238         93
Percent of sites in sample posting any privacy
  disclosure......................................        66%        93%
Number of sites posting a privacy policy notice...        157         81
Percent of sites in sample posting a privacy
  policy notice...................................        44%        81%
Number of sites posting a disclosure for all four
  substantive fair information practice principles         36         22
Percent of sites in sample posting a disclosure
  for all four substantive fair information
  practice principles.............................        10%        22%
------------------------------------------------------------------------

    The GIPPS and OPA Study results suggest that the majority of the
more frequently-visited Web sites are implementing the basic
Notice/Awareness principle by disclosing at least some of their
information practices. The findings also indicate, however, that only a
relatively small percentage of these sites is disclosing information
practices that address all four substantive fair information practice
principles. Both studies indicate that there has been real progress
since the Commission issued its 1998 Report. Nevertheless, the low
percentage of sites in both studies that address all four substantive
fair information practice principles demonstrates that further
improvement is required to effectively protect consumers' online
privacy.

B. The Online Privacy Alliance <SUP>43</SUP>
    On June 22, 1998, the Online Privacy Alliance (OPA), a coalition of
industry groups, announced its Online Privacy Guidelines, which apply
to individually identifiable information collected online from
consumers.<SUP>44</SUP> Pursuant to these guidelines, OPA members agree
to adopt and implement a posted privacy policy that provides
comprehensive notice of their information practices. The notice
includes a statement of what information is being collected from
consumers and how it is being used; whether the information will be
disclosed to third parties; consumers' choices regarding the
collection, use and distribution of the information; data security
measures; and the steps taken to ensure data quality and access to
information. The OPA Guidelines also include provisions on choice,
feasible consumer access to identifiable information, and data
security, and call for self-enforcement mechanisms, such as online seal
programs, that provide consumers with redress.
    The OPA Guidelines have been used by the leading privacy seal
programs, which have adapted them to fit their own program
requirements. Unlike the seal programs, however, the OPA does not
monitor members' compliance or provide sanctions for noncompliance. The
central focus of OPA's efforts since release of its Guidelines has been
business education to promote widespread adoption of online privacy
policies.

C. Seal Programs
    An encouraging development in the private sector's efforts toward
self-regulation is the emergence of online seal programs. These
programs require their licensees to abide by codes of online
information practices and to submit to various types of compliance
monitoring in order to display a privacy seal on their Web sites.
Seal
programs offer an easy way for consumers to identify Web sites that
follow specified information practice principles, and for online
businesses to demonstrate compliance with those principles.
            1. TRUSTe<SUP>45</SUP>
    TRUSTe, an independent, non-profit organization founded by the
CommerceNet Consortium and the Electronic Frontier Foundation, was
launched nearly two years ago, on June 10, 1997. The first online
privacy seal program, TRUSTe currently has more than 500 licensees
representing a variety of industries.<SUP>46</SUP> Since December 1998,
TRUSTe's license agreement,<SUP>47</SUP> which governs licensees'
collection and use of ``personally identifiable information,''
<SUP>48</SUP> has taken a more comprehensive approach to privacy by
requiring licensees to follow standards for notice, choice, access and
security based upon the OPA Guidelines. The license agreement also
requires licensees to submit to monitoring and oversight by TRUSTe, as
well as a complaint resolution procedure.
    The TRUSTe program includes third-party monitoring and periodic
reviews of licensees' information practices to ensure compliance with
program requirements. These reviews include ``Web Site reviews,'' in
which TRUSTe examines and monitors changes in licensees' privacy
statements and tracks unique identifiers in licensees' databases (a
practice known as ``seeding'') to determine whether consumers' requests
to be removed from those databases are being honored; and ``On-Site
reviews'' in which a third-party auditing firm can be called in, should
TRUSTe have reason to believe that a licensee is not in compliance with
the terms of the license agreement. Licensees must provide consumers
with a way to submit concerns regarding their information practices,
and agree to respond to all reasonable inquiries within five days.
TRUSTe also plays a part in resolving consumer complaints.
TRUSTe
provides for public reporting of complaints, and, in appropriate
circumstances, will refer complaints to the Commission.
            2. BBBOnLine Privacy Seal Program <SUP>49</SUP>
    BBBOnLine, a subsidiary of the Council of Better Business Bureaus,
launched its privacy seal program for online businesses on March 17,
1999. Forty-two sites currently post BBBOnLine seals, and the program
has received more than 300 applications. In order to be awarded the
BBBOnLine Privacy Seal, applicants must post a privacy policy that
comports with the program's information practice
principles,<SUP>50</SUP> complete a ``Compliance Assessment
Questionnaire,'' and must agree to participate in a consumer dispute
resolution system and to submit to monitoring and review by
BBBOnLine.<SUP>51</SUP>
    The BBBOnLine Privacy Seal Program covers ``individually
identifiable information,''<SUP>52</SUP> as well as ``prospect
information,'' which is identifying, retrievable information that is
collected by the company's Web site from one individual about
another.<SUP>53</SUP> The BBBOnLine Privacy Seal Program's consumer
complaint resolution procedure is bolstered by several compliance
incentives, including public reporting of decisions, and suspension or
revocation of the BBBOnLine seal, or referral to federal agencies, as
sanctions for noncompliance. BBBOnLine has committed to adopting a
third-party verification system, although this aspect of the program
has not yet been implemented. The Commission looks forward to assessing
BBBOnLine's enforcement mechanisms when they are fully in place.
            3. Other Seal Programs
    Several other seal programs have been developed or are under
development.
One is CPA WebTrust, created by the American Institute of
Certified Public Accountants (``AICPA'') and the Canadian Institute of
Chartered Accountants and announced in September 1997.<SUP>54</SUP> The
CPA WebTrust program, which licenses the CPA WebTrust seal to
qualifying certified public accountants, requires participating Web
sites to disclose and adhere to stated business practices, maintain
effective controls over the security and integrity of transactions, and
to maintain effective controls to protect private customer information.
Web sites are awarded the CPA WebTrust seal by certified public
accountants who conduct quarterly audits to ensure compliance with the
program's standards.
    Although primarily intended to provide assurance for consumers that
a site displaying the seal is a legitimate business that will process
transactions and protect sensitive information like credit card
numbers, CPA WebTrust also has a privacy component. The information
practice requirements in the latest version of the program, introduced
in May 1999, conform to the OPA Guidelines. Currently, 19 Web sites
have been awarded the CPA WebTrust seal.
    Industry sector-specific programs are also beginning to emerge. For
example, in October 1998 the Interactive Digital Software Association
(``IDSA'') adopted its own fair information practice guidelines for its
members' Web sites.<SUP>55</SUP> In addition, on June 1, 1999, the
Entertainment Software Rating Board (``ESRB''), an independent rating
system for entertainment software and interactive games established by
IDSA in 1994, launched ESRB Privacy Online.<SUP>56</SUP> This online
seal program requires participants to adhere to information practice
standards that parallel the IDSA guidelines.<SUP>57</SUP> The program
monitors compliance through a verification system that includes
unannounced audits and seeding.
The program also includes a consumer
online hotline for reporting privacy violations and alternative dispute
resolution services to resolve consumer complaints.

                             V. CONCLUSION

    The self-regulatory initiatives described above, including the
guidelines adopted by the OPA and the seal programs, reflect industry
leaders' substantial effort and commitment to information practices.
They should be commended for these efforts. Enforcement mechanisms that
go beyond self-assessment are also gradually being implemented by the
seal programs. Only a small minority of commercial Web sites, however,
have joined these programs to date. Similarly, although the results of
the GIPPS and OPA studies show that many online companies now
understand the business case for protecting consumer privacy, they also
show that the implementation of fair information practices is not
widespread among commercial Web sites.
    Based on these facts, the Commission believes that legislation to
address online privacy is not appropriate at this time. We also believe
that industry faces some substantial challenges. Specifically, the
present challenge is to educate those companies which still do not
understand the importance of consumer privacy and to create incentives
for further progress toward effective, widespread implementation.
    First, industry groups must continue to encourage widespread
adoption of fair information practices. Companies like IBM, Microsoft
and Disney, which have recently announced, among other things, that
they will forgo advertising on sites that do not adhere to fair
information practices, are to be commended for their efforts, which we
hope will be emulated by their colleagues.
These types of business-based
initiatives are critical to making self-regulation meaningful
because they can extend the reach of privacy protection to small and
medium-sized businesses where there is great potential for e-commerce
growth.
    Second, industry should focus its attention on the substance of Web
site information practices, ensuring that companies adhere to the core
privacy principles discussed earlier. It may also be appropriate, at
some point in the future, for the FTC to examine the online privacy
seal programs and report to Congress on whether these programs provide
effective privacy protections for consumers.
    Finally, industry must work together with government and consumer
groups to educate consumers about privacy protection on the Internet.
The ultimate goal of such efforts, together with effective
self-regulation, will be heightened consumer acceptance and confidence.
Industry should also redouble its efforts to develop effective
technology to provide consumers with tools they can use to safeguard
their own privacy online.
    The Commission has developed an agenda to address online privacy
issues throughout the coming year as a way of encouraging and,
ultimately, assessing further progress in self-regulation to protect
consumer online privacy:
    <bullet> The Commission will hold a public workshop on ``online
profiling,'' the practice of aggregating information about consumers'
preferences and interests gathered primarily by tracking their
movements online, and, in some cases, combining this information with
personal information collected directly from consumers or contained in
other databases. The workshop, jointly sponsored by the U.S.
Department
of Commerce, will examine online advertising firms' use of cookies and
other tracking technologies to create targeted, user profile-based
advertising campaigns.
    <bullet> The Commission will hold a public workshop on the privacy
implications of electronic identifiers that enhance Web sites' ability
to track consumers' online behavior.
    <bullet> In keeping with its history of fostering dialogue on
online privacy issues among all stakeholders, the Commission will
convene task forces of industry representatives and privacy and
consumer advocates to develop strategies for furthering the
implementation of fair information practices in the online environment.

          One task force will focus upon understanding the costs and
        benefits of implementing fair information practices online,
        with particular emphasis on defining the parameters of the
        principles of consumer access to data and adequate security.
          A second task force will address how incentives can be
        created to encourage the development of privacy-enhancing
        technologies, such as the World Wide Web Consortium's Platform
        for Privacy Preferences (P3P).

    <bullet> The Commission, in partnership with the U.S. Department of
Commerce, will promote private sector business education initiatives
designed to encourage new online entrepreneurs engaged in commerce on
the Web to adopt fair information practices.
    <bullet> Finally, the Commission believes it is important to
continue to monitor the progress of self-regulation, to determine
whether the self-regulatory programs discussed in this report fulfill
their promise.
To that end, the Commission will conduct an online
survey to reassess progress in Web sites' implementation of fair
information practices, and will report its findings to Congress.
    In undertaking these efforts, the Commission will be better able to
assess industry progress in meeting its self-regulatory
responsibilities, while fostering the implementation of effective
protections for online privacy in a manner that promotes a flourishing
electronic marketplace.
                               __________

                                ENDNOTES

    1. The Report is available on the Commission's Web site at
http://www.ftc.gov/reports/privacy3/index.htm.
    2. 1998 Report at 41.
    3. 1998 Report at 42; Commission testimony on Consumer Privacy on
the World Wide Web before the House Subcommittee on Telecommunications,
Trade and Consumer Protection, Committee on Commerce (July 21, 1998) at
4-5 [hereinafter ``1998 Privacy Testimony''] (available at
http://www.ftc.gov/os/1998/9807/privac98.htm).
    4. 1998 Privacy Testimony at 4. The Commission also presented a
legislative model that Congress could consider in the event that
then-nascent self-regulatory efforts did not result in widespread
implementation of self-regulatory protections. Id. at 5-7.
    5. Remarks of Secretary of Commerce William M. Daley, Feb. 5, 1999
(text available at
http://204.193.246.62/public.nsf/docs/commerce-ftc-online-shopping-briefing).
    6. The Boston Consulting Group, The State of Online Retailing 7 and
App. A (Nov. 1998).
    7. Internet Advertising Bureau, Advertising Revenue Report (May
1999) (major findings available at
http://www.iab.net/news/content/1998results.html).
    8. Id.
    9. Intelliquest, Inc., Worldwide Internet/Online Tracking Service
4th Quarter 1998 Report (results available at
http://www.intelliquest.com).
    10. See Forrester Research, Inc., Media & Technology Strategies:
Making Users Pay at 4-6 (1998).
    11. See, e.g., Rivka Tadjer, ``Following the Patron Path,'' ZD
Internet Magazine, Dec. 1997, at 95; Thomas E. Weber, ``Software Lets
Marketers Target Web Ads,'' Wall St. J., Apr. 21, 1997, at B1.
    12. Lorrie Faith Cranor, et al., Beyond Concern: Understanding Net
Users' Attitudes About Online Privacy at 5 (1999) [hereinafter ``AT&T
Study''] (available at
http://www.research.att.com/projects/privacystudy).
    13. Louis Harris & Associates, Inc., National Consumers League:
Consumers and the 21st Century at 4 (1999).
    14. AT&T Study at 2, 10.
    15. Intelliquest, Inc., Worldwide Internet/Online Tracking Service
1st Quarter 1999 Report (findings summarized at
http://www.intelliquest.com/press/release78.asp) (28%); Louis Harris &
Associates, Inc. and Alan F. Westin, E-Commerce & Privacy: What Net
Users Want at 1 (1998) (23%).
    16. The Commission held its first public workshop on privacy in
April 1995. In a series of hearings held in October and November 1995,
the Commission examined the implications of globalization and
technological innovation for competition issues and consumer protection
issues, including privacy concerns. At a public workshop held in June
1996, the Commission examined Web site practices in the collection,
use, and transfer of consumers' personal information; self-regulatory
efforts and technological developments to enhance consumer privacy;
consumer and business education efforts; the role of government in
protecting online information privacy; and special issues raised by the
online collection and use of information from and about children.
The \nCommission held a second workshop in June 1997 to explore issues raised \nby individual reference services, as well as issues relating to \nunsolicited commercial e-mail, online privacy generally, and children\'s \nonline privacy.\n    These efforts have served as a foundation for dialogue among \nmembers of the information industry and online business community, \ngovernment representatives, privacy and consumer advocates, and experts \nin interactive technology. Further, the Commission and its staff have \nissued reports describing various privacy concerns in the electronic \nmarketplace. See, e.g., Individual Reference Services: A Federal Trade \nCommission Report to Congress (December 1997); FTC Staff Report: Public \nWorkshop on Consumer Privacy on the Global Information Infrastructure \n(December 1996); FTC Staff Report: Anticipating the 21st Century: \nConsumer Protection Policy in the New High-Tech, Global Marketplace \n(May 1996).\n    The Commission has also brought enforcement actions under Section 5 \nof the Federal Trade Commission Act to address deceptive online \ninformation practices. In 1998 the Commission announced its first \nInternet privacy case, in which GeoCities, operator of one of the most \npopular sites on the World Wide Web, agreed to settle Commission \ncharges that it had misrepresented the purposes for which it was \ncollecting personal identifying information from children and adults \nthrough its online membership application form and registration forms \nfor children\'s activities on the GeoCities site. The settlement, which \nwas made final in February 1999, prohibits GeoCities from \nmisrepresenting the purposes for which it collects personal identifying \ninformation from or about consumers, including children. 
It also \nrequires GeoCities to post a prominent privacy notice on its site, to \nestablish a system to obtain parental consent before collecting \npersonal information from children, and to offer individuals from whom \nit had previously collected personal information an opportunity to have \nthat information deleted. GeoCities, Docket No. C-3849 (Feb. 12, 1999) \n(Final Decision and Order available at http://www.ftc.gov/os/1999/9902/\n9823015d&o.htm).\n    In its second Internet privacy case, the Commission recently \nannounced for public comment a settlement with Liberty Financial \nCompanies, Inc., operator of the Young Investor Web site. The \nCommission alleged, among other things, that the site falsely \nrepresented that personal information collected from children, \nincluding information about family finances, would be maintained \nanonymously. In fact, this information was maintained in identifiable \nform. The consent agreement would require Liberty Financial to post a \nprivacy policy on its children\'s sites and obtain verifiable consent \nbefore collecting personal identifying information from children. \nLiberty Financial, Case No. 9823522 (proposed consent agreement \navailable at http://www.ftc.gov/os/1999/9905/1btyord.htm).\n    17. 1998 Report at 7-11. In addition to the HEW Report, the major \nreports setting forth the core fair information practice principles \nare: The U.S. Privacy Protection Study Commission, Personal Privacy in \nan Information Society (1977); Organization for Economic Cooperation \nand Development, OECD Guidelines on the Protection of Privacy and \nTransborder Flows of Personal Data (1980); U.S. Information \nInfrastructure Task Force, Information Policy Committee, Privacy \nWorking Group, Privacy and the National Information Infrastructure: \nPrinciples for Providing and Using Personal Information (1995); U.S. \nDept. 
of Commerce, Privacy and the NII: Safeguarding Telecommunications-\nRelated Personal Information (1995); The European Union Directive on \nthe Protection of Personal Data (1995); and the Canadian Standards \nAssociation, Model Code for the Protection of Personal Information: A \nNational Standard of Canada (1996).\n    18. 1998 Report at 7-11.\n    19. Although choice in this context has been traditionally thought \nof as either ``opt-in\'\' (prior consent for use of information) or \n``opt-out\'\' (limitation upon further use of information), id. at 9, \ninteractive media hold the promise of making this paradigm obsolete \nthrough developments in technology. Id.\n    20. Id. at 9.\n    21. Id. at 10.\n    22. Id. at 10-11.\n    23. Id. at 23, 27.\n    24. Id. at 24, 28.\n    25. Id. at 31, 35, 37.\n    26. 1998 Privacy Testimony at 5-7.\n    27. Title XIII, Omnibus Consolidated and Emergency Supplemental \nAppropriations Act, 1999, Pub. L.105-277, 112 Stat. 2681, ____ (October \n21, 1998), reprinted at 144 Cong. Rec. H11240-42 (Oct. 19, 1998). The \ngoals of the Act are: (1) to enhance parental involvement in a child\'s \nonline activities in order to protect the privacy of children in the \nonline environment; (2) to help protect the safety of children in \nonline fora such as chat rooms, home pages, and pen-pal services in \nwhich children may make public postings of identifying information; (3) \nto maintain the security of children\'s personal information collected \nonline; and (4) to limit the collection of personal information from \nchildren without parental consent. 144 Cong. Rec. S12741 (Oct. 7, 1998) \n(Statement of Sen. Bryan).\n    28. Title XIII, Omnibus Consolidated and Emergency Supplemental \nAppropriations Act, 1999, Pub. L.105-277, 112 Stat. 2681, ____ (October \n21, 1998), reprinted at 144 Cong. Rec. H11240-42 (Oct. 19, 1998).\n    29. Id.\n    30. 64 Fed. Reg. 22750 (1999) (to be codified at 16 C.F.R. pt. \n312).\n    31. Id. 
at 22753-58 (Proposed Rule Sec. Sec. 312.4-312.6).\n    32. Id. at 22759-60 (Proposed Rule Sec. 312.10).\n    33. The report is available at http://www.msb.edu/faculty/culnanm/\ngippshome.html [hereinafter ``GIPPS Report\'\']. The following analysis \nis based upon the Commission\'s review of the GIPPS Report itself; \nCommission staff did not have access to the underlying GIPPS data.\n    34. GIPPS Report at 1; App. B at 4. The list, a ranking of servers \nby number of unique visitors for the month of January 1999, was \ncompiled by Media Metrix, a site traffic measurement company. As larger \nsites are more likely to have multiple servers, the largest sites on \nthe Web had a greater chance of being selected for inclusion in the \nsample drawn for this survey. See GIPPS Report, App. A at 1; App. B at \n9 n.iii.\n    35. GIPPS Report, App. A at 3, 5.\n    36. GIPPS Report, App. A at 5.\n    37. The Commission\'s 1998 Comprehensive Sample was drawn at random \nfrom all U.S., ``.com\'\' sites in the Dun & Bradstreet Electronic \nCommerce Registry, with the exception of insurance industry sites. 1998 \nReport, App. A at 2. Unlike the Media Metrix list used in the GIPPS \nsample, the Dun & Bradstreet Registry does not rank sites on the basis \nof user traffic.\n    38. The GIPPS results show that thirty-six sites in the sample (or \n10%) posted at least one survey element, or disclosure, for each of the \nfour substantive fair information practices. GIPPS Report at 10. \nThirty-two of these sites (or 8.9%) also posted contact information. \nId. and App. A at 12. 
Professor Culnan also reports the number of sites \nposting disclosures for the four substantive fair information practice \nprinciples and for contact information in two additional ways: as a \npercentage of sites in the sample that collect at least one type of \npersonal information (9.5%); and as a percentage of sites in the sample \nthat both collect at least one type of personal information and post a \ndisclosure (13.6%). GIPPS Report, App. A at 12 (Table 8C).\n    39. Online Privacy Alliance, Privacy and the Top 100 Sites: A \nReport to the Federal Trade Commission (1999) (available at http://\nwww.msb.edu/faculty/culnanm/gippshome.html). The following analysis \nis based upon the Commission\'s review of the OPA Study report itself; \nCommission staff did not have access to the underlying OPA Study data.\n    40. OPA Study at 3, 5, and 8.\n    41. 1998 Report at 28.\n    42. Twenty-two sites in the OPA Study (or 22%) posted at least one \nsurvey element, or disclosure, for each of the four substantive fair \ninformation practices. OPA Study at 9-10 and App. A at 10 (Table 6C). \nNineteen of these sites (or 19%) also posted contact information. Id. \nProfessor Culnan also reports the number of sites posting disclosures \nfor the four substantive fair information practice principles in two \nadditional ways: as a percentage of sites in the sample that collect at \nleast one type of personal information (22.2%); and as a percentage of \nsites in the sample that both collect at least one type of personal \ninformation and post a disclosure (23.7%). OPA Study, App. A at 10 \n(Table 6C).\n    43. The information included in this section is drawn from the OPA \nWeb site (http://www.privacyalliance.org) and OPA members\' testimony \nbefore the Senate Judiciary Committee\'s Hearing on Privacy in the \nDigital Age: Discussion of Issues Surrounding the Internet on April 21, \n1999. 
The testimony is available on the OPA Web site, and at http://\nwww.senate.gov/~judiciary/42199kb.htm.\n    44. The Guidelines are available at http://www.privacyalliance.org/\nresources/ppguidelines.shtml.\n    45. The information in this section is taken from materials posted \non TRUSTe\'s Web site, http://www.TRUSTe.org, and from public statements \nby TRUSTe staff.\n    46. Several hundred additional companies have joined the TRUSTe \nprogram but are not yet fully licensed. See ``TRUSTe Testifies Before \nHouse Judiciary Committee,\'\' May 27, 1999 (press release available at \nhttp://www.TRUSTe.org/about/about--committee.html).\n    47. Not all of TRUSTe\'s current licensees are subject to the latest \nversion of the license agreement.\n    48. ``Personally identifiable information\'\' is defined as any \ninformation that can be used to identify, contact, or locate a person, \nincluding information that may be linked with identifiable information \nfrom other sources, or from which other personally identifiable \ninformation can easily be derived.\n    49. The information in this section is taken from materials posted \non the BBBOnline Web site, located at http://www.bbbonline.com, and \nfrom other public documents and statements by BBBOnLine staff.\n    50. The BBBOnLine Privacy Seal Program establishes requirements for \nnotice, choice, access, and security. Comprehensive notice disclosures \nare required. Consumers must be allowed to prohibit unrelated uses of \nindividually identifiable information not disclosed in the site\'s \nprivacy policy and disclosure to third parties for marketing purposes. \nConsumers must also be permitted access to information about them to \ncorrect inaccuracies.\n    51. License fees to display the BBBOnLine Privacy logo are \ndetermined by a sliding scale according to the participant\'s revenues. 
\nCurrently, the annual license fee ranges from $150 for companies with \nunder $1 million in sales, to $3,000 for companies with sales over $2 \nbillion.\n    52. ``Individually identifiable information\'\' is defined as \ninformation that (1) can be used to identify an individual, (2) is \nelicited by the company\'s Web site through active or passive means from \nthe individual, and (3) is retrievable by the company in the ordinary \ncourse of business.\n    53. ``Prospect information\'\' would be collected when, for example, \na visitor to a site orders a gift for another person and supplies that \nperson\'s mailing address.\n    It is not clear whether demographic information about a consumer \nthat is collected at a site and tied to an identifier is covered by the \nBBBOnline program, although licensees are required to provide notice if \nthey merge or enhance individually identifiable information with data \nfrom third parties for the purposes of marketing products or services \nto the consumer.\n    54. Information about CPA WebTrust is available at http://\nwww.cpawebtrust.org.\n    55. Privacy in the Digital Age: Discussion of Issues Surrounding \nthe Internet, before the Senate Judiciary Comm., 106th Cong., April 21, \n1999 (prepared statement of Gregory Fischbach).\n    56. Information regarding the ESRB privacy seal program is \navailable at http://www.esrb.org.\n    57. The program guidelines include standards for notice and \ndisclosure; choice; limiting data collection and retention; data \nintegrity/security; data access; and enforcement and accountability.\n\n    Senator Burns. Thank you, Mr. Chairman. We have been joined \non the committee this morning by Senator Wyden and Senator \nDorgan.\n    Senator Wyden, do you have a statement or would you like to \nsubmit a statement?\n\n           STATEMENT OF HON. RON WYDEN, U.S. SENATOR\n                          FROM OREGON\n\n    Senator Wyden. Mr. 
Chairman, I would like to make a \nstatement, but I will be very brief.\n    This is an excellent panel. Is that acceptable at this \npoint?\n    Senator Burns. That is acceptable.\n    Senator Wyden. Thank you, Mr. Chairman. Let me begin by \nsaying how much I appreciate working with you in developing S. \n809. I think it is a balanced bill, and I have been pleased to \nwork with you. In going forward with this bipartisan effort \nthat you and I have launched, Mr. Chairman, I want to make it \nclear that first I believe in the power of free markets.\n    I think I showed with the Internet Tax Freedom Act, with \nthe Y2K liability legislation, with what we have done in \nencryption that I feel strongly about the potential of the \nmedium, but the reason that I want us to pass S. 809 is that I \nthink it would be a great mistake for this country to \nessentially sit idly by and wait for an Exxon Valdez style \ninvasion of privacy before action is taken, and that is really \nwhat this legislation is all about.\n    Third, what is most telling to me is what the Nation\'s CEOs \nare saying about this issue in a recent survey by CEO Magazine. \nSixty percent of the chief information officers in this country \nwere unwilling to give personal information about themselves on \nline. I think if anything is telling about the need for a \nthoughtful, balanced bill, it is what the Nation\'s CEOs and \ntheir chief information officers are saying about the \nimportance of this legislation.\n    Finally, the last point I would make is that the folks that \nare working for self-regulation, the many companies that have \nhired some of the most talented lobbyists in the Nation to \nfight privacy regulation, are not the companies that the United \nStates Senate ought to be worried about. Those are the \ncompanies that have again and again reflected responsible \ncorporate efforts to try to deal with these issues, and it is \nthe bad actors that S. 
809 is trying to target, not the \ncompanies that have formed this coalition, not the companies we \nwork with on Internet, tax freedom, or encryption, or Y2K \nliability. I am very hopeful we can go forward with this \nlegislation.\n    The last point I would make is a comment in response to \nwhat Bob Pitofsky said, and he as always has given very helpful \ntestimony. What we are trying to do in S. 809 is address your \npoint with respect to making sure that this law is not outdated \nby the time it goes into effect. Principles like opting out and \nunderstandable disclosure requirements are the kinds of things \nthat have stood the test of time at the Federal Trade \nCommission, and it is those kinds of principles that we want to \nuse for the foundation of privacy policy, and speak to the \nimportant point you are making about making sure that the \nCongress does not do something foolish that is essentially \noutdated by the time it becomes law. I thank you for the chance \nto make that statement.\n    Senator Burns. Thank you very much, Senator, and I \nappreciate working with you on this piece of legislation also.\n    Senator Dorgan, do you have a statement?\n\n  STATEMENT OF HON. BYRON L. DORGAN, U.S. SENATOR FROM NORTH \n                             DAKOTA\n\n    Senator Dorgan. Mr. Chairman, I will submit a statement for \nthe record.\n    I did want to thank you for the hearing and indicate that \nprivacy is of paramount importance to the American people. 
It \nis a freedom that we take for granted, but it is threatened by \nthose who would use information in a brokered capacity from \nInternet sites and other devices to undermine privacy, and I \nthink this hearing is right on point.\n    I think the legislation that has been developed is \ninteresting, and a useful contribution to this debate, and I \nwant to thank the commissioners for coming today and for their \ncontribution.\n    [The prepared statement of Senator Dorgan follows:]\n\n     Prepared Statement of Hon. Byron L. Dorgan, U.S. Senator From \n                              North Dakota\n\n    Mr. Chairman, I am pleased that you have called this hearing on the \nsubject of online privacy. In my judgment, the issue of online privacy \nis one of the most important and essential issues related to the \nInternet and e-commerce. It is very important that this Subcommittee \nfollow this issue closely and seek appropriate solutions to ensure that \nconsumers can have confidence that their privacy will be protected \nonline.\n    While the Internet and online commerce provides enormous \nopportunity for communication, information collection, and commerce, it \nalso provides an equal potential for serious invasion into people\'s \nrights to privacy. For this reason, the protection of privacy over this \nexciting new medium is of critical importance.\n    I greatly appreciate the work that the Federal Trade Commission has \ndone on this important subject. However, the recent report on ``Self \nRegulation and Privacy Online: A Report to Congress\'\' highlights the \nfact that, at the present time, online privacy protections industry \nwide leaves a lot to be desired. I can appreciate the position of the \nmajority of the Commissioners that legislation would be premature at \nthis time. 
Nevertheless, I still believe that it is very important that \nCongress closely examine online privacy issues and debate over \nlegislation is an important debate to have at this point. The findings \nof the Georgetown Internet Privacy Policy Survey that only 10% of \nInternet sites are implementing a full complement of online protections \n(such as notice/awareness, choice/consent, access/participation, and \nsecurity/integrity) is very disturbing. It would be foolish to declare \nvictory at this stage. In fact, we ought to remain very concerned and \nrealize that there is a great deal of improvement needed in order for \nconsumers to feel confident about privacy online.\n    Certainly, the industry has demonstrated that it is not deaf to the \nconcerns of protecting privacy. Indeed, the industry has a strong self-\ninterest in ensuring privacy protection and there is considerable \nevidence of industry-initiated efforts to adopt privacy protections. \nThe industry has indeed come to the table to address privacy issues on \ntheir own to a large degree. But, if consumers lose confidence in their \nability to protect their privacy online, they will likely leave the \nInternet and e-commerce behind. The government ought to be just as \nconcerned about a loss of consumer confidence in privacy protection as \nthe industry. That is why much, much, more needs to be done.\n    I still have an open mind as to whether or not legislation is \nnecessary at this point in time. But, I consider the debate a healthy \none and I think at a minimum, this Committee ought to monitor the \nprogress of the industry to adopt privacy protections. In the meantime, \nit is important that the FTC continue to work closely with industry to \naddress online privacy issues. That relationship appears to be \nproducing good results, but I remain concerned that that may not be \nsufficient in the long run.\n    Thank you Mr. Chairman. 
I look forward to hearing from today\'s \nwitnesses.\n\n    Senator Burns. Senator Rockefeller.\n\n           STATEMENT OF HON. JOHN D. ROCKEFELLER IV, \n                U.S. SENATOR FROM WEST VIRGINIA\n\n    Senator Rockefeller. Thank you, Mr. Chairman. Just a brief \nword. I am still unclear as to how I feel about this, and I \nthink reasonable people in fact in some ways ought to be \nunclear. I do not think enough people know enough about what \nthe potential is for self-regulation, or what the lack of \npotential is for self-regulation.\n    I think the Georgetown study which the FTC used, used in \nfact to draw one set of conclusions, and one might argue that \nin fact it drew another set of conclusions, but that aside, it \nlaid out five basic criteria that have to be met, and to me it \nis the meeting of the criteria more than the way in which they \nare met, whether it is done by Federal regulation or whether it \nis done by self-regulation.\n    Senator Wyden and I disagreed on the passenger bill of \nrights. I thought it could be done by self-regulation, he felt \nit should be done by legislative regulation, so these are in \nsome ways, you know, similar, and philosophically they have a \ntouch point, but I think the five points are, notice that \ninformation is being collected, choice of whether to disclose \ninformation, access to their own, that is the user\'s own \ninformation, security so that information is protected, and \ncontact information for questions or complaints.\n    Now, whether or not in what we hear and talk about today \nthe industry feels that they can do that, the record so far is \nnot a very good one. On the other hand, the industry is yet a \nvery young one, and laws last a long time. The industry changes \nand is capable of changing much more rapidly than are laws \nusually around here.\n    So I am reserving my right to hear some debate and decide \nwhat to do. 
I do, however, applaud your instinct for looking \nafter the consumer, and I thank the chairman.\n    Senator Burns. You can probably make up your mind by noon \ntoday. We do not want to push you too far. [Laughter.]\n    Let us continue on with the panel. From the Federal Trade \nCommission, the Hon. Sheila Anthony. We look forward to your \nopinion on this. Thank you for coming this morning.\n\n  STATEMENT OF HON. SHEILA F. ANTHONY, COMMISSIONER, FEDERAL \n                        TRADE COMMISSION\n\n    Ms. Anthony. Thank you, Mr. Chairman, and members of the \nSubcommittee on Communications. I am delighted to be here this \nmorning, and I appreciate your holding this hearing to address \na topic of extreme importance to the American people.\n    As the commission\'s 1999 report to Congress states, only 10 \npercent of well-traveled Internet sites in a recent survey have \nprivacy disclosures that speak to all four substantive \ninformation principles, notice, consent, access, and security. \nEven among the top 100 most frequently visited Internet sites, \nand I would think there are about 7,500 sites that are \ntraveled, only some 20 percent have privacy disclosures \naddressing these four principles.\n    Some industry leaders have undertaken significant efforts \nto protect online privacy, and let me name a few. Microsoft, \nDell Computer, Disney Online, IBM, AT&T, Eastman Kodak, Fox \nBroadcasting, the Boston Globe, the San Francisco Chronicle, \nthe Wall Street Journal, CyberBills, Educational \nCommunications, Inc., Worldtravelcenter.com.\n    These self-regulatory efforts constitute a reasonable \nresponse to the widespread market demand for the protection of \nconsumer privacy, and likely play an important role in the \ngrowth of electronic commerce.\n    In addition, the seal programs show promise, but some \ncompanies have made a business out of collecting, buying, and \nselling individually identifiable information online. 
I was \nshocked to discover shortly after I joined the commission that \nat least one of the several information brokers operating in \nthe marketplace had my name, my husband\'s name, our address, \nthe value of our home, our social security numbers and the \nyears they were issued, our mothers\' maiden names, the address \nwe lived before coming to Washington, our two daughters\' names, \ntheir husbands\' names, their social security numbers, and every \naddress they ever had lived, including our 3-year-old \ngrandchild\'s social security number and name.\n    I might add that there were several mistakes in this \nreport. We in the Government, and especially those of us who \nhave gone through a confirmation process, and you who have \nstood for election, know what it is to have your private lives \nlaid bare, but most Americans do not, nor do they want to.\n    I am disappointed that sufficient progress by industry has \nnot been made toward the protection of online privacy under a \nself-regulatory approach. Such a lack of progress is \nsurprising, given the commission\'s clear articulation of fair \ninformation practice principles in our 1998 online privacy \nreport.\n    Even prior to my arrival at the commission, the agency had \nencouraged industry to adopt voluntary fair information \npractices. Secretary of Commerce Brown plainly expressed the \nfair information principles of notice and consent as long ago \nas 1995. These ideas are not brand new.\n    The self-regulatory environment has not advanced the ball \nas far as I would have expected. Thus, consumer privacy remains \nan issue about which 87 percent of online Americans, including \nme, are extremely concerned. Privacy is one of our most \ncherished freedoms. Too often, however, the debate about \nprivacy and the protection of personal information that is \nsurreptitiously gathered takes on an ethereal quality and looks \nfor proof of direct harm. 
Direct harm is not necessary to \njustify fair information practices, but it is evident, for \nexample, in cases of cyber stalking and identity theft.\n    The American public deeply values its privacy, quite apart \nfrom notions of direct harm. The studies of which I am aware \nconsistently show a high level of concern about online privacy. \nFor example, a study just released in April by Harvard, MIT, \nAT&T labs, and the University of California at Irvine, found, \nas I mentioned earlier, that 87 percent of Internet users were \nconcerned about personal privacy threats.\n    One year ago, these concerns were held by 81 percent of \nInternet users, so over the years, public concern has \nincreased, not decreased.\n    In reporting on the status of self-regulation and online \nprivacy protection, the commission has fulfilled its promises \nto collect information and report to the Congress. I \nrespectfully and affectionately disagree with my colleagues, in \nthat I believe the time is ripe for Congress to enact Federal \nlegislation to protect online consumer privacy, at least to the \nextent of providing minimal Federal standards.\n    As a whole, industry progress has been far too slow. \nNotice, while an essential step, is not enough if the privacy \npractices themselves are toothless.\n    I do believe Congress is the appropriate place for the \ndebate on this issue, and I note that several bipartisan bills \nare pending in both the House and the Senate, including the \nOnline Privacy Protection Act that has been introduced by you, \nChairman Burns, and cosponsored by Senator Wyden. These bills \ncan serve as starting points to craft balanced privacy \nlegislation.\n    I am concerned that without widespread implementation of \nfair information practices, and absent effective privacy \nprotections, several results are inevitable. 
First, the \ndissatisfaction of the American people will grow both in pitch \nand intensity, as it has in the past.\n    Second, a patchwork of State laws to protect online privacy \nwill emerge. A number of States, including California, \nColorado, Connecticut, Delaware, Florida, Louisiana, Maine, \nMassachusetts, Minnesota, Montana, Nevada, New Hampshire, New \nYork, Pennsylvania, South Carolina, Tennessee, Virginia, \nWashington, and Wisconsin have moved in that direction.\n    Consider the confusing environment that could result for \nconsumers, online marketers, and the courts under such a legal \npatchwork. Consider also the extreme burden on online \nbusinesses to comply with this patchwork of privacy laws.\n    Such businesses would be required to determine the \njurisdictional reach of each State possessing such privacy \nlaws, and to develop compliance strategies to satisfy privacy \nrequirements of each jurisdiction. Further, the entire process \nmay need to be repeated as online businesses grow and expand \ntheir product lines and as other States enact their laws. A \nsingle minimum Federal standard of online privacy would \ndecrease the cost and complexity of compliance while \nsimultaneously establishing essential privacy protections for \nonline American consumers. Further, I believe that Federal \nlegislation and meaningful self-regulation should operate hand-\nin-hand.\n    Third, I am concerned that the absence of online privacy \nprotections will continue to undermine consumer confidence and \nhinder the advancement of electronic commerce and trade, \nspecifically of trade with the European Union and its 320 \nmillion customers. 
Some types of personal information, such as \nhealth and financial information, may require heightened \nprivacy protections, but without the widespread adoption of \nfair information practices not even an across-the-board minimum \nstandard of protection exists.\n    Let me conclude by saying I remain troubled by the results \nof the Georgetown surveys, which show much less progress than I \nhad hoped. I am pleased to say the commission will continue its \ninvolvement in the privacy arena, and our report sets out a \nnumber of initiatives for the coming year.\n    Thank you for the opportunity to share my views.\n    [The prepared statement of Ms. Anthony follows:]\n\n Prepared Statement of Hon. Sheila F. Anthony, Federal Trade Commission\n\n    I support the Commission\'s 1999 Report to Congress on Self-\nRegulation and Privacy (``Report\'\'). The Report commends the seal \nprograms and the few responsible industry leaders that have undertaken \nsignificant efforts to protect online privacy by adopting fair \ninformation practices in their online dealings with consumers. I agree \nwith the report\'s conclusions that industry leaders must continue to \nencourage widespread adoption of fair information practices; focus \nattention to the substance of web site information practices; and work \ntogether with government and consumer groups to educate consumers about \nprivacy protection on the internet. I also support the Commission\'s \nagenda to address the public\'s strong concern about online privacy.\n    I am dismayed, however, with the results of the two studies cited \nin the Report. According to the studies, there is an enormous gap \nbetween the online collection of individually identifiable information \nand the protection of that information by the web site owners\' \nimplementation of fair information practices of notice, consent, \naccess, and security. 
While 93 to 99 percent of the surveyed sites \ncollect personal information from consumers, only 10 to 20 percent of \nthese sites have privacy disclosures implementing the four basic \nsubstantive fair information practices.\\1\\ It is not hard to see why \nsurveys show that the vast majority of Americans are concerned about \nthreats to their privacy online.\\2\\\n---------------------------------------------------------------------------\n    \\1\\ See Report at 8-9.\n    \\2\\ See Report at 2-3.\n---------------------------------------------------------------------------\n    I disagree with the majority\'s opinion that ``legislation to \naddress online privacy is not appropriate at this time.\'\' \\3\\ As a \nwhole, industry progress has been far too slow since the Commission \nfirst began encouraging the adoption of voluntary fair information \npractices in 1996.\\4\\ Notice, while an essential first step, is not \nenough if the privacy practices themselves are toothless. I believe \nthat the time is ripe for federal legislation to establish at least \nbaseline minimum standards upon which meaningful self-regulation can \nflourish. I note that bipartisan bills are pending in both the House \nand the Senate and could provide a good starting point for crafting \nbalanced protective legislation. I am concerned that the absence of \neffective privacy protections will undermine consumer confidence and \nhinder the advancement of electronic commerce and trade.\n---------------------------------------------------------------------------\n    \\3\\ See Report at 15.\n    \\4\\ ``Staff Report, Public Workshop on Consumer Privacy on the \nGlobal Information Infrastructure,\'\' (December 1996).\n\n    Senator Burns. Thank you, commissioner, and Senator Kerry, \ndo you have any questions of this panel? You will submit them, \nokay. Thank you very much. I know you have got other things to \ndo. We are just trying to accommodate you.\n    Hon. Orson Swindle. 
Commissioner, we are looking forward to
your comments this morning. Thank you for coming.

 STATEMENT OF HON. ORSON SWINDLE, COMMISSIONER, FEDERAL TRADE
                           COMMISSION

    Mr. Swindle. Thank you very much, Mr. Chairman, members of
the committee. Let me begin by painting a big picture. Last
month, the University of Texas, backed by Cisco Systems,
introduced a study of the current status of electronic commerce
as one of the very first efforts to measure the Internet
economy. According to the study, the Internet economy generated
an estimated $301 billion in revenue in 1998 and was
responsible for over 1.2 million jobs. These estimates are
based on worldwide sales of Internet-related products and
services by U.S.-based companies.
    To put the figures in perspective, the Internet economy is
already bigger than the energy industry, the telecommunications
industry, and almost as big as the automobile industry.
According to Secretary of Commerce Daley, retail consumer
purchases over the Internet were $3 billion in 1997, $9 billion
in 1998, and are estimated to approach $30 billion this year.
    We are witnessing an incredible economic engine just
revving up. Consumers are not timidly engaging in this new form
of commerce. As Chairman Pitofsky testified recently, it is
remarkable the extent to which people are becoming committed to
doing commerce on the Internet. Consumers seem to like it.
    The Commission's 1999 report on privacy recently submitted
to Congress ultimately reached the correct and obvious
conclusion. No legislative action is necessary at this time.
Significant self-regulatory progress has been made, but
continued vigilance is needed if we are to obtain higher and
higher levels of confidence in protecting personal privacy.
    The path to those higher standards is not through more laws
and regulations.
Rather, industry, advocates for privacy and
consumers and the Commission should be able to make further
progress by continuing to work together towards what we all
agree to be mutually beneficial goals.
    Industry, however, must lead the way, and I am confident
that it will, and will do so far more effectively than will
more laws and bureaucratic decisionmaking.
    There is an incredibly exciting new world of economic and
educational power before us. The rapid convergence of
technology, information, and entrepreneurship is ushering in
one of the greatest expansions of freedom, choice and
independence mankind has probably ever seen, and democracy will
be better for it. However, without personal responsibility,
democracy cannot flourish. Consumers definitely have a role to
play.
    For certain, there are hazards associated with this new
environment. How we balance protecting consumers and at the
same time make it possible for this vast potential to develop
is critical. As reflected in our 1999 report, there is broad
agreement on the core principles of fair information practices,
notice, choice, access and security. S. 809 addresses each of
these principles.
    However, for those who wish to regulate online privacy, I
ask how will we do it? The devil is always in the details. We
are coming to realize that technology and cost, not to mention
the exponential growth of the online world, are serious
impediments.
    Recent data suggest that there are now approximately 3.6
million commercial Web sites, and they are increasing at over
275,000 a month. We have a lot to learn about the Internet
economy and how to deal with it, as our ongoing rulemaking to
implement the Children's Online Privacy Protection Act of 1998
is revealing.
    The old adage of looking before we leap is still wise
advice.
Imposing additional laws and regulations on that which
we do not yet fully understand could produce incredibly
negative unintended consequences. Imagine this scenario, if you
will. First of all, massive numbers of unintended or innocent
violations of the new law will likely occur. Commercial Web
sites are increasing at almost 10 percent a month. The
overwhelming majority of these violations would be by
entrepreneurs seeking to market a product on the Internet
without understanding the new requirements, or not possessing
the technology or the resources to comply.
    The regulators, armed with the new law, would, of course,
have to enforce it. Imagine the scope of this task and the
likely effects on entrepreneurs. While this might be a
nightmare for regulators, it pales in significance to the
possibility of regulation impeding the growth of this economic
engine.
    Do I suggest throwing in the virtual towel? Certainly not.
I suggest a different approach driven by practicality. More law
and regulation will not solve this problem. It is in the
interests of businesses, large and small, to provide customers
with safe transactions and secure privacy and business
practices to win the confidence of those customers.
    Because we are making progress, and because none of us
fully understands where electronic commerce, entertainment,
knowledge, information and education are heading, I strongly
urge a more cautious approach. The rule of ``do no harm'' seems
most applicable here. Let us not add more laws and regulations
at this time. Rather, let us continue to work together and
allow this new economic engine and privacy policies to evolve.
    For the most part, businesses have the creativity and
motivation to lead the way.
Companies like AOL, IBM, and
Microsoft, who have led the way, also help countless other
companies by their example.
    Organizations and seal programs such as the Direct
Marketing Association, BBBOnline, TRUSTe and others also are
leading the way, and progress is increasing day by day.
Continued focus on the problem by the Congress, the commission,
advocates for consumers and privacy, and leaders in industry
should bring about the progress we desire and the sound balance
that is imperative.
    Thank you, Mr. Chairman.
    [The prepared statement of Mr. Swindle follows:]

          Prepared Statement of Orson Swindle, Commissioner,
                        Federal Trade Commission

    I have voted to submit ``Self-Regulation and Privacy Online: A
Report'' (the ``Report'') to Congress, although I have done so with
great reluctance. I have voted to submit the Report because we promised
the Congress last summer that we would make a recommendation regarding
the need for legislation addressing online privacy. I also have voted
to submit the Report because it ultimately reaches the correct and
obvious conclusion: no legislative action is necessary at this time.
    I must add, however, that I do not believe the Report accurately
reflects reality. First, the dated and unfavorable results of the 1998
FTC Study are prominently described in the first seven pages of the
Report, while the current and favorable results of the 1999 Georgetown
survey are relegated to a brief discussion in the middle of the Report.
Thus, the Report does not present a clear and complete picture of the
substantial progress industry has made in the past year.
    Second, the Report overemphasizes the failure of industry to
sufficiently implement all elements of comprehensive ``fair information
practices.'' The Commission first articulated the elements of these
four practices in detail just one year ago.
Given the recent vintage of
these elements, I believe industry has made substantial progress on
them as well.
    Third, the Report only sparingly mentions the leadership on privacy
issues that IBM, Microsoft, Disney, AOL, The Direct Marketing
Association, privacy seal organizations, and many others in the private
sector have continuously demonstrated. Faint praises tend to be
damning. Industry's leadership in achieving progress should be lauded
not buried.
    Because the Report provides an inaccurate assessment of the current
state of online privacy and of the substantial progress attributable to
industry self-regulation, it is perhaps not too surprising that the no
legislative action recommendation appears at the very end of the
Report, almost as if the recommendation is some trivial afterthought.
The Report instead should have emphasized ``front and center'' that
cooperative and creative efforts by a public private partnership have
achieved and will achieve progress far more quickly than more laws and
regulations, which, while they may have a ``feel good'' quality to
them, likely will have adverse unintended consequences.
    In summary, I think significant progress has been made, but
continued vigilance is needed because we are not where we want to be.
The way to get where we want to be is not through more laws and
regulation. Rather, industry, privacy and consumer advocates, and the
Commission should be able to make further progress by continuing to
work hard and work together. In the event that our joint efforts do not
produce results, I would caution industry that there are many eager and
willing to regulate. If industry wants to have the freedom to adopt
privacy policies in response to market incentives and not government
regulation, I encourage industry to continue to lead the way.

    Senator Burns. Thank you, commissioner.
Now, Commissioner
Mozelle Thompson, we thank you for coming this morning, and we
are looking forward to your comments.

 STATEMENT OF HON. MOZELLE W. THOMPSON, COMMISSIONER, FEDERAL
                        TRADE COMMISSION

    Mr. Thompson. Thank you, Mr. Chairman. I am pleased to
appear today before the Communications Subcommittee with my
fellow commissioners to discuss the FTC's latest report on
online privacy. As you are aware, we have spent a lot of time
and energy working on this issue, and we welcome the
opportunity for each of us to share our individual views and
insights.
    Following our 1998 report, in which the commission
expressed disappointment about industry progress on self-
regulation, I specifically voiced my concerns about coverage,
which is the breadth of total Web sites actually posting
privacy policies, and the development and implementation of
enforcement mechanisms.
    Now, 1 year later, and 3 years after the FTC first started
working with industry on Internet issues, I find the record of
progress is mixed. If we are going to be a leader in the global
system of electronic commerce and e-commerce is going to
continue to lead the new economy, we must reach a collective
understanding on the principles that will provide consumers
with the confidence they need to accept e-commerce as a way of
life.
    Those principles include the protection of consumer
privacy. In that vein, I note that S. 809 incorporates each of
the fair information principles the commission itself outlined
in its testimony before the House Commerce Committee in July
1998.
    During the past year, industry leaders have expended
substantial effort to build self-regulatory programs.
However,
as the Georgetown and OPA studies clearly show, while many
leading online companies understand the importance of the
business case for protecting consumer privacy, implementation
of fair information practices is not widespread among
commercial Web sites. In fact, a mere 10 percent of companies
in the survey have done so.
    Although the OPA does not audit its members for compliance
with its privacy guidelines, the results of its own study show
that only 22 percent of the top 100 Web sites, most of which
are OPA members, have implemented all four elements of fair
information practices.
    These findings suggest that even these industry leaders are
only slowly rising to the challenge they have set. Accordingly,
the most important challenges to be addressed include first,
reaching those businesses which have not taken steps to protect
consumer privacy, especially small and medium-sized businesses,
which we hope will provide the base for real growth in
electronic commerce and, second, encouraging widespread
adoption of all of the fair information practices, including
educating consumers about the value of their own self-
regulatory efforts.
    The activities of the commission, and the ones that we have
planned for the coming months, are designed to help us pinpoint
specific problem areas for action.
The information we uncover
in these workshops and task forces will go beyond the simple
quantitative analysis we have done on a number of sites with
privacy policies to tell us exactly which aspects of fair
information practices are not being complied with and why.
    And so, despite my reservations and concerns about the pace
of industry progress on privacy, I believe it is appropriate
for us to defer making a legislative recommendation, because
the commission's upcoming work will assist us in suggesting a
more tailored legislative response if industry fails to make
further substantial progress.
    However, I will note that congressional review of privacy
issues is also helpful, and I feel strongly that there is a
value to continued hearings and debate about legislative
proposals. I continue to be hopeful, as well, that industry can
solve this problem. Recent initiatives by IBM, Microsoft,
Disney, and the Direct Marketing Association are steps in the
right direction.
    I would also ask industry to redouble its efforts to
develop effective technological tools that consumers can use to
safeguard their own privacy online, because even well-crafted
legislation will not achieve 100-percent compliance with fair
information practices.
    Ideally, easy to use technology will empower consumers by
allowing them to predetermine the circumstances under which
they will share their personal information. We heard about some
of these technologies last week during our workshop on
implementing the Children's Online Privacy Protection Act, and
I am pleased to note that one of our proposed workshops for the
coming months focuses specifically on these new tools.
    In sum, achieving a robust level of privacy protection will
require cooperation between industry, Government, and
consumers.
While we have chosen to let industry lead in solving
this public policy problem, public confidence in electronic
commerce will erode if they fail to live up to the challenge.
    Ultimately, Government officials like us are directly
accountable to the public, and we must also continue to play a
role in shaping the solutions to the privacy problem. In any
case, the FTC will continue to pursue its enforcement role
against those who deceive consumers by misusing their personal
information.
    I believe that self-regulation will succeed only if
industry acts on the specific shortcomings documented by the
recent studies. Moreover, Congress and the Administration must
remain vigilant, and should not foreclose the possibility of
legislative and regulatory action if there is not swift and
significant additional progress.
    Thank you.
    Senator Burns. Thank you very much, commissioner. I just
have a couple of questions, then we will get into a little
discussion and interaction here among our colleagues.
    None of the studies referenced in your report provided
recent data much beyond the top 100 Web sites. Do you have any
data or experience about what is happening at lower levels, or
do we go on beyond the 100 that were mentioned in your report,
and that is for any commissioner who wants to address it.
    Mr. Pitofsky. Mr. Chairman, actually the Georgetown study
has two sets of conclusions. One deals only with the top 100,
but the other is a sample of a much broader range of Web sites,
so that the Georgetown study does examine a very wide range of
Web sites. It is the broader study that concluded that at least
right now 66 percent of those Web sites have some kind of
privacy policy on their screen.
    Mr. Swindle.
I think one of the critical points in looking
at this kind of an evaluation is, as I mentioned, there are
several million commercial Web sites, and by no stretch of the
imagination have we looked at all of those, and it sort of
makes the point I was trying to get to.
    But the sites that we looked at in the survey, or at least
Professor Culnan looked at in her survey, looked at sites which
encompassed an extremely high percentage of all the people who
looked at the Internet, so it is not so much the universe of
sites as it is where you are touching the most people. I think
that was the purpose, as I understood it, of the approach in
the survey, to look and see what is happening on sites where
the vast, vast majority of people were looking, and I think
that figure exceeded well over 90 percent.
    Senator Burns. Any other comments?
    Mr. Thompson. Just from the tenor of your question, though,
I think one of the issues that I would be concerned about, and
one that I think we want to get at through further study, is
there a core that we are not getting to, those who are maybe
well-trafficked but are still not doing what they should be
doing in terms of privacy policies, and what are the
impediments there?
    I think that at least from my standpoint would lead me to
recommend, if necessary, the kind of tailored legislation that
gets at the problem, but that is one of the issues that I am
concerned about, especially if we are going to see real growth,
and we are sensing that now in midsized companies, not just the
industry leaders, but in a broader base of e-commerce.
    Senator Burns. Can you describe how S. 809 is
philosophically different from the Children's Online Privacy
Protection Act that we passed last year that causes you
concerns? Philosophically, how are we different in that bill
that we passed a year ago?
    Mr. Pitofsky. I think S.
809 looks in the same direction as
the children's statute. It has a balance to it that I really
admire, and it seems to be organized in such a way as to create
incentives for industry to respond on their own.
    I also like the safe harbor provision that is in the bill.
    My own view is that the idea of commercial Web sites
invading a family's privacy by taking advantage of kids, of 8,
9, 10-year-olds, is so outside the acceptable commercial
behavior that to me, of course, you should have legislation.
    That is intolerable and, indeed, 2 of the 3 major cases
that we brought challenging companies for their behavior
invading privacy involved invading privacy of kids. It was
Senator Bryan and you among others who really led the way in
getting Congress to act in that area.
    With adults as well, I think invasions of privacy are
unacceptable. But, we are not talking as we were in the
children's statute about putting parents in control of their
children's behavior when they are engaged in commercial
behavior on the Internet. We are certainly not talking about
companies essentially saying to the parents, ``Why don't you
wait outside while we deal with your children?'' While you
``wait outside'' we will enquire, for example, what their
grandparents gave them with respect to stocks last Christmas,
what is the income of the family, that sort of question.
    That invasion of a family's privacy seems to me utterly
unacceptable, and that is the reason why we supported
legislation there. I feel the same about privacy connected with
financial records, medical records. Here, it is a tougher
question.
    Senator Burns. Senator Wyden.
    Senator Wyden. Thank you, Mr. Chairman.
    Senator Burns. I guess I went out of order. It should be
Senator Bryan. I am sorry.
    Senator Bryan. I appreciate that, but I would defer to
Senator Wyden. He is a cosponsor of the legislation.
Go right
ahead.
    Senator Wyden. I thank my friend for his graciousness.
    Mr. Chairman, so many nice things have been said about S.
809 in the last half-an-hour I am tempted to say we ought to
quit while we are ahead and just go forward, but I would like
to ask about a couple of issues, and let me direct this one to
you, Mr. Pitofsky.
    The commission said last July, and I quote here, unless
industry can demonstrate that it has developed and implemented
broadbased and effective self-regulatory programs by the end of
this year, additional Government authority in this area would
be appropriate and necessary, and I would like to begin by
asking you if you think that the Georgetown study met the test
that the commission laid out a year ago.
    Mr. Pitofsky. I do not believe that industry self-
regulation is nearly where it has to be in order to persuade
all of us that legislation is not appropriate.
    I do believe that the progress they made in 1 year is
surprising to me, and impressive.
    Senator Wyden. If a company publishes a privacy policy
which provides consumers with no choice, and that company
collects and resells personal information about their
customers, in your view does that provide adequate privacy
protection for the consumer?
    Mr. Pitofsky. I do not think so. I know there is a bill
that says, put up a privacy policy, it does not matter what it
says, just put something up there and that will satisfy the
law. I think consumers are entitled to better than that if we
are going to go the legislative route.
    Senator Wyden. In your opinion today, does the FTC have the
authority to take any action in those kinds of cases?
    Mr. Pitofsky. Where they put up no policy at all? I do not
think we do.
We put out an advisory opinion that perhaps we
could act where the victims were children, but if the victim is
an adult, we could take that case to the courts and maybe we
could win it, but it would be beyond the precedent base of our
unfairness jurisdiction as it now exists.
    Mr. Swindle. Senator Wyden, may I comment on that? You
characterize this as a consumer having no choice. The consumer
always has a choice. It is simply to click. That is what is so
marvelous about the Internet. It is perhaps the ultimate of
free expression and choice. The consumer does not have to be
there if they do not like what they see, or they do not like
the products they get, they do not like the prices, they do not
like the questions being asked.
    I know I personally, on one of the major newspapers, I log
on because I read most newspapers by the Internet, the site
started to ask me a bunch of questions. After I got by my name
I said, I am not going to answer these questions, so away they
went, and now I look at it in print form, although the ink
makes me sneeze, so I am still not too happy with them, but I
just simply will not deal with the website. Apparently, I have
forgotten which Senator mentioned that a survey recently of
major CEOs, 60 percent of them said they do not give personal
information either. That is choice.
    As to Senator Burns' comment about the philosophical
differences between the online children's privacy and what we
are talking about here, I think it is a matter of we are
dealing with children in one case and adults in another.
    As I commented in my earlier comments, democracy depends on
individual responsibility, and so we are never without choice,
and we will never reach perfection in this. No law ever does
reach perfection, but I would contend, looking at the numbers,
that we are going to have even a harder time with this one.
    We could always look to the example of the Soviet Union.
They virtually, or at least claimed to have perfection. They
had no freedom, but they had perfection. They did not have much
crime.
    So I think these kinds of things have to be taken into
consideration.
    Senator Wyden. I think what the debate is about,
commissioner, is whether people have an informed choice, and to
me capitalism and making free markets work only can go forward
when people can get information so they can make an informed
choice. There is no debate at all about the fact that you can
click the button.
    The question is, can you have enough information so that
when you are making those choices with the clicks, they can be
informed ones, and that is why I come to this as one of the
coauthors of the Internet tax freedom bill, and Y2K liability,
and encryption, and a whole host of other things, making it
very clear I am not some wild-eyed fanatic for regulating the
Internet and running some kind of one-size-fits-all Federal
operation from Washington, D.C.
    I am just very troubled by the fact that I do not think in
a lot of instances people are getting the information to make
choices, and what Bob Pitofsky essentially said is, he is
concerned about the problem. We can debate about what to do
about it, he does not think the commission has the authority to
do what I think is important for the bad actors that I know you
are concerned about and I am concerned about, and that is what
we are wrestling with, and that is what we are trying to strike
the balance on.
    Now, just a couple of other questions, and any commissioner
really can get into this. My understanding is that, as of
today, it is still a small number of Web sites that actually
belong to one of these seal programs, one of the programs to
try to have the self-regulation that we have commended the
larger companies for.
    Now, again, as with all of this, you have to put it in
context.
If you go on aggregate number of hits, it seems to me
we are just as Bob Pitofsky said, we are making some progress,
but if we have got a lot of people out there running Web sites
without any effort to belong to these seal programs, that
troubles me as well.
    Is it correct that it is a pretty small number of Web sites
belonging to seal programs?
    Mr. Thompson. I think the answer is yes. I think that is
one of the challenges for the industry, is to figure out how
they can broaden that coverage, but it also points out, without
trying to cast a shadow on S. 809, but some of the areas that I
would like more information about in order to better, if I were
making legislative recommendations, to better tailor it. One
is, what is the size of that core, and is there something in
legislation that would be more directed at getting at that
problem? That is number 1.
    Second of all, with regard to the safe harbor, I really
think that industry members, who are doing a good job, should
be getting the benefit of that safe harbor, but it is hard to
tell from at least where I stand at this point how broad that
safe harbor should be, who it should cover, and under what
circumstances. That is some of the information I would like to
find out as our further study commences.
    Senator Wyden. That is a fair comment, and I can tell you
that Senator Burns, as we worked on the legislation and as he
and I talked to folks in the industry, it is our desire to
ensure that there is a wide berth for self-regulation. I mean,
we want to make sure that that safe harbor is done right, and
Bob Pitofsky and I have talked about it.
We would very much
appreciate the counsel and the input of the commission and the
good folks that you have over there to do it right, because we
want to give a wide berth for that, and to let the broadest
possible set of self-regulatory efforts go forward.
    A last question I have, and again I am taking time from
Senator Bryan----
    Senator Burns. I am going to cut you off here.
    Senator Wyden. Can I just ask one other real quick one?
Given the fact that now the FTC has said they do not have much
authority--we have got a small number of Web sites belonging to
a seal program.
    What we are saying is that there really is almost a pattern
of nonenforcement of what is out there today, and I guess the
last question for any of you, given the fact that we are trying
to deal with the bad actors, it seems to me you do need some
enforcement authority to deal with those kinds of people. Is
there anything else that might possibly be an enforcement tool
against people that all four of you would say are sleazy and
are not in line with the principles that we would like?
    Mr. Thompson. Money. That would help.
    Mr. Pitofsky. Let me start out, first, I hope I have not
left the impression that we are helpless to address the problem
created by the irresponsible few on the Internet. That is not
quite the case. We have brought 91 cases in less than a year
challenging fraud on the Internet, and several involving
privacy invasions on the Internet, so if they deceive people,
they say give us the information and you can count on us, we
will not abuse the information that you give us, we bring those
cases.
    Now, second, as more and more companies put a privacy
policy up on the Internet, to the extent that they do not abide
by their own policy, that would be deceptive and we would
challenge that.
    Now, many of them, more than half have privacy policies
now.
My hope is, and maybe I am being unduly optimistic about
this, is they will have as good a year this year as they did
last, and we will be up to the point where something like 90
percent of the companies will have a privacy policy, and if
they do not observe their own commitments, then we are not
helpless to act. We would challenge that kind of behavior.
    Mr. Swindle. Senator Wyden, on one point, I think this
whole process is evolving. As Senator Rockefeller I think said
earlier, we are just in the embryo stage of this thing,
realizing that Netscape came along here, the browser, what, in
1993 or 1994 I believe, and we have gone from having 50 Web
sites in 1993, I think I heard yesterday at a conference, to
having 5 million plus now, or 6 million.
    I think we make a mistake by assuming that those who do not
have privacy policies are bad. That takes us to places I do not
think we need to go.
    Second, when we judge the progress by the number of people
who are on the seal programs, or coming under the seal
programs, BBBOnline, or TRUSTe and so forth--there are many
extraordinarily good companies, I suspect. I do not have the
numbers, and I have written myself a note to find out--that
have privacy policies that are probably very good, but who are
not members of one of the seal programs. So, I just think we
have got to look at the big picture here and not just pick out
one thing and say, BBBOnline has only got X number of members.
    Thank you, sir.
    Ms. Anthony. I would just like to make this point. Federal
legislation setting out minimum standards and industry self-
regulation are not mutually exclusive.
Our own FTC act, which
requires that advertising be truthful and nondeceptive, which
the Congress in its great wisdom passed some many years ago,
still has engendered a very robust self-regulatory program by
the advertisers of America, and they work with us on a very
constant basis in seeing that advertising in the United States
is on sound footing.
    Passing minimum standards here to protect consumer privacy
does not spell the death knell for self-regulatory efforts. In
fact, I should hope they would be enhanced from that starting
point.
    Senator Wyden. I took a lot of time. Thank you, Mr.
Chairman.
    Senator Burns. I would have to say that this business
probably is not any different than any other business, and I
was struck by the comment of Mr. Swindle who says, how do you
find a balance that you do not kill the enthusiasm of this
economic engine and still give the consumer the protection that
he deserves, and that is a very fine line.
    Senator Bryan.
    Senator Bryan. Thank you very much, Mr. Chairman, and to
each of our distinguished witnesses, thank you very much for a
very thoughtful dialogue today. I think this is very helpful.
    I continue to be dazzled and amazed with the extraordinary
explosion of information-gathering capability. In this article
that I mentioned briefly in my opening comments, it goes on to
point out that one Web portal acquires 400 billion bytes of
information each day.
    Now, I think for most Americans the definition of a byte is
not something that is probably the discussion at dinner time
conversation, but we are told here it is the equivalent of
800,000 books that would be placed in a library each day.
I
recognize it as a very difficult concept to fully get our arms
around and to do the right thing, but let me say, Chairman
Pitofsky, with whom I have had a wonderful working
relationship, and I do very much appreciate, it does strike me
as a kind of a follow up to Senator Wyden's question, that we
do have a catch-22.
    You are saying, and I think that is correct, that those Web
sites that publish privacy standards, that if they violate
that, that you have the ability under, I think it is section 5,
to enforce that. Yet for the rogues out there in the world, if
they have no privacy standard, it would seem to me that you
have no capability at least to operate under the premise of a
deceptive trade practice.
    Is that not a kind of a catch-22? The very people that we
probably want to bring on board because there are a number of
responsible Web operators who are moving in the direction that
we all want. Let me give you an opportunity to respond to that,
the catch-22 syndrome.
    Mr. Pitofsky. I think the point you make is very well-taken.
It is a problem. I think I would like to join my
colleague, Commissioner Thompson. What we want to find out a
little bit better is, who are those people out there? It is
possible that the people who are gathering hundreds of
thousands of pieces of information, they are the ones that have
privacy policies.
    The 34 percent that do not is somebody operating in their
backyard on a narrow range selling some food product or some
record or some book. They do not have the kind of information
that anybody would buy anyway.
    But we do not know the answer to that. I am not asserting
that. I am saying, I want to find out more about it.
    Let me just say, I want to share the view of my colleague,
Commissioner Anthony, that this is not either-or.
Self-regulation and legislation have to mesh.
What I am saying is
that we would know more, be in a better position to decide what
minimum standards ought to be, after we study this area a
little more and get some more information.
    Senator Bryan. Mr. Swindle, if I might be able to respond
to a comment you made and give you an opportunity to respond to
my comment, you have unfurled the banner of choice. That is the
essence of the greatness in America, it seems to me. We have a
lot of choices, and the entrepreneurial genius of the free
market systems provide us a range of choices that are beyond
what any of us could have imagined a decade ago, much less a
half century ago.
    But you said the choice, you can dial up on the Web, and if
you do not want it, you do not have to, but that does ignore
one aspect that is particularly troublesome to me, and that is
this concept of cookies, these Web sites that put these tags
on. I think most people have no idea that by simply browsing,
all of a sudden information can be captured with respect to
them. How do you respond to that issue, because that is not
choice.
    Mr. Swindle. Senator, I totally agree with you. I think
what you are speaking of, the consumer's lack of knowledge or
now the acquiring of knowledge is reflected somewhat in the
statistics that Commissioner Anthony used a little while ago,
when she said a survey was taken last year and said that 81
percent of the people were concerned about the privacy on the
Internet, and a more recent study said 88 percent are
concerned.
    I would contend that is because they now have more
knowledge of what is possible through, as you describe, the
cookie.
    Again, as I tried to point out, we are in an industry that
is evolving in every sense of the word.
Awareness on the part
of the public, consumer education, Government regulatory
agencies trying to understand the phenomenon, businesses trying
to understand the phenomenon.
    I have been aware of this ``Cookies'' for some time, but
perhaps I am a little bit better informed by circumstance.
Certainly not by intellect, I might add, but certainly by
circumstance, and I am highly offended when one of these sites
starts asking me a question. I just leave them. I will not do
it.
    But when you do not know that it is going on you are being
victimized, and I think if we get more consumer education out
there, and people become more aware, we will see changes, and
industry is going to recognize they have got to satisfy their
customers.
    Senator Bryan. Do we have any idea how much information is
collected through this cookies device, and what these Web sites
are doing with it? Are they blending offline information,
address, social security number, that sort of thing? I will
just toss that out to any one of you who might care to respond.
Do we have any information?
    I find this particularly troublesome because in this sense,
even the fairly sophisticated user of the Internet is captured.
In other words, it is a gotcha. You dial up, and that
information is captured. It is not a volitional choice as to
whether or not you want to do business, or to request
information from the Web site. Is there any information out
there that we have?
    Mr. Pitofsky. You asked two questions. One is, do we have
any sense of how much information is collected surreptitiously,
not just about what you buy, but what you think of buying, what
you are browsing. My answer is we do not. At least, I am not
aware of it. I think frankly this exchange suggests to me that
in our report we ought to address that issue.
Either we know
that answer, or we should say we do not.
    As to your other question, I think we do know that
companies are blending online and offline information in
something called profiling, identity profiling, and that is
very troublesome, too. Commissioner Anthony read that long,
long range of information that is being gathered about people.
I think quite frequently that includes online and offline
sources of information, and it is a subject that ought to
trouble all of us.
    Senator Bryan. And finally, let me just ask a question that
is just a bit off the beat, but I think raises some policy
considerations.
    Sometime back we had a hearing before this committee on
broadband technology, and I recall the AOL person who testified
raised the issue that was described essentially access is
gained through the telephone system or cable, and that through
the telephone system we have a common carrier concept.
Everybody kind of has access to it, and a level playing field,
whereas with respect to cable that is not the case. The AOL
representative I thought made a fairly persuasive point that
that is something we need to take a look at.
    Now I read in the newspaper fairly recently that two of the
titans in the industry, Microsoft and AOL are going toe to toe
with respect to this instant messaging concept, and Microsoft
comes out with the software that will allow their users in
effect to communicate with the AOL instant messaging
subscribers, and now AOL counterattacks by blocking access, and
now Microsoft is indicating that they are going to come back
with some kind of a counter to that counter.
    Are there not some public policy implications? I mean, if
we were back in 1876 after Alexander Graham Bell asked Mr.
Watson to come here, that the idea that somehow we would allow
in the 20th Century.
You cannot gain access to another
telephone system I think would come as a shock to us.
    What are the policy implications for us there? I am talking
about consumers, recognizing there are some legitimate
proprietary interests. I am not sure I have got the answer, but
you all give a lot of thought to these kinds of things. If I
could invite your response, and I thank you, Mr. Chairman.
    Mr. Pitofsky. Two reactions. No. 1 is, you are absolutely
right to put this issue in the much broader context of where we
are going structurally in communications technology.
    No. 2, I am going to duck and say, we may take a look at
this question, and if we do I do not think I should be speaking
out on the issue at this time.
    Senator Bryan. Well, we may read something into that. Thank
you. [Laughter.]
    I think that is a subliminal message. I would invite
anybody else to respond. Silence reigns in the valley.
    Senator Burns. Being raised and living west of the 100th
meridian, and dealing with the era that you were talking about,
about this, I am afraid we would have another OK Corral to
settle this.
    Senator Bryan. It could be another Little Big Horn,
however. [Laughter.]
    Senator Burns. Senator Rockefeller.
    Senator Rockefeller. It is very interesting to me, just
from the point of view of the nature of Americans, when you
come to an issue like this. Justice Brandeis was terrified of
the invasion of privacy when photographs came out, and now we
are going through exactly the same thing, with the obvious
difference that the reach of the Internet is far greater, far
more pervasive, and far more damaging to privacy than obviously
a photograph.
Although photographs have done some fairly
amazing things in American life.
    I guess the question I would ask is, if less than 10
percent of Web sites are doing what is felt to be adequate,
then one would come to the automatic judgment, well then, we
have to do something about it.
    Then on the other hand 82 percent of the American people
are worried that their privacy is going to be invaded, and a
lot of them say they would rather not even get on the Internet
than take that chance. That would seem to go against the
interests of the industry because that is like depriving
themselves of customers if they do not behave as they should.
    Frequently, industry wants to respond to its consumers,
needs to respond to its consumers, and particularly in an
industry like this one, where 9 out of 10 startup companies go
out of business, which is higher than the usual. It is
incredibly competitive, incredibly important to satisfy your
users.
    So that leads me to this. It would seem to me there is an
incentive, which is called the market, more business for
industry to do better, as, indeed, Microsoft and a few other
companies are doing better, as the Georgetown studies and
hearings like this in an incredibly young industry--remember,
we did not have any Internet in the Senate until 2 or 3 years
ago, so this is a very, very young industry. It would seem to
be in the interest of industry to protect privacy to the extent
that it can.
    Now, I do not know what that really means, but I would be
interested in your reaction, Mr. Chairman, and those of the
other commissioners, of how at this very young stage you come
to judge what the potential for this industry's behavior in
response to this problem might be.
    Mr. Pitofsky. That is quite a challenge. My own sense, and
I speak only for myself, is I think this industry does get it.
Or at least, let me put it this way, I think the responsible
leaders of this industry get it, and they know that it is in
their interest to ensure to consumers that their privacy will
be protected and to crack down if they can on those other
companies who do not get it. I think they have worked hard in
this area over the last year or so.
    Are they going to accomplish all that virtually all of us
in this room agree is necessary? I do not know, but I do think
we ought to let this issue work its way out a little bit
longer. We ought to let a little time go by. If nothing else,
we will have a better idea of what legislation we really need.
    What is reasonable access? What does that consist of? What
are security arrangements? How should we set up the safe
harbors? We know a lot now. I think we will know a lot more in
6 months, 8 months, 10 months. We will certainly know whether
this remarkable progress is going to continue.
    Senator Rockefeller. That is very interesting to me. I
would have said 1 or 2 years, or 3 years, and you are saying
no, a much shorter time. You are not for the legislative
approach. You are for the self-regulatory approach.
    But on the other hand, you are saying, if in a period of 6
to 8 to 10 months we do not see the protection of privacy that
we feel that we need to meet the criteria, for example, that
the Georgetown report talks about, then the FTC might change
its view and take a tougher view.
    Now, that is a very interesting time line.
I mean, around
here it usually takes 3 or 4 years to pass anything, and in
fact, the chairman of this full committee is totally against
the bill that the subcommittee chairman is for, and given the
power of chairmen, the bill may never come up.
    So it is philosophically within the American political
context interesting to me that, do we go now for what we judge
to be the right criteria and lay it down, understanding that
what you put up on your Web site as labeling of your protection
of your customers does not necessarily mean you have to follow
through underneath.
    I mean, Meg Whitman to me is sort of the perfect example.
Meg Whitman is caught right in between with eBay, because she
has to have information about her customers in order for her
customers to trust each other enough in order to do business
with each other through the medium of auctioning, therefore she
has to have information. Yet, if she gets caught getting too
much information, which is--not caught, but if she gets too
much information and it goes beyond what competing potential
buyers need, then she could be in some kind of trouble, so it
is interesting to me that you say 6 or 8 or 10 months might
tell us what we need to know.
    My question from that obviously has to be, does that mean
that 9 1/2 percent of Web sites which now do provide that kind
of privacy will--that that is going to increase enormously in 6
or 8 or 10 months, or are there discussions not only in the top
100 Web sites but in the whole industry? Are they ongoing to
the extent that one could reasonably say, well, there are going
to be substantial changes in the industry? The FTC would accept
that position for the moment if they believe that there will be
changes?
    Mr. Pitofsky. Let me respond, and I know my colleagues want
to speak to your excellent questions.
    Our report commits us. We will be back here with a report
in less than a year.
Now, a couple of months have gone by
already since we wrote our report, so we are going to be back
here soon. I do not think this is an industry where you wait
around 3 or 4 years. It moves too quickly, and therefore I
think we have a responsibility to have a followup report in
this area.
    Am I convinced that industry's word is good, and they will
really achieve all these things? I am very interested in their
commitments and in their hopes and in their ambitions, but no,
that is not going to be the answer. The answer has to be
production of a privacy policy that satisfies as many of these
goals as this group thinks ought to be satisfied.
    I think things are going to get better. I think they will
continue to improve. The way I put it is, will they get to the
goal line? I don't know. They have a long way to go.
    Mr. Thompson. I think you raise some excellent questions,
and raise some of the concerns that I have.
    First of all, one of the challenges that we are seeing is
whether industry, the leaders in the industry can reach out and
capture those who are not participating.
    Now, we have to understand the impediments why they are
not, but let me tell you there are some things going on right
now that we think are very helpful. For example, when IBM and
Microsoft say that they are not going to advertise on Web sites
that do not have a privacy policy, and this is our strategy for
moving in that direction, that is the kind of
business-to-business initiative that moves in the right direction.
That is
one.
    Second, is when the Online Privacy Alliance and others like
the DMA say, if you do not have a privacy policy that meets
these principles by X date, then you will no longer be a member
of our association, that is another business-to-business kind
of initiative that we think moves in the right direction.
    Also, when they begin to say we are going to have a
business education program that is going to have these kinds of
milestones, those are the kinds of initiatives that are going
to be important. We have to begin to measure those milestones
and examine them carefully to see how they fit into a
legislative recommendation.
    In addition, there are other things going on at the same
time that are going to be very important to this discussion.
The fact that technology is going to be improving, we know
that. There are some companies that we have heard of that want
to provide consumers with tools so that they can decide how
they want to use information. That is going to be factored in.
    At the same time we have seen the movement of getting
better technology to deal with cookies, not just the fact that
the best that we have now is that when someone puts a cookie on
your machine they tell you there is a cookie. It does not tell
you what that cookie does. It does not tell what information
they are gathering, though we have seen people working on
technology to give consumers better information about what the
nature of those cookies are.
    All of those things are coming to a head, and where I share
the chairman's view is this. Do not forget, 3 years ago there
was no Amazon.com, so 1 Internet-year people frequently say
equals 3 years of normal business time, so that if we are
talking about compressed time frames here, I think that
industry understands that, and we understand that as well.
    Senator Rockefeller. Commissioner Anthony, I apologize, but
you might have a different opinion.
If so, I would like to hear
it.
    Ms. Anthony. I think the leaders of business really have
stepped up to the plate in many instances, but as Senator Wyden
said earlier today, it is not the leaders of the industry that
I am so terribly concerned about because they are attempting to
be responsible.
    It is the vast number of others who are gathering
personally identifiable information and selling it oftentimes
to people with whom the visitor to the Web site has not
contracted for any purpose, or really has no idea that the
information is being passed on to others.
    I think that is the most offensive thing to me. I cannot
speak for all Americans, but certainly that is very bothersome,
very troublesome.
    Senator Rockefeller. Thank you all. Thank you, Mr.
Chairman.
    Senator Burns. Thank you. I want to thank the commission.
    Mr. Swindle, you said a while ago there is always the
click. You can always click it off whenever you think----
    Mr. Swindle. It is time to click.
    Senator Burns. Well, I can remember, and so can the rest of
the members of this committee, when we were talking about the V
chip, and ratings and things on television, and some
inappropriate material that we thought should have some way to
be identified and to be filtered and this type thing. Well, I
always said there is a V chip on your television right now. It
is called an on and off button, and I lost that argument, by
the way.
    But nonetheless, I thank you for your opinion this morning.
It is really valued, and you have spent an inordinate amount of
time dealing with this situation, and I appreciate that very
much.
    Are there any other Members that have other questions of
the commission this morning?
    I want to again express my appreciation.
    Senator Rockefeller. Can I ask one? You should not have
asked that.
    Senator Burns. We almost made it, Mr. Chairman. [Laughter.]
    Senator Rockefeller.
This in fact interests me very much,
because recently the FCC--not FTC, but FCC ruled that all
cellular phones must have the ability to give emergency
personnel an exact location of a phone's user.
    Just think about that. That means that anybody under a
circumstance could be identified precisely where they are by
law, by Government regulation, and that could be seen to be
dangerous, and with far-reaching consequences.
    I remember a number of years ago an enormous tree,
150-year-old oak fell on my wife and car, and she broke a lot of
ribs and had a lot of damage done to her on a crowded parkway.
It took an hour-and-a-half for an emergency vehicle to get to
her.
    Now, I am not saying with a crowded parkway that it would
have been faster, but to know exactly where she was would have
been good, and yet that also raises questions, I would think,
with some of you. I am interested in the philosophical tug of
that, with my apologies to the chairman.
    Mr. Pitofsky. Very quickly, that is a tough one. I do not
think this issue we have been discussing is nearly as tough as
the one you raise, because there is a tradeoff on the issue you
raise between the good things that are accomplished and the
invasion of privacy. I mean, who wants the world to know
exactly where you are every minute? I do not see this set of
issues in that way.
    Here, people are taking personally identifiable
information, accumulating it, marshaling it, and selling it
without your permission. I do not see the tradeoff there. That
should be prevented. The question is, how you do it.
    Senator Burns. I would draw a parallel. I can remember
buying a toaster one time and it asked me all these silly
questions when I sent back the warranty. If I wanted to get a
warranty on that toaster, they asked me all these questions,
you know, and there was no way to click off on that.
I did not
fill them out, and I did not get the warranty on the toaster
anyway. I was going to use it for other than toast. [Laughter.]
    I had another idea, and that did not work, either.
[Laughter.]
    Thank you very much. We appreciate the commission coming
down this morning, and I will invite the second panel to come
forward and take the table. We really appreciate your coming
down today, because we know you have a busy schedule of your
own.
    We will now hear from the industry, and we would like to
call to the table Ms. Jill Lesser, Ms. Deirdre Mulligan, Marc
Rotenberg, and Ms. Christine Varney. They are representatives
of the industry, and we are looking forward to their testimony.
    OK, as we get situated we are looking forward to the views
of the industry, and I would like to introduce at this time Ms.
Jill Lesser, who is vice president, domestic public policy,
America Online. Thank you for coming this morning. We are
looking forward to your comments.

           STATEMENT OF JILL LESSER, VICE PRESIDENT,
             DOMESTIC PUBLIC POLICY, AMERICA ONLINE

    Ms. Lesser. Chairman Burns, members of the subcommittee,
thank you for the opportunity to discuss online privacy with
you today. As Chairman Burns said, I am Jill Lesser, and I am
vice president for domestic public policy at America Online.
    Privacy is, as we heard in the first panel and as we have
been hearing in the media, an extremely important issue,
because the online medium is quickly revolutionizing the way
people learn, communicate, and engage in business.
People are
migrating online to meet their commerce and communications
needs, and there is an ever-increasing array of services.
    The online environment also offers unique benefits for
customization and personalization, and consumers can
communicate specific preferences online that will allow them to
receive products and information targeted to them.
    For example, AOL members can set up their own online
preferences, and I stress that they do this voluntarily,
putting in their zip code from their home town, and they can
receive weather and receive news stories in their local home
town paper.
    But the power of the Internet, as you have heard earlier
today and as we have repeatedly said, can only be realized if
consumers feel confident that their privacy is protected online
and that they trust the entities with whom they are doing
business and communicating.
    We, as a company, have taken many important steps to create
an environment where our members can be certain that their
personal information is protected, and we protect the choices
they make regarding that information. Building on the lessons
that we have learned, sometimes from difficult experiences, and
the input we have received from our members and policymakers,
many of you included, we have created privacy policies that
clearly explain our policies to our users, what we collect,
what we do with it, who we share it with, and how they can
exercise choices.
    The privacy policy that we have lately adopted is based on
eight core principles, some of which are, we do not read any
online private communications, we do not use information about
where our member goes online for anything, and we do not share
any of that information with others.
We give choices to AOL
users, and we take extra steps to protect kids.
    We also make sure, and I think this is very critical, that
the privacy policy we have adopted is implemented throughout
the company and is signed by each and every one of AOL's
employees, and we keep our users informed about how they can
protect their own privacy.
    For example, we constantly encourage--indeed, every time a
member signs on, that they should not give out their personal
information unless they know with whom they are dealing, and
should never give out their AOL password to anyone.
    As I said, we take extra steps to protect kids. That
includes the creation of a kids-only area, and we did, as I
will discuss later, support Senator Bryan's efforts last year
in the Children's Online Protection Act, because we do believe
there was an area of particular concern.
    Going further than just privacy, and also just with respect
to AOL proper, we have developed one of the strongest examples
I think of consumer protection and privacy online with our
Certified Merchant program, where we basically require all of
our merchants, and that is all the partners who sell to
consumers within the AOL shopping area, to abide by our
Certified Merchant program, and that includes adopting their
own privacy policy or complying with America Online's privacy
policy in addition to engaging in other forms of consumer
protection disclosures like making sure people understand what
return policies are, when products will be shipped, and the
like.
    As you will hear from Christine Varney, we have been a
leader in the Online Privacy Alliance, which has undertaken to
promote market-driven policies in the area of privacy, and we
also believe strongly that technology holds the key to ensuring
a safe and secure online environment.
    As an online service provider, we believe it is critical to
be able to provide the most sophisticated security
technologies
to our members in order that they can help protect their own
privacy, and we will, as we have in the past, continue to
advocate strong encryption uses here and abroad.
    Let me comment on the focus of today's hearing, and that is
S. 809, the Online Privacy Protection Act. We would urge the
committee, as I think the FTC has done, to proceed with caution
in considering legislation, but we do not believe that our
comments indicate that Congress should be any less vigilant in
tracking industry's progress in identifying areas where
legislation may be appropriate.
    As I noted earlier, we did support the Children's Online
Privacy Protection Act because of the unique concerns relating
to child safety in the online environment. However, even that
legislation, which was carefully crafted and widely vetted, is
raising challenging interpretation and implementation issues
for the Federal Trade Commission and the industry, and we are
going to continue to work through that process.
    With respect to the specifics of S. 809, I would urge the
committee to consider focusing not on a regulatory framework,
but on an enforcement framework. In that way, I think that the
FTC can be empowered to stop the bad guys, in quotes, and let
the good guys continue to serve consumers with innovative
services and products.
    What our research shows is that consumers are most
interested in an honest exchange.
They see the benefit of the
services they receive online, but they want to ensure that they
know who will have access to the information and what will be
done with it, and so I think that focusing on giving the FTC
the powers they need, as Chairman Pitofsky noted, to basically
go after those folks who are engaging in fraudulent business
practices, while not telling the leaders in the industry
exactly where and how, for example, they need to post privacy
policies, will be a very productive discussion, and we look
forward to engaging in that dialogue with you, Mr. Chairman,
and with Senator Wyden and others interested in this important
issue.
    I appreciate the opportunity to appear here, and I am happy
to answer any questions.
    [The prepared statement of Ms. Lesser follows:]

  Prepared Statement of Jill Lesser, Vice President, Domestic Public
                         Policy, America Online

    Chairman Burns, Senator Hollings and Members of the Subcommittee, I
would like to thank you, on behalf of America Online, for the
opportunity to discuss online privacy with you today. My name is Jill
Lesser, and I am the Vice President for Domestic Policy at AOL.
    Privacy is an extremely important issue because the online medium
is quickly revolutionizing the way we learn, communicate, and do
business. People are migrating to the Internet to meet their commerce
and communication needs at an extraordinary rate because it is
convenient and fast, and offers an ever-growing selection of
information, goods and services. AOL subscribers can sign on to our
service and do research, shop for clothes, and buy airline tickets all
in a matter of minutes.
    In addition, the online environment offers users unique benefits of
customization and personalization. Consumers can communicate specific
preferences online that will allow them to receive information targeted
to their own interests.
For instance, AOL members can set their online
preferences to get the weather forecast for their own zip code, read
news stories about their own hometown, or receive notices about special
discounts on their favorite CDs. No other commercial or educational
medium has ever afforded such tremendous potential for personalization.
    But the power of the Internet can only be fully realized if
consumers feel confident that their privacy is properly protected when
they take advantage of these benefits. We know very well that if
consumers do not feel secure online, they will not engage in online
commerce or communication--and without this confidence, our business
cannot grow. For AOL, therefore, protecting our members' privacy is
essential to earning their trust, and this trust is, in turn, essential
to building the online medium. We learned this important lesson through
our own mistakes not too long ago, when an AOL employee wrongly
revealed the screen name of one of our members to the government.
    Recognizing the importance of this issue, AOL has taken a number of
steps to create an environment where our members can be certain that
their personal information and their choices regarding the use of that
information are being respected: from creating and implementing our own
privacy policies and educating our members about them, to promoting
best practices among our business partners, to engaging in
industry-wide initiatives and enforcement mechanisms that will raise the bar for
all companies who do business online.
    Although the Internet is growing at a tremendous pace, we are still
only at the beginning of the development of this new medium. Industry
initiatives are helping to craft the ``rules of the road'' that will
dictate online business practices, and we believe that it is important
to see how those rules develop rather than imposing a sweeping
regulatory framework on the Internet and e-commerce.
Therefore, we hope \nto continue working with policymakers, consumer groups, and industry \ncolleagues to promote industry-led, market-driven initiatives that will \nbuild on the progress we have already made and ensure that individual \nprivacy is protected online.\n\n                           SETTING AN EXAMPLE\n\n    AOL is committed to protecting consumer privacy. Building on the \nlessons we have learned and the input we have received from our \nmembers, we have created privacy policies that clearly explain to our \nusers what information we collect, why we collect it, and how they can \nexercise choice about the use and disclosure of that information. We \nupdate our policies and procedures to respond to changes in technology \nor consumer demand, but our commitment to core privacy protections \nremains constant. AOL\'s current privacy policy is organized around 8 \ncore principles:\n    (1) We do not read your private online communications.\n    (2) We do not use any information about where you personally go on \nAOL or the Web, and we do not give it out to others.\n    (3) We do not give out your telephone number, credit card \ninformation or screen names, unless you authorize us to do so. And we \ngive you the opportunity to correct your personal contact and billing \ninformation at any time.\n    (4) We may use information about the kinds of products you buy from \nAOL to make other marketing offers to you, unless you tell us not to. 
\nWe do not give out this purchase data to others.\n    (5) We give you choices about how AOL uses your personal \ninformation.\n    (6) We take extra steps to protect the safety and privacy of \nchildren.\n    (7) We use secure technology, privacy protection controls and \nrestrictions on employee access in order to safeguard your personal \ninformation.\n    (8) We will keep you informed, clearly and prominently, about what \nwe do with your personal information, and we will advise you if we \nchange our policy.\n    We give consumers clear choices about how their personal \ninformation is used, and we make sure that our users are well informed \nabout what those choices are. For instance, if an AOL subscriber \ndecides that he does not want to receive any targeted marketing \nnotices from us based on his personal information or preferences, he \ncan simply check a box on our service that will let us know not to use \nhis data for this purpose. Because we know this issue is so critically \nimportant to our members and users, we make every effort to ensure that \nour privacy policies are clearly communicated to our customers from the \nstart of their online experience, and we notify our members whenever \nour policies are changed in any way.\n    We also make sure that our policies are well understood and \nproperly implemented by our employees. We require all employees to sign \nand agree to abide by our privacy policy, and we provide our managers \nwith training on how to ensure privacy compliance. We are committed to \nusing state-of-the-art technology to ensure that the choices \nindividuals make about their data online are honored. 
And, we believe \nthat our commitment to consumer privacy and the means we give our \nsubscribers to exercise their privacy prerogatives gives us a clear and \nmeaningful market advantage in attracting and retaining subscribers.\n    Finally, we try to keep users informed about the steps they can \ntake to protect their own privacy online. For instance, we emphasize to \nour members that they must be careful not to give out their personal \ninformation unless they specifically know the entity or person with \nwhom they are dealing, and we encourage them to check to see whether \nthe sites they visit on the Web have posted privacy policies.\n\n                       PROTECTING CHILDREN ONLINE\n\n    AOL takes extra steps to protect the safety and privacy of children \nonline. One of our highest priorities has always been to ensure that \nthe children who use our service can enjoy a safe and rewarding online \nexperience, and we believe that privacy is a critical element of \nchildren\'s online safety.\n    We have created a special environment just for children--our ``Kids \nOnly\'\' area--where extra protections are in place to ensure that our \nchildren are in the safest possible environment. In order to safeguard \nkids\' privacy, AOL does not collect personal information from children \nwithout their parents\' knowledge and consent, and we carefully monitor \nall of the Kids Only chat rooms and message boards to make sure that a \nchild does not post personal information that could allow a stranger to \ncontact the child offline. Furthermore, through AOL\'s ``Parental \nControls,\'\' parents are able to protect their children\'s privacy by \nsetting strict limits on whom their children may send e-mail to and \nreceive e-mail from online.\n    Because of the unique concerns relating to child safety in the \nonline environment, AOL supported legislation in the 105th Congress to \nset baseline standards for protecting kids\' privacy online. 
We worked \nwith Senator Bryan, the FTC, and key industry and public interest \ngroups to help bring the Child Online Privacy Protection Act (COPPA) to \nfruition last year. We believe the enactment of this bill was a major \nstep in the ongoing effort to make the Internet safe for children.\n\n                        FOSTERING BEST PRACTICES\n\n    In addition to adopting and implementing our own policies, AOL is \ncommitted to fostering best practices among our business partners and \nindustry colleagues. One of the strongest examples of this effort is \nour ``Certified Merchant\'\' program, through which we work with our \nbusiness partners to guarantee our members the highest standards of \nprivacy and customer satisfaction when they are within the AOL \nenvironment. AOL carefully selects the merchants we allow in the \nprogram (currently there are over 150 participants), and requires all \nparticipants to adhere to strict consumer protection standards and \nprivacy policies. The Certified Merchant principles are posted clearly \nin all of our online shopping areas, thereby ensuring that both \nconsumers and merchants have notice of the rules involved and the \ndetails of the enforcement mechanisms, which help to foster consumer \ntrust and merchant responsiveness.\n    Here are the criteria that our merchants have to meet in order to \nbecome certified and to display the America Online Seal of Approval \n(some screen shots that show how these criteria appear to subscribers \non our service are attached to this testimony):\n    1. Post complete details of their Customer Service policies, \nincluding: Contact Information, Shipping Information, Returns Policies, \nand Money-Back Satisfaction Guarantee Information.\n    2. Receive and respond to e-mails within one business day of \nreceipt.\n    3. Monitor online store to minimize/eliminate out-of-stock \nmerchandise available.\n    4. 
Receive orders electronically to process orders within one \nbusiness day of receipt.\n    5. Provide the customer with an order confirmation within one \nbusiness day of receipt.\n    6. Deliver all merchandise in professional packaging. All packages \nshould arrive undamaged, well-packed, and neat, barring any shipping \ndisasters.\n    7. Ship the displayed product at the price displayed without \nsubstituting.\n    8. Agree to adopt privacy policies that comport with AOL\'s privacy \npolicy.\n    Through our Certified Merchant program, we commit to our members \nthat they will be satisfied with their online experience, and we have \ndeveloped a money-back guarantee program to dispel consumer concerns \nabout shopping online and increase consumer trust in this powerful new \nmedium. We believe that these high standards for consumer protection \nand fair information practices will help bolster consumer confidence \nand encourage our members to engage in electronic commerce.\n\n                  HELPING TO PROMOTE INDUSTRY EFFORTS\n\n    The online industry as a whole is taking positive steps toward \nprotecting consumer privacy. In fact, to improve industry\'s commitment \nto online privacy, AOL joined with other companies and associations \nlast year to form the Online Privacy Alliance (OPA), a group dedicated \nto promoting privacy online.\n    As you will hear today, the OPA has worked hard to develop a set of \ncore privacy principles--centered around the key concepts of notice, \nchoice, data security, and access--and its members are committed to \nposting and implementing privacy policies that embody these principles. 
\nSince we began our efforts just a few months ago, the OPA has grown to \ninclude more than 85 recognized industry leaders, and industry efforts \nto protect consumer privacy online have blossomed.\n    A recent study conducted by Georgetown University Professor Mary \nCulnan shows that, in a sample drawn from a pool of the 7500 most \nvisited websites, more than 65% of the sites have posted a privacy \npolicy or a statement about their information practices. This number \ndemonstrates a tremendous increase from the number of sites posting \npolicies just one year ago, when the FTC conducted a similar study.\n    Following closely on the heels of the Georgetown study, the FTC \nreleased its report to Congress on the status of the industry\'s efforts \nto protect consumers\' online privacy and presented testimony before \nthis Subcommittee. Based on the progress of industry itself, the report \nconcluded that legislation to address online privacy was not \nappropriate at this time. The FTC credited ``responsible elements in \nthe online business community\'\' with accomplishing a great deal in a \nshort amount of time. While the report recognized that more needs to be \ndone to secure consumers\' online privacy, it concluded that industry \nwas best positioned to take the leadership role in those efforts \nbecause it is ``the least intrusive and most efficient means to ensure \nfair information practices online, given the rapidly evolving nature of \nthe Internet and computer technology.\'\'\n    We concur with the FTC\'s conclusions; private sector leadership in \ndeveloping fair information practices online is the right approach to \nassuring broad privacy protection in that environment, but we also \nrealize that there is still more work to be done. 
To that end and to \nbuild on our success to date, the OPA has renewed its commitment to \nreach out to businesses nationwide to explain the importance of \nprotecting online privacy and posting meaningful privacy policies.\n    We believe that the OPA member companies are setting a new standard \nfor online privacy, and that as consumers become more aware of the \nchoices available to them, the marketplace will begin to demand robust \nprivacy policies of all companies that do business online. But we also \nunderstand the need for meaningful enforcement of industry standards. \nThat\'s why we abide by the OPA requirement to participate in robust \nenforcement mechanisms through our involvement in the TRUSTe and \nBBBOnline privacy seal programs. We are key sponsors of both the TRUSTe \nand BBBOnline privacy seal programs, and have worked closely with \nindustry representatives and members of the academic community to help \nformulate strict standards for seal eligibility.\n\n                          THE CHALLENGES AHEAD\n\n    It is clear that companies are responding to the increasing \nmarketplace demand for online privacy, and that the tremendous growth \nof e-commerce reflects positive trends on a variety of consumer \nprotection issues, including privacy. But our work has only just begun. \nAs technology makes it easier for companies to collect and use personal \ninformation, the adoption and implementation of robust privacy policies \nwill become even more important.\n    In part, we believe that technology holds the key to ensuring a \nsafe and secure online environment. As an online service provider, we \nbelieve it is critical for us to be able to provide the most \nsophisticated security technologies to our members so that they can \ntake steps to protect their own privacy online. 
That\'s why we will \ncontinue to advocate the widespread availability and use of strong \nencryption, both in this country and abroad.\n    The challenges that lie ahead will give us the chance to prove that \nindustry and government can work together to promote online privacy. \nBut ultimately, it is the consumer who will be the judge of whether \nthese efforts are adequate. Because no matter how extraordinary the \nopportunities for electronic commerce may be, the marketplace will fail \nif we cannot meet consumers\' demands for privacy protection and gain \ntheir trust.\n\n                         LEGISLATIVE PROPOSALS\n\n    The focus of today\'s hearing is legislation designed to extend the \nprivacy provisions in COPPA to adults--the Online Privacy Protection \nAct of 1999, S. 809--sponsored by Chairman Burns and Senator Wyden. AOL \nurges the Committee to proceed with great caution in considering this \nor any legislation that would extend regulation of the Internet beyond \nwhat is currently in force. Not only is general privacy regulation \npremature, but we are concerned about unanticipated consequences that \ncould affect the growth of electronic commerce or otherwise harm \nconsumers and/or the industry.\n    As the Georgetown study showed and the FTC report confirmed, \nindustry-led efforts have resulted in a tremendous increase in website \nadoption of privacy policies in a very short amount of time. And, as \nAOL has testified, industry is committed to continuing those efforts to \nachieve even greater progress in the future. Consequently, it is \npremature to consider legislation to address any gaps in self-\nregulation until it becomes apparent where such gaps would be. As the \nFTC report concluded, industry-led efforts to address online privacy \nare ``the least intrusive and most efficient means\'\' to accomplish the \nimportant public policy objective of creating a secure online \nenvironment for consumers. 
Private sector efforts should be given an \nopportunity to mature fully before Congress considers seriously whether \nfurther privacy legislation is necessary or prudent.\n    This is not to say that Congress should be any less vigilant in \ntracking industry\'s progress and identifying areas where legislation \nis appropriate. For example, as noted previously, AOL supported COPPA \nbecause of the unique concerns related to child safety in the online \nenvironment. However, even that legislation, which was carefully \ncrafted and widely vetted, is raising challenging interpretation and \nimplementation issues for the FTC and for the industry. Just last week, \nthe Commission convened a special workshop in an attempt to get a \nbetter understanding of the myriad issues involved in obtaining \nverifiable parental consent, including whether the federal regulation \nproposed would discourage Internet start-ups from offering content \ndesigned for children.\n    With respect to the specifics of S. 809, AOL urges the Committee to \nconsider focusing not on a regulatory framework for online privacy, but \nrather on strengthening the FTC\'s enforcement authority to prevent \nfraudulent business practices. In that way, the ``bad guys\'\' can be \nstopped and the ``good guys\'\' can continue to serve consumers with \ninnovative services and products. Our research shows that consumers are \nmost interested in an honest exchange. They see the benefit of the \nservices they receive online, but want to ensure that they know who \nwill have access to any information they give out and how it will be \nused.\n\n                                SUMMARY\n\n    We at AOL are committed to doing our part to protect personal \nprivacy online. Our customers demand it, and our business requires it--\nbut most importantly, the growth and success of the online medium \ndepend on it. 
We appreciate the opportunity to discuss these important \nissues before the Committee, and look forward to continuing to work \nwith you on other matters relating to the Internet and electronic \ncommerce.\n\n    Senator Burns. Thank you very much. Now we will hear from \nMs. Deirdre Mulligan, who is staff counsel, Center for \nDemocracy and Technology.\n\n   STATEMENT OF DEIRDRE MULLIGAN, STAFF COUNSEL, CENTER FOR \n                    DEMOCRACY AND TECHNOLOGY\n\n    Ms. Mulligan. Thank you so much for the opportunity to be \nhere. I want to first thank the chairman and Senator Wyden and \nSenator Bryan for their leadership on the privacy issue and \nalso for your work on encryption.\n    As you have heard from everyone so far this morning, and my \nguess is you will continue to hear today, there is a fair \namount of consensus in this room, and I think what I have heard \nfrom the members of this subcommittee, there has been an \nagreement that consumers are concerned about their privacy. \nEighty-seven percent of consumers have registered concern--a \nvery high percentage of consumers. And I think Senator Wyden\'s \nearlier comments about very informed consumers, such as chief \ninformation officers, are incredibly reluctant to participate \nin all of the benefits that this new technology has to offer \nfor fear of loss of personal privacy.\n    You have heard widespread agreement that abiding by fair \ninformation practices, or, I would at least say, a narrower \nsubset of fair information practices, that have been offered by \nthe Federal Trade Commission, would substantially address \nconsumers\' concerns and help to establish a framework that will \nboth promote privacy and enable widespread use of electronic \ncommerce.\n    You have also heard agreement that it is in businesses\' \nenlightened self-interest to proceed in this direction. 
Yet we \nhave also noted that despite some very, very commendable \nefforts, right now we have a less than stellar record on \nactually seeing a widespread and ubiquitous enforcement of \nthose policies in the commercial marketplace.\n    We will also agree that business practices, best business \npractices, need to continue to move forward, and that the \nprivate sector does have a role to play in raising the \nbenchmark, and that self-regulatory programs will need to be a \npart of this very freewheeling and, as we heard, 3.6 million \ncommercial Web sites and growing by 10 percent on a daily \nbasis, we need as many cops on the beat as possible.\n    So, where will we disagree?\n    I think, as Senator Wyden pointed out, and Senator Burns, \nand the discussion around S. 809 indicates, the agreement is \nnot about where we should go; the agreement is primarily about \nhow best to get there.\n    I would like to submit for the record a report that CDT is \nreleasing today. And it is called ``Behind the Numbers: Privacy \nPractices on the Web.\'\' And what we tried to do is actually say \nwe have some statistics, from the Georgetown Internet Privacy \nPolicy Survey, the Online Privacy Alliance\'s Survey, from the \nFederal Trade Commission survey last year, that give us some \nindication of where practices are going in the online world.\n    What we have found is that while there has been some \nprogress, that many of the most deeply held concerns of \nconsumers remain unaddressed. For example, 87 percent of \nindividuals stated a concern with their privacy online. But a \nthird of the highly trafficked Web sites--this is not the 3.6 \nmillion, this is the 7,500 highly trafficked Web sites--remain \nsilent on the issue of privacy altogether. Ninety-one percent \nof Internet users and 96 percent of those engaged in e-commerce \nwant to know what personal information is collected and used. 
\nBut, again, less than 50 percent of these frequently trafficked \nWeb sites are telling consumers this critical information that \nthey need to make informed choices.\n    Forty percent of business Web sites are not allowing \nindividuals to exercise even a very limited right to object to \ncompanies re-contacting them. This was a critical concern. An \noverwhelming majority of individuals, as people have \nidentified, their top concern is their ability to control the \nuse of their information. And while we would suggest that an \nopt out, particularly when you are talking about financial \nrecords, medical records, which are provided on the Web--\nindividuals are engaging in lots of varied interactions on the \nWeb--an opt out model is clearly not what individuals think is \nappropriate when they talk about consent.\n    The question is, how do we move forward?\n    Part of our survey that I would like to offer for the \nrecord looked at the self-regulatory enforcement programs. And \nthere is some good news. TRUSTe, BBBOnline and WebTrust, which \nare the three that we looked at, are in fact raising the \nstandards for what business practices should be, as self-\nregulatory programs should do.\n    Right now, unfortunately, I think that there is the \nopportunity for an enormous amount of consumer confusion. Two \nof the self-regulatory programs are actually in the process of \nchanging their standards. And so, right now, a mark may mean \nthat a company is telling consumers what they do. It may mean \nthat it is actually adhering to a higher set of fair \ninformation practices. But the main lesson to consumers is that \neven where there is a trust mark, you have to read the fine \nprint, and that caution is certainly wise.\n    On the down side, less than 8.5 percent of even the 7,500 \nhighly trafficked Web sites are using these programs. 
And I \nwould suggest, when you look at the 3.6 million Web sites, that \nare growing by 275,000 a day, that 900 Web sites participating \nin self-regulatory enforcement programs is not going to provide \nthe kind of ubiquitous, enforceable privacy protections that \nthe FTC has requested and that I think consumers both demand \nand deserve.\n    For that reason, I think that S. 809 serves as a good \nstarting point for a discussion about how to move forward on \nprotecting privacy. I think that as Commissioner Swindle said \nearlier, the third of the Web sites that are not posting \nprivacy policies, are they necessarily bad actors? Perhaps not. \nDo they necessarily need some guidance? I would suggest yes.\n    Is there a reason why individual companies are not choosing \nto participate in self-regulatory enforcement programs? I \nbelieve there may be several--one of which may be cost. The \nfact that there is a Federal baseline, with a Federal \nenforcement mechanism, is something that in fact can continue \nto maintain the very low barriers to entry that we have in this \nmarketplace.\n    So, in moving forward, I look forward to working with the \nFederal Trade Commission, members of both industry and the \npublic interest sector, and members of this committee to figure \nout how to craft an appropriate framework that relies on self-\nregulation, legislation and technology to address individuals \nprivacy concerns.\n    Thank you.\n    [The prepared statement of Ms. Mulligan follows:]\n\n        Prepared Statement of Deirdre Mulligan, Staff Counsel, \n                  Center for Democracy and Technology\n\n                              I. OVERVIEW\n\n    The Center for Democracy and Technology (CDT) is pleased to have \nthis opportunity to testify about privacy in the online environment. 
\nCDT is a non-profit, public interest organization dedicated to \ndeveloping and implementing public policies to protect and advance \ncivil liberties and democratic values on the Internet. One of our core \ngoals is to enhance privacy protections for individuals in the \ndevelopment and use of new communications technologies. We thank the \nChairman and Senators Wyden and Hollings for holding this hearing and \nfor their commitment to seeking policies that support both civil \nliberties and a vibrant Internet.\n    CDT wishes to emphasize three points this morning:\n    <bullet> The Internet presents new challenges and opportunities for \nthe protection of privacy. Our policies must be grounded in an \nunderstanding of the medium\'s unique attributes and its unique \npotential to promote democratic values.\n    <bullet> Privacy is a complex value. In the context of this \ndiscussion, we believe Congress should focus on ensuring that \nindividuals\' long-held expectations of autonomy, fairness, and \nconfidentiality are respected as daily activities move online. These \nexpectations exist vis-a-vis both the public and the private sectors.\n    By autonomy, we mean the individual\'s ability to browse, seek out \ninformation, and engage in a range of activities without being \nmonitored and identified.\n    Fairness requires policies that provide individuals with control \nover information that they provide to the government and the private \nsector. The concept of fairness is embodied in the Code of Fair \nInformation Practices \\1\\--long-accepted principles specifying that \nindividuals should be able to ``determine for themselves when, how, and \nto what extent information about them is shared.\'\' \\2\\ The Code also \nrequires that those who collect and use personal information do so in a \nmanner that respects individuals\' privacy interests. 
Self-regulatory \nefforts designed for the online environment are gradually moving closer \nto the standards for privacy protection set out in the Code of Fair \nInformation Practices. However, legislation, as well as robust self-\nregulation, is both inevitable and necessary to ensure privacy \nprotection is the rule rather than the exception on the Internet. The \nChildren\'s Online Privacy Protection Act, which originated in the full \nCommittee and was enacted last October, provides a model for \nestablishing such a legal framework. The Online Privacy Protection Act \nof 1999 (S. 809), with modifications, would provide a similar framework \nfor protecting adult privacy and establishing the authority of the \nFederal Trade Commission to punish bad actors.\n---------------------------------------------------------------------------\n    \\1\\ The Code of Fair Information Practices as stated in the \nSecretary\'s Advisory Comm. on Automated Personal Data Systems, Records, \nComputers, and the Rights of Citizens, U.S. Dept. of Health, Education \nand Welfare, July 1973:\n    There must be no personal data record-keeping systems whose very \nexistence is secret.\n    There must be a way for an individual to find out what information \nabout him is in a record and how it is used.\n    There must be a way for an individual to prevent information about \nhim that was obtained for one purpose from being used or made available \nfor other purposes without his consent.\n    There must be a way for the individual to correct or amend a record \nof identifiable information about him.\n    Any organization creating, maintaining, using, or disseminating \nrecords of identifiable personal data must assure the reliability of \nthe data for their intended use and must take precautions to prevent \nmisuse of the data. Id. 
at xx\n    The Code of Fair Information Practices as stated in the OECD \nguidelines on the Protection of Privacy and Transborder Flows of \nPersonal Data http://www.oecd.org/dsti/sti/ii/secur/prod/PRIV--EN.HTM\n    1. Collection Limitation Principle: There should be limits to the \ncollection of personal data and any such data should be obtained by \nlawful and fair means and, where appropriate, with the knowledge or \nconsent of the data subject.\n    2. Data quality: Personal data should be relevant to the purposes \nfor which they are to be used, and, to the extent necessary for those \npurposes, should be accurate, complete and kept up-to-date.\n    3. Purpose specification: The purposes for which personal data are \ncollected should be specified not later than at the time of data \ncollection and the subsequent use limited to the fulfillment of those \npurposes or such others as are not incompatible with those purposes and \nas are specified on each occasion of change of purpose.\n    4. Use limitation: Personal data should not be disclosed, made \navailable or otherwise used for purposes other than those specified in \naccordance with the ``purpose specification\'\' except: (a) with the \nconsent of the data subject; or (b) by the authority of law.\n    5. Security safeguards: Personal data should be protected by \nreasonable security safeguards against such risks as loss or \nunauthorized access, destruction, use, modification or disclosure of \ndata.\n    6. Openness: There should be a general policy of openness about \ndevelopments, practices and policies with respect to personal data. \nMeans should be readily available of establishing the existence and \nnature of personal data, and the main purposes of their use, as well as \nthe identity and usual residence of the data controller.\n    7. 
Individual participation: An individual should have the right: \n(a) to obtain from a data controller, or otherwise, confirmation of \nwhether or not the data controller has data relating to him; (b) to \nhave communicated to him, data relating to him:\n    <bullet> within a reasonable time;\n    <bullet> at a charge, if any, that is not excessive;\n    <bullet> in a reasonable manner; and,\n    <bullet> in a form that is readily intelligible to him; (c) to be \ngiven reasons if a request made under subparagraphs (a) and (b) is \ndenied, and to be able to challenge such denial; and, (d) to challenge \ndata relating to him and, if the challenge is successful, to have the \ndata erased, rectified, completed or amended.\n    8. Accountability: A data controller should be accountable for \ncomplying with measures which give effect to the principles stated \nabove.\n    \\2\\ Alan Westin. Privacy and Freedom (New York: Atheneum, 1967), 7.\n---------------------------------------------------------------------------\n    In terms of confidentiality, we need a strong Fourth Amendment in \ncyberspace. But confidentiality protections--both technical and legal--\nare growing increasingly porous as technology changes and more \ninformation resides outside of the home on networks. It is time to \nupdate and strengthen the Electronic Communications Privacy Act. \nFurther, our laws protecting privacy must be extended to take account \nof the global nature of the medium. Finally, to ensure that citizens \nand businesses have the ability to protect their sensitive information \nand communications, the government must change its policy course on \nencryption.\n    <bullet> Preserving these core elements of privacy on the Internet \nrequires a thoughtful, multi-faceted approach combining self-\nregulatory, technological, and legislative components.\n\n                 II. 
WHAT MAKES THE INTERNET DIFFERENT?\n\n    CDT focuses much of its work on the Internet because we believe \nthat it, more than any other medium, has characteristics--\narchitectural, economic, and social--that are uniquely supportive of \ndemocratic values. Because of its decentralized, open, and interactive \nnature, the Internet is the first electronic medium to allow every user \nto ``publish\'\' and engage in commerce. Users can reach and create \ncommunities of interest despite geographic, social, and political \nbarriers. As the World Wide Web grows to fully support voice, data, and \nvideo, it will become in many respects a virtual ``face-to-face\'\' \nsocial and political milieu.\n    But while the First Amendment potential of the Internet is clear, \nand recognized by the Supreme Court, the impact of the Internet on \nindividual privacy is less certain. Will the online environment erode \nindividual privacy--building in national identifiers, tracking devices, \nand limits on autonomy? Or will it breathe new life into privacy--\nproviding protections for individuals\' long held expectations of \nprivacy? The Internet poses both challenges and opportunities to \nprotecting privacy.\n    The Internet accelerates the trend toward increased information \ncollection that is already evident in our offline world. The trail of \ntransactional data left behind as individuals use the Internet is a \nrich source of information about their habits of association, speech, \nand commerce. When aggregated, these digital fingerprints reveal a \ngreat deal about an individual\'s life. The global flow of personal \ncommunications and information coupled with the Internet\'s distributed \narchitecture presents challenges for the protection of privacy. \nHowever, anonymizers, anonymous remailers, and other privacy-enhancing \ntools allow individuals to create zones of privacy--limiting who knows \nwhat about them and protecting their sensitive communications from \nprying eyes. 
Computer code and products are becoming increasingly
critical to the protection of privacy in this distributed environment.
With privacy-enhancing tools users will be empowered to control their
personal information in new ways.
    As we move swiftly toward a world of electronic democracy,
electronic commerce and indeed electronic living, it is critical to
construct a framework of privacy protection that fits with the unique
opportunities and risks posed by the Internet. But as Congress has
discovered in its attempts to regulate speech, this medium deserves its
own analysis. Laws developed to protect interests in other media should
not be blindly imported. To create rules that map onto the Internet, we
must fully understand the characteristics of the Internet and their
implications for privacy protection. We must also have a shared
understanding of what we mean by privacy. Finally we must assess how to
best use the various tools we have for implementing policy--law,
computer code, industry practices, and public education--to achieve the
protections we seek.

      THE EROSION OF PRIVACY AND THE PATH TOWARDS ITS RESTORATION

    There are several core ``privacy expectations'' that individuals
have long held vis-a-vis both the government and the private sector,
the protection of which should carry over to interactions on the
Internet. Surveys of Internet users, and would-be Internet users,
reveal a high level of concern with threats to privacy online.
Surveys
suggest that concern over privacy is keeping individuals off the
Internet \3\, retarding the growth of e-commerce \4\, and leading
individuals to engage in privacy-protective behaviors such as providing
false information.\5\ A recent survey of Internet users found that 87%
are concerned about threats to their personal privacy.\6\
---------------------------------------------------------------------------
    \3\ A 1998 Business Week Survey found that privacy was the number
one reason individuals are choosing to stay off the Internet, coming in
well ahead of cost, concerns with complicated technology, and concerns
with unsolicited commercial email. Business Week, March 16, 1998.
    \4\ A TRUSTe and Boston Consulting Group survey conducted in 1997
found that privacy concerns were leading users to limit their
engagement in electronic commerce.
    \5\ Id. and see footnote 6.
    \6\ Beyond Concern: Understanding Net Users' Attitudes About Online
Privacy, AT&T, 1999.
---------------------------------------------------------------------------
    The remainder of our testimony will discuss the three critical
privacy expectations of autonomy, fairness, and confidentiality,
explore the changes in technology and policies that threaten them, and
finally outline a plan for their restoration.
The Expectation of Autonomy
            Why is it at risk?
    Imagine walking through a mall where every store, unbeknownst to
you, placed a sign on your back. The signs tell every other store you
visit exactly where you have been, what you looked at, and what you
purchased. Something very close to this is possible on the Internet.
    When individuals surf the World Wide Web, they have a general
expectation of anonymity, more so than in the physical world where an
individual may be observed by others.
As documented in several surveys,
individuals value their anonymity and will take steps, such as
providing false information and refusing to register, to protect it.\7\
Online, individuals often believe that if they have not affirmatively
disclosed information about themselves, then no one knows who they are
or what they are doing. But, contrary to this belief, the Internet
generates an elaborate trail of data detailing every stop a person
makes. The individual's employer may capture this data trail if she
logs on at work, and it is captured by the Web sites the individual
visits. This transactional or click stream data can provide a
``profile'' of an individual's online life.
---------------------------------------------------------------------------
    \7\ The 8th annual poll of the Graphics, Visualization, and
Usability Center at the Georgia Institute of Technology found that in
order to protect their privacy, significant numbers of people falsify
information online. Particularly, users report regularly falsifying
registration information. The most common reason for not registering is
the lack of a statement about how the information will be used. In
addition, the GVU study showed that users would rather not access a site
than reveal information. (1998)
    The survey Beyond Concern: Understanding Net Users' Attitudes About
Online Privacy found that individuals were reluctant to provide
identifying information such as credit card numbers but were more
willing to provide information that did not identify them. AT&T (1999)
---------------------------------------------------------------------------
    Two recent examples highlight the manner in which individuals'
expectation of autonomy is increasingly challenged in the online
environment.
(1) The introduction of the Pentium III processor equipped
with a unique identifier (Processor Serial Number) threatens to greatly
expand the ability of Web sites to surreptitiously track and monitor
online behavior. The PSN could become something akin to the Social
Security Number of the online world--a number tied inextricably to the
individual and used to validate one's identity throughout a range of
interactions with the government and the private sector. (2) The Child
Online Protection Act (COPA), passed in October, requires Web sites to
prohibit minors' access to material considered ``harmful to minors.''
Today, when an individual walks into a convenience store to purchase an
adult magazine, they may be asked to show some identification to prove
their age. Under the COPA, an individual will be asked not only to show
their identification, but also to leave a record of it and their
purchase with the online store. Such systems will create records of
individuals' First Amendment activities, thereby conditioning adult
access to constitutionally protected speech on a disclosure of
identity. This poses a Faustian choice to individuals seeking access to
information--protect privacy and lose access or exercise First
Amendment freedoms and forego privacy.
The Path to Individual Autonomy Online
    While the global, distributed environment of the Internet raises
challenges to our traditional methods of implementing policy, the
specifications, standards, and technical protocols that support the
operation of the Internet offer a new way to implement policy
decisions. In the area of autonomy, focusing on standards and
applications is crucial. By building systems that respect individuals'
varied needs for identification, pseudonymity, and anonymity--building
a digital wallet with cash, credit cards, a metro fare card, and a
driver's license--will help build an online environment that promotes
autonomy.
By building privacy into the architecture of the Internet, we
have the opportunity to advance public policies in a manner that scales
with the global and decentralized character of the network. As Larry
Lessig repeatedly reminds us, ``(computer) code is law.''
    Accordingly, we must promote specifications, standards and products
that protect privacy. A privacy-enhancing architecture must
incorporate, in its design and function, individuals' expectations of
privacy. For example, a privacy-friendly architecture would provide
individuals the ability to ``walk'' through the digital world, browse,
and even purchase without disclosing information about their identity,
thereby preserving their autonomy. Of course, it would also provide
individuals the opportunity to create relationships that are
identifiable--or at least authenticated--for engaging in activities
such as banking. This would be coupled with policies that allow
individuals to control when, how, and to whom personal data collected
during interactions is used or disclosed.
    While there is much work to be done in designing a privacy-
enhancing architecture, some substantial steps toward privacy
protection have occurred. Positive steps to leverage the power of
technology to protect privacy can be witnessed in tools like the
Anonymizer, Crowds, and Onion Routing, which shield individuals'
identity during online interactions, and encryption tools such as
Pretty Good Privacy that allow individuals to protect their private
communications during transit.
Coupled with rules such as those found
in the Government Paperwork Elimination Act of 1998, which established
privacy protections governing personal information collected when the
public uses electronic signature systems,\8\ technology may evolve in
ways that support individuals' interest in autonomy.
---------------------------------------------------------------------------
    \8\ Many such systems gather sensitive information in the course of
providing and guaranteeing an electronic signature. The law prohibits
companies that collect such information from using or disclosing it
without the permission of the person involved. Authored by Senators
Leahy and Abraham, this marks the first attempt to craft a legislative
approach to dealing with the potential erosion of privacy created by
electronic signature use.
---------------------------------------------------------------------------
The Expectation of Fairness and Control Over Personal Information
            Who controls the data?
    When individuals provide information to a doctor, a merchant, or a
bank, they expect that those professionals/companies will collect only
information necessary to perform the service and use it only for that
purpose. The doctor will use it to tend to their health, the merchant
will use it to process the bill and ship the product, and the bank will
use it to manage their account--end of story. Unfortunately, current
practices, both offline and online, foil this expectation of privacy.
Much of the concern with privacy in electronic commerce stems from a
lack of privacy rules in various sectors of the economy, such as
financial and health, that handle a treasure trove of sensitive
information on individuals.
    Whether it is medical information, or a record of a book purchased
at the bookstore, or information left behind during a Web site visit,
information is routinely collected without the individual's knowledge
and used for a variety of other purposes without the individual's
knowledge--let alone consent.
    Focusing on the online environment, we now have information from
two studies assessing the state of privacy notices on the World Wide
Web. Last June, the Federal Trade Commission's ``Privacy Online: A
Report to Congress'' found that despite increased pressure, businesses
operating online continued to collect personal information without
providing even a minimum of consumer protection. The report looked only
at whether Web sites provided users with notice about how their data
was to be used; there was no discussion of whether the stated privacy
policies provided adequate protection. The survey found that, while 92%
of the sites surveyed were collecting personally identifiable
information, only 14% had some kind of disclosure of what they were
doing with personal data.
    The newly released Georgetown Internet Privacy Policy Survey
provides new data. The Survey was designed to provide an update on the
state of privacy policies on the World Wide Web. The study shows that
definite progress has been made in making many more Web sites privacy-
sensitive, but substantive privacy protections are still far from
ubiquitous on the World Wide Web. While more Web sites are mentioning
privacy, only 9.5% provide the types of notices required by the Online
Privacy Alliance, the Better Business Bureau and TRUSTe.
Indeed, fair
information practices on the Web appear to remain the exception, not
the rule.
    The Georgetown Survey shows that, spurred by surveys documenting
consumer concern and anxiety, and the work of individual companies \9\
and industry self-regulatory entities such as TRUSTe, the Online
Privacy Alliance, and the Better Business Bureau, an increased number
of Web sites are providing consumers with some information about what
personal information is collected (44%), and how that information will
be used (52%). Companies posting fuller information about their data
handling \10\ are more likely to make them accessible to consumers.
Many have a link to such statements from the home page (79.7%).\11\
---------------------------------------------------------------------------
    \9\ For example, IBM recently stated that it would limit its
advertising to Web sites that post privacy notices.
    \10\ The report calls these ``privacy policies'' as compared to
``information practice statements.'' ``Privacy policies'' are a more
comprehensive description of a site's practices that are located in a
single place and accessible through an icon or hyperlink. A site may
have a ``privacy policy'' by this definition but still not have a
privacy policy that meets the elements set out by the FTC or various
industry self-regulatory initiatives for an adequate privacy policy.
    \11\ In response to the question, ``Is a Privacy Policy Notice easy
to find?'' surfers in the 1998 survey answered yes for approximately
1.2% of Web sites. FTC Report, Appendix C Q19.
---------------------------------------------------------------------------
    However, on important issues such as access to personal information
and the ability to correct inaccurate information, the Georgetown
Survey shows that only 22% and 18% respectively of these highly
trafficked Web sites provide consumers with notice.
On the important
issue of providing individuals with the capacity to control the use and
disclosure of personal information, the survey finds that 39.5% of
these busy Web sites say that consumers can make some decision about
whether they are re-contacted for marketing purposes--most likely an
``opt-out''--and fewer still, 25%, say they provide consumers with some
control over the disclosure of data to third parties.\12\
---------------------------------------------------------------------------
    \12\ This number is generated using the data from Q32 (number of
sites that say they give consumers choice about having collected
information disclosed to outside third parties)--64--and dividing it by
256 (the total survey sample (364) minus the number of sites that
affirmatively state they do not disclose data to third-parties (Q29A)
(69) and the number of sites that affirmatively state that data is only
disclosed in the aggregate (Q30) (39)).
---------------------------------------------------------------------------
    Overall, the Georgetown survey reveals that, at over 90% of the
most frequently trafficked Web sites,\13\ consumers are not being
adequately informed about how their personal information is
handled.\14\ At the same time the survey found that over 90% of these
same busy consumer-oriented Web sites are collecting personal
information.\15\ In fact, the survey revealed an increase in the number
of Web sites collecting sensitive information such as credit card
numbers (up 20%), names (up 13.3%), and even Social Security Numbers
(up 1.7%).
---------------------------------------------------------------------------
    \13\ Only 9.5% of the most frequently visited Web sites and 14.7%
of those that collect information had privacy policies containing
critical information called for by the FTC, the Administration, and
required by the Online Privacy Alliance, TRUSTe and the BBB Online,
about notice; choice; access; security; and contact information.
    \14\ Last year's survey found approximately 2% of Web sites that
collected data, and less than 1% of all Web sites, had adequate
notices.
    \15\ 92.9% are collecting some type of personal information.
---------------------------------------------------------------------------
    Thus, while many companies appear to be making an effort to address
some privacy concerns, the results from the consumer perspective appear
to be a quilt of complex and inconsistent statements. The number of
sites that provide consumers with the types of notices required by the
Online Privacy Alliance, the Better Business Bureau and TRUSTe, and
called for by the Federal Trade Commission and the Administration, is
still relatively small (9.5%).
    The posting of privacy notices is not just a private sector issue.
In a recent CDT study of federal agency Web sites, we found that just
over one-third of federal agencies had a ``privacy notice'' link from
the agency's home page. Eight other sites had privacy policies that
could be found after following a link or two and on 22 of the sites
surveyed we could not find a privacy policy at all.
    The lack of widespread adherence to Fair Information Practices is
undermining consumer confidence.
A recent survey by the National
Consumers League found that the majority of online users are not
comfortable providing credit card (73%), financial (73%), or personal
information (70%) to businesses online.\16\ Due to privacy concerns 42%
of those who use the Internet are using it solely to gather
information, while a smaller 24% actually venture to purchase goods
online.\17\ A second study found that 58% of consumers do not consider
financial transactions online to be safe, and 77% do not believe it is
safe to provide a credit card number through a computer.\18\ Privacy
has been rightly identified by the Federal Trade Commission, Congress,
the business community, and advocacy organizations as a critical
consumer protection issue in e-commerce.
---------------------------------------------------------------------------
    \16\ Consumers and the 21st Century, National Consumers League
(1999).
    \17\ Id.
    \18\ National Technology Readiness Survey, conducted by Rockridge
Associates (1999).
---------------------------------------------------------------------------
Establish Rules That Give Individuals Control Over Personal Information
        During Commercial Interactions
    We must adopt enforceable standards, both self-regulatory and
legislative, to ensure that information provided for one purpose is not
used or redisclosed for other purposes without the individual's
consent. All such efforts should focus on the Code of Fair Information
Practices developed by the Department of Health, Education and Welfare
in 1973. The challenge of implementing privacy practices on the
Internet is ensuring that they build upon the medium's real-time and
interactive nature to foster privacy and that they do not
unintentionally impede other beneficial aspects of the medium.
Implementing privacy protections on the global and decentralized
Internet is a complex task that will require new thinking and
innovative approaches.
    The Georgetown Survey supports our belief that a combination of
means--self-regulation, technology, and legislation--is required to
provide privacy protections on the Internet. The study, as discussed
above, shows that some progress has been made in making many more Web
sites privacy sensitive, but substantive privacy protections are still
far from ubiquitous on the World Wide Web. Because many Web sites need
baseline policy guidance and because self-enforcement mechanisms, while
emerging, may not always provide a viable remedy, we believe that
legislation is both inevitable and necessary to ensure consumers'
privacy on the Internet.
    To achieve real privacy on the Internet, we will need more than
better numbers, redoubled efforts by industry, or a legislative mantra.
We will need a good-faith concerted effort by industry, consumer and
privacy advocates, and policymakers to develop real and substantive
answers to a number of difficult policy issues involving the scope of
identifiable information, the workings of consent and access
mechanisms, and the structure of effective remedies that protect
privacy without adversely affecting the openness and vitality of the
Internet.
    As the Federal Trade Commission's rulemaking under the Children's
Online Privacy Protection Act and industry's various efforts at self-
regulation show, these issues are not easy.
But armed with the findings
of the Georgetown Internet Privacy Policy Survey, we believe interested
parties are in a position to move forward on a three-pronged approach--
expanded self-regulation, work to develop and deploy privacy-enhancing
technologies such as P3P, and legislation--all require a serious
dialogue on policy and practice options for resolving difficult issues
in this promising medium.
    In its testimony last July, the Federal Trade Commission stated
that, `` * * * unless industry can demonstrate that it has developed
and implemented broad-based and effective self-regulatory programs by
the end of this year, additional governmental authority in this area
would be appropriate and necessary.'' \19\ Despite the considerable
effort of Congress, the Federal Trade Commission, the Administration
and industry to encourage and facilitate an effective self-regulatory
system to protect consumer privacy, based on the survey results we do
not believe that one has yet emerged. Like Commissioner Anthony, we
believe that industry leadership and self-regulatory programs are a
critical component of a privacy framework for the Internet, but that
legislation is also necessary to establish a baseline and ensure
consumers are protected from bad actors.
---------------------------------------------------------------------------
    \19\ Last year's survey found approximately 2 percent of Web sites
that collected data, and less than 1 percent of all Web sites, had
adequate notices. Privacy Online: A Report to Congress, Federal Trade
Commission, June 1998.
---------------------------------------------------------------------------
    Last year, the Federal Trade Commission offered a legislative
outline that embodied a framework, similar to the one we suggest,
building upon the strengths of both the self-regulatory and regulatory
processes.
This year several bills have been introduced on a wide range
of privacy issues.\20\ The Online Privacy Protection Act \21\
introduced by Senators Burns and Wyden is substantially similar to the
model recommended by the Federal Trade Commission last year. (Specific
comments on the Online Privacy Protection Act can be found in
subsection 3 below.)
---------------------------------------------------------------------------
    \20\ Electronic Rights for the Twenty-First Century Act of 1999 (E-
RIGHTS) (S. 854), introduced on April 21, 1999 by Senator Leahy (D-VT).
The Online Privacy Protection Act of 1999 (S. 809), introduced on April
15, 1999, by Senators Burns (R-MT) and Wyden (D-OR). Internet Growth
and Development Act of 1999 (H.R. 1685), introduced on May 5, 1999 by
Representatives Boucher (D-VA) and Goodlatte (R-VA). Consumer Internet
Privacy Protection Act of 1999 (H.R. 313), introduced on January 6,
1999, by Representative Vento (D-MN). We anticipate additional
proposals from Senators Kohl, Torricelli, DeWine, and Hatch, and
Representative Markey.
    \21\ The Online Privacy Protection Act of 1999 (S. 809), introduced
on April 15, 1999, by Senators Burns (R-MT) and Wyden (D-OR).
---------------------------------------------------------------------------
    Historically, for privacy legislation to be successful, it must
garner the support of at least a section of the industry. To do so, it
generally must build upon the work of some industry members--typically
binding bad actors to the rules being followed by industry leaders--or
be critically tied to the viability of a business service or product as
with the Video Privacy Protection Act and the Electronic Communications
Privacy Act. Several companies have staked out leadership positions on
the issue of online privacy and several self-regulatory programs have
formed to drive industry best practices online.
Numerous surveys have
documented that consumers are concerned about their privacy in e-
commerce.
    In addition to work on policies, there is important activity in the
technical community on how to develop the tools necessary to implement
fair information practices on the World Wide Web. The World Wide Web
Consortium's Platform for Privacy Preferences (``P3P'') is a promising
development. The P3P specification will allow individuals to query Web
sites for their policies on handling personal information and to allow
Web sites to easily respond. While P3P does not drive the specific
practices, it is a standard designed to promote openness about
information practices, to encourage Web sites to post privacy policies
and to provide individuals with a simple, automated method to make
informed decisions. Through settings on their Web browsers, or through
other software programs, users will be able to exercise greater control
over the use of their personal information. Regardless of how policies
are established, an Internet-centric method of communicating about
privacy is part of the solution.
    As Congress moves forward this year, we look forward to working
with you and all interested parties to ensure that fair information
practices are incorporated into business practices on the World Wide
Web. Both legislation and self-regulation are only as good as the
substantive policies they embody. As we said at the start, crafting
meaningful privacy protections that map onto the Internet requires us
to resolve several critical issues. While consensus exists around at
least four general principles (a subset of the Code of Fair Information
Practices)--notice of data practices; individual control over the
secondary use of data; access to personal information; and, security
for data--the specifics of their implementation and the remedies for
their violation must be explored.
We must wrestle with difficult
questions: When is information identifiable? How is it accessed? How do
we create meaningful and proportionate remedies that address the
disclosure of sensitive medical information as well as the disclosure
of inaccurate marketing data? For the policy process to successfully
move forward these hard issues must be more fully resolved. We would
welcome the opportunity to work with Senators Burns and Wyden, and
other members of this committee, to explore these issues and develop a
framework for privacy protection in the online environment. The Online
Privacy Protection Act could serve as a starting point for this
discussion. The leadership of Internet-savvy members of this Committee
and others will be critical as we seek to provide workable and
effective privacy protections for the Internet.
3. Preliminary Comments on the Online Privacy Protection Act (S. 809)
        and suggested changes
    The Online Privacy Protection Act is closely modeled on the
Children's Online Privacy Protection Act enacted last year. It
establishes baseline practices for commercial Web sites handling
personal information and provides the Federal Trade Commission with
authority to enforce violations of the Act.
    Legislation to protect privacy should be based on the Code of Fair
Information Practices which has served as a model for privacy
legislation and self-regulatory codes in the United States and across
the globe for 25 years.
    The Code of Fair Information Practices requires that businesses
collecting personal information (recordkeepers):
    Be publicly identified and provide a description of the purpose and
uses they make of personal information.
    Limit the personal information they collect to what is necessary to
support the purpose of collection.
Personal information must be
collected by lawful and fair means and, where appropriate, with the
knowledge and consent of the individual.
    Limit the use and disclosure of personal information to the purpose
for which it was collected, unless the individual has granted consent.
    Ensure that personal information collected is relevant to the
purpose of collection, accurate, timely, and complete.
    Institute reasonable security safeguards against such risks as
loss, unauthorized access, destruction, use, modification and
disclosure.
    Be accountable for complying with fair information practices.
    The Code of Fair Information Practices says that individuals should
have the right to:
    Access personal information and to correct or remove data that is
not timely, accurate, relevant, or complete; and, to
    Control the use of personal information. Personal information
provided to a business may not be used or disclosed for other purposes
without the consent of the individual or other legal authority.
    To bring the Online Privacy Protection Act (S. 809) in line with
the Code of Fair Information Practices we recommend the following
changes.
Section 2(b)(1)
            Individual Control
    To ensure that individuals are able to control the use of their
personal information, Section 2(b)(1) (A)(ii) should require Web sites
to gain individuals' consent to the use and disclosure of personal
information for purposes unrelated to the purpose for which it was
obtained. The range of personal information that will be exchanged on
Web sites runs from the highly sensitive--financial and health--to
contact information such as email and address. Surveys indicate that
individuals desire control over their personal information: consent is
the surest method of providing consumers with this control.
On the
Internet we believe that the distinction between ``opt-out'' and ``opt-
in'' may become less important as technology enables individuals to
exercise control over how, when, for what purposes, and under what
conditions they disclose personal information.
    The bill summary suggests that the intent of the proposal is to
provide individuals with the ability to ``opt-out'' of having their
information used and disclosed. However, as currently drafted this
section does not require Web sites to gain the individual's consent,
nor does it provide an ``opt-out'' for the collection or use of
information--it requires an ``opt-out'' be provided where information
will be disclosed to others. In addition, section (2) of this provision
could be read to allow Web sites to forego offering individuals even an
opt-out if in the notice they tell individuals that they disclose
information.
            Access and Correction
    To ensure that individuals are able to review and correct personal
information about themselves, section (B)(i) should be amended to
require Web sites to provide individuals with access to all personal
information regardless of whether it is used internally, or sold or
transferred to other companies.
Section 2(b)(2)
            Limits on Disclosure
    We have questions about the purpose of this section. However, at
this time, we recommend eliminating subsections (A) and (B) and
amending (C) by changing the word ``permitted'' to ``required.'' Thus
the provision would allow a Web site to disclose personal information
where ``required under other provisions of law.''
Section 2(b)(3)
            Limits on Access
    We have questions about the purpose of this section. However, at
this time, we recommend eliminating subsections (A), (B) and (E).
\nSection (C) should be rewritten to limit access to information that is \ntrade secret.\n            Additional comments\n    The scope of the bill is information collected online--this means \nthat information collected by Web sites from other sources is not \ngoverned by the bill. It is unclear whether consumers, and businesses, \ndistinguish between interactions conducted online and offline with the \nsame entity. As the Committee moves forward, it should consider whether \nthe online/offline distinction is meaningful to consumers and the \nbusiness community.\n    Several issues have surfaced during the Federal Trade Commission\'s \nRulemaking under the Children\'s Online Privacy Protection Act that \nwould benefit from additional consideration by this Committee. They \ninclude: what does it mean to ``collect\'\' information in the online \ncontext; when is information personally identifiable; and, what does it \nmean to ``contact\'\' an individual online. In addition, the Children\'s \nOnline Privacy Protection Act, and the proposed Online Privacy \nProtection Act, give enforcement authority to the Federal Trade \nCommission while other privacy statutes tend to provide individuals \nwith private rights of actions to address grievances. Arguments can be \nmade in favor and against each model of oversight and enforcement: \nexploring the effectiveness of each (or a combination thereof) would be \nuseful in crafting meaningful remedies for individuals and successful \noversight mechanisms.\n\n                 C. THE EXPECTATION OF CONFIDENTIALITY\n\n1. Who has access to records in cyberspace?\n    When individuals send email they expect that only the intended \nrecipient will read it. In passing the Electronic Communications \nPrivacy Act in 1986, Congress reaffirmed this expectation. 
\nUnfortunately, it is once again in danger.\n    While United States law provides email the same legal protection as \na first class letter, the technology leaves unencrypted email as \nvulnerable as a postcard. Compared to a letter, an email message is \nhandled by many independent entities and travels in a relatively \nunpredictable and unregulated environment. To further complicate \nmatters, the email message may be routed, depending upon traffic \npatterns, overseas and back, even if it is a purely domestic \ncommunication. While the message may effortlessly flow from nation to \nnation, the privacy protections are likely to stop at the border.\n    Email is just one example. Today our diaries, medical records, and \nconfidential documents are more likely to be out in the network than \nstored in our homes. As our wallets become ``e-wallets\'\' housed \nsomewhere out on the Internet rather than in our back-pockets, the \nconfidentiality of our personal information is at risk. The advent of \nonline datebooks, and products such as Novell\'s ``Digital Me\'\', and \nsites such as Wellmed.com \\22\\ which invite individuals to take \nadvantage of the convenience of the Internet to manage their lives, \nfinancial information, and even medical records raise increasingly \ncomplex privacy questions. While the real ``me\'\' has Fourth and Fifth \nAmendment protections from the government, the ``Digital Me\'\' is \nincreasingly naked in cyberspace.\n---------------------------------------------------------------------------\n    \\22\\ WellMed.com is a proprietary Online Health Management System \nwhich works by collecting personal health information from individuals, \nanalyzing that information to develop unique health profiles which are \nused for a variety of purposes. 
One service is HealthNow!--``an online \npersonal health record enabling secure, confidential, and private \nstorage, management, and maintenance of health information by \nindividuals and their families. HealthNow affords easy access of \nmedical records from one central location anytime and anywhere the need \narises.\'\'\n---------------------------------------------------------------------------\n2. Protecting the Privacy of Communications and Information\n    Increasingly, our most important records are not ``papers\'\' in our \n``houses\'\' but ``bytes\'\' stored electronically at distant ``virtual\'\' \nlocations for indefinite periods of time and held by third parties. The \nInternet, and digital technology generally, accelerate the collection \nof information about individuals\' actions and communications. Our \ncommunications, rather than disappearing, are captured and stored on \nservers controlled by third parties. Daily interactions such as our \nchoice of articles at a news Web site, our search and purchase of an \nairline ticket, and our use of an online date book, such as Yahoo\'s \ncalendar, leave detailed information in the hands of third-parties. 
\nWith the rise of networking and the reduction of physical boundaries \nfor privacy, we must ensure that privacy protections apply regardless \nof where information is stored.\n    Under our existing law, there are now essentially four legal \nregimes for access to electronic data: (1) the traditional Fourth \nAmendment standard for records stored on an individual\'s hard drive or \nfloppy disks; (2) the Title III-Electronic Communications Privacy Act \nstandard for records in transmission; (3) the standard for business \nrecords held by third parties, available on a mere subpoena to the \nthird party with no notice to the individual subject of the record; and \n(4) a statutory standard allowing subpoena access and delayed notice \nfor records stored on a remote server, such as the diary of a student \nstored on a university server, or personal correspondence stored on a \ncorporate server.\n    As the third and fourth categories of records expand because the \nwealth of transactional data collected in the private sector grows and \npeople find it more convenient to store records remotely, the legal \nambiguity and lack of strong protection grows more significant and \nposes grave threats to privacy in the digital environment.\n    Congress took the first small step towards recognizing the changing \nnature of transactional data with amendments to the Electronic \nCommunications Privacy Act enacted as part of the Communications \nAssistance for Law Enforcement Act of 1994 (``CALEA\'\'). But the ongoing \nand accelerating increase in transactional data and the detail it \nreveals about individuals\' lives suggests that these changes are \ninsufficient to protect privacy.\n    Moreover, the Electronic Communications Privacy Act must be updated \nto provide a consistent level of protection to communications and \ninformation regardless of where they are stored and how long they \nhave been kept. 
Senator Leahy\'s recently introduced legislation is an \neffort to restore Fourth Amendment protections to our personal papers. \nTechnologies that invite us to live online will quickly create a pool \nof personal data with the capacity to reveal an individual\'s travels, \nthoughts, purchases, associations, and communications. We must raise \nthe legal protections afforded to this growing body of detailed data \nregardless of where it resides on the network.\n                               conclusion\n    No doubt, privacy on the Internet is in a fragile state. Providing \nprotections for individual privacy is essential for a flourishing and \nvibrant online community and marketplace. It is clear that our policy \nframework did not envision the Internet as we know it today, nor did it \nforesee the pervasive role information technology would play in our \ndaily lives. Our legal framework for protecting individual privacy in \nelectronic communications, while built upon constitutional principles \nbuttressed by statutory protections, reflects the technical and social \n``givens\'\' of specific moments in history. Crafting privacy protections \nin the electronic realm has always been a complex endeavor. \nReestablishing protections for individuals\' privacy in this new \nenvironment requires us to focus on both the technical aspects of the \nInternet and on the practices and policies of those who operate in the \nonline environment.\n    However, there is new hope for the restoration of privacy. \nProviding a web of privacy protection to data and communications as \nthey flow along networks requires a unique combination of tools--legal, \npolicy, technical, and self-regulatory. We believe that legislation is \nan essential element of the online privacy framework and we look \nforward to working with this committee on the Online Privacy Protection \nAct (S. 809) and other proposals. 
Whether it is setting limits on \ngovernment access to personal information, ensuring that a new \ntechnology protects privacy, or developing legislation all require \ndiscussion, debate, and deliberation. We thank the Committee for the \nopportunity to share our views and look forward to working with the \nmembers and staff and other interested parties to foster privacy \nprotections for the Digital Age.\n\n    [Nova Law Review, The Internet and the Law, Winter 1999, Volume 23, \nNo.2, provided by Jerry Berman and Deirdre Mulligan, maintained in the \nSubcommittee\'s files.]\n\n    Senator Burns. Thank you, Ms. Mulligan. We appreciate your \ncomments very much.\n    Now we have got Marc Rotenberg, director, Electronic \nPrivacy Information Center, here in Washington, DC. Thanks a \nlot, Marc, for coming this morning.\n\n            STATEMENT OF MARC ROTENBERG, DIRECTOR, \n             ELECTRONIC PRIVACY INFORMATION CENTER\n\n    Mr. Rotenberg. Thank you very much, Mr. Chairman, Senators \nWyden, Rockefeller, and Bryan, for the opportunity to be here.\n    You probably know a bit about EPIC. We conducted the first \ncomprehensive Web privacy survey back in 1997. And the FTC \nthought it was such a good idea, they did it the next year. And \nof course we have also been involved in a lot of the campaigns \nand worked with you on the encryption issue.\n    I would like to be able to join the chorus this morning, \nand tell you that self-regulation is moving in the right \ndirection and more needs to be done, but that is not my honest \nview. My honest view is that self-regulation to protect privacy \nis much like the emperor\'s new clothes--everybody looks at it, \nsays, oh, how nice, how fine, but in fact the new clothes of \nthe emperor do not protect his privacy any more than self-\nregulation is protecting consumers on the Internet.\n    And I can point to several instances in the FTC report to \ntry to demonstrate just how serious the problem is today. 
Much \nis made of this 66 percent number in the Georgetown survey, \nrepeated in the FTC report, and widely cited by industry \nleaders as an indication of progress and success. Let me tell \nyou what is behind that 66 percent number.\n    What that number says is that more and more Web sites are \ntelling people that come to their site: We collect personal \ninformation about you and we use it for marketing and other \npurposes. That privacy notice, more than any other type of \nnotice, is what people are seeing increasingly on the Internet \nwhen they go to Web sites and wonder what is happening to their \npersonal information. And at the point that 100 percent of Web \nsites have that privacy notice, there is going to be very \nlittle privacy on the Internet.\n    The reason, simply stated, is a privacy policy is not the \nsame as privacy protection. You can have privacy policies that \nsay, in effect, we collect your information and do with it \nwhatever we wish. That is our policy.\n    Now, it is true, of course, if you do not like that policy, \nyou do not have to go to that Web site. And I agree with people \nwho say, correctly, you always have the choice not to go to a site \nthat has a bad privacy policy. But, guess what? If Web sites \nacross the Internet increasingly adopt those types of privacy \npolicies, what is going to happen over time, people will have \nthis choice: either to use the Internet for commerce and a \nwhole host of other neat things that are great to do and give \nup their privacy, or stay off the Net. That is the choice that \nconsumers are increasingly facing, because these privacy \npolicies do not actually provide privacy protection.\n    Now, you get glimmers of this in the FTC report. 
At one \npoint in the report, the FTC acknowledges that there really are \nnot safeguards in place, that less than 10 percent of Web sites \neven have the set of policies that the FTC thinks are \nnecessary, let alone whether they are enforced--which was an \nissue not even considered in the FTC report, that I think \nshould be considered--are those policies actually being \nfollowed--but then says, but let us not legislate too soon. It \nis a rapidly changing industry, new technology, we really do \nnot understand it, we do not want to make a mistake; let us see \nhow things shake out.\n    Let me tell you the problem with that approach. If we were \ntalking about Y2K protection, if we were talking about the \ndevelopment of computer security standards, no one would say, \nlet us wait until after January 1st, and see what kind of Y2K \nproblems we have to deal with. And if we were talking about \ncomputer security, no one would say, well, let us see how many \nsystems are broken into and what our actual damage is before \nwe really deal with the issue of making our systems safe to put \nonline.\n    Good protection means advance planning. It means \nanticipating problems and developing the policies and \nprocedures so that the likelihood of risk, the likelihood of \nmisuse, is reduced. And that is what privacy legislation tries \nto do.\n    It does not say to businesses, we do not want you to \nsucceed or we want to tie your hands or you should not do neat \nmarketing or offer great products. It says, if you are going to \ndo these things, let us do it in a way where there are some \nbasic privacy safeguards in place, so that people know what \nthey are getting into when they give up personal information. \nIf they have some problems, they have a place to turn.\n    I can tell you, we have had a lot of privacy legislation in \nthis country directly in response to the development of new \ntechnologies. We did it in 1994 with the Cable Act. 
We did it \nin 1986 for the Electronic Communications Privacy Act. We have \ndone it for auto dialers, junk faxes.\n    The Privacy Act of 1974, the most significant privacy law \nin this country, came about in part because of public concerns \nabout the automation of records held by Federal agencies. \nPeople did not say, well, you know, we should not have a \nFederal Government. I mean, maybe some people said that. But \nthey said, if we are going to automate these records, let us \nput in place a legal framework to protect the rights of our \ncitizens.\n    I think we are in the exact same place as we approach the \n21st century. We have wonderful new tools, wonderful new \nopportunities. Everyone agrees that the Internet is going to be \na fantastic engine of economic growth. But the real choice, the \ncritical choice in the privacy debate is, will American \nconsumers be forced to give up their privacy as the cost of \nusing the online services?\n    I think the answer to that question should be no. I think \nS. 809 is a wonderful, wonderful proposal. I would make some \nchanges, but I think it is an excellent start. It sets us in \nthe right direction to give consumers the kind of safeguards \nthey need online, allow business to go forward, and to make \nsure that we do not wake up tomorrow morning and find that it \nis too late because privacy is gone.\n    Thank you very much.\n    Senator Burns. Thank you very much for your comments.\n    Ms. Christine Varney, senior partner, Hogan & Hartson. \nThank you for coming today.\n\nSTATEMENT OF CHRISTINE VARNEY, SENIOR PARTNER, HOGAN & HARTSON, \n            ON BEHALF OF THE ONLINE PRIVACY ALLIANCE\n\n    Ms. Varney. Thank you for inviting me, Senator. And thank \nyou, Senators.\n    I just want to put a little bit of history and perspective \non the table here, and then maybe address some of the specific \nquestions that were raised in the previous panel. 
I have \nsubmitted written remarks for the record, if that is all right, \nSenator.\n    Senator Burns. Your full remarks will be made part of the \nrecord.\n    Ms. Varney. Thank you.\n    We have to think back to 1996, when I was at the Federal \nTrade Commission, and we had the first privacy workshop. And \nthere was enormous, heated argument among most of the people in \nthis room about whether or not you should have to tell people \nwhat information you collect online and what you do with it. \nAnd the argument was made at the time, wait a second, that is \nnot what we do offline; why should there be a different \nstandard online?\n    I well remember sitting there with operators of a Web site, \nwho had at the time the most popular game for 10-year-olds on \nthe Web--and I had a 10-year-old. In order to get to the game--\nyou could not get to the game unless you answered the following \nquestions: How old are you? Do you have any siblings? Where do \nyou live? Does mommy go to church? Does daddy go to church? Do \nyou go to mommy\'s church? Do you go to daddy\'s church?\n    Senator Burns. It sounds like my toaster.\n    Ms. Varney. Exactly. [Laughter.]\n    And the people that were running that game stood up in a \nroom of 500 people and fully defended that practice. And I have \nto say, there were half the people in the room in 1996 who \nsaid, well, you know, that is the standard.\n    Since 1996, we have moved to a point where, in industry \nonline, there is no serious debate. Everyone agrees that \nprivacy is important, that consumers are entitled to know what \ninformation is collected about them, and are entitled to make \nchoices about it.\n    So we have come an awfully long way in what you have \npointed out is a relatively short period of time. Do we have \nfurther to go? 
Of course we do.\n    Let us look at these numbers that we have all been talking \nabout this morning and realize what I think both Deirdre and \nMarc have alluded to is behind them. In the Georgetown survey, \nthere was a finding that 66 percent of the sites that they \nlooked at had some type of statement about data.\n    Well, what are the first two things that we looked at? \nFirst was did the Web site give some kind of notice? Did they \nexplain in some way what they collected? Eighty-seven percent \ndid.\n    The second thing is, did they give you some sort of choice \nor control, opt out, opt in? Seventy-seven percent did. Now, \nthat is fairly high, in my view.\n    Where does it go down? It goes down on access. Let us be \nfrank about access. There is a division in this country between \nmuch of industry and many leading privacy thinkers and some in \ngovernment about what constitutes access.\n    In the Online Privacy Alliance, we believe that consumers \nhave a right to see that data that is held about them is \naccurate and that one mechanism for checking accuracy can be \naccess. We do not have a per se access requirement. And I think \nthat is still an issue that is being debated and is evolving. I \ndo not think we have reached a consensus--at least not \ncommercially--on the access issue.\n    Security--in the study that was conducted by Georgetown, \nthey found that of the sites that had some type of privacy \nnotice, 44 percent had some type of security disclosed. We went \nback, and based only on my anecdotal checking, Senators, I can \ntell you, that is a failure of communication. The vast majority \nof Web site operators that I have talked to laughed and said, \nof course, we have security. This is one of our most valuable \nassets. We did not put it in our privacy policy. We did not \nknow we were supposed to talk about the security which we \nmaintain our databases in, in our privacy policy. 
We will put \nit in.\n    The last one is contact information. And there was a \nrelatively low number that had the name of an individual, other \nthan the Web master, that you could contact if you wanted \ninformation about the data that was held on you or the data \npractices at a company. Again, something that these companies \nneed to work on.\n    About 2 weeks ago, I wrote a letter to every single Web \nsite in our own review of the top 500 Web sites that we \nconducted, in connection with Ernst & Young, to every chairman \nof the 500 Web sites, where we could not easily find a privacy \npolicy, and said, please, please, please, you need to tell your \nconsumers what you are doing with their data, and you need to \ngive them choices.\n    So it seems to me that the consensus you are hearing here \nis yes, privacy is important; how do we get there? Legislation \ncan be one option. But I have heard from each of you different \nconcerns. And let me tell you, in my opinion--and I know you \nwill check with your own counsel--when Commissioner Anthony \ngave a detailed description of the information that someone \npresented to her about her family and her husband, her \nchildren, her social security number, guess what? That probably \ncame from an entity that collected that information from public \nrecord sources. And S. 809 would probably not, in my opinion, \nbe able to cover that.\n    The concerns that you have raised about cookies, Senator \nBryan--unless you are at a site where you are entering your \nname and address, the concerns that you have raised about \ncookies would probably not be covered by S. 809.\n    So, while S. 809 reflects the goals that the Online Privacy \nAlliance has adopted--we have worked with your staff; these are \nthings that we believe are important--S. 809 conflicts with the \ncurrent privacy provision of H.R. 10, the banking reform bill, \nif that survives the conference. 
You would have less protection \nfor your financial information. And financial institutions, in \nmy reading of the two bills right now, would be largely exempt \nfrom S. 809.\n    So I think what you are hearing from a lot of us is let us \nkeep working on this. It is not time to stop working. But I am \njust not sure that catching the bad guys and prosecuting the \nbad guys is going to be accomplished through S. 809 at this \npoint in time.\n    Thank you very much.\n    [The prepared statement of Ms. Varney follows:]\n\n    Prepared Statement of Christine Varney on Behalf of The Online \n                            Privacy Alliance\n\n    The Internet is poised to become an explosive economic growth \nopportunity that will redefine global commerce in the information age. \nThat growth cannot and will not occur without consumer confidence. \nPrivacy is one of the cornerstones of consumer confidence in the \nInternet.\n    Last year numerous companies and associations came together to \ncreate policies and practices that can make privacy a reality for \neveryone on the Internet. These companies and associations, the Online \nPrivacy Alliance, are pleased to submit the attached documents. First \nis the Mission Statement describing the goals of the Online Privacy \nAlliance, second are the Guidelines for Privacy Policies that will be \nadopted by all Online Privacy Alliance members, third are the \nPrinciples for Children\'s Online Activities, and fourth are the \nGuidelines for Effective Enforcement of Self-Regulation.\n    The Online Privacy Alliance has worked diligently to come up with \npolicies that can be applied across many industry sectors. These \nguidelines, principles and statements reflect not only a deep \ncommitment to online privacy, but also new policies which the Online \nPrivacy Alliance members support. 
First, the Online Privacy Alliance \nbelieves that when there is use or distribution of individually \nidentifiable information for purposes unrelated to that for which it \nwas collected, individuals should be given the opportunity to opt out \nof such unrelated use or distribution. Second, the Online Privacy \nAlliance members believe that sites targeted at children under 13 \nshould not engage in the collection and maintenance of information from \nchildren without prior parental consent. Finally, the Online Privacy \nAlliance members believe that self-regulation requires robust \nenforcement and they are committed to ensuring such.\n    Over the past year the OPA has worked to expand the adoption of \neffective online privacy policies by organizations doing business \nonline. Clearly, the recent Georgetown Internet Privacy Policy Study \n(``The Georgetown Privacy Study\'\') indicates that significant progress \nhas been made in safeguarding privacy online. The fact that close to 66 \npercent of sites in the sample posted a privacy disclosure demonstrates \nthat adoption and disclosure of privacy policies is becoming the norm \non the Internet. Last year, the FTC reported that only 14 percent of \nWeb sites notified consumers about their privacy policies. Although the \nuniverses from which the survey samples are drawn differ, it is very \nclear that there has been enormous progress.\n    The OPA and its supporting organizations will continue to work to \nensure that effective online privacy practices are adopted and \nimplemented among the private sector. In particular, we will be \nfocusing on continuing outreach through business and consumer \neducation, while increasing awareness of various privacy assurance \nprograms. The Georgetown Privacy Study will serve as a road map to help \nus ensure that robust privacy practices are the norm online. 
It has \nbeen a pleasure working with this group and I look forward to \ncontinuing to work with the Online Privacy Alliance to build consumer \nconfidence in the Internet.\n                               __________\n\n                        Online Privacy Alliance\n\n                           MISSION STATEMENT\n\n    The Online Privacy Alliance will lead and support self-regulatory \ninitiatives that create an environment of trust and that foster the \nprotection of individuals\' privacy online and in electronic commerce.\n    The Alliance will:\n    <bullet> identify and advance effective online privacy policies \nacross the private sector;\n    <bullet> support and foster the development and use of self-\nregulatory enforcement mechanisms and activities, as well as user \nempowerment technology tools, designed to protect individuals\' privacy;\n    <bullet> support compliance with and strong enforcement of \napplicable laws and regulations;\n    <bullet> support and foster the development and use of practices \nand policies that protect the privacy of children;\n    <bullet> promote broad awareness of and participation in Alliance \ninitiatives by businesses, non-profits, policymakers and consumers; and\n    <bullet> seek input and support for Alliance initiatives from \nconsumer, business, academic, advocacy and other organizations that \nshare its commitment to privacy protection.\n\n                           MEMBERSHIP PLEDGE\n\n    As members of the Alliance:\n    <bullet> we endorse its mission;\n    <bullet> we commit ourselves to implement online privacy policies \nconsistent with the Alliance\'s guidelines; and\n    <bullet> we commit ourselves to participate in effective and \nappropriate self-regulatory enforcement activities and mechanisms.\n\n                 GUIDELINES FOR ONLINE PRIVACY POLICIES\n\n    Upon joining the Online Privacy Alliance, each member organization \nagrees that its policies for protecting individually identifiable 
\ninformation in an online or electronic commerce environment will \naddress at least the following elements, with customization and \nenhancement as appropriate to its own business or industry sector.\n1. Adoption and Implementation of a Privacy Policy\n    An organization engaged in online activities or electronic commerce \nhas a responsibility to adopt and implement a policy for protecting the \nprivacy of individually identifiable information. Organizations should \nalso take steps that foster the adoption and implementation of \neffective online privacy policies by the organizations with which they \ninteract; e.g., by sharing best practices with business partners.\n2. Notice and Disclosure\n    An organization\'s privacy policy must be easy to find, read and \nunderstand. The policy must be available prior to or at the time that \nindividually identifiable information is collected or requested.\n    The policy must state clearly: what information is being collected; \nthe use of that information; possible third party distribution of that \ninformation; the choices available to an individual regarding \ncollection, use and distribution of the collected information; a \nstatement of the organization\'s commitment to data security; and what \nsteps the organization takes to ensure data quality and access.\n    The policy should disclose the consequences, if any, of an \nindividual\'s refusal to provide information. The policy should also \ninclude a clear statement of what accountability mechanism the \norganization uses, including how to contact the organization.\n3. Choice/Consent\n    Individuals must be given the opportunity to exercise choice \nregarding how individually identifiable information collected from them \nonline may be used when such use is unrelated to the purpose for which \nthe information was collected. At a minimum, individuals should be \ngiven the opportunity to opt out of such use. 
Additionally, in the vast \nmajority of circumstances, where there is third party distribution of \nindividually identifiable information, collected online from the \nindividual, unrelated to the purpose for which it was collected, the \nindividual should be given the opportunity to opt out.\n    Consent for such use or third party distribution may also be \nobtained through technological tools or opt-in.\n4. Data Security\n    Organizations creating, maintaining, using or disseminating \nindividually identifiable information should take appropriate measures \nto assure its reliability and should take reasonable precautions to \nprotect it from loss, misuse or alteration. They should take reasonable \nsteps to assure that third parties to which they transfer such \ninformation are aware of these security practices, and that the third \nparties also take reasonable precautions to protect any transferred \ninformation.\n5. Data Quality and Access\n    Organizations creating, maintaining, using or disseminating \nindividually identifiable information should take reasonable steps to \nassure that the data are accurate, complete and timely for the purposes \nfor which they are to be used.\n    Organizations should establish appropriate processes or mechanisms \nso that inaccuracies in material individually identifiable information, \nsuch as account or contact information, may be corrected. These \nprocesses and mechanisms should be simple and easy to use, and provide \nassurance that inaccuracies have been corrected. 
Other procedures to \nassure data quality may include use of reliable sources and collection \nmethods, reasonable and appropriate consumer access and correction, and \nprotections against accidental or unauthorized alteration.\n    These guidelines are not intended to apply to proprietary, publicly \navailable or public record information, nor to supersede obligations \nimposed by statute, regulation or legal process.\n    Other valuable resources available to Alliance members in the \ndevelopment of privacy policies include: the OECD\'s ``Guidelines on the \nProtection of Privacy and Transborder Flows of Personal Data\'\'; the \nU.S. Department of Commerce\'s ``Staff Discussion Paper of Privacy Self-\nRegulation\'\'; and various industry association programs.\n\n              PRINCIPLES FOR CHILDREN\'S ONLINE ACTIVITIES\n\n    The Members of the Online Privacy Alliance believe that the \ndevelopment of interactive online communications provides tremendous \nopportunities for children. At the same time, it presents unique \nchallenges for protecting the privacy of young children. Children under \n13 are special. Unlike adults, they may not be fully capable of \nunderstanding the consequences of giving out personal information \nonline. However, children often understand how to navigate online far \nbetter than their parents do. Parents will not always have the \nknowledge, the ability or the opportunity to intervene in their \nchildren\'s choices about giving out personal information. 
Therefore, companies operating online must protect the privacy of children.
    In connection with online activities of children under 13, the Alliance adopts the following principles.
    Companies doing business online that operate sites that are directed at children under 13 or at which the age of visitors is known, must at those sites:
    <bullet> Not collect online contact information from a child under 13 without prior parental consent or direct parental notification of the nature and intended use of this information, which shall include an opportunity for the parent to prevent use of the information and participation in the activity. This online contact information shall only be used to directly respond to the child's request and shall not be used to recontact the child for other purposes without prior parental consent.
    <bullet> Not collect individually identifiable offline contact information from children under 13 without prior parental consent.
    <bullet> Not distribute to third parties any individually identifiable information collected from a child under 13 without prior parental consent.
    <bullet> Not give the ability to children under 13 to publicly post or otherwise distribute individually identifiable contact information without prior parental consent. Sites directed to children under 13 must take best efforts to prohibit a child from posting contact information.
    <bullet> Not entice a child under 13 by the prospect of a special game, prize or other activity, to divulge more information than is needed to participate in that activity.

           EFFECTIVE ENFORCEMENT OF SELF-REGULATION--SUMMARY

    Effective enforcement of online privacy policies is intended to assure an organization's compliance with its privacy policies for the collection, use and disclosure of personally identifiable information online and provide for consumer complaint resolution.
Whether administered by a third-party privacy seal program, licensing program or a membership association, the effective enforcement of self-regulation requires: (1) verification and monitoring, (2) complaint resolution and (3) education and outreach. The Online Privacy Alliance believes the best way to create public trust is for organizations to alert consumers and other individuals to the organization's practices and procedures through participation in a program that has an easy to recognize symbol or seal.

                    THIRD-PARTY ENFORCEMENT PROGRAMS

    Validation by an independent trusted third party that organizations are engaged in meaningful self-regulation of online privacy, may be necessary to grow consumer confidence. Such validation should be easily recognized by consumers, for example through the use of a seal or other symbol. The symbol or seal can be used to connote both compliance with privacy policies and an easy method for consumers to contact the seal provider. Thus, the Online Privacy Alliance supports third-party enforcement programs that award an identifiable symbol to signify to consumers that the owner or operator of a Web site, online service or other online area has adopted a privacy policy that includes the elements articulated by the Online Privacy Alliance, has put in place procedures to ensure compliance with those policies, and offers consumer complaint resolution.

                          PRIVACY SEAL PROGRAM

    Such a privacy seal program (hereinafter ``the seal program'') should implement mechanisms necessary to maintain objectivity and build legitimacy with consumers. The seal program should utilize a governing structure that solicits and considers input from the business community, consumer/advocacy organizations and academics in formulating its policies.
The seal program should strive to create a consistent and predictable framework in implementing its procedures. The seal program should be independent and should endeavor to make receipt of the seal affordable for and available to all online businesses.
    A seal program should include the following characteristics:
    <bullet> Ubiquity.--In order to minimize confusion and increase consumer confidence, efforts shall be taken to ensure ubiquitous adoption, and recognition of seals through branding efforts, including, for example, co-branding with corporations or associations.
    <bullet> Comprehensiveness.--A seal program should be flexible enough to address issues related to both sensitive and non-sensitive information.
    <bullet> Accessibility.--A seal should be easy for the user to locate, use and comprehend.
    <bullet> Affordability.--The cost and structure of a seal should encourage broad use and should not be prohibitive to small businesses. The cost of a seal will vary based on a number of factors, including the extent and complexity of review, size of the business, the amount and type of individually identifiable information collected, used and distributed, and other criteria.
    <bullet> Integrity.--A seal provider should be able to pursue all necessary avenues to maintain the integrity of the seal, including trademark enforcement actions.
    <bullet> Depth.--A seal provider should have the ability to handle the number and breadth of consumer inquiries and complaints about the potential violation of online privacy policies and should have an established set of mechanisms to address those inquiries and complaints.

                      VERIFICATION AND MONITORING

    A seal program must require that its participants adopt a privacy policy that comports with the principles endorsed by the Online Privacy Alliance.
The scope of this requirement only applies to the participating organization and does not apply to the Web pages of affiliates or other Web pages linked to or from the participating organization's Web page. While these baseline principles should be standardized, individual policies accepted by the seal provider should allow for sector-specific variations. The seal program must then require that an organization put in place either self-assessment or accept the seal program's compliance review prior to awarding the seal.
    If a self-assessment system is chosen, it must be pursuant to a rigorous, uniform, clearly articulated and publicly disclosed seal program methodology under which an organization would be asked to verify that its published privacy policy is accurate, comprehensive, prominently displayed, completely implemented and accessible; and that consumers are informed of the consumer complaint resolution mechanisms through which complaints are handled. A statement verifying the self-assessment should be signed by a corporate officer or some other authorized representative of the company. The self-assessment should then be reviewed by the seal program to assure compliance with the methodology. Specific criteria for when a company should improve the implementation of its self-assessment system, adopt further measures, or circumstances when a third-party review is required, should be part of the seal program's methodology for acceptable self-assessment.
    Periodic reviews should be required by the seal program to ensure that those displaying the seal continue to abide by their privacy policies and that those policies continue to be consistent with its principles.
These periodic reviews may include, but are not limited to, auditing, random reviews, use of ``decoys'' or use of technology tools as appropriate to ensure that sites are adhering to the articulated privacy policies.
    In cases where there is evidence that the company is not abiding by its privacy policies, the seal provider should establish clear criteria for placing that company on probation or beginning procedures for the seal's revocation. The seal provider should establish clearly defined criteria for when and how a company's seal may be revoked. A company should be given notice and the opportunity to request outside review before its seal is revoked. Seal revocation should be a matter of public record. The seal provider must clearly state the grounds for revocation and establish a post-revocation appeals process. In addition to the above criteria, the seal provider should also strive to ensure the integrity of the seal by monitoring for misuse or misappropriation.

                     CONSUMER COMPLAINT RESOLUTION

    An effective third-party enforcement mechanism must provide its participants and consumers a structure to resolve complaints and consequences for failure to do so. Thus, a seal program must define the scope of complaints subject to the complaint resolution process, have a system in place to address complaints, the necessary staff to handle the volume of complaints and the organizational depth to resolve them. The seal program must provide a variety of easy mechanisms to allow consumers to lodge complaints or ask questions. Seal recipients must agree to the complaint resolution procedure.
    Under the complaint resolution system, consumers must first be required to seek redress for their complaints from the company they believed to have aggrieved them, before being granted access to the seal program's complaint resolution mechanism.
Where complaints cannot be adequately resolved by the company, and where the consumer and company have exhausted good faith efforts to reach agreement, the company should be required to submit to a complaint resolution mechanism.
    Complaint resolution outcomes must not be contrary to any existing legal obligations of the participating company. Failure of a company to agree with the outcome of the seal program's complaint resolution should result in previously identified consequences to the company. Notwithstanding the complaint resolution process, the consumer, the company and the seal provider may pursue other available legal recourse.

                         EDUCATION AND OUTREACH

    A seal program must develop and implement policies to educate consumers and business about online privacy.
    A seal program must develop and implement policies to encourage awareness of the program and online privacy issues with both consumers and businesses. Such techniques shall include: publicity for participating companies, public disclosure of material noncompliance or seal revocation, periodic publication of the results of the monitoring and review procedures, or referral of noncomplying companies to the appropriate government agencies.

               ONLINE PRIVACY ALLIANCE ASSOCIATION POLICY

    An association that joins the Online Privacy Alliance agrees to:
    <bullet> endorse the Alliance mission statement, including: (1) adopting and posting privacy guidelines consistent with the Alliance's guidelines and appropriate to the association's membership; and (2) participating in self-regulatory enforcement mechanisms appropriate to the association's online activities;
    <bullet> encourage its members to adopt privacy guidelines consistent with the Alliance's guidelines and appropriate to their industry's sector, and to implement appropriate self-regulatory mechanisms; and
    <bullet> actively
participate in the Alliance's business outreach and consumer education programs.
    An association also may administer a seal or other third-party self-regulatory enforcement program at its discretion.

                            OTHER MATERIALS

    <bullet> Executive Summary of the Georgetown Internet Privacy Policy Survey Conducted by Professor Mary J. Culnan. See http://www.privacyalliance.org/resources/gipps--summary.shtml
    <bullet> Executive Summary of the OPA Privacy Policy Survey of the Top 100 Web Sites Conducted by Professor Mary J. Culnan. See http://www.privacyalliance.org/resources/100--summary.shtml
    <bullet> Privacy Initiatives by Private Sector: A partial review of steps which OPA Supporters have done to help foster consumer confidence by protecting personal privacy in cyberspace. See http://www.privacyalliance.org/resources/privinit.shtml
    <bullet> A Quick Guide to Helpful Tips and Technical Tools for safeguarding your privacy online. See http://www.privacyalliance.org/resources/rulesntools.shtml

    Senator Burns. Thank you. I appreciate that very much.
    But I will have to admit that you make some very strong points when you start talking about the banking thing. We sat down and talked to some financial people, and even addressed their congressional session. And it was interesting to hear their comments, and then their comments on S. 809. Nobody said this was going to be easy to find that middle ground, but, nonetheless, we are attempting to.
    Let me ask the panel if you see any difference in the online environment between this year and last year, whenever we start talking about, you know, we passed the Children's Privacy Act and now, a year later, has the landscape changed? Is there a different environment out there now? Have we learned some things? Did we do some things wrong? Did we do some things right?
    I would like to hear some comments with regard to that.
We will just start with you, Ms. Mulligan.
    Ms. Mulligan. I would love to. I first want to address the Children's Online Privacy Protection Act. And, as you know, there is a rulemaking going on now. And I think, as some folks have alluded to, there are some very critical issues that have surfaced during the Commission's rulemaking. One is, for example, what does it mean to collect information in the online environment?
    When you surf, you do leave behind logs that every single Web site that you visit potentially is collecting information. Now, that information, they may not be using it in any way to come back to you. They may not be interested at all in who you are. But there are just some tricky definitional issues.
    And this has come up in other instances when you have dealt with how do you deal with content, and making sure that service providers, who are merely a conduit for other people's communication, are not held liable for the contents of that communication. And so there are some similar issues to look at, and make sure that you are actually placing liability on the right individuals.
    And there are some other tricky issues--what is identifiable data? And one of the things that I think is very important as we look at this issue--traditionally, privacy statutes have been focused, as far as their enforcement techniques, on providing individual citizens with rights of action. The Children's Online Privacy Protection Act, the Online Privacy Protection Act that you proposed, are actually looking at a different model of enforcement and oversight, which is an FTC model.
    And I think there are arguments that you can make in favor and against both of those.
And one of the things that I think really needs to be explored a little bit further is which model is going to best ensure compliance, which model is going to best ensure that harmed individuals actually have some recourse, and perhaps it is a combination of the both. But I think that is an issue that really could use some more exploration. And I think this committee would serve as a useful place to have the discussion.
    On the state of the Web and how things are changing, I think one of the things that we are seeing as an increasingly difficult issue and complex issue is the introduction of things that are called identifiers. This has come up with the Pentium III PSN unique identifier. And there was an enormous concern that it was going to be cookies on steroids; that this was going to provide an enormous opportunity for individuals' actions to be tracked and correlated all across the Web.
    Another issue, which you have both raised--several members have raised--is this distinction between online and offline information. Is that something that makes sense to consumers, and is it something that actually reflects business practices? And I think that the verdict is still out on that. And I think the online environment, those lines between online and offline, while certain companies--and Jill Lesser talked about the fact that AOL does not use information about online activities in marketing to individuals or anything--that is not necessarily the norm.
    And there has been a lot of discussion about a merger between DoubleClick, which makes very aggressive use of cookies, and links individuals' activities at various Web sites, which is what Senator Bryan was referring to, and Abacus, which is a very large database of people's preferences and purchasing habits at catalogs. And these two companies are merging. And what does that mean for our online and our offline identities?
Are they all of a sudden going to be coming together? And what does that mean for consumers?
    So there are a number of pressing issues that I think were not on the table probably 2 years ago.
    Senator Burns. Marc?
    Mr. Rotenberg. If I could, Senator, add a few additional points. I think it is important to keep in mind that over the past year there has been a critical negotiation between the United States and Europe over the future of privacy protection. And this is very important, I think, for consumers and for businesses, because it goes to the whole issue of e-commerce and transporter data flow.
    And the Europeans have made clear for a long time that they feel quite strongly about the privacy issue. I think part of it has to do with the history. I think part of it also has to do with the integration of the European countries. But they said more than a year ago to the United States that we would need strong safeguards in this country for them to feel comfortable shipping private records, medical records, financial records on European citizens to the United States.
    And our negotiators said, well, we thought self-regulation would do the job, and sort of reached the showdown point this past June. And the Europeans basically said, we do not think it is going to work for us. And we are seeing similar results with other countries that are moving increasingly to adopt privacy legislation. You are seeing this also, as Commissioner Anthony described, across the States. The States are not waiting. They are passing legislation. They are hearing from their voters, their consumers, that they want some safeguards now.
    So I think you are seeing, one, a lot of political support and a lot of political action in support of legislation. The second thing I think you are seeing are very new business practices, with some very serious privacy repercussions.
The DoubleClick-Abacus merger, which I describe in some detail in my testimony, will radically transform the nature of advertising.
    Now, advertising is a very interesting marketing technique. Because it is a way for a seller to reach potential customers in a segmented market and still allow people to protect their privacy. In other words, if you are listening to a radio station or watching television or thumbing through a magazine, you are getting a lot of product information. That does not necessarily mean that the person who placed that ad or that spot knows that you are hearing it or seeing it.
    Now, that could change on the Internet in a very big way. And it has to do with a point that Senator Bryan made earlier this morning. And that is the use of cookies. These cookies that sit behind the banner ads are part of a big network. It is not just the Ford site or the Eddie Bauer site or the Sears site. There are big networks, like DoubleClick, that control many of the ads that one Web surfer sees as that person goes across the Internet. And they are building elaborate profiles.
    Now, DoubleClick said originally, when people started asking all sorts of questions, well, what about the privacy consequences here? They said, well, our system is going to be anonymous; we are not going to collect any personally identifiable information. And there are a thousand Web sites on the DoubleClick network that say that--anonymous, do not collect any personally identifiable information. But now DoubleClick says, we are going to merge with Abacus.
    Abacus is the largest catalog database firm in the United States. And we are going to join our anonymous profiles of those people clicking Web ads with all that data that is sitting in there--profile, occupation and information--to provide you really great, high-quality, one-to-one marketing.
That has enormous privacy consequences for the Internet.
    And the problem right now is that we do not have a legal way to get a hold of that process. I mean, maybe, on balance, it makes sense. I do not think it does. But we need a better way to get to those kinds of issues.
    Senator Burns. Senator Bryan.
    Senator Bryan. I thank the chair. Again, a very thoughtful panel, very helpful. You have done a fine job, Mr. Chairman.
    Ms. Varney, let me, if I might, just respond. I happen to be a conferee on the financial restructuring, S. 900, or H.R. 10. And, as you know, in the financial restructuring version the Senate has passed, there are no privacy provisions. We are now told that the provisions in H.R. 10, some industry folks are saying that this is a deal breaker, that these kinds of provisions will force the industry to back off.
    And let me just say, I, like Senator Wyden and others, I do not have a legislative Pavlovian response that there is an issue here we have got to legislate immediately. My approach certainly would be to work as we did with AOL and direct marketers and other Web operators and the FTC to craft something, as we did with the Children's Online Privacy Protection Act. That is my approach.
    But I have to tell you, this privacy issue is something that is very, very significant. With respect to banking, we now know that there are major banks--responsible, legitimate institutions--that have, in effect, without the knowledge or consent of the depositor, have transferred personal information, credit card numbers, bank account numbers, to telemarketers--some of whom are only one step away from incarceration.
    Now, I think that comes as a shock to folks. So, again, I am not as sanguine, perhaps, as you are as to how we are going to get through this conference on financial restructuring.
    We have a lot of States that are responding to this issue.
My experience at the State level is where the Federal Government fails to act and there is perceived to be a legitimate public policy issue, the States get involved. And then we get this patchwork of legislation. Would it not make sense to have a uniform standard for the business community and the private sector, consumer advocates, to, in effect, have a baseline, as opposed to getting through a whole patchwork, if you would, of different approaches that States might take? Let me give you that question.
    Ms. Varney. If I can just clarify. My intention in commenting on H.R. 10 was nothing other than to say it is a very difficult area. And the possible inconsistencies of H.R. 10 survive the conference with an S. 809, we have basically exempted this huge area of financial services from the requirements of S. 809. And I am also very concerned about financial data, medical data and children's data, which are generally considered to be the most sensitive kinds of data. So my comment is only to alert us to the pitfalls here.
    Senator Bryan. OK.
    Ms. Varney. If you think back, Senator, to when the financial services industry did come to Congress and say, several years ago, we are experiencing tremendous difficulty in credit card acceptance because of the myriad of State laws, and we would like you to work with us to come up with a national law, a Federal standard, to preempt the State laws, so that we can have ubiquitous credit card deployment.
    Now, some may think, in retrospect, that that is the reason we have so much personal bankruptcy, because they now send credit cards to 12-year-olds. But, on the other hand, that was an instance where industry did come to you and said, we have a problem and we have concluded that the fix is a Federal legislative fix and, with your help, we want to address it.
    My sense, from the companies I work with, is that they have not excluded that.
They have merely said, we are not there yet and we would like to look at technological fixes, we would like to look at the demands of the consumer in the marketplace. We want to see how all of this works.
    My guess is, Senator, that many of my clients--eBay, Amazon, Yahoo, AOL--if they got to the point where they felt that individual State, possibly conflicting or inconsistent, regulation was hindering their ability to do business with consumers, they would be here in a heartbeat, asking you to work with them to fix the problem.
    Senator Bryan. Mr. Rotenberg, and perhaps Ms. Mulligan, with respect to the cookies issue, which I think, as we have talked about with the FTC panel, you do not really have a choice there. The FTC has indicated, in response to one of my questions, that we really do not know the extent of the data collection. What is the correct public policy for us to pursue, either through some type of voluntary industry accord or a legislative approach? Is there any legitimate basis for them to collect information just based upon your scanning the Web?
    Mr. Rotenberg. Senator, I think the right starting point for public policy in this area is the concept of fair information practices, which the Commissioners all spoke about on the first panel. Fair information practices basically say that when a company collects some information, they have some responsibilities to you and you have some rights.
    And the problem with cookies, you see, is because that data collection is so secretive; people really do not know what is going on. Now, I could describe for you many applications of cookies which are fantastic to make the Internet work.
    I mean there are certain aspects of the HTTP protocol, precisely the fact that it is sort of stateless, and you come back to a Web site, having just clicked on a page, the Web site does not know who you are.
So there has to be some way to sort of remember that you were the person who just clicked on the page before. And so you use cookies in these settings, for example, if you go to an online bookstore and you want to purchase something online, and you bought one book and you want to buy a second one, the company needs to know that you bought the first one. And they use cookies that way, and it makes a lot of sense.
    But the banner ads which I described for you, that is a whole different thing. That is about building a profile of what you are interested in based on where you have been. And you really exercise no control.
    If we took the approach that fair information practices should be enforced on the Internet, whether it is a purchase or cookies or something else, I think the rules would become clear pretty quickly. And it would be hard, for example, for Web advertisers to collect that data so secretly, but it would still be possible for Web merchants to use this same technique to fulfill a customer's order.
    That is why, in my view, privacy policies actually make things simpler for people. They make it better for consumers and for businesses.
    Senator Bryan. Ms. Mulligan, any comment?
    Ms. Mulligan. Yes, I think I would just like to elaborate. People talk about fair information practices--it is often just kind of waved about. And they are pretty simple concepts. And, as Senator Wyden stated earlier, they are pretty tried and true. They have been well tested. And basically, individuals have the right to access and correct information about them. They have the right to control how data is used that they provide to someone.
    This means consent.
Recordkeepers have responsibilities to tell people how they collect information, how they use information, to limit how they collect information, so that they are not collecting the extraneous information that they do not need to give you a warranty on your toaster. That they should limit the use and they should honor an individual's ability to control that data once they have collected it. That they have an obligation to maintain that data in a form that protects its quality and to provide it security. And that they have an obligation to be accountable to the public for those practices.
    I think, as Mr. Rotenberg said, technology can be used in both ways that greatly advance our privacy and that advance convenience, and they can also be used in ways that undermine both individuals' expectations of confidentiality, their expectations of privacy, and kind of add to this general sense of unease, that someone is watching me.
    I think that the way in which we move forward is by really looking at what are the policies that we are trying to advance, and not necessarily focusing on a specific technology--although there are technologies that I think are critically important and I think that this committee's work on encryption and the fact that we may have a bill that is looking quite strong going to the floor on the House side--I think that there is a lot of positive that technology can do, but really focusing on the technology may take our eye a little bit off the prize.
    Senator Bryan. Ms. Lesser, let me ask you a question, if I may. I catch here on the weekend newspaper that AOL----
    Senator Burns. Excuse me, Senator. Would you do me a favor and ask Senator Wyden, once he gets done with his round of questioning, could you wrap up the hearing? I have got a kind of important meeting that I have got to attend at 11:45, and I am a little late now. Can you wrap it up?
Thank you very much.
    Senator Bryan. Mr. Chairman, thank you for allowing me to ask just one more question, and then I will let Senator Wyden----
    Senator Burns. You have got to deal with Wyden now. [Laughter.]
    Senator Bryan. We have already had a tradeoff here, I think, this morning.
    I noticed in the Saturday paper that you are bidding farewell to this corps of under-18 volunteers, who have been kind of helping you to monitor some of the activities. And I want to offer myself. In 18 months, I will be unemployed. You are saying that you are looking for someone who has greater maturity than the 15- or 16-year-olds. I am not sure that any other qualification I might have to bring to bear would have any relevancy, but I am older and more mature than the younger folks, and so I will look forward to volunteering.
    Ms. Lesser. You are hired.
    Senator Bryan. I am hired. Great.
    Let me ask you the question that I asked the Commissioner. That is, I thought AOL made a pretty argument, when we had the broadband frequency argument. You were talking about access and how, with the telephone network that is available, but with some of the policies being pursued by cable operators, that you did not. And that struck me. And then, I must tell you, I was somewhat surprised when you and Microsoft got into this titanic battle of the 800-pound gorillas in the industry.
    Again, as I have commented earlier, Microsoft develops the technology on this instant messaging that would enable their subscribers to communicate with your subscribers, and then you developed the blocking strategy, and now they are trying to counter-block.
    It strikes me that there is an inconsistency here. Let me give you an opportunity to explain that, and then I will yield to my patient friend from Oregon.
    Ms. Lesser. Thank you. And I appreciate the opportunity to explain this, Senator Bryan.
As I think is often the case, the
devil is in the details, so let me just give you a little bit
of the details, and take you back to the beginning of when we
began to offer instant messaging.
    It is, as you may or may not know, a technology that works
somewhat like E-mail except that it pops up on your screen so
it really is instant. And we developed the technology,
actually, over 10 years ago. We quickly realized that it was
probably the most popular item on AOL. And so what we did was
we took it from being an AOL proprietary service and we made it
freely available on the Internet.
    So AOL Instant Messenger, which is the subject of this
debate if you will, is freely available to everybody on the
Internet. And over time, we have also been approached by other
companies--Netscape being one before we were in discussions
with our acquisition; IBM being another, that there was just a
story about today where they are integrating our Instant
Messenger technology into their own software, creating their
own program, but basing it on our technology.
    With those situations and with others that we have engaged
in, we have basically a dialogue--does your technology
interoperate with our technology, because we support openness
and interoperability? Does it work with our technology in terms
of scalability? And how does it impact our proprietary servers?
    So there are lots of questions you want to ask first before
you say absolutely, interconnect, have an interoperable system,
we support openness. So I think it is a fundamentally
consistent approach.
    I will say that with respect to this hearing, I think it is
an interesting issue. Because one of the things that was most
distressing about the way this happened is that Microsoft did
not give anybody at AOL any notice that they were going to try
to interoperate, and did so just after midnight last week.
And
what they did, what their product does, is if you are an AOL
Instant Messenger subscriber and you would go to sign up for
Microsoft, it actually says, I noticed that you are a member of
AOL's Instant Messaging.
    So they are basically picking up the information off our
server and saying to our consumers, we need your AOL screen
name and your AOL password, which is a fundamental part of the
way we maintain security in our system in order for you to be
able to communicate through MSN's system with AOL's Instant
Messenger customers.
    So whereas we, every day, every time I sign on, a message
comes up, saying, do not give your password to anyone and do
not--and AOL employees will never ask you for your password in
any situation, this sort of fundamentally undermines that
security issue, and in fact looks like--the intrusion of
Microsoft almost looks like the way we look at hackers. Which
is, you have come in to use our technology in a way that we had
no notice of.
    So I think what we are going to do, moving forward, is try
to work with Microsoft, with other companies that want to offer
Instant Messaging and interoperate, and fully support those
discussions and hope they move quickly. But, you know, I think
that there are a lot of details within this particular issue
that make it more complicated and I think make it not
inconsistent with the commitment to openness.
    Senator Bryan. I thank you very much. And a number of us
will stay tuned in as this develops.
    Ms. Lesser. Please, do.
    Senator Bryan. Thank you.
    Senator Wyden. An excellent panel. It has been a long
morning, and I just have a few questions. Let me start with
you, Ms. Varney.
    If the chief flight mechanic for Acme Airlines admitted
that he would not personally risk his life flying for Acme,
Acme would obviously have a lot of problems selling tickets.
Now, if 60 percent of the chief mechanics of all the airlines
were surveyed, and they said, we are not going to fly because
of safety concerns, the whole industry would have a lot of
trouble growing their customer base.
    Now, clearly, a flying accident carries more serious
consequences than the violations of privacy policy. But it
seems to me the online business community has a not all that
different problem to my little fictional Acme Airlines. I find
it absolutely astounding that 60 percent of the chief
information officers, people who are in the business of making
profits in this field, are unwilling to give any personal
information out about themselves. I think that is what this is
all about.
    What I find very troubling is the good work that your
companies are doing, the good work that people like me are
trying to be supportive of, and stay up until the middle of the
night like we did on the Y2K liability bill, to try to be
supportive. I think it can really be undermined if we just sit
and say, well, we will just watch all this self-regulation, and
maybe it will work and maybe it will not, and we will come back
when it does. I guarantee you, if there is an Exxon Valdez
style privacy invasion, a bill will go through here like grease
going through a goose. It is going to make anything that Conrad
Burns and I have been talking about look like pretty small
stuff.
    So how would you respond to the fact that 60 percent of
these people who make their living in this field will not give
anything out?
    Ms. Varney. I do not give out personal information online,
Senator, ever. I do not allow my children to. I simply do not.
    Now, when I go to buy office supplies or when I go to buy a
book or when I go to buy an album, I look very carefully at
what the privacy policies are. And I will give the information
necessary to complete the transaction.
And if I do not like the
privacy policy, I do not shop there. I would not fly Acme.
    I think the point is that there is a lot of choice. And I
do not disagree with really anything you have said. I think it
is an ongoing market. I think maybe the only perspective where
you and I may differ slightly is, where I see the need for the
debate, I do not think or recommend that you sit idly by and do
nothing. I think what you are doing is exactly right.
    However, I think we may be slightly premature to focus in
on a particular piece of legislation for general commercial
transactions. I am not talking about financial privacy, I am
not talking about medical privacy, and I am not talking about
kids' privacy--all of which are highly sensitive data. I am
talking about general, grown-up, commercial interactions,
transactions.
    We do have an obligation here--the government, the business
and the consumer sections--to work together to make sure this
marketplace works. Business has been doing its part. And I
think it sends the wrong message to business to say, okay, you
have spent the last 2 years really working hard to make privacy
the norm in the online transactional environment, and now we do
not think you have done the right thing, so we are going to
create the norm for you. I just do not think we are there yet.
    I agree with you, if the Exxon Valdez happens, we all
better be up here and we better have our sleeves rolled up and
better be prepared to deal with it.
    Senator Wyden. The problem for me is that test after test
is not being met. I read Bob Pitofsky what the Commission said
a year ago: Unless industry can demonstrate it has developed
and implemented broad-based and effective self-regulatory
programs by the end of the year, additional government
authority in this area would be appropriate and necessary.
It
has been a year later, and I asked Bob Pitofsky if the tests
were met, and he said no.
    Ms. Varney. Well, I am not sure that I would agree with
that, Senator. I think that we can talk all day, as we have
been, about whether or not 14 percent to 66 percent, and
everything that is underneath it, means there has been
sufficient progress. Even if there were agreement that there
were insufficient progress, I think you heard Ms. Lesser say
that the way to go here is not a regulatory framework, it is an
enforcement framework.
    So I am not sure that even if we all conceded the point, we
are in agreement about what to do about it. And I am certainly
not willing to concede the point.
    Senator Wyden. Well, I am going to let Ms. Lesser speak for
herself because she always does so very eloquently. I heard her
say, and I am very comfortable with this as an orientation,
that what we want to do is make sure that we have got the tools
to deal with the scalawags, with the bad actors, while not
weighing down people who are responsible. And that is exactly
where I want to be. That is what we are trying to do with the
safe harbor. As I think you know, in the discussions that we
had with Senator Burns' folks, that was something I felt very
strongly about, and trying to give the widest possible berth.
    So I want to give you a chance to speak for yourself on
this point, but I thought that the ground that you staked out
there was exactly where Senator Burns and I want to be in terms
of this centrist, pragmatic kind of approach, so that people
who are working hard and wrestling with these issues on a
regular basis, as you and a lot of your colleagues are, do not
find it a burden. In fact, in almost all instances, you accede.
    In fact, probably the only thing I have disagreed with at
all this morning--and I think she knows that I am very fond of
her--I was almost going to give Ms. Varney the chutzpah award
this morning for saying, wait a minute, we have been for self-
regulation, but we want to go even further on financial
services and cookies than S. 809 has. And I say that in a good-
natured way. And I think you made it clear that that was not
what you wanted to do.
    But I think we do want to strike the balance that Ms.
Lesser is talking about. I want to give her a chance to speak
to that point.
    Ms. Lesser. Thank you, Senator Wyden. I, too, am heartened
that you want to strike that balance. I am not sure that S. 809
does that the way it is drafted. And I think that, as you and I
have talked about, we should continue to work not only with the
industry and members of Congress, but the FTC and privacy
advocates, to figure out what the baseline may be.
    What I think has come out in this hearing, however--and
Christine Varney did emphasize it--is that this issue is a lot
more complicated than it appears on its face. Certainly
requiring a notice of privacy policies gets to a fair number of
problems that we are seeing online, but it does not necessarily
address all the issues that people have expressed concern
about.
    The question really is, what are the issues that Congress
should address? What are the issues that the industry should
retain flexibility on? What are the issues that technology is
addressing? And how do we all come together to say there may be
a role for everybody?
    So, as I have said before, I do not think it is wise for
any company, particularly America Online, to testify that we
are opposed to legislation, per se, because that is just not
true. What we need to do is identify areas where there are--and
I will maybe over-qualify this--but where there are market
failures.
We did so, with Senator Bryan and others, in the
children's bill, and we will continue to have that dialogue.
    But as Deirdre Mulligan laid out very eloquently, there are
many, many unanticipated issues being raised in the context of
that rulemaking. We may learn from that experience, once that
rulemaking is over, once the bill is actually in place, so we
understand the impact on consumers, the impact on the industry,
and the impact on moving forward. So I think it is an ongoing
dialogue.
    Senator Wyden. Well, I think that is a fair comment.
    The kind of tools we tried to put in S. 809 are ones that
we think have stood the test of time, such as the principles
like opt out and baseline disclosure. And as Senator Burns and
I have said repeatedly, we do not think this is the last word,
and we are very anxious to have your continued input.
    A question for Mr. Rotenberg and Ms. Mulligan--I think you
saw what I was trying to do, particularly with Chairman
Pitofsky, was to try to expose some of the holes in the
existing authority of the FTC to deal with these issues. I
think that, by the end, he said, well, gee, we are not
completely helpless, and cited a couple of examples. And I
found that very helpful.
    But, at the end of the day, the point that most troubles me
is that if we are going to give a broad berth to self-
regulation--and I made it clear that I am doing somersaults to
try to do that--we have got to have some real enforcement. Both
of you have made it clear that that is the Achilles heel in
this self-regulation concept. I think a good way to wrap this
thing up. I went to school on a basketball scholarship and you
always want one shot to quit on and today I think it would be
to have you two tell us what you think a good enforcement
package would consist of.
    Ms. Mulligan, Mr. Rotenberg, either one of you?
    Mr. Rotenberg. Senator, in the context of my comments on
S. 809, one of the points that I kept coming back to was the
need for the FTC to give more information to this committee and
the Congress and the public about what is actually happening. I
was frankly so frustrated by the FTC report, because there was
no information there about enforcement, about consumer
complaints. We submitted a Freedom of Information Act request
to the FTC, and we have asked for all records regarding the
privacy investigations, to try to understand what is going on.
    But my starting point--and I think if we do it in the
context of S. 809--is to have an annual reporting requirement,
so that you would have information about disposition, what
happens with privacy complaints, what cases were referred, how
were those resolved. One of the theories underlying the self-
regulatory approach, as the chairman has described, is that the
FTC would operate as a backstop. If, for example, an issue
could not be resolved through a self-regulatory group, like
TRUSTe, then it would be referred to the FTC under Section 5
authority, and some further action can be taken.
    That information has to be provided on an annual basis. You
need some way to evaluate if it in fact is working.
    Senator Wyden. Ms. Mulligan, before we move on--Ms. Lesser,
Ms. Varney, is that something that companies could live with?
Is that kind of backstop kind of approach along the lines of
something Mr. Rotenberg is talking about?
    Ms. Varney. Well, I think in the first instance, what we
are committed to at the Online Privacy Alliance is getting more
companies in BBBOnline and TRUSTe and the WebTrust programs. It
is an interesting discussion, Senator, that I have had with
your staff and with the Commissioners.
When I was a
Commissioner, I believed that it could be an unfair practice to
be collecting and using data without telling an individual that
you are doing it, and giving them whatever rights would be
concomitant with that. I continue to believe that that may be
worth exploring.
    Now, Bob Pitofsky was not only my professor at law school,
he was also the Dean. He is far more experienced in this than I
am, and he told you point blank he did not think he would win
that case. But it seems to me that it is worthwhile to think
about whether or not it is an unfair practice to collect data
without informing individuals and giving them an opportunity to
exercise control over the data.
    But, in the first instance, we are committed to building
the mechanisms in the marketplace.
    Senator Wyden. That actually goes beyond even what Mr.
Rotenberg called for.
    Mr. Rotenberg. I will sign up for that.
    Ms. Lesser. But I think what Marc is talking about and what
Christine is talking about both indicate sort of a continuation
of what I was talking about, which is: What are we really
looking for? We are really looking to make sure consumers are
protected, and that when they have complaints or problems arise
or there are bad actors out there, that there is a mechanism
for us to both make sure those bad actors stop engaging in
business; and, second, hold them up as examples.
    Because what we have seen with the FTC's enforcement
actions related to their deception authority over the past
couple of years has been a significant move by the industry,
frankly, to a place where a good part of the industry could
support the children's bill.
Because we all said, despite the
initial workshop on privacy which I participated in 4 years
ago, that people were standing up and saying it is not
necessary for us to provide parental disclosures even--forget
consent--when we collect information about children--it has now
really moved to be the perceived industry norm.
    So I think that there is a lot that can be done in the
enforcement area of the Federal Trade Commission. And it is
something that you and this committee should examine.
    Senator Wyden. You can swish the last shot of the game.
    Ms. Mulligan. OK. Well, I would like to build on a comment
that Christine Varney made, and also actually a question that
Marc has asked the Commission to provide documents on. I
actually did file a complaint against two Web sites that were
not telling consumers what they were doing with information,
and were collecting incredibly detailed health information--
one, targeting consumers with heart problems, collecting the
most detailed list of medications, how often they take them,
who prescribes them; and another very large pharmaceutical
company, running a Web site aimed at asthma patients,
collecting incredibly detailed information about their health,
their family's health, with no disclosures of how that
information was to be used, and very little acknowledgement
that the company behind the Web site was in fact a very large
company, with many, many different interests in all different
health care product industries.
    Like Christine, my hope was that the FTC would in fact
think that they did have jurisdiction to go after Web sites
that were, I think, misleading consumers by not providing
information. So, the omission rather than the act.
    However, to my knowledge, there has been no action on that
complaint.
So I, like Christine, think that perhaps the
Commission has decided that they do not have jurisdiction
there, as you heard Chairman Pitofsky say.
    On the question of enforcement, I think that when I look at
legislative models or self-regulatory models in the privacy
area, there are actually two different things that you are
aiming to do. One is to instill compliance. The goal is not to
have a lot of bad actors. I actually think that baseline
guidance--as Commissioner Swindle said--the third of people who
are not saying anything about how they handle information, you
can make the assumption that they are all scalawags or you can
assume that perhaps an OPA letter has not gotten to them; they
do not live inside the Beltway and they are one of the 275,000
new Web sites, and that actually they would benefit from some
of the knowledge that this committee has generated and that the
FTC has generated, and that a little direction would go a long
way.
    The second part is, how do you actually get to the bad
actors? And as I alluded to earlier, we have a number of
statutes on the books, and most of those have looked at private
rights of action as a method of enforcing. Despite the fact
that I think that privacy, particularly when you are talking
about sensitive information--somebody has disclosed my medical
records, I want to go in and sue, right--there is an issue as
to whether or not many consumers are actually aware of the fact
that their privacy has been violated.
    So while I think a private right of action can be
critically important for an individual's vindication, I am not
certain that it is actually the best way to provide
enforcement.
Because, unlike the FTC, which has a fairly good
pool of resources to conduct investigations, to actually go in
and look at what people are doing, the average consumer, kind
of the harm that is going to actually get them into court
because of the expense of actually enforcing their rights, I am
not sure what the right balance is between those two models.
You may want a little bit of each.
    But I actually think Marc's suggestion that people report
is something that we have seen. It is a useful oversight
mechanism, for example, in Federal wiretapping. It provides
some public accountability. And I think that is critically
important. But I think that looking at the remedy issue, the
oversight and the enforcement issues, is something that I would
like to see some more discussion on. And we are actually right
now conducting some research, and I will provide it to the
committee when I have some more findings.
    Senator Wyden. I still have the welts on my back from the
Y2K litigation debate. So your desire to hold off on further
discussion of litigation is particularly well received at this
point.
    Unless you all have anything to add further, know that this
subcommittee, and myself specifically, having worked with all
four of you very extensively in the past, really appreciates
the counsel. This is by no means the last word. This is going
to be a debate, as you all have said, that evolves. We are
going to be working closely with all four of you, and we will
excuse you at this time.
    The subcommittee is adjourned.
    [Whereupon, at 12:20 p.m., the hearing was adjourned.]


                            A P P E N D I X

                              ----------

     Prepared Statement of The Center for Democracy and Technology

            Behind the Numbers: Privacy Practices on the Web

    The state of privacy on the Internet is the topic of much
discussion.
Much of the focus to date has been on the numbers--how many
Web sites mention privacy? How many are allowing consumers the ability
to opt-out? We believe it is time to focus on whether the policies in
the marketplace reflect Fair Information Practices--the cornerstone of
information privacy--and perhaps more importantly, to decide whether
they respond to consumers' privacy concerns.
    In considering the state of privacy protection at commercial Web
sites, this report takes a three-part approach.
    <bullet> First, the report reviews survey data about individuals'
expectations of privacy on the Internet and in commercial interactions.
The survey data suggests that adherence to the Code of Fair Information
Practices on the Internet would substantially address individuals'
privacy concerns.
    <bullet> Second, based upon the Georgetown Internet Privacy Policy
Survey data, the report further analyzes the quality of privacy
policies posted by some of the most frequently trafficked Web sites.
The report finds that very few Web sites are abiding by the sub-set of
Fair Information Practices called for by the Federal Trade Commission.
    <bullet> Third, the report examines the private sector mechanisms
for overseeing and enforcing privacy policies. The report finds that the
seal programs--BBBOnline, TRUSTe and WebTrust--do not require companies
to comply with the full set of Fair Information Practices and, because
some programs have multiple versions, individuals must read the fine
print if they want to know what protections and rights the programs
afford them.
    The report concludes that Fair Information Practices continue to be
the exception rather than the rule on the World Wide Web; private
sector enforcement programs cover a very small segment of commercial
Web sites; and individuals' concerns with their privacy online remain
only partially answered.

      I. WHAT DO WE KNOW ABOUT INDIVIDUALS' EXPECTATIONS OF PRIVACY?

    Over the past four years we've witnessed an increase in surveys
seeking to identify and document the public's attitudes toward privacy.
Recent surveys document a growing concern with individual privacy on
the Internet. Surveys have documented that the privacy of personal
information is of critical concern to those on the Internet and those
who have chosen not to come online. Surveys have also found a
connection between individuals' willingness to engage in online
commerce and their concerns with privacy. Privacy concerns continue to
escalate with a recent report finding that nearly 90 percent of
respondents were concerned about threats to their personal privacy
online.

Privacy is becoming an increasingly important issue to Internet users
    <bullet> Eighty-seven percent of Net users are concerned about
threats to their personal privacy while online. (AT&T survey Beyond
Concern: Understanding Net Users' Attitudes About Online Privacy, 1999)
    <bullet> Privacy now overshadows censorship as the number one most
important issue facing the Internet. (The 8th semi-annual poll of the
Graphics, Visualization, and Usability Center at the Georgia Institute
of Technology, 1997)
    <bullet> Tracking people's use of the Web (32 percent), and the
sale of personal information (42 percent), were cited as the most
pressing privacy issues on the Internet. (Center for Democracy and
Technology Privacy Survey, 1998)
    <bullet> A survey of parents found that their biggest concern
overall, about their children's use of the Internet, was the abuse of
personal information--an issue more troubling to them than credit card
fraud, unsolicited email, and exposure to pornography and/or strangers.
Sixty-five percent said that their children had been solicited to buy
goods or services on the Web while more than half said their children
have been asked to provide personal information at a site in order to
access content. (FamilyPC Special Report: Annual FamilyPC Internet
Survey Results, 1998)

Privacy concerns hinder e-commerce
    <bullet> The majority of online users are not comfortable providing
credit card (73 percent), financial (73 percent) or personal
information (70 percent) to businesses online. (National Consumers
League, Consumers and the 21st Century, 1999)
    <bullet> Forty-two percent (42 percent) of those who access the
Internet or the World Wide Web are using the Net only to gather
information about products and services while a much smaller 24 percent
are going online to purchase goods or services. (National Consumers
League, Consumers and the 21st Century, 1999)
    <bullet> Fifty-eight percent (58 percent) of consumers do not
consider any financial transaction online to be safe, 67 percent are
not confident conducting business with a company that can only be
reached online, and 77 percent think it is unsafe to provide a credit
card number over the computer. (National Technology Readiness Survey,
conducted by Rockridge Associates, 1999)
    <bullet> Many individuals have reported providing false information
when registration is required. (The 9th semi-annual poll of the
Graphics, Visualization, and Usability Center at the Georgia Institute
of Technology, 1998)

Individuals want to know how their personal information is being used
    <bullet> Very strong majorities (91 percent) of Net users, and (96
percent) of those who buy products and services online, say that it is
important for business Web sites to post notices explaining how they
will use the personal information customers provide when buying
products or services on the Web.
(AT&T survey, Beyond Concern:
Understanding Net Users' Attitudes About Online Privacy, 1999)
    <bullet> 66.7 percent of respondents cite the lack of information
about how their personal data will be used as the reason for not
filling out registration forms online. (The 10th semi-annual poll of
the Graphics, Visualization, and Usability Center at the Georgia
Institute of Technology, 1998)
    <bullet> 41.7 percent of Internet users want to know what
information is being collected and 45.8 percent want to know how it
will be used before they decide to withhold or supply demographic
information. (The 10th semi-annual poll of the Graphics, Visualization,
and Usability Center at the Georgia Institute of Technology, 1998)
    <bullet> According to another survey, the most important factor to
respondents in deciding whether to provide information is whether or
not information will be shared with other companies and organizations.
Other highly important factors in providing information on a Web site
include whether information is used in an identifiable way, the kind of
information collected, and the purpose for which the information is
collected. (AT&T survey Beyond Concern: Understanding Net Users'
Attitudes About Online Privacy, 1999)

Individuals want control over how their personal information is used
    <bullet> Eighty-seven percent of respondents objected to a Web site
selling information about them to other businesses. (AARP survey ``AARP
Members' Concerns About Information Privacy.'')
    <bullet> Similar concern was registered in the context of mergers,
where 71 percent of respondents believed that merging companies should
obtain written permission prior to sharing information. (AARP survey
``AARP Members' Concerns About Information Privacy.'')
    <bullet> 74.3 percent of Internet users believe that content
providers (Web sites) do not have the right to resell their personal
information.
(The 10th semi-annual poll of the Graphics, Visualization,
and Usability Center at the Georgia Institute of Technology, 1998)
    <bullet> 90.5 percent of Internet users believe that individuals
should have complete control over which Web sites have access to
demographic information. (The survey found individuals want the control
over the sale of their names and addresses by magazines to which
they've subscribed.) (The 10th semi-annual poll of the Graphics,
Visualization, and Usability Center at the Georgia Institute of
Technology, 1998)

Internet users value their anonymity and are concerned about being
        tracked online
    <bullet> Individuals are often very uncomfortable providing
identifiable information such as credit card numbers and social
security numbers. (AT&T survey Beyond Concern: Understanding Net Users'
Attitudes About Online Privacy, 1999)
    <bullet> 88 percent of Internet users say they value the ability to
visit Web sites anonymously. (The 10th semi-annual poll of the
Graphics, Visualization, and Usability Center at the Georgia Institute
of Technology, 1998)
    <bullet> 82.4 percent of Internet users disagree with the
advertising agency practice of compiling usage behavior across Web
sites for direct marketing purposes.
    <bullet> Tracking people's use of the Web (32 percent) was cited as
a pressing privacy concern on the Internet. (Center for Democracy and
Technology Privacy Survey, 1998)

        II. PRIVACY EXPECTATIONS AND FAIR INFORMATION PRACTICES

    Individuals' privacy expectations, identified by the survey data
above, are reflected in the Code of Fair Information Practices--broadly
recognized principles designed to ensure that individuals are able to
``determine for themselves when, how, and to what extent information
about them is shared.'' \1\ Proposed in 1973 by a United States
government advisory committee set up to examine the impact of
computerized records on individual privacy,\2\ the Code has never been
enacted as such, but remains a sound and enduring baseline for
evaluating the information handling practices of businesses and the
government.\3\
---------------------------------------------------------------------------
    \1\ Alan Westin. Privacy and Freedom (New York: Atheneum, 1967), 7.
    \2\ Report of the Secretary's Advisory Committee on Automated
Personal Data Systems, Records, Computers and the Rights of Citizens,
U.S. Dept. of Health, Education & Welfare, July 1973.
    \3\ Recent statements on protecting privacy from various branches
of the United States government, such as the Department of Commerce's
Guidelines for Effective Self-regulation, the Federal Trade
Commission's 1998 Report to Congress, and the Children's Online Privacy
Protection Act all center on elements of the Code.
---------------------------------------------------------------------------
    The Code of Fair Information Practices \4\ can be summarized as
follows:
---------------------------------------------------------------------------
    \4\ Having discussed the Code of Fair Information Practices with
many non-experts, we drafted this version in an effort to make it more
accessible and self-explanatory. Comments and criticisms are welcome.
\nFor the standard text see Note 1.\n---------------------------------------------------------------------------\nIndividual Rights\n    Access and Correction.--The individual has the right to see \npersonal information about herself and to correct or remove data that \nis not timely, accurate, relevant, or complete.\n    Control.--The individual has the right to control the use of \npersonal information. Personal information provided to a record keeper \nmay not be used or disclosed for other purposes without the consent of \nthe individual or other legal authority.\nRecord Keeper Responsibilities\n    Openness.--Record keepers who collect or maintain information about \nindividuals must be publicly known, along with a description of the \npurpose and uses they make of personal information.\n    Limited Collection.--Record keepers who collect or maintain \npersonal information must collect only what is necessary to support the \npurpose of collection. Personal information must be collected by lawful \nand fair means and, where appropriate, with the knowledge and consent \nof the individual.\n    Limited Use.--The use and disclosure of personal information must \nbe limited to the purpose for which it was collected, unless the \nindividual has granted consent.\n    Data Quality.--Record keepers must ensure that personal information \ncollected is relevant to the purpose of collection, accurate, timely, \nand complete.\n    Security.--Record keepers must institute reasonable security \nsafeguards against such risks as loss, unauthorized access, \ndestruction, use, modification and disclosure.\n    Accountability.--Record keepers must be accountable for complying \nwith fair information practices.\n    Adherence to Fair Information Practices in the marketplace would \naddress many of the documented privacy concerns of individuals in the \nonline environment. 
The following section of the report examines the \nstate of Fair Information Practices at commercial sites on the World \nWide Web.\n\n            III. THE QUALITY OF WEB SITES\' PRIVACY POLICIES\n\n    What do we know about the quality of commercial Web sites\' privacy \npolicies? Do they conform to Fair Information Practices? Two surveys \nconducted approximately a year apart give us some information about \nwhether Web sites are posting privacy policies and, if they are, what \nthese policies say.\\5\\ Using the data from the most recent survey \nconducted by Mary Culnan--the Georgetown Internet Privacy Policy \nStudy--we can produce some useful information about the extent to which \nprivacy policies are being posted and how closely they align with Fair \nInformation Practices and the sub-set of Fair Information Practices \nthat have been called for by the Federal Trade Commission--Notice \n(openness); Choice (use and disclosure limitation); Access (access and \ncorrection); Security; and Enforcement (accountability).\n---------------------------------------------------------------------------\n    \\5\\ Very little data is available about whether companies are \nadhering to the privacy policies they post.\n---------------------------------------------------------------------------\nA. Overview of the Reports\n    In June 1998, the Federal Trade Commission\'s ``Privacy Online: A \nReport to Congress\'\' found that despite increased pressure, businesses \noperating online continued to collect personal information without \nproviding even a minimum of consumer protection. The report looked only \nat whether Web sites provided users with notice about how their data \nwas to be used; there was no discussion of whether the stated privacy \npolicies provided adequate protection. The survey found that, while 92 \npercent of the sites surveyed were collecting personally identifiable \ninformation, only 14 percent had some kind of disclosure of what they \nwere doing. 
Approximately 1.9 percent of Web sites provided the type of \nnotice that the FTC considered appropriate.\n    The newly released Georgetown Internet Privacy Policy Survey \n(GIPPS) provides new data. It finds that 92.8 percent of Web sites are \ncollecting personally identifiable information and approximately 9.5 \npercent of Web sites that collect personally identifiable information \nprovide the type of notices called for by the FTC and required by the \nguidelines of the Online Privacy Alliance, the Better Business Bureau \nand TRUSTe. Approximately two-thirds of the sites made some statement \nabout their collection or use of information--for example ``your order \nwill be processed on our secure server\'\' or ``click here if you do not \nwant to receive email from us\'\'--while one-third made no statements \nabout privacy at all. The survey documented an increase in the number \nof Web sites collecting sensitive information such as credit card \nnumbers (up 20 percent), names (up 13.3 percent), and even Social \nSecurity Numbers (up 1.7 percent).\nB. A Closer Look at the Findings\n    The questions in the Georgetown Internet Privacy Policy Survey \nreflect a subset of Fair Information Practices. Regardless, the data \nprovides some useful information about the state of privacy practices \non the Web. The survey data suggests that one-third of Web sites are silent \non their use of personal information while two-thirds are taking steps \ntoward addressing users\' privacy concerns. The policies being posted on \nthe Web are far from complete. Less than 10 percent met the test \nestablished by the Federal Trade Commission--a sub-set of Fair \nInformation Practice principles.\n    <bullet> Privacy policies are the exception, not the rule, on the \nInternet. 
Less than 10 percent of Web sites are meeting the standards \ncalled for by the FTC and required by seal programs.\n    <bullet> While data is not available, based on the GIPPS survey we \nbelieve that few Web sites are adhering to the full set of Fair \nInformation Practices.\n    <bullet> A small portion of Web sites participate in self-\nregulatory enforcement programs. According to CDT\'s analysis, only 8.5 \npercent of the sites surveyed (and a much smaller percentage of all \nsites on the World Wide Web) participate in one of the independent \nassessment programs discussed below.\n    <bullet> Roughly half of Web sites surveyed are providing visitors \nwith some information about how personal information is collected, \nused, or disclosed.\n    <bullet> A third of Web sites are not providing individuals with \nany information about how personal data is handled.\n    <bullet> Approximately a third of Web sites surveyed are telling \nvisitors about their use (or not) of cookies.\n    <bullet> Nearly 60 percent of Web sites that collect information \nare providing individuals the limited ability to object to its use for \nre-contacting.\n    <bullet> However, no data is available about the number of Web \nsites that allow individuals to limit other uses of their personal \ninformation.\n    <bullet> Approximately 50 percent of Web sites that collect \ninformation allow individuals to limit its disclosure to third parties.\n    <bullet> However, no survey data is available on whether Web sites \nallow individuals to limit disclosure to affiliates--a growing concern \nin the privacy arena.\n    <bullet> Forty-five percent of Web sites inform consumers that \ntheir information is secure during transmission. But a smaller 18 \npercent provide security assurances for information once it is \ncollected.\n\n          IV. 
PRIVACY SEAL PROGRAMS--OVERSIGHT AND ENFORCEMENT\n\n    One proposal for overseeing and enforcing privacy practices in the \nprivate sector is the use of Seal programs. Generally, the programs \nemphasize providing consumers with: (1) notice of a company\'s \npractices; (2) the ability to opt-out of information sharing; and (3) \nassurance that appropriate security is used to protect their personal \ninformation. The programs center on a contract between the seal program \nand the licensed seal holder. The seal is issued in exchange for the \ncompany\'s agreement to abide by a specific set of standards for \nhandling personal information and to permit some form of oversight of \nthe agreement. All use the threat of seal revocation and, in certain \ncases, referral to appropriate legal authorities to assure compliance.\n\nA. Overview\n    CDT examined three seal programs: BBBOnline; TRUSTe; and, WebTrust. \nAs of January 1, 2000, all of the seal programs will require licensees \nto comply with a similar subset of fair information principles. \nHowever, at the current time, the quality of privacy practices required \nof seal holders by the three programs varies substantially. Because two \nof the seal programs (TRUSTe and WebTrust) are in the process of \nraising their standards, a consumer cannot tell by the seal exactly \nwhat protections are offered. This undermines the simplicity the seals \nare supposed to provide.\n    <bullet> The BBBOnLine seal relies on its well-recognized name and \nin-house dispute processes. The core of the BBBOnline program is a \nstatement of compliance completed by companies and then reviewed by \nBBBOnline staff. BBBOnline staff initially handles disputes. If \nunsuccessful, the staff convenes a quasi-independent panel to hear the \ncomplaint, the findings of which are made public. Remedies for harmed \nconsumers are decided on a case-by-case basis, but consumers cannot \nreceive monetary damages. 
BBBOnLine currently has 48 licensees and more \nthan 400 applications are in process.\n    <bullet> TRUSTe has recently revised its license agreement. \nCurrently, consumers cannot tell by looking at the posted seal which \nstandard a company is abiding by, creating the potential for consumer \nconfusion. Licenses run a range between what is called the TRUSTe 3.0 \nagreement, through a set of 4.0 agreements to TRUSTe 5.0. The TRUSTe \n3.0 agreement assures users of little more than the fact that companies \nare notifying consumers of their practices. By October 1999, all of the \n3.0 agreements will expire, but until January 1, 2000, when all TRUSTe \nlicensees will be adhering to the higher (5.0) set of information \npractices, a TRUSTe seal could mean anything in between the 3.0 and 5.0 \nagreement. TRUSTe requires licensees to complete a self-certification \nstatement that is reviewed by TRUSTe staff. To check compliance, TRUSTe \nseeds Web sites with personal information, conducts random spot checks \nof its licensees, and conducts independent audits in some instances. \nTRUSTe staff generally handles consumer complaints. There is no program \nfor directly addressing the interests of aggrieved consumers. TRUSTe \ncurrently has 830 licensees and is receiving more than 100 applications \na month.\n    <bullet> WebTrust is in the process of revising its license \nagreement. Currently, the license emphasizes the security of the \ninformation practices and not privacy. By December 15, 1999, all \nlicensees will be adhering to a higher set of fair information \npractice. In addition to requiring a self-assessment by companies, \nWebTrust requires companies\' policies and practices to be continually \nverified through on site audits by CPAs. An independent arbitration \nboard handles disputes. The arbiter is free to award consumers with \nwhatever remedies are considered appropriate, including money. WebTrust \nhas awarded 22 seals and at least 40 more are in process. 
150 CPA firms \nworldwide are able to award seals.\n\n[GRAPHIC] [TIFF OMITTED] T1813.002\n\n[GRAPHIC] [TIFF OMITTED] T1813.003\n\n[GRAPHIC] [TIFF OMITTED] T1813.004\n\n[GRAPHIC] [TIFF OMITTED] T1813.005\n\n[GRAPHIC] [TIFF OMITTED] T1813.006\n\nB. Do the Seal programs ensure compliance with Fair Information \n        Practices? Can individuals enforce their privacy rights?\n    While the Seal programs\' standards are, according to the GIPPS, \nhigher than the current practices at the vast majority of Web sites, \nthey fall short of meeting the Fair Information Practice Principles. As \nstated above, enforcement program participants make up only a small \nportion of the Web sites online. And even if a site is a member of a \nseal program, consumers should be wary--for today understanding what a \nseal means requires reading the fine print. Two sites with the same \nseal could have vastly different policies. While the seal programs will \neach have a single standard for companies to meet by January 2000, \ntoday it is clearly wise to be cautious. Even with standardized \nrequirements consumers will have to read the small print to find out \nthe practices of a specific site and exactly what rights they may or \nmay not have.\n    In addition, as a recent complaint against Microsoft filed with \nTRUSTe illustrated, the scope of the self-regulatory enforcement \nprograms is narrow. They only have the ability to monitor and enforce \nprivacy practices on the company\'s Web site. Where a consumer has an \nonline, but not Web site based, privacy complaint or an offline privacy \ncomplaint, the seal programs are unable to address them.\n    The threat of seal revocation is likely to encourage participants \nto more actively monitor their own behavior to ensure compliance; \nhowever, seal revocation does not provide the individual who is harmed \nwith relief. 
At this time it is unclear whether the private sector \nmechanisms for addressing consumer complaints and handling disputes \nwill provide individuals with an effective method of protecting their \nprivacy.\n    Overall, the Seal programs have raised the bar in the private \nsector by establishing stronger--but still short of complete--practices \nfor handling personal information. However, they fall short of meeting \nthe Fair Information Practice Standards and responding to consumers\' \nconcerns. Today the three programs have enrolled a total of 900 Web \nsites--a very small slice of the hundreds of thousand commercial sites \non the World Wide Web.\n\n                   V. CONCLUSIONS AND RECOMMENDATIONS\n\n    Whether the measuring tool is the policies of the Online Privacy \nAlliance, the seal programs, the FTC\'s pared down version of the Code \nof Fair Information Practices, or the full Code of Fair Information \nPractices--privacy practices at the vast majority of commercial Web \nsites are not making the mark.\n    The survey data above documented specific concerns of individuals \nusing the Internet. In analyzing the state of privacy practices on the \nWeb, it appears that consumers\' concerns are receiving an incomplete \nresponse from Web sites. Eighty-seven percent of individuals stated a \nconcern with their privacy online--but a third of highly trafficked Web \nsites remain completely silent on how they handle personal information. \n91 percent of Internet users, and (96 percent) of those engaged in \necommerce want to know what personal information is collected and \nused--but less than 50 percent of frequently trafficked Web sites \nprovide individuals with this information. An overwhelming majority of \nindividuals want to decide how their information is used--but 40 \npercent of business Web sites are not allowing individuals to exercise \neven a limited right to object to companies recontacting them. 
74.3 \npercent of Internet users believe that content providers (Web sites) do \nnot have the right to resell their personal information--but of the 53 \npercent of highly trafficked Web sites that say they share or sell \npersonal information less than 50 percent allow consumers to opt-out of \nthis practice. Individuals are concerned about their use of the World \nWide Web being tracked and profiled--but only 31 percent of these high \ntraffic Web sites informed individuals about their use (or non-use) of \ncookies. Consumers are not being provided with adequate information \nabout the use of personal information and they are not being provided \nwith the ability to determine for themselves how their personal \ninformation is used.\n    The seal programs have improved their requirements; however, they \ntoo fall short of the Code of Fair Information Practices. And together \ntheir reach continues to be quite small--covering approximately 900 Web \nsites. It remains unlikely that the ``bad actors\'\' will participate in \nself-regulatory programs. A ubiquitous oversight and enforcement \nprogram has not emerged.\n    In light of these statistics on the behavior of highly trafficked \nWeb sites, consumers have good reason to be concerned for their privacy \nonline. Thanks to the actions of leading companies, privacy and \nconsumer advocates, and various parts of the government, some progress \nis evident on all fronts. However, ubiquitous and enforceable privacy \nprotections across the World Wide Web have not materialized. We \ncontinue to believe that legislation is both necessary and inevitable \nto make individual privacy on the Internet the rule rather than the \nexception. We believe that the GIPPS survey data indicates that many \nWeb sites need some baseline policy guidance. The relatively low \nparticipation in self-enforcement programs indicates that, on their \nown, they will not be a viable option for the vast majority of individuals \nwith privacy complaints. 
If we fail to create a privacy framework that \naddresses individuals\' privacy concerns we stand to undermine its \nenormous potential to support a vital online community and marketplace.\n\n                                <all>\n</pre></body></html>\n'