[Senate Hearing 107-1151]
[From the U.S. Government Publishing Office]
S. Hrg. 107-1151
NEED FOR INTERNET PRIVACY LEGISLATION
=======================================================================
HEARING
before the
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED SEVENTH CONGRESS
FIRST SESSION
__________
JULY 11, 2001
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON: 2006
88-997 PDF
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED SEVENTH CONGRESS
FIRST SESSION
ERNEST F. HOLLINGS, South Carolina, Chairman
DANIEL K. INOUYE, Hawaii
JOHN D. ROCKEFELLER IV, West Virginia
JOHN F. KERRY, Massachusetts
JOHN B. BREAUX, Louisiana
BYRON L. DORGAN, North Dakota
RON WYDEN, Oregon
MAX CLELAND, Georgia
BARBARA BOXER, California
JOHN EDWARDS, North Carolina
JEAN CARNAHAN, Missouri
BILL NELSON, Florida
JOHN McCAIN, Arizona
TED STEVENS, Alaska
CONRAD BURNS, Montana
TRENT LOTT, Mississippi
KAY BAILEY HUTCHISON, Texas
OLYMPIA J. SNOWE, Maine
SAM BROWNBACK, Kansas
GORDON SMITH, Oregon
PETER FITZGERALD, Illinois
JOHN ENSIGN, Nevada
GEORGE ALLEN, Virginia
Kevin D. Kayes, Democratic Staff Director
Moses Boyd, Democratic Chief Counsel
Mark Buse, Republican Staff Director
Jeanne Bumpus, Republican General Counsel
CONTENTS
----------
Hearing held on July 11, 2001
Statement of Senator Allen
Statement of Senator Boxer
    Prepared statement
Statement of Senator Burns
    Prepared statement
Statement of Senator Carnahan
Statement of Senator Cleland
Statement of Senator Edwards
Statement of Senator Ensign
Statement of Senator Hollings
    Prepared statement
    Article, dated July 9, 2001, entitled, Confusing Privacy
    Notices Leave Consumers Exposed, from USA Today
Statement of Senator Inouye
    Prepared statement
Statement of Senator Kerry
Statement of Senator McCain
Statement of Senator Nelson
Statement of Senator Rockefeller
Statement of Senator Wyden
Witnesses
Brondmo, Hans Peter, Author, ``The Engaged Customer'' and
    Netcentives, Inc. Fellow
    Prepared statement
Cate, Fred H., Professor of Law, Indiana University School of Law
    Prepared statement
Catlett, Jason, President and CEO, Junkbusters Corp.
    Prepared statement
Misener, Paul, Vice President, Global Public Policy, Amazon.com
    Prepared statement
Rotenberg, Marc, Executive Director, Electronic Privacy
    Information Center
    Prepared statement
Rubinstein, Ira, Associate General Counsel, Electronic Commerce
    Policy, Microsoft Corporation
    Prepared statement
Schwartz, Paul M., Professor of Law, Brooklyn Law School
    Prepared statement
Seagraves, Les, Vice President and Chief Privacy Officer,
    EarthLink, Inc.
    Prepared statement
NEED FOR INTERNET PRIVACY LEGISLATION
----------
WEDNESDAY, JULY 11, 2001
U.S. Senate,
Committee on Commerce, Science, and Transportation
Washington, DC.
The Committee met at 9:30 a.m., in room SR-253, Russell
Senate Office Building, Hon. Ernest F. Hollings, Chairman of
the Committee, presiding.
OPENING STATEMENT OF HON. ERNEST F. HOLLINGS,
U.S. SENATOR FROM SOUTH CAROLINA
The Chairman. We will commence the hearing with regard to
Internet privacy, and I will file my statement. Let me
summarize, because we need a sense of history.
The Congress has been front and center over the years with
respect to protecting the people's privacy. We had the Federal
Wiretap Act of 1968, the Credit Reporting Act of 1970, the
Privacy Act of 1974; I authored the Cable Act of 1984 and heard
some of the same misgivings by industry at the time. It has
worked extremely well; the Video Privacy Protection Act of
1988; and of course, for what we are discussing for adults, we
have got the Children's Online Privacy Act of 1998, all working
extremely well. There is a question raised even again on Monday
about the Financial Services Privacy Provisions, as to their
effectiveness, in USA Today.
Otherwise, on the subject itself, the Federal Trade
Commission has been toying with it for over 5 years. We have
got listed here in our notes some nine hearings whereby they
finally concluded after trying all the voluntary approaches,
they recommended legislation. We now find a very interesting
report that just came out from the Schwab Capital Markets on
the Internet, and let me just quote this:
``We disagree with corporate claims that a technology-
neutral, selective opt-in mandate would likely make targeted
marketing products prohibitively expensive to deploy or reduce
the overall margins and profitability of advertisers. We also
disagree that opt-in consent would have a substantial
disruptive impact on the Internet in general. In our view, the
experience of online opt-in consent business models suggests
that the consumers can be enticed to provide personal and
nonpersonal information at relatively little cost to web sites.
We believe that the additional cost to entice people to opt in
are likely to be overshadowed by the increase in revenues.''
That is the best of the best business analysts. And,
finally, of course, we are sort of behind the curve in the
sense that the Europeans have moved forward with their safe
harbor provision, and some would say, ``Well, they haven't
enforced it''. It just got in in the last 2 years. We have got
12 of the 15 states now complying, but more than anything else,
those in the business think it is going to be enforced, so
they have filed and met compliance: Microsoft, Intel, Hewlett-
Packard. We can go right on down the list.
So while we are wondering whether it is wise to require of
American entities such as Microsoft, it is already being
required, complied with, and they are happy in Europe.
[The prepared statement of Senator Hollings follows:]
Prepared Statement of Hon. Ernest F. Hollings,
U.S. Senator from South Carolina
Well--to quote former President Reagan--here we go again. Today the
Commerce Committee will hold its first hearing on Internet privacy. It
is past time for action on this issue, and I intend to introduce and
report legislation to the full Senate before the end of this session.
Last year, after five years of diligent study, the Federal Trade
Commission recommended that Congress pass Internet privacy legislation
that reflects the time-honored fair information practices of notice,
consent, access, and security. This recommendation was particularly
credible in light of the FTC's record of extensive analysis on this
issue and its two prior recommendations to allow self-regulation a
chance to work. Where did self-regulation get us? Nowhere. As Business
Week stated last year, ``self regulation is a sham.''
According to former FTC chairman Robert Pitofsky, ``some sites bury
your rights in a long page of legal jargon so it's hard to find them and
hard to understand them once you find them. Self-regulation that
creates opt-out rights that cannot be found or understood is not really
an acceptable form of consumer protection.'' Look no further than your
mailbox to see that this is the case.
Pursuant to the Gramm-Leach-Bliley financial privacy rules,
Americans have been receiving literally billions of notices in the mail
alerting them that they can opt-out of the sharing of their personal
financial information by financial institutions with third parties.
These notices make a mockery of the claim that notice and opt-out
provides sufficient protection.
Let me quote from the cover letter accompanying one of these
notices:
``We recognize that privacy is a very sensitive and important
matter . . . [and] adhere to strict standards of security,
confidentiality, and privacy with regard to consumer
information . . . if you are comfortable with [our] handling of
information we collect, you do not need to take any action at
this time.''
That sounds pretty good, your information appears to be safe and
private. But the attached notice informs you that the company:
``Reserves the right to share all information we collect . .
. [including with] financial service providers, mortgage-
bankers-brokers, securities broker dealers, indirect loan
originators, correspondent lenders, transaction processors,
insurance agent/companies, . . . retailers, others, such as
non-profit organizations.''
Taken together, the cover letter and the attached notice are in direct
conflict and are deceptive. Quite clearly, this is concrete evidence of
why opt-out doesn't work. And, if it won't work when they mail you the
notice, it certainly won't work on the Internet when the notice is
buried behind a link at the bottom of a web page.
Clearly we need legislation that requires notice, affirmative
consent, reasonable access, and reasonable security to protect
individuals online. Such an approach would not represent, as industry
contends, a dangerous and unprecedented regulation of the Internet, but
rather, a logical extension of existing privacy laws to this new
medium. Congress has enacted numerous statutes to protect the privacy
of telephone customers, cable subscribers, video renters, and credit
card customers. The Internet should be no different.
Poll after poll indicates that the public wants this level of
protection. Advances in technology have provided information gatherers
the tools to seamlessly compile and enhance highly detailed personal
profiles and histories. Moreover, news reports regularly inform us of
privacy breaches of sensitive information on the Internet.
Last week, we learned that Eli Lilly inadvertently disclosed a list
of hundreds of customers suffering from depression, bulimia, and
obsessive compulsive disorder. Eli Lilly's response? An apology, and a
promise it won't happen again. A year ago, the New York Times reported
that 19 of the top 21 health sites on the Internet had privacy policies
but ``failed to live up to promises not to share information with third
parties.''
Obviously, fears about privacy are preventing the Internet from
reaching its full potential. Some studies indicate that as many as 20
percent of all Internet users give false information online to protect
their privacy. But there is a solution--privacy protection. Enacting
privacy legislation will enhance consumer confidence in the medium and
boost e-commerce. Forrester Research estimates that as much as $12
billion in online sales are lost annually due to concerns over privacy.
We can change that.
As for industry claims that opt-in kills the Internet, they are
just whistling Dixie. For example, a recent Arthur Andersen survey
reported that 74 percent of people will be happy to opt-in to share
their personal marketing information, if they believe they will receive
something in return.
Some forward thinking companies already know this. The New York
Times, Microsoft, Intel, Hewlett Packard, Expedia, Alta Vista, and
Earthlink all provide opt-in protection, reasonable access to personal
information that has been collected, and reasonable security for that
information. Moreover, I note that some of these companies, Microsoft,
Intel, Hewlett Packard, and one of the largest data collection
companies--Acxiom--have all signed on to the EU Safe Harbor, which
requires notice, opt-in for sensitive information, access and security.
If they can do it, we can legislate it--by establishing Federal
standards that codify these ``best practices.'' And, if we couple that
privacy protection with preemption, which I am always cautious about,
Congress can foster business certainty and consumer confidence and
allow the Internet to flourish.
I want to put to rest fears that somehow legislation will shackle
the Internet. The experts know that is not true. John Chambers of Cisco
Systems predicts that by 2010, a quarter of the world's global commerce
will be conducted on the Internet. And Forrester Research group
predicts that over $180 billion in online sales will occur by 2004. No
legislation could ever stop, stifle, or thwart this inevitable
progress.
I look forward to working with my colleagues on this committee to
craft legislation in this area. Last Congress, nearly a majority of the
Committee cosponsored legislation in this area. This year let's finish
the job.
The Chairman. Let me yield to my distinguished former
chairman.
STATEMENT OF HON. JOHN McCAIN,
U.S. SENATOR FROM ARIZONA
Senator McCain. Thank you very much for reminding me, Mr.
Chairman.
[Laughter.]
Senator McCain. I want to thank you, Mr. Chairman, for
holding this hearing. The advent of network computers and
developments like broadband television and wireless location
technology make it much easier for businesses to track and to
trade information about consumers' transactions, whereabouts,
and preferences. For all the benefits that consumers derive
from the customized services that this flow of information
provides, surveys continue to show that Americans are concerned
and should be concerned about their online privacy.
Last year, Members of Congress responded to these concerns
by introducing various bills to restrict online collection,
use, and disclosure of personal information. Three of these
bills were introduced by members of this very Committee and
referred here. While the bills were similar, they all addressed
the elements of the Fair Information Practices: notice; choice;
access; and security. They also differed considerably in what
they prescribed.
With respect to consumer choice, for example, the question
of whether the law should provide the consumer with either an
opt-out or opt-in default was and remains an issue. Opt-out
allows consumers' personal information to be used unless
otherwise indicated, as opposed to opt-in, which prohibits the
use of consumer information in the absence of affirmative
consent.
The difference is significant, considering that the vast
majority of consumers probably will not change a default
setting so that while consumers have choice under either
regime, one significantly reduces the availability of personal
information while the other does not.
The bills also differed on whether or not companies should
be required to give the consumer access to all of the
information gathered about them. Senator Kerry and I thought it
would be unwise to mandate this, because it would require that
separate pieces of information about an individual be gathered
for the sole purpose of allowing a consumer to review them, and
this would create a profile that might not otherwise be
created. Moreover, a requirement that would allow consumers to
access freely all data collected about them could compromise
security and provide unintended consequences.
We failed to resolve these differences last year. I hope we
can this year, Mr. Chairman. Since then, there have been
developments that will and should enter the debate over what
kind of legislation is needed. Following the Committee's
hearings on online privacy last session, the Internet economy
has continued to deflate, forcing companies to rethink their
business models, and perhaps change the ways in which they
collect and trade personal information.
The demise of some dot-coms bodes both well and poorly for
personal privacy. On the one hand, the spate of dot-com
bankruptcies and subsequent sale of customers' personally
identifiable information to pay creditors demonstrates that
this data is a real asset and one that may not always be used
in accordance with stated policies. On the other hand, with
investment capital no longer available to keep companies with
nonsensical or nonexistent business models afloat, companies
that are going to survive will need to compete more robustly
for customers, and customer-friendly privacy policies are a way
to do this.
The global implications of our information practices are
also becoming more evident. Within the past year, numerous
countries with whose businesses we routinely share personally
identifiable information have passed laws restricting the
handling of information about their citizens.
In November of last year, the Department of Commerce began
registering American companies for the safe harbor agreement
that it had negotiated with the European Union. The agreement
gives American companies that adhere to strict privacy
practices a measure of protection against enforcement of the
European Union's privacy directive for the company's handling
in Europe or elsewhere of information about EU residents.
Closer to home, since the Committee's last hearing on
online privacy, final regulations controlling the use and
disclosure of sensitive personal information regarding people's
health and finances have been adopted and gone into effect.
Some have charged that the restrictions are inadequate, and
others complain that they're too onerous. Reacting to the
characterization of the debate about privacy legislation as one
that pits businesses against consumers, a number of businesses
have, since last year, commissioned or published studies
purporting to show very significant costs, both to businesses
and to consumers, of restricting information flows.
Developments in the online industry self-regulatory regime,
spurred by threats of legislation and consumer concern, have
also occurred since last year. Some companies have revised
their information practices to provide better notice and choice
to consumers. Third-party advertisers, like DoubleClick, who
have in the past been perceived as the skunks in the privacy
debate, say they have made it easier for consumers to stop
these advertisers from tracking their movements online.
Companies have also developed a range of software tools
that protect privacy by anonymizing or encrypting information.
Later this year, Microsoft and, I am sure, other companies will
offer software that can electronically read a web site's
privacy policy and compare the policy to the user's preferences
regarding the placement of cookies.
In sum, these developments in foreign and domestic law as
well as industry self-regulatory practices, should be
considered as we debate the desirability of legislation to
regulate businesses handling personal information. I remain
convinced, Mr. Chairman, that a Federal law is needed.
I applaud the Chairman for continuing and commencing this
debate on this issue, and I look forward to hearing from our
witnesses. I am sorry, Mr. Chairman, for the unusually long
opening statement. This is a very, very important issue to all
Americans, and I am very proud of your leadership and continued
involvement in this issue. I thank you, Mr. Chairman.
The Chairman. I appreciate it, and we are looking forward
to working together and trying to get us a consensus built out
of the Committee.
Senator Inouye.
STATEMENT OF HON. DANIEL K. INOUYE,
U.S. SENATOR FROM HAWAII
Senator Inouye. Thank you very much, Mr. Chairman. I wish
to commend you for convening this hearing this morning on this
very important topic of Internet privacy.
Last year, I had the great privilege of co-sponsoring a
measure that was authored by our Chairman, Senator Hollings,
that I believe provided an excellent template for protecting
individuals online. This year, I hope we can report a similar
bill out of the Committee.
With that, Mr. Chairman, I ask that my full statement be
made part of the record.
The Chairman. It will be included.
[The prepared statement of Senator Inouye follows:]
Prepared Statement of Hon. Daniel K. Inouye, U.S. Senator from Hawaii
I am pleased the Senate Commerce Committee is holding this hearing
today on the important topic of Internet privacy. Last year, I
cosponsored legislation authored by our Chairman, Senator Hollings,
that provided an excellent template for protecting individuals online.
This year, I hope we can report a similar bill out of Committee.
The Internet is too vast and complex to leave privacy protection to
self-regulation. While many companies employ excellent practices, there
are thousands upon thousands of web sites with inadequate privacy
policies. Moreover, despite their best intentions, every incentive lies
with companies operating on the Internet to collect and profit from
individuals' personal information.
If individuals are willing to consent to such practices if they
believe they may receive something of value in return, that is one
thing. But most companies choose instead to set forth confusing, and
misleading privacy policies that only offer Internet users an
opportunity to ``opt-out'' of the collection and sale of their personal
information.
Often times these opt-out policies are hard to read, hard to
understand, and hard to find. To me that is not adequate consumer
protection. That is why I believe we need to set forth a strong Federal
standard--that is consistent with past laws on protecting privacy, for
example in the Cable Act. There, cable operators were required to get
prior consent (``opt-in'') from subscribers before sharing information
about individual subscriber viewing habits. This sensible rule has been
on the books for seventeen years and it seems logical as a framework
for use on the Internet. The Cable Act also requires that cable
operators give consumers a right to access information that has been
collected about them, and a right to seek damages in the event the law
has been violated.
The notion that such protections are somehow too regulatory is
somewhat curious to me. We have always put a priority on protecting
privacy. The Internet should be no different.
I commend the Chairman for holding this important hearing. I look
forward to our efforts in this area, and to the testimony of the
witnesses today. Thank you.
The Chairman. Senator Rockefeller.
Senator Rockefeller. I have no statement.
The Chairman. Thank you.
Then Senator Wyden.
STATEMENT OF HON. RON WYDEN,
U.S. SENATOR FROM OREGON
Senator Wyden. Thank you, Mr. Chairman. I will be brief. I
just wanted to make a couple of points. First, Mr. Chairman I
very much look forward under your leadership and working with
Senator McCain to producing a bipartisan bill. I think it is a
doable proposition. Senator McCain touched on the fact that a
variety of Committee members have legislation, but I think
under your leadership, we can put together a bipartisan bill.
It seems to me there are three or four key elements of
consensus that the Committee can work around. First of all, I
think it is clear that nobody on this Committee wants an Exxon
Valdez of privacy. I mean, we cannot afford a disaster that
would do enormous damage in terms of e-commerce and the private
sector.
Second, it seems to me that we all understand that people's
expectations in this field are very high, particularly as it
relates to their personal information, financial information
and health information. I don't think they want to put
businesses through bureaucratic water torture for what amounts
to, you know, paperwork exercises, but for their financial and
personal information, the expectations are very high.
The last point that I would make, Mr. Chairman, is that I
think perhaps the key challenge involved in trying to put
together a bipartisan bill here involves the private sector in
this country, and the question is really: Do they want one
standard to govern the privacy rules in this country, or do
they want 50? This involves the Federal and state relationship,
and it involves the question of whether the private sector is
going to have the U.S. Congress come in and in some way preempt
what the states and the various localities are doing.
My message to folks in the private sector is that if they
want some measure of preemption, they have got to support a
bill with meaningful privacy protection. There has got to be
meaningful privacy protection in order to have one standard
rather than 50, and I think Senator McCain made a key point
there. You have got to have those four elements of the Federal
Trade Commission report in order to get over the bar that
indicates you are for meaningful privacy protection, and I look
forward to working with you and our colleagues in getting it
done.
The Chairman. Thank you.
Senator Allen.
STATEMENT OF HON. GEORGE ALLEN,
U.S. SENATOR FROM VIRGINIA
Senator Allen. Thank you, Mr. Chairman, and thank you for
holding this hearing. This is an issue of concern to myself and
many others, and I do want to associate myself with the remarks
of Senator McCain and Senator Wyden. There are a lot of very
good ideas. I look forward to working with all members of this
Committee.
Senator McCain made a very good point on how the private
sector is addressing this in Microsoft's P3P. Senator Wyden
points out certain things that as we go forward with this, Mr.
Chairman, I believe that when you are talking about privacy,
there may need to be different levels of security based upon
whether this is privacy dealing with health or whether it is
finance, whether it may be consumer information.
I do think that if we go into this, we need to make sure
the regulations are reasonable, that they are not over-
burdensome as far as the Internet. The question and the results
will affect how we can have access to goods and services to
access for information to the education of our children, and
how we entertain our families.
I will be guided by, I think, two principles here. One is
that I believe that we should empower individuals, consumers,
to make sure that they have the information necessary to be
able to make a decision or a choice as to whether or not they
want to enter into a specific site or not, and second, I think
we need to encourage to the greatest extent possible reliable,
credible self-regulation.
Now, as far as the states are concerned, I am wondering
very much about the rights and prerogatives of the states. However,
this is clearly interstate commerce, and I think to have a
patchwork of liabilities and rules would make it very, very
difficult for business to know what rules and what liabilities
they will have, and I do think that we need to be guided by
certain principles, and they be nationwide in that regard.
I also feel, Mr. Chairman, that we talk about privacy, but
really this is an issue of security, and most people understand
that interacting in a society, you are going to have to share
information, whether it is on the Internet, whether it is
credit cards, whether it is writing checks, whether it is
answering a telephone call, whether having a telephone in your
home, having a car registered. There is information being
shared.
People are concerned about what happens to that information
when they voluntarily choose to reveal it, and I think that we
ought to make certain that the personal information that they
share is secure and will not be misused or abused.
So, Mr. Chairman, I thank you for bringing this very
contentious issue. I have been analyzing all the bills that
have been introduced before I became a member of the U.S.
Senate, and Senator McCain certainly had an outstanding bill,
from my perspective, last year. Senator Wyden also had--with
Senator Burns had outstanding bills, and maybe there is a way
we can come up with a bipartisan approach that empowers
individuals, makes sure they are informed, makes sure they have
the knowledge, but also trusts the private sector to the best
that they all can react to this need to come up with standards
that are credible and reliable.
So thank you, Mr. Chairman.
The Chairman. Thank you, Senator.
Senator Boxer.
STATEMENT OF HON. BARBARA BOXER,
U.S. SENATOR FROM CALIFORNIA
Senator Boxer. Mr. Chairman, I ask unanimous consent to
place my statement in the record. I will briefly, briefly
summarize.
The Chairman. It will be included.
Senator Boxer. First, let me also commend you for making
this a top priority. Senator McCain did, and I think it is so
necessary to clarify the nature of the problem we are trying to
solve, the degree of harm that consumers are suffering or might
suffer, and the appropriate response, the right response, to
that harm.
As a Senator from California, needless to say my deepest
hope is that we can, in fact, reach consensus. This would be a
tremendous thing, and I am really hopeful, given the nature of
the comments here today, that we can do that. You have a record
of doing that, and I certainly stand ready to do that. We want
to address the consumer concerns, and we also want to help the
Internet grow. We don't want to stand in the way of that. This
balance is crucial.
Last year, I did work with Senators McCain and Kerry on
their bill. I thought it was a balanced bill, but I stand ready
to see if there are ways we can make that bill better and
compromise and work with you, as long as we keep that basic
goal of that balance between protecting the consumer and
protecting the growth of the Internet, which I think is so key.
Let me just make one last point. I know the issue of
spamming is not part of this debate. We have other times to
look at the spamming question. But really in many ways, the
whole issue of spamming is a privacy issue. It is when you are
hit with those messages, so I trust that that also will move up
on the agenda as something very important.
And, again, I look forward to working with you, your staff,
and across party lines to reach a consensus on this.
The Chairman. OK. Good.
[The prepared statement of Senator Boxer follows:]
Prepared Statement of Hon. Barbara Boxer,
U.S. Senator from California
Mr. Chairman, thank you for calling this hearing on the
increasingly important issue of privacy on the Internet. It is my
understanding that this is only the first of a series of hearings we
will hold on this issue this year.
I commend you for making this issue a top priority. These hearings
are necessary to help clarify the nature of the problem we are trying
to solve, the degree of harm consumers are suffering or stand to
suffer, and the appropriate response to that harm.
I believe that with your leadership, we will be able to work
together on this committee to find a policy solution that will respond
to consumer concerns regarding their privacy on the Internet, and
simultaneously help the Internet grow in the process.
A number of us on this committee, including myself, have taken an
interest in passing legislation to protect privacy on the Internet.
Though we have some disagreement on how to achieve that goal, I believe
this and other hearings will help us air those areas of disagreement
and reach a consensus.
I look forward to this hearing and working with you and your staff
on this issue.
The Chairman. Senator Carnahan.
STATEMENT OF HON. JEAN CARNAHAN,
U.S. SENATOR FROM MISSOURI
Senator Carnahan. Thank you, Mr. Chairman. The issues
before this Committee today illustrate the profound impact that
the Internet is having on our lives. The Internet boom has
changed the way we communicate with others and the way we
receive information and the way in which we engage in commerce.
This innovation, however, is still in the growth phase, and I
do not think any of us can accurately predict how the Internet
will continue to change and develop, or what its future
applications might be.
As the Internet has grown, though, so too have the concerns
about the protection of personal privacy online. Such concerns
have led to a debate about whether we should address online
privacy through legislation, and if so, how that legislation
should be crafted. I think that a number of key factors ought
to be considered when assessing the need and the scope of
online privacy legislation.
Obviously understanding the nature of a user's concern will
be of paramount importance. I have seen survey data suggesting
that a majority of Internet users in the United States have at
least occasionally altered their online behavior because of
privacy concerns. It is difficult to discern, however, the
precise nature of Internet users' privacy concerns.
Are people worried primarily about identity theft? The
security of their credit card or other sensitive information?
Or are people uneasy about the collection of personal
information being used for marketing purposes? We will need to
identify exactly what causes Americans to alter their online
behavior in order to respond appropriately.
I am an active user of the Internet. I surf the web to get
my news and to conduct research and to shop, and I even
occasionally bid on an auction. It is extremely important to me
to know exactly what information a web site is collecting about
me and how they will use that information and to whom that
information will be disseminated.
When considering legislation, we must also determine how
our proposal will impact web sites and the companies who
operate them. We must ensure that we don't do anything that
would stifle future growth and innovation of the Internet, and
we must consider the impact that new technological advancements
may have on the dynamics of the issue.
P3P, for example, has the potential to allow users to
protect their own privacy by providing warnings about web sites
that do not fit their privacy preferences. Innovations such as
P3P may provide part of the solution to this problem. I believe
that eventually a workable balance will have to be struck; a
well-crafted legislative solution will set appropriate
guidelines for web operators, one that will assuage users'
concerns and ultimately lead to a more widespread use of the
Internet.
And, finally, I think that Government should lead the way
by example in terms of guaranteeing online privacy protections.
The Office of Management and Budget under President Clinton
issued privacy guidelines for all Federal agencies' web sites,
but this should just be the start of the Government's efforts.
I am working with state and local officials in my state in an
effort to ensure that Missouri is on the leading edge of
protecting the privacy of its citizens.
As we consider efforts to impose privacy guidelines on
commercial web sites, I think it is imperative that Government
demonstrate its commitment concurrently. Thank you, Mr.
Chairman.
The Chairman. Senator, you will find out what is collected
in the next campaign.
Senator Carnahan. I'm sorry?
The Chairman. I say, you will find out what they have
collected in the next campaign.
Senator Carnahan. Oh, yes, sir.
The Chairman. You said you wondered what.
Senator Ensign.
Senator Ensign. No.
The Chairman. Thank you.
Senator Nelson.
STATEMENT OF HON. BILL NELSON,
U.S. SENATOR FROM FLORIDA
Senator Nelson. Mr. Chairman, I just want to say what a
pleasure it is to be a new member of this Committee. I am
looking----
The Chairman. Delighted to have you.
Senator Nelson. I am looking forward very much to serving
under your leadership and Senator McCain's leadership, and this
is a great privilege for me.
The Chairman. Thank you very much.
Senator Rockefeller.
STATEMENT OF HON. JOHN D. ROCKEFELLER IV,
U.S. SENATOR FROM WEST VIRGINIA
Senator Rockefeller. Mr. Chairman, I hadn't planned on
speaking, but I wanted just to make two points. Number one,
there has been this very interesting sort of cross-relationship
of we want to protect privacy, but we don't want to do anything
to prevent Internet growth, and it strikes me that when you are
talking about jobs in the environment, you run into this kind
of thing.
I mean, people always say, ``Well, we can't protect jobs
and environment,'' and that is often the case and sometimes it
isn't. Sometimes it just isn't. Sometimes you have got to
decide you are going to go this way or you are going to go that
way. And it may be that this is one of those issues.
Some here have talked about--you know, I am very strongly
for privacy, but we can't have any Internet regulation; we have
got to let them do it themselves. I have to tell you that I
have a very smart legislative assistant who just went through
my recent computer stuff with Windows cookies, and, you know, I
am highly offended by what I have in front of me, which is
basically everything that I have looked at, not just including
what I have looked at, but also the advertisements that came on
while I was looking at something.
Now, it is all listed right here. This is just a few days, and
I don't like it, and it holds out to me the possibility of
being watched. Now, I consider myself reasonably--I use that
word carefully--reasonably sophisticated when it comes to the
use and knowledge about technology. I work on these things hard
as the Chairman knows. But I had no idea that I could get this.
I knew that there were cookies around and there were other
things around that could say where I was and what I was doing
and, you know, it is sort of like using a cell phone. The
advantage is nobody knows where you are calling from, and all
of a sudden this comes up and says, ``Well, they know exactly
where you are calling from, what you are going to do, what you
want''.
And I consider this mildly dangerous. During the course of
the questioning, I am going to be rather careful to ask people
why they think that we passed nine pieces of privacy
legislation. You mentioned a number of them, Mr. Chairman,
aimed at everything from telephones, credit cards, to children
over a number of years, and yet we allow this to go on, where
virtually anything--my life, my disposition, my nature, my
character, all of it is just sitting here for anybody to see
and, in fact, print out. So this is going to be an interesting
hearing.
The Chairman. And, in fact, sell.
Senator Rockefeller. And sell.
The Chairman. That is right. Very good. I think that is all
our colleagues, and we appreciate their attendance.
Mr. Marc Rotenberg, the Executive Director of Electronic
Privacy Information Center; Fred Cate of Indiana University
School of Law; and Dr. Paul Schwartz, professor of law at the
Brooklyn Law School, please come forward.
The Committee has received these statements, and they will
be included in the record in their entirety, but with the
attendance here this morning and the other important panel that
we have, we will ask that you try to summarize within 5 minutes
or a little bit more as best you can, and like I say, the full
statements will be included in the record.
Mr. Rotenberg.
STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC
PRIVACY INFORMATION CENTER
Mr. Rotenberg. Thank you very much, Mr. Chairman. I would
like to thank you and the other members of the Committee for
holding this hearing today. I think over the last few years,
there have been few Committees in Congress that have paid
closer attention to the privacy issue than the Senate Commerce
Committee, and I would like to thank you very much for your
continued work on this matter.
There are very few issues today also in the United States
where people seem to feel more strongly than on the matter of
personal privacy. In poll after poll, the public has made clear
that it is concerned about the loss of its privacy, and it
believes that it is appropriate and necessary for the
Government to act. This support is found across both political
parties, across all demographic groups.
One poll finds that 86 percent of Internet users favor opt-
in privacy policies. According to Business Week, three times as
many Americans favor government action on the privacy front
over industry self-regulation. And perhaps the most interesting
poll is the one recently released by the Gallup organization,
which found that not only 66 percent of Internet users believe
that the Federal Government should act, but support for privacy
legislation increased in proportion to the activity and
experience of Internet users.
In other words, the more people used the Internet, the more
they became dependent on the Internet for their business work,
for their private communications, for the type of information
sharing and exchange that has become increasingly common, the
more they felt it was appropriate to pass privacy legislation.
And in many ways, this is not surprising.
If you look at the tradition of the development of privacy
law in the United States, you will see, in fact, that Congress
has typically passed privacy legislation when new communication
services and new commercial environments have been created.
This was true in 1934 when privacy protection was established
for telephone service. It was true in 1984 when privacy
protection was established for cable service.
Legislation promotes public confidence and trust. It
rewards good business practice. It helps create new market
places and new economic opportunities where consumers are given
the assurance that their personal information will not be
misused.
I think the key question at this point, Mr. Chairman and
members of the Committee, is how to pass good privacy
legislation, how to get a bill done that will contain the key
elements that will make privacy workable in the online
environment. Now, in my statement, I have outlined what I
believe to be those key elements. I also publish a book that
contains U.S. privacy law, and I will briefly summarize what I
think is necessary to make privacy legislation work.
I think the key point, first of all, is that organizations
have to be open and accountable in the collection and use of
personal information. This is more than just having a privacy
policy. It is more than just telling people, This is what we
will do with your personal information. Individuals need to
have the ability to see that information, see how it is used
and with whom it is shared.
That's the approach that was taken, for example, not only
with credit reports, but interestingly also in the Cable Act of
1984, which says quite clearly that cable subscribers have the
right to ``access all personally identifiable information
regarding the subscriber collected and maintained by a cable
operator.'' That right of access is key to public confidence in
understanding how the personal information that they provide to
business will subsequently be used.
I think it is also important in a good privacy bill to have
a private right of action. This is the approach that was taken
not only in the Cable Act but in the Video Privacy Protection
Act and the Telephone Consumer Protection Act. Virtually every
privacy bill that has been done by the U.S. Congress gives
individuals the opportunity to receive a small award--we are
not talking about exorbitant fees here; we are talking about
$500 or $2,000--when they are able to establish that their
personal information was misused in violation of Federal law.
Now, on the critical issue of preemption--and I know this
is a difficult issue, because, of course, it is quite
attractive from the business side to say, ``How can we be
expected to comply with 50 different state standards''; that
seems to us an unreasonable burden, and I think we are
sensitive to that concern.
But I would like to make two points in response. First of
all, the tradition in this area, what has been done in the past
with Federal privacy legislation, is to create a baseline and
to allow the states to legislate upwards if they wish. This has
been done for two reasons: one, out of respect for our Federal
form of government, which allows the states to protect the
interests of their citizens if they so choose; also out of
recognition that states may be able to experiment in different
legislative approaches, come up with options that may not have
been developed in Washington or maybe not even by some of the
other states that turn out over time to be more effective.
Federal preemption would effectively prevent the states
from innovating in the privacy area, and I think this would be
a mistake. My other argument against Federal preemption
concerns the practical problems that consumers face today in
the online environment. It is true that in the absence of
Federal preemption, some businesses may face 50 different state
laws that they would have to comply with, but let's consider
now what consumers today on the Internet face when they surf
hundreds or possibly thousands of web sites in the course of a
few weeks or a few months.
Every one of those web sites could have a different privacy
policy, and every time a consumer goes from one web site to the
next, that person would effectively have to evaluate the
adequacy of that privacy protection. I think the goal in this
area has to be to establish fair and effective privacy
legislation. I think it will be good for consumers, good for
businesses, and I thank you again for the opportunity to appear
this morning.
The Chairman. Thank you very much.
[The prepared statement of Mr. Rotenberg follows:]
Prepared Statement of Marc Rotenberg, Executive Director,
Electronic Privacy Information Center
My name is Marc Rotenberg. I am Executive Director of the
Electronic Privacy Information Center (EPIC) in Washington. I have
taught the Law of Information Privacy at Georgetown University Law
Center since 1990. I am the editor of two books on privacy and have
participated in many of the public campaigns over the past decade to
safeguard privacy rights in the United States.
I'd like to thank the Committee for holding this hearing today and
also for the hearings that were held during the past Congress to
address public concerns about privacy. This is an enormously important
issue of interest to a great many Americans. Simply stated, there is a
widespread concern that in order to enjoy the benefits of information
technology we will be forced to sacrifice personal privacy. The central
challenge is how best to promote the benefits of new technology and to
preserve the right of privacy and personal autonomy.
I believe that there are two questions before the Committee today.
The first is whether legislation is necessary to protect privacy on the
Internet. The second, if you agree that legislation is appropriate, is
what are the key elements of a good privacy measure. I will focus my
remarks on these two issues.
1. The Need for Privacy Legislation
a. Legal Tradition
Legal tradition in the United States clearly shows that laws will
be established to safeguard the right of privacy when new electronic
services are provided. This was true in 1934 when the Congress adopted
provision 605 of the Communications Act to ensure the privacy of
communications sent by telephone and in 1999 when Congress passed the
Wireless Communications and Public Safety Act to safeguard the privacy
of location data in advanced network services.
With virtually every new technology that involved the collection of
personal consumer information--from Cable television and video rentals
to electronic mail and automated medical information--Congress has
passed laws to safeguard privacy. It has established clear
responsibilities for companies that collect personal information and
has created rights backed up with legal sanctions for individuals who
disclose information in the course of a commercial transaction.
These laws have promoted best business practices, promoted public
confidence, and limited the misuse of personal information in the new
electronic environments. In other words, these laws have encouraged
public adoption of new services to the benefit of both consumers and
businesses.
Some have said that there should not be different rules for the
online world and the offline world, but there are two answers to this
point. First, online commerce simply is different. Cookies, web bugs,
online profiling and Spyware are all uniquely associated with the
architecture of the interactive digital environment. Publishers in the
print and broadcast media simply do not have the ability to collect
personally identifiable information without the actual consent or
participation of their customers. A newspaper advertiser does not know
who was reading an ad.
But today with the Internet, advertisers do have the ability to
track individuals. Techniques are available to profile individual
preferences, oftentimes without the knowledge or consent of the
profiled person. It is because of the very specific capability of the
online environment to collect and record personal information that
legislation is appropriate. And it is consistent with the tradition of
US privacy law that such legislation be adopted.
b. Technology and Legislation Work Together
Key to the adoption of privacy legislation is that lawmaking and
technological innovation can work together. Groups, such as EPIC, that
favor privacy legislation have also worked to encourage the development
of technical standards that allow Internet users to safeguard their
data and protect their identity. One of the most popular features on
our web site is the Practical Privacy Tools page which allows Internet
users to surf anonymously, delete cookies, encrypt private messages,
erase files, and filter ads.
We recognize that there are a range of technical and legal
approaches that will help safeguard privacy. But we also believe that
in the absence of a statutory framework, a type of privacy survivalism
could easily result. Without consumer trust in new services, each
person will be forced to adopt elaborate defensive measures to protect
privacy in the most routine commercial transaction. Such an outcome
could not be beneficial for the long-term growth of electronic
commerce.
c. Public Opinion
There are very few issues today in which Americans have expressed a
clearer opinion than on the issue of privacy. In poll after poll, the
public has made clear that it is concerned about the loss of personal
privacy and that it believes it is appropriate and necessary for the
government to act. Large majorities are found in both political
parties.
According to the Pew Internet and American Life Project, 86% of
Internet users favor opt-in privacy policies. According to Business
Week, three times as many Americans believe the government should pass
laws now to safeguard online privacy as those who believe self-
regulation is sufficient. According to Forrester Research, 90% of
Americans want the ability to control the collection and use of their
data. The Pew survey also found that more than 90% of Internet users
thought companies should be punished when they violate their own
privacy policies.
In a recent Gallup Poll, 66% of email users said that the Federal
government should pass laws to protect citizens' privacy online. Most
remarkable is that the Gallup organization found that support for
legislation increased as the level of experience increased. Frequent
Internet users--those who spend 15 hours or more online each week--are
more likely to favor the passage of new laws (75%) than are infrequent
users (63%). This finding is contrary to some of the earlier industry-
funded polls that attempted to suggest support for legislation would
diminish as use of the Internet increased.
The message here is clear: experienced Internet users understand
the limitations of technical solutions and industry self-regulation.
They want legal control over their personal information.
d. Experience with Self-Regulation
The argument for legislation is also made clear by the failure of
self-regulation to safeguard online privacy and promote public
confidence in network services. Public concern about the loss of
privacy has grown almost in direct proportion to the self-regulatory
programs. In many respects, this is not surprising. These programs
encourage the posting of privacy notices, which have come to be called
privacy warning labels that provide little actual assurance of privacy
protection. If you go to a website and read a privacy policy, you will
see quickly that these policies simply state the many purposes to which
the information collected will be used. Few privacy policies make any
meaningful attempt to limit the use or disclosure of data obtained.
Technical problems are also arising with self-regulatory
initiatives. How do you provide a privacy notice to a person who tries
to access a web site from a cell phone, a commercial application that
may become increasingly popular in the years ahead? One solution now
under consideration is to create special symbols that could be viewed
on the cell phone display. Another privacy scheme sets out a confusing
array of privacy choices that will likely exclude many people from
commercial web sites where privacy rules could otherwise provide
uniform protection.
Problems with self-regulation can also be found in certain market
segments where industry has been left free to design its own privacy
policies rather than to rely on better established legal frameworks.
For example, the Network Advertising Initiative proposal sanctioned by
the FTC allows Internet advertisers to continue to profile Internet
users, based on only the availability of an opt-out opportunity. This
is contrary to the general approach in other areas which establish
legal obligations for those who create profiles on known individuals.
Even more surprising is that to exercise a right to opt-out of routine
tracking, Internet users must maintain on their computers a cookie from
the company that would otherwise track them!
e. Government Searches
Many who oppose legislation for online privacy say they want to
keep government off the Internet. But one practical consequence of
failing to pass privacy legislation is that without legislation there
is no protection for personal information held by third parties from
government searches. Government agents are free to go to Microsoft,
Yahoo, Amazon, or any company in possession of personal data without a
warrant and obtain the data on these companies' customers whether or
not it is directly relevant to a particular investigation. This is
contrary to the approach that has been established for other new
electronic services as well as the treatment of sensitive information
in the offline world. It also demonstrates the failure of self-
regulation: there is no procedure and no method of accountability when
data is disclosed to third parties through legal compulsion.
f. The International Dimension
The need for privacy legislation is demonstrated also by the
demands of global commerce which now allows consumers around the world
to buy and sell products online. This is a very promising development
but also raises substantial concerns about the protection of the
personal information that flows across the network. Many governments
have taken steps to develop privacy laws to safeguard consumer
interests.
Although the US has not yet adopted legislation that might be
considered adequate for purposes of the European Union Data Directive,
the Safe Harbor Arrangement does offer a possible intermediate step
that will provide some assurance of privacy protection for European
consumers doing business with US firms. Moreover, US firms have
realized that in adopting these standards for their relations with
customers in Europe, it is now sensible to provide similar protections
for customers in the United States.
Privacy legislation will help carry forward this process by
encouraging firms to adopt standards for privacy protection that will
be recognized in countries around the world. Establishing these privacy
rules for the online marketplace will be critical for the continued
growth of global commerce.
g. Emerging Challenges
Much of the privacy work of this Committee has focused on issues
associated with the Internet. But there are new challenges ahead. A
report from the Center for Digital Democracy makes clear that the
televisions in homes that allow us to look out on the world will
increasingly be looking back at us. Cameras in public places raise new
challenges for local communities. Even the tracking of rental cars by
GPS has provoked public concern.
I do not think Congress today can anticipate all of the new privacy
challenges that will arise. But the passage of legislation to protect
online privacy will carry forward an important tradition, strengthen
public confidence, and provide the basis for future legislative
efforts.
2. The Need for Good Internet Privacy Legislation
If the case is made for legislation to safeguard the rights of
Internet users, then the next question is how best to draft the bill.
Previous legislation enacted by Congress provides a blueprint for
legislation in this area. These laws reflect a reasoned consideration
of the key elements for privacy protection in a wide range of areas.
They have also helped enforce best practices within industry segments,
promote public confidence in new services, and minimize the risk that
information will be used improperly.
a. Openness and Accountability
The first requirement of a good privacy law is that organizations
are open about their data collection practices and accountable to those
whose information they gather. This is not simply a matter of posting a
notice or a privacy policy on a web site.
The most effective way to ensure openness and accountability is to
give the individual the right to inspect the data collected, ensure its
accuracy and understand its use. This principle goes back to the Privacy
Act of 1974 which grants every citizen the right to access and correct
records maintained by Federal agencies, 5 USC Sec. 552a(d)(1-4), and to
the Fair Credit Reporting Act of 1970 which gives consumers the right
to access their credit reports maintained by credit reporting agencies.
15 USC Sec. 1681g(a).
This approach has been carried forward in privacy legislation
developed for new electronic services. The privacy provisions in the
Cable Act of 1984, for example, establish the right for cable
subscribers to ``access all personally identifiable information
regarding the subscriber collected and maintained by a cable
operator.'' 47 USC Sec. 551(d). The Children's Online Privacy
Protection Act of 1999 allows parents to obtain records of information
collected on their children and request that certain information be
removed. 15 USC Sec. 6502(b)(1)(B)(i),(ii).
The right to access information about oneself held by others in the
context of a commercial relationship is one of the key elements of
effective consumer privacy legislation.
b. Meaningful Consent
Privacy law makes clear that consent must be meaningful and that
this often requires prior express consent. For example, the Video
Privacy Protection Act states that disclosure of personally
identifiable information, such as the title or description of tapes
rented, requires ``informed, written consent of the consumer given at
the time the disclosure is sought.'' 18 USC
Sec. 2710(b)(2)(B). The privacy provision in the Cable Act requires
``prior written or electronic consent'' before a cable operator may
collect any personally identifiable information that is not necessary
to provide the cable service or detect unauthorized interception of
cable communications. 47 USC Sec. 551.
One of the reasons that privacy advocates and experts favor the
opt-in approach is that it follows the common sense understanding of
consent. If you look up the dictionary definition for consent, you will
likely see ``permission,'' ``approval,'' or ``assent.'' All of these
terms imply an overt act, not a failure to act. This is the approach
typically followed in privacy statutes.
c. Private Right of Action
Privacy laws have also typically included a private right of action
that has empowered individuals and made it possible to hold accountable
those who misuse the personal information in their possession. In
crafting the liability provisions in privacy statutes, Congress has
wisely incorporated a liquidated damages provision that provides a
specific dollar figure for violations of the law. This is necessary
because it is often difficult to assign a specific economic value to
privacy harm.
The Cable Act, for example, allows for a civil action and the
recovery of actual damages not less than liquidated damages of $100 per
for violation or $1,000, whichever is higher. 47 USC Sec. 551(f). The
Video Privacy Protection Act specifies liquidated damages of $2,500. 18
USC Sec. 2710(c)(2). The Telephone Consumer Protection Act allows
individuals who receive unsolicited telemarketing calls to recover
actual monetary loss for such violation or up to $500 in damages. 47
USC Sec. 227(c)(5).
These awards are hardly exorbitant. But they do help ensure that
the rights established by Congress will be backed up with remedies. In
the absence of a private right of action, there is a very real risk
that there will be little incentive for companies to comply with
privacy standards.
d. Federal Baseline
Privacy laws enacted by Congress have typically not preempted state
privacy laws. This is partly out of respect for our Federal form of
government that grants states authority to safeguard the rights of
their citizens, and also out of recognition that states frequently
innovate in areas of emerging privacy protection. The bill to address
genetic privacy, for example, which has now received bipartisan
support, came about in part through a process of trial and error in
state legislatures. Similar experimentation in the best ways to address
video surveillance is currently underway.
In the Cable Act, states and franchising authorities may take
further steps to enact and enforce laws for the ``protection of
subscriber privacy.'' 47 USC Sec. 551(g). The Video Privacy Protection
Act will ``preempt only the provisions of State or local law that
requires disclosure'' otherwise prohibited by the section. 18 USC
Sec. 2710(f). Even the Telephone Consumer Protection Act left the state
Attorneys General free to bring actions under the Federal statute and
made clear that nothing in that law would ``prohibit an authorized
state official from proceeding in State court on the basis of alleged
violation of any general civil or criminal statute of such State.'' 47
USC Sec. 227(f)(6).
e. Cable Act as Model
Mr. Chairman, almost twenty years ago you introduced legislation to
safeguard the privacy rights of users of new interactive cable
services. Similar legislation was introduced at that time by Senator
Barry Goldwater and by Senator Howard Baker. There was no question at
that time that in the interactive environment associated with cable
television services in the early 1980s significant privacy issues would
arise. Customers would bank online, cast votes online, and express
their political opinions. Congress wisely established privacy rules to
safeguard the collection and use of personal information in that
emerging communications environment. The privacy provisions in the
Cable Act, although filling only a few pages, provide just about the
most extensive protection of privacy to be found in US law. 47 USC
Sec. 551. Under that law, every consumer in the United States who
subscribes to a cable television service receives certain basic privacy
rights.
Cable providers must provide written notice to subscribers of their
privacy rights at the time they first subscribe to the cable service
and, thereafter, at least once a year. These notices must specify the
kind of information that may be collected, how it will be used, to whom
and how often it may be disclosed, how long it will be stored, how a
subscriber may access this information and the liability imposed by the
Act on providers.
Subject to limited exceptions, the Act requires cable service
providers to obtain the prior written or electronic consent of the
cable subscriber before collecting or disclosing personally
identifiable information. The Act grants cable subscribers the right to
access the data collected about them and to correct any errors. It also
provides for the destruction of personally identifiable information if
that information is no longer necessary. There is a clear Fourth
Amendment standard that limits the circumstances under which government
may gain access to our private viewing records. Finally, the law sets
out a private right of action including actual and punitive damages,
attorney's fees and litigation costs for violations of any of its
provisions. State and local cable privacy laws are not preempted by the
Act.
The privacy provisions in the Cable Act of 1984 make clear that
Congress can pass sensible, workable and effective legislation for new
interactive environments. It has done so on a bipartisan basis and
those provisions have stood the test of time.
f. Consequences of Weak Legislation
It is conceivable that Congress would adopt a weak ``notice and
choice'' privacy law that provides few substantive rights, preempts
state law, and lacks a method of meaningful enforcement. Such a measure
would likely produce the backlash that has resulted from the weak
privacy provisions in the Financial Services Modernization Act. The
warning notices mandated by that law have simply raised public
awareness of the widespread sharing of personal information and the
difficulty in protecting privacy under the opt-out approach. This
approach fails to establish actual safeguards for personal data when it
is collected.
The better approach is the one favored by forward-looking
businesses and the one traditionally followed in privacy law: those who
wish to make use of personal information have the affirmative
responsibility to obtain meaningful consent, rights to access personal
information held by others should be established, and methods for
meaningful oversight should be established.
conclusion
Mr. Chairman, Members of the Committee, the time has come to make
clear that the right of privacy does not end where the Internet begins.
There is now the chance to establish law that will allow users to enjoy
the benefits of innovation and to preserve cherished values. We have
the opportunity to carry forward an American tradition that has marched
side by side with the advancement of new technology. But we may not
have this opportunity for long. In the absence of clear legal
standards, we could easily drift into a world of privacy notices and
warning labels, where every keystroke on your personal computer is
quietly recorded in the database of another computer, then to be merged
with data beyond your knowledge or control. In the absence of good
privacy legislation, that future seems likely.
Thank you for the opportunity to appear before the Committee. I
will be pleased to answer your questions.
The Chairman. Mr. Cate.
STATEMENT OF FRED H. CATE, PROFESSOR OF LAW,
INDIANA UNIVERSITY SCHOOL OF LAW
Mr. Cate. Thank you, Mr. Chairman, members of the
Committee. It is a privilege to appear, and I want to offer my
appreciation for your holding this hearing.
Given the limited time, I will address just a single issue,
and this issue is addressed in some greater detail in my
prepared statement, and that is the method by which consumer
choice is manifest and particularly the debate between opt-in
and opt-out that has occupied this Committee in the past and is
present in the bills that have been introduced to date.
The problem with the discussion of consumer control--and it
is in many ways a little dark secret that not many of us want
to talk about publicly--is that very few people read privacy
notices. In fact, very few people read any of the notices we
are presented with on the Internet. We click through them. We
accept the terms without reading them. For a number of reasons,
we do not encounter these notices, whether they are sent by
email or mail or other methods of communication.
In fact, the Post Office tells us that more than half of
mail sent in this country, unsolicited mail, is thrown away
without ever being opened. So when you put a privacy notice in
a letter and you mail it out in that form, half are going to be
thrown away before they are even seen, without ever being seen
by the consumer.
It is for this reason that we see very low opt-out rates in
this country, but it is also for this reason that we see very
low opt-in rates. The size of those rates, the fact that so few
people respond, reflects, in fact, very little about what their
choices are or how that choice is presented. It reflects
instead the fact that few of us want to make those decisions,
want to be bothered to make them, want to be interrupted when
browsing on the Internet to make them, and in fact, very few
people do make those decisions.
So the question for Congress, it would seem, is what to do
about online privacy in an environment in which people are most
likely to ignore and not act on the notices that will be
required or that are being voluntarily provided.
Under opt-out, when a consumer fails to respond, the
service can continue to be provided, the information can
continue to be used, and the consumer has the option, if he or
she wishes, if he or she is worried about privacy, to opt out
either then or at any time in the future.
Under opt-in, if the consumer either does not see the
notice or does not respond to it, then the service, if use of
the information is a condition of the service, cannot be
provided. The service is terminated at that point.
I found myself facing a good example of this this weekend
as I was downloading software from the Internet, and I was
presented not only with an intellectual property agreement,
which I did not read; I just clicked on ``Accept'', but then
for the first time in my experience, with a privacy agreement,
which I was forced to page through. I had to check on each
individual page that I had read it, and when I reached the end
of it, I clicked on ``I don't accept'', at which point the
installer closed, because my only choice at that point was to
accept or not to receive the service.
If you want your own practical experience for what this is
like, you might try setting your browser so that it will ask
before it accepts cookies. Most of the people who have tried
this--and this is often, I believe, testified to before this
and other Committees--find that after being interrupted 10 or
12 times asking, ``Will you accept a cookie?'', they set the
default to ``Accept all cookies.'' That is opt-in in its
clearest form, and it drives consumers to accept everything.
Interestingly, if you set your browser to say, ``No, I will
not accept cookies'', you are then driven off of many sites
which you might otherwise desire to use.
Now, this is dealing with opt-in and the situation in which
information is first being provided. We also must consider the
situation of subsequent use of information or use of that
information by a third party. Under opt-in, a notice must be
sent out, presumably by email or mail or telephone call. But,
again, we know historically a majority of those notices will be
ignored, and therefore, opt-in results in a de facto no-
information use rule with a dramatic effect on innovation, on
competition, on the ability to provide new services because of
the simple inability to even get the consumer to focus on the
choice.
Moreover, this is where the real cost to consumers--and
that is the only cost I am worried about today--that is where
the real cost to consumers is felt, by those multiple contacts,
by more email not less, by the increased price of services
because of having to include the cost of reaching the consumer
who is trying so hard not to be reached.
It is for this reason that opt-in, even though we think of
it as a consent mechanism, often creates only the illusion of
consent, not the reality, simply the appearance. We can all
feel better that we know consumers are having a chance to opt
in or not opt in, but in reality, consumers don't have that
chance, because they must opt in to get the service, the
information is necessary to provide the service, or because we
miss the notice altogether. We simply never have the
opportunity.
Now, the Chairman mentioned the situation in Europe
earlier, and I believe that this, what I have just testified
to, in fact, reflects what we see in Europe, which is very
little, in fact, virtually no enforcement of the opt-in
provisions, especially online. In fact, privacy scholar Amitai
Etzioni has written--and I quote:
``It seems that this EU directive is one of those laws that
is enacted to keep one group, privacy advocates and their
followers, happy, and as a rule is not enforced, so that
commerce and life can continue.''
A study this past January by Consumers International bears
out this result. After studying the most popular web sites in
the United States and Europe, the study found that although
they collected information at nearly comparable rates, U.S. web
sites provided better privacy protection despite having no
legal obligation to do so than European sites. In fact, the
authors of the study wrote--and, again, I quote: ``U.S.-based
sites tended to set the standard for decent privacy policies.''
Finally, let me just note in closing opt-in poses
significant First Amendment issues, precisely because of the
burden that it places on speech, on communication. The Supreme
Court has struck down many ordinances that would have required
affirmative consent before receiving door-to-door
solicitations, communist literature, even patently offensive
cable programming. It seems highly unlikely that the Court
would uphold the law requiring affirmative consent before
permitting the collection and use of basic and true personal
information. Thank you, Mr. Chairman.
[The prepared statement of Mr. Cate follows:]
Prepared Statement of Fred H. Cate, Professor of Law,
Indiana University School of Law
Mr. Chairman: My name is Fred Cate, and I am a professor of law and
director of the Information Law and Commerce Institute at the Indiana
University School of Law in Bloomington, and Global Information Policy
Advisor to the law firm of Hunton & Williams. For the past 12 years, I
have researched, written, and taught about information law issues
generally, and privacy law issues specifically. I directed the
Electronic Information Privacy and Commerce Study for the Brookings
Institution, served as a member of the Federal Trade Commission's
Advisory Committee on Online Access and Security, and currently am a
visiting fellow, addressing privacy issues, at the American Enterprise
Institute.
I appreciate the opportunity to testify today. I would like to take
advantage of the presence of my distinguished colleagues on this panel
and limit my testimony to two points: the ways in which requiring
consumer ``consent'' for information collection and use burdens
consumers and creates costs, and the extent to which requiring opt-in
exacerbates, rather than ameliorates, the harmful impact of many
privacy laws.
the transformation of privacy law
Historically, U.S. privacy law focused on two broad themes. The
first and most visible was preventing intrusion by the government. This
is the context of virtually all constitutional privacy rights, and it
reflects the reality that only the government exercises the power to
compel disclosure of information and to impose civil and criminal
penalties for noncompliance, and only the government collects and uses
information free from market competition and consumer preferences.
The second theme reflected in U.S. privacy law throughout the last
century was preventing uses of information that harm consumers. When
privacy laws did address private-sector behavior, they were designed
to prevent specific, identified harms. So, for example, the common law
privacy torts of intrusion, public disclosure, and false light privacy
all require that the conduct complained of be ``highly offensive to a
reasonable person,'' \1\ and the information disclosed must either be
false\2\ or ``unreasonably place[] the other in a false light before
the public.'' \3\ Similarly, the Fair Credit Reporting Act, one of the
earliest privacy laws applicable to the private sector, focuses
primarily on correcting inaccuracies and assuring that credit
information is not used in ways likely to harm consumers.\4\
Increasingly, however, the dominant trend in recent and pending
privacy legislation is to invest consumers with near absolute control
over information in the marketplace--irrespective of whether the
information is, or could be, used to cause harm. Public officials and
privacy advocates argue that ``we must assure consumers that they have
full control over their personal information'' \5\ and that privacy is
``an issue that will not go away until every single American has the
right to control how their personal information is or isn't used.'' \6\
The National Association of Attorneys General's December 2000 draft
statement on Privacy Principles and Background sets forth as its core
principle: ``Put simply, consumers should have the right to know and
control what data is being collected about them and how it is being
used, whether it is offline or online.'' \7\ And virtually all of the
privacy bills pending before Congress reflect this goal: ``To
strengthen control by consumers'' and ``to provide greater individual
control.'' \8\
This dramatic expansion from focusing on information privacy only
in the contexts of government collection and harmful use, to regulating
all personal information in the marketplace, poses many issues. Two of
the most important involve the capacity and desire of most individuals
to exercise control over information about them, and the impact of the
legal means by which they seek to do so.
the limits of control
The problem is that most consumers, in practice, don't want to
exercise that control over the information we disclose and generate. We
don't want to take the time to make those decisions, we often lack the
knowledge or experience to understand the decisions we are being asked
to make, we rarely want to be held responsible for the consequences of
our decisions (especially since we seldom understand them), and, most
significantly, we consider the interruption of being asked a nuisance
and, as a result, we resent it. This is especially true on the
Internet, where speed and convenience are most highly valued.
In practice, consumers ignore virtually all privacy notices and
authorizations. The U.S. Post Office reports that 52 percent of
unsolicited mail in this country is discarded without ever being
read.\9\ This is especially true online. Unsolicited e-mail, even when
sent by a company with which the recipient has a relationship, is not
opened at about the same rate, privacy policies are widely ignored, and
pop-up screens with terms and conditions are simply clicked through
without ever being read. The chief privacy officer of Excite@Home told
a Federal Trade Commission workshop on profiling that the day after 60
Minutes featured his company in a segment on Internet privacy, only 100
out of 20 million unique visitors accessed that company's privacy
pages.\10\
All of the available data on consumers opting out or opting in
reflects this. Extensive experience with company-specific and industry-
wide opt-out lists, and the recent experience of financial services
companies providing opt-out opportunities in compliance with the
privacy provisions of the 1999 Gramm-Leach-Bliley Financial Services
Modernization Act, demonstrate that less than 10 percent of the U.S.
population ever opts out of a mailing list--often the figure is less
than 3 percent.\11\ Privacy advocates often point to these figures as
evidence that opt-out doesn't work. However, opt-in rates are virtually
identical if not lower. In fact, two major U.S. companies recently
tested the response rates to opt-in and opt-out, by sending e-mail
messages describing the same use of personal information to
statistically similar subsets of their respective customer bases. One
e-mail said that the information would be used unless the customer
opted out. The other said the information would not be used unless the
customer opted in. In both tests, the response rates were the same for
both sets of messages: customers did not respond to either.
the opt-out-opt-in comparison
The question then for Congress, as you consider the need for any
new online privacy legislation and the relative merits of opt-in and
opt-out, is what is the impact of any new law on consumers, especially
in light of consumers' tendency to fail to respond to privacy notices
of any form. Both opt-in and opt-out give consumers the same legal
control about how their information is used; under either system, it is
the customer alone who makes the final and binding determination about
data use. Therefore, the real focus of your inquiry must be on the
burdens and costs imposed by each system.
While I and others have written at length about these issues in
broad terms, I thought it would be most useful today to try to address
these questions in the most specific manner possible.
Let's assume that Congress passes a law requiring that Web site
operators provide a privacy notice and obtain some form of consent
before collecting, using, or disclosing personal information. What
would this mean in practice?
opt-out
If opt-out, then the notice would be provided--much like 88 percent
of commercial Web sites (100 percent of the busiest commercial Web
sites) already do voluntarily and have done for more than a year\12\--
in whatever form and including whatever terms Congress or Federal
regulators required. The notice would include information about opt-out
opportunities. That small percentage of the public who is acutely
privacy sensitive and today exercises opt-out opportunities whenever
presented, would continue to do so and, importantly, would for the
first time have the legal right to do so.
Most consumers, however, would continue to ignore both the notices
and the opt-out opportunities, precisely as they do today. And, as a
result of consumers not opting out, Web sites would be free to use
information for any purpose that was within the scope of the privacy
notice and that was not specifically prohibited by other laws.
Consumers would get the same service, benefits, opportunities, and
offers that depend on that information. This is presumably what those
consumers want, because if they did not, and if they felt sufficiently
strongly about it, they could exercise their opt-out right at any time.
Given the fast-changing nature of Internet services and
technologies, it is unlikely that any privacy notice would cover all
future uses of information. As new uses were developed, the Web site
would be required to provide some form of prominent notice on the Web
site or via e-mail (the precise details of how the notice must be
provided would likely be set by Federal regulators). That notice would
specify both a meaningful opportunity for consumers to opt out and a
sufficient amount of time for consumers to exercise their opt-out
rights, before engaging in the new use. Again, it is reasonable to
assume that most consumers would ignore the notice and the opt-out, but
they would nevertheless receive whatever benefits or opportunities
resulted from the use of their information. That is how online opt-out
would work.
opt-in
If Congress' new law required opt-in consent for data collection,
use, or transfer, the result would be quite different. Under opt-in,
Web sites could no longer provide their privacy notices as they
currently do or as they would under mandated opt-out, but instead would
have to force every consumer to see the notice in an effort to obtain
his or her consent to collect and use personal information. Presumably,
the same small percentage of consumers who already read notices and
worry about their privacy would continue to read privacy notices, but
now they would have to do nothing to block use of their information.
The substantial majority of other consumers who ignore privacy policies
would also likely continue to do so.
Assuming the information was necessary to provide the service (for
example, an address necessary to mail a book or airline ticket) or that
the Web site chose to condition service on the consumer opting in, then
the failure to opt in would mean no service. Both the minority of
consumers who act on privacy policies, and the majority of the rest of
us who simply ignore them, would be denied service. Our privacy would
be protected to be sure, but at the price of our not using the
Internet. Consumers can obtain this type of privacy protection today--
just by walking away from businesses whose privacy policies we disagree
with--without the intervention of Congress.
For a sense for what this would be like in practice, set your
browser to ask before accepting cookies. After you have been
interrupted 10 or 12 times asking for consent to record information
that is necessary to access the requested site, you will have a good
feeling for what opt-in is like. If you click ``No,'' you will be
blocked from the Web page, so while you may have the satisfaction of
being asked--again and again--you have no choice but to consent, unless
you want to seek service elsewhere. After having our Internet browsing
repeatedly interrupted by opt-in requests to which we must accede to
proceed, most Americans will be asking how to opt out of opt-in.
As new uses for the information were developed, the operator would
have to contact every consumer individually to ask him or her to opt in
to the proposed use of the information. When most consumers failed to
respond, presumably the Web site operator would try again and again to
gain consent, thus increasingly burdening the consumer with more
unsolicited e-mail, telephone calls, and/or mail, and increasing the
cost of providing the new service or product for which consent was
being sought.
We have some sense of what that cost and burden might amount to.
U.S. West, one of the few U.S. companies to test an opt-in system,
found that to obtain permission to use information about its customer's
calling patterns (e.g., volume of calls, time and duration of calls,
etc.) to market services to them required an average of 4.8 calls to
each customer household before the company reached an adult who even
could grant consent, and cost almost $30 per customer contacted.\13\
Some of those calls went unanswered, but others reached answering
machines, children, and other household members and visitors who were
ineligible to consent. Those individuals bore the burden resulting from
the practical fact that it is much harder for businesses to contact
consumers than for consumers to contact businesses--but this is
precisely what opt-in requires.
A 2000 Ernst & Young study of financial institutions representing
30 percent of financial services industry revenues, found that
financial services companies would send out three to six times more
direct marketing material if they could not use shared personal
information to target their mailings, at an additional cost of about $1
billion per year.\14\ The study concluded that the total annual cost to
consumers of opt-in's restriction on existing information flows--
precisely because of the difficulty of reaching customers--was $17
billion for the companies studied, or $56 billion if extrapolated to
include the customers of all financial institutions. And those figures
do not include the costs resulting from restricting information-flows
to reduce fraud, increase the availability and lower the cost of
credit, provide co-branded credit cards and nationwide automated teller
machine networks, develop future innovative services and products.\15\
The reason for this greater cost is easy to see. Under opt-out, a
business wishing to use information about consumers can inform all
potential consumers at once--through policies posted on Web sites,
disclosures mailed to customer addresses, and other efficient, cost-
effective forms of communications. The business doesn't even have to
know specifically with whom it is attempting to communicate.
Consumers who object to a proposed use of personal information can
prevent it by contacting the business via a toll-free telephone number,
Web site, or pre-addressed response card. The communication can take
place at virtually anytime--and therefore at the consumer's
convenience--and the response mechanism can serve other business
purposes. For example, the 800-number can reach a customer service
center that is staffed to answer a variety of customer questions and
provide access to customer account information. The Web site can
provide a wide range of information and services, in addition to the
opportunity to opt-out.
The comparative ease of communicating the privacy notice to the
consumer, the flexibility of the customer being able to opt-out at his
or her convenience, and the ability to spread the cost of handling
``opt-outs'' using systems that serve other functions does not mean
that opt-out is without cost, but it does help to reduce those costs--
both to consumers and businesses--significantly.
Moreover, the burden on consumers is multiplied by the fact that
all of these contacts are just to obtain permission to examine data
about customers to determine their eligibility for a product or service
offering. For those individuals who are eligible, a second round of
contacts is necessary to actually make them the offer. It is difficult
to imagine that this opt-in system will be perceived by consumers as
anything more than an annoyance. U.S. West's customers displayed their
annoyance at the intrusiveness required by opt-in. Only 28 percent
opted-in when they were interrupted with a call seeking consent, but 72
percent opted-in when the opportunity to consent was presented to the
customer at the conclusion of a call that the customer initiated.\16\
Of course, this annoyance will be even greater for those people who
do not qualify for the offer. For example, in the case of U.S. West,
the telephone company was asking existing customers for permission to
examine information about their calling patterns to determine their
eligibility for new service plans and discounts. However, not all
customers who consented actually qualified for the new service or
discount. The burden and cost of contacting those customers who did not
qualify were wholly wasted.
Under opt-in, the Web site operator has to contact all customers
seeking their individual consent to examine data about them, even
though many or most may not qualify for the offer. Because opt-in
prevents businesses from using personal information to target their
consent requests, it not only results in extra contacts with the
consumers, but also exacerbates the burden of those contacts because
they cannot be tailored to reflect consumer interests.
These same issues are presented by efforts to attract new customers
by using personal information (such as their e-mail address) to contact
them. Today, if a company wishes to expand into a new geographic area
or product line, it may seek a list of potential customers from a third
party. Under opt-out, a third party is free to provide the company with
such a list, provided that it excludes consumers who have already
opted-out of receiving such communications. The company can then use
the list to contact people with a special offer or introductory
discount. After receiving the offer, consumers are free to opt-out of
receiving future offers from that company. The only ``harm'' suffered
by the individual is receiving an offer in which he or she ultimately
was not interested.
Under opt-in, every person on that list will need to be contacted
for consent. The company cannot contact them, because it does not have
explicit consent to make such a use of their names or addresses. The
third party supplying the list is unlikely to bear the expense and
inconvenience of contacting every person on the list. The promise of
explicit consent in the opt-in requirement has resulted in nothing to
consent to at all.
Alternatively, depending upon the specific requirements of the opt-
in law, the new service provider may be allowed to contact potential
customers, but it will have to do so twice: once to gain consent to
make the second contact conveying the offer. Moreover, since most
requests for consent are ignored, the most likely effect of an opt-in
law is to prevent contacting potential customers entirely. This is why
Robert E. Litan, Director of the Economic Studies Program and Vice
President of The Brookings Institution, has written that switching from
an opt-out system to an opt-in system would ``raise barriers to entry
by smaller, and often more innovative, firms and organizations.'' \17\
opt-in and the illusion of consent
Because of the inherent difficulty of businesses contacting
consumers individually, many consumers may miss out on opportunities
that they would value, not because they chose not to receive them, but
because they never had the opportunity to choose. In one-third of
households called by U.S. West, for example, the company never reached
the customer, despite repeated attempts. Consequently, those customers
were denied the opportunity to receive information about new products
and services.\18\ This is a very practical example of the way in which
an opt-in system may only create the illusion of consent.
We have already seen the extent to which consumers ignore requests
for consent. Moreover, even when mail is actually read and the offer
appeals to the consumer, lethargy and the competing demands of busy
lives often conspire to ensure that no action is taken. Only 6-11
percent of customers in the U.S. West opt-in test responded to written
opt-in requests, even though more than four times that number--28
percent--indicated that they desired the service when called about it,
and, as noted, 72 percent ordered the service when asked during a phone
call that the customer initiated.\19\ This suggests that the issue
isn't privacy or the attractiveness of the request, but rather the
annoyance to consumers of being interrupted with requests for consent--
precisely what an opt-in law contemplates.
The opportunity to consent may also be illusory because the
business wishing to use the information has no affordable way of
reaching consumers individually. If the cost of obtaining consent is
too great to make the proposed use of information economically
feasible, then there will be nothing to which the consumer can consent.
If opt-in means that lists of potential customers are no longer
available from third parties, then, as we have seen, the promise of
explicit consent in the opt-in requirement will likely result in
nothing to consent to at all. Consider the example of AOL Time Warner.
As a startup company, AOL mailed free copies of its software to people
likely to be interested in Internet access. Prohibiting the fledgling
AOL access to information about consumer addresses and computer
ownership would have denied consumers information about an opportunity
that many of them obviously value, increased the volume of marketing
material that AOL would have been required to distribute, and
threatened the financial viability of a valuable, innovative service.
The opportunity for consent under an opt-in system may also be
illusory because of the difficulty of building new data systems, and
implementing new uses of data, one customer at a time. For example,
highly valued services, such as consolidated statements and customer
service, could not exist if consumers were given the choice about the
sharing of information about their accounts, because few businesses
could realistically provide both consolidated and nonconsolidated
services. To do so would require one customer service center manned by
one set of representatives using one information system for customers
who consented to information-sharing, and a panoply of other customer
service centers manned by teams of other representatives using a
variety of other information systems each covering only a single aspect
of a customer's account for those customers who did not consent. This
is an area where there is no room for consumer choice--opt-in or opt-
out: Service must either be provided on a consolidated basis for all
(which is the choice of most consumers) or for none (in which cases all
customers must endure the added cost and inconvenience of separate
statements and service centers).
Finally, as noted, the opportunity for consent is always illusory
if the service or product cannot or will not be provided without
personal information. I experienced a very practical example of this
just this past weekend. When downloading software, I was presented with
a pop-up privacy policy. I could not continue installing the software I
wanted without providing the information requested--the site needed to
know certain information about my system to know which software to send
and how to configure it--and without clicking on the ``I accept''
button. The presence of that policy was a small burden and annoyance,
but yielded no benefit. The opportunity to opt in meant nothing--was
wholly illusory--because consent was a condition of service. A law
requiring opt-in consent in that situation would have merely increased
the cost and burden of formally verifying and recording the consent
that I had already manifested by my behavior, to use information without
which the requested service could not have been provided.
The Lesson from Europe
A number of legislators and privacy advocates have argued that
since the use of personal information in Europe is conditioned on opt-
in consent, the burdens and costs of opt-in must not be as great as
research and experience have suggested. This argument is fundamentally
flawed, as we are learning.
While it is true that European nations are required under the
European Union data protection directive, which took effect in 1998, to
condition the collection, use, or transfer of personal information on
explicit opt-in consent,\20\ there is little evidence that any have, in
fact, done so. European data protection officials have repeatedly
pointed out the impossibility of doing so. Instead, Europe has used a
concept of ``implied explicit consent''--if individuals are told of the
intended data collection or use and do not object, then surely,
European data protection officials argue, they must have opted-in.
There is nothing to distinguish this from opt-out. Privacy scholar
Amitai Etzioni has noted that European citizens rarely, if ever, are
asked for explicit permission to use personal information about them.
In fact, he tells of regularly asking his European audiences if anyone
has ever been asked to opt-in. To date, Etzioni reports only one
positive response--from a man who was asked for opt-in consent by
Amazon.com, a U.S. company.\21\ ``It seems that this EU directive is
one of those laws that is enacted to keep one group--privacy advocates
and their followers--happy and, as a rule, is not enforced so that
commerce and life can continue.'' \22\
A January 2001 study by Consumers International bears out Etzioni's
conclusion. Consumers International examined the use and protection of
personal information on 751 retail, financial, health, and other
popular Web sites in the United States and Europe. The study found that
while U.S. and European Web sites collect personal information at
nearly comparable rates (66 percent in the United States; 63 percent in
Europe), U.S. sites provide better privacy protection, despite having
no specific legal obligation to do so, than European sites, which are
subject to comprehensive legal requirements:
Despite tight EU legislation in this area, researchers did
not find that sites based in the EU gave better information or
a higher degree of choice to their users than sites based in
the US. Indeed, US-based sites tended to set ``the standard for
decent privacy policies.'' \23\
Ironically, not only have more restrictive laws failed to provide a
higher standard of privacy protection, they have also failed to quell
consumer fears. Polls on consumer privacy concerns show nearly
identical results in the United States and Europe, despite wide
differences between laws. For example, Lou Harris & Associates found in
1999 that 80 percent of U.S. consumers and 79 percent of German
consumers surveyed agreed with the statement ``consumers have lost all
control over how personal information is collected and used by
companies.'' \24\ Similarly, 71 percent of the U.S. sample and 70
percent of the German sample agreed that ``it is impossible to
protect consumer privacy in the computer age.'' \25\ In fact, despite
the far greater legal protections for privacy available in Europe,
Americans (64 percent) were more likely than Germans (55 percent) or
British (58 percent) respondents to believe that businesses will handle
personal information in a ``proper and confidential way.'' \26\
However, Americans (29 percent) proved no more likely than Germans (28
percent) and only slightly more likely than the British (23 percent) to
say they personally have been a victim of what they felt was an
improper invasion of privacy by a business.\27\
Opt-In and the First Amendment
Opt-in also poses significant constitutional issues under the First
Amendment. The Supreme Court has struck down many ordinances that would
require affirmative consent before receiving door-to-door
solicitations,\28\ before receiving Communist literature,\29\ even
before receiving ``patently offensive'' cable programming.\30\ The
Court's opinion in the 1943 case of Martin v. Struthers--involving a
local ordinance that banned door-to-door solicitations without explicit
(opt-in) householder consent--is particularly apt:
Whether such visiting shall be permitted has in general been
deemed to depend upon the will of the individual master of each
household, and not upon the determination of the community. In
the instant case, the city of Struthers, Ohio, has attempted to
make this decision for all its inhabitants.\31\
The only Federal court to review a modern opt-in requirement
concluded that it violated the First Amendment. In 1999, the U.S. Court
of Appeals for the Tenth Circuit in U.S. West, Inc. v. Federal
Communications Commission, struck down the Commission's rules requiring
that telephone companies obtain explicit consent from their customers
before using data about those customers' calling patterns to market
products or services to them.\32\ The court found that the FCC's rules,
by limiting the use of personal information when communicating with
customers, restricted U.S. West's speech and therefore were subject to
First Amendment review. The court determined that under the First
Amendment, the rules were presumptively unconstitutional unless the FCC
could prove otherwise by demonstrating that the rules were necessary to
prevent a ``specific and significant harm'' on individuals, and that
the rules were `` `no more extensive than necessary to serve [the
stated] interests.' '' \33\
Although we may feel uncomfortable knowing that our personal
information is circulating in the world, we live in an open
society where information may usually pass freely. A general
level of discomfort from knowing that people can readily access
information about us does not necessarily rise to the level of
substantial State interest under Central Hudson [the test
applicable to commercial speech] for it is not based on an
identified harm.\34\
The court found that for the Commission to demonstrate that the
opt-in rules were sufficiently narrowly tailored, it must prove that
less restrictive opt-out rules would not offer sufficient privacy
protection:
Even assuming that telecommunications customers value the
privacy of [information about their use of the telephone], the
FCC record does not adequately show that an opt-out strategy
would not sufficiently protect customer privacy. The
respondents merely speculate that there are a substantial
number of individuals who feel strongly about their privacy,
yet would not bother to opt-out if given notice and the
opportunity to do so. Such speculation hardly reflects the
careful calculation of costs and benefits that our commercial
speech jurisprudence requires.\35\
The court found that the FCC had failed to show why more burdensome
opt-in rules were necessary, and therefore struck down the rules as
unconstitutional. The Supreme Court declined to review the case.\36\
The Tenth Circuit's opinion in U.S. West is particularly applicable
to the current debate over opt-out and opt-in because it reaffirms what
the Supreme Court had previously indicated: that opt-in is more
burdensome than opt-out, and that, as a result, for the government to
adopt opt-in rules, it must first demonstrate that opt-out is not
adequate.
Conclusion
The Role of Opt-In
Opt-in has its place. For example, Congress wisely required the
explicit consent of parents before Web sites collected information from
very young children.\37\ Information that is particularly sensitive or
particularly likely to be misused to harm the individual might also be
subjected to opt-in consent. And some companies online today
voluntarily use opt-in in settings where it is most easily managed
(such as online service providers, which by definition have contact
with their customers every time they log on) or where it is necessary
to ensure consumer confidence given the sensitivity of the relationship
and information (such as certain financial and health sites). But in
other settings, the higher costs imposed by a legally mandated opt-in
system are unwarranted.
This is especially true on the Internet where much of the
information disclosed is not sensitive or likely to be used to harm the
individual, but rather is a substitute for the very address information,
browsing and buying habits that store clerks and merchants have been
noting for years. Moreover, because the use of information is so
central to customer service and convenience online, and the very
attraction of the Internet is its speed and ease-of-use, opt-in as a
legal requirement seems peculiarly inappropriate in the context of the
Internet.
Opt-in is unlikely to enhance privacy protection, because consumers
asked to opt in prior to receiving service are likely to do so to
receive service and to avoid the annoyance of being asked again. (That
is why millions of us click ``I accept'' boxes without ever reading the
terms to which we are agreeing.) Consumers asked to opt in later to new
uses of information are in most settings unlikely to ever be aware of
the request. This suggests that simply conditioning the use of personal
information on specific consent is tantamount to either creating a hoop
that Web users must jump through to obtain access to the information
and services they desire, or, alternatively, to effectively prohibiting
outright many beneficial uses of information. In either case, opt-in
acts like a tax on online commerce, compelling all consumers to pay for
the heightened privacy concerns of a few, yet providing enhanced
privacy to no one.
The Role of the Government
The fact that opt-in laws do not appear generally appropriate or
necessary for protecting privacy on the Internet, does not mean that
there is no role for the government or for law in protecting privacy
online. Far from it.
Regulators and law enforcement officials should enforce existing
privacy laws vigorously, and legislators should ensure that they have
the resources to do so. This is especially important in the context of
the Internet, where disparate jurisdictions and laws can make enforcing
existing laws difficult for most consumers. I think it is especially
important for the government to help ensure that Web sites adhere to
the commitments that they make in their privacy policies--whether those
policies are voluntary or required by law--so that individuals who do
read those policies can rely on them with confidence.
The government should also help educate the public about privacy
and the tools available to every citizen to protect our own privacy.
Many privacy protections can only be used by individuals--no one else
can protect their privacy for them. This is especially true on Web
sites, a majority of which originate in countries outside of the United
States. The common sense steps and practical technologies that
individuals can employ to protect themselves offer better, more
effective protection than any law. Yet few individuals will recognize
the importance of their responsibility or have the knowledge to fulfill
it without education.
Finally, should Congress conclude that some form of new mandated
consent requirement is necessary, opt-out is the less burdensome
alternative and the one more likely to be effective. It allows people
who are most concerned about their privacy to act to protect it--using
the same legal right that they have with opt-in--without unduly
burdening the great majority of us who are unlikely to read or act on
privacy notices. You may wish to take steps to make privacy notices
more complete and clear, and opt-out more effective. I advise caution,
however, before substituting Congress' judgment for that of the market.
Remember, the Gramm-Leach-Bliley privacy notices that the press and
State legislatures are so busy criticizing, were largely written by
Federal regulators. Their complexity is precisely what we should expect
if we require those notices to comply with Federal regulations and
regard them as creating binding contracts. Before mandating such
notices online, I urge you to think carefully about whether there is
any certain way to do better, and whether the cost of doing so is
justified in light of the few consumers who will ever read them.
Thank you again for the opportunity to testify.
Endnotes
1. Restatement (Second) of Torts Sec. Sec. 652B, D-E (1976).
2. Philadelphia Newspaper, Inc. v. Hepps, 475 U.S. 767, 777 (1986).
3. Restatement, supra, Sec. 652E.
4. 15 U.S.C. Sec. 1681 b(a) (1999).
5. Enactment of the Children's Online Privacy Protection Act, 106th
Congress, 2d Session, 146 Cong. Rec. E616, May 2, 2000, statement of
Jay Inslee (D-Wash.) (emphasis added).
6. Democrats Hold News Conference on Financial Privacy, May 4, 2000
(statement of John LaFalce (D-N.Y.)) (emphasis added).
7. National Association of Attorneys General, supra at 7 (emphasis
added).
8. S. 30, 107th Cong. Sec. 2 (2001); H.R. 89, 107th Cong.
Sec. 2(b)(1) (2001); H.R. 347, 107th Cong. Sec. 2(b)(1)(A) (2001)
(emphasis added).
9. ``Briefs,'' Circulation Management, May 1999 (referring to the
U.S. Postal Service's Household Diary Study (1997)).
10. Federal Trade Commission, Workshop on The Information
Marketplace: Merging and Exchanging Consumer Data, Mar. 31, 2001
(comments of Ted Wham).
11. Less than 3 percent of the U.S. population takes advantage of
the Direct Marketing Association's Mail and Telephone Preference
Services. Financial Privacy, Hearings before the Subcomm. on Financial
Institutions and Consumer Credit of the Comm. on Banking and Financial
Services, House of Representatives, 106th Cong., 1st Sess. (July 20,
1999) (statement of Richard A. Barton) (available at
http://www.house.gov/banking/72099rba.htm). Financial institutions, retailers,
and other businesses report similar or lower figures for their opt-out
programs.
12. Federal Trade Commission, Privacy Online: Fair Information
Practices in the Electronic Marketplace--A Report to Congress at 11
(2000).
13. Brief for Petitioner and Interveners at 15-16, U.S. West, Inc.
v. Federal Communications Commission, 182 F.3d 1224, 1239 (10th Cir.
1999) (No. 98-9518), cert. denied 528 U.S. 1188 (2000).
14. Ernst & Young LLP, Customer Benefits from Current Information
Sharing by Financial Services Companies 16 (Dec. 2000).
15. Id.
16. U.S. West, Inc. v. Federal Communications Commission, 182 F.3d
1224, 1239 (10th Cir. 1999), cert. denied 528 U.S. 1188 (2000).
17. Robert E. Litan, Balancing Costs and Benefits of New Privacy
Mandates, in Lucien Rapp & Fred H. Cate, European and U.S. Perspectives
on Information Privacy (forthcoming).
18. Brief for Petitioner and Interveners at 15-16, U.S. West,
supra.
19. U.S. West, 182 F.3d at 1239.
20. Directive 95/46/EC of the European Parliament and of the
Council on the Protection of Individuals with Regard to the Processing
of Personal Data and on the Free Movement of Such Data art. 7 (Eur.
O.J. 95/L281).
21. Personal communication from Amitai Etzioni to the author (Feb.
21, 2001).
22. Amitai Etzioni, ``Protecting Privacy,'' Financial Times, April
9, 1999, at 18.
23. Consumers International, Privacy@net: An International
Comparative Study of Consumer Privacy on the Internet at 6 (2001)
(emphasis added).
24. IBM Multi-National Consumer Privacy Survey at 22 (1999).
25. Id.
26. Id.
27. Id. at 14.
28. Martin v. Struthers, 319 U.S. 141 (1943).
29. Lamont v. Postmaster General, 381 U.S. 301 (1965).
30. Denver Area Educational Telecommunications Consortium, Inc. v.
Federal Communications Commission, 518 U.S. 727 (1996).
31. Martin, 319 U.S. at 141.
32. U.S. West, 182 F.3d at 1235.
33. Id. at 1235 (quoting Rubin v. Coors Brewing Co., 514 U.S. 476,
486 (1995)).
34. U.S. West, 182 F.3d at 1235 (emphasis added).
35. Id. (emphasis added).
36. U.S. West Communications, Inc. v. Federal Communications
Commission, 528 U.S. 1188 (2000).
37. Children's Online Privacy Protection Act of 1998, Pub. L. No.
105-277, 112 Stat. 2681-728 (codified as amended at 15 U.S.C.
Sec. 6501-06 (1999)).
The Chairman. Thank you very much.
Just a moment, Dr. Schwartz. Senator Burns, our ranking
member on communications has to be at the Interior
Appropriations Subcommittee markup.
Senator Burns, you had a statement?
STATEMENT OF HON. CONRAD BURNS,
U.S. SENATOR FROM MONTANA
Senator Burns. Well, I have a statement, and I would ask
unanimous consent that that statement might be just entered in
the record, Mr. Chairman. I thank you for this courtesy. And,
of course, Senator Wyden and I will still be very much involved
in this issue with our bill, and we look forward to working
with you and the rest of the Committee as this legislation
moves forward. And I thank you for the courtesy.
The Chairman. Very much thank you.
[The prepared statement of Senator Burns follows:]
Prepared Statement of Hon. Conrad Burns, U.S. Senator from Montana
Thank you, Mr. Chairman. Today's hearing concerns a topic of
crucial importance in today's increasingly digital world: the
protection of online privacy.
To put it simply, Americans have no safety net of privacy online.
Ever-more sophisticated technologies are being developed to collect
nearly limitless information on individuals without their knowledge.
Consumers are clearly concerned at the ``flip side'' of the digital
revolution. Just yesterday, the Markle Foundation released a landmark
report on the ``State of the Net'' which revealed that nearly half of
the public viewed the Internet as a ``source of worry.'' Foremost among
their concerns is the lack of privacy on the Internet. A recent Gallup
poll found that nearly four-fifths of Americans were concerned about
the privacy of personal information they give out on the Internet.
Seven in ten online shoppers were concerned about the security of their
information. In addition, two-thirds of those polled called for Federal
legislation to protect their online privacy.
None of these striking numbers surprise me, as I continue to hear
from my constituents about the lack of privacy protections on the
Internet. I am more convinced than ever that legislation is necessary
to provide consumers with a safety net of privacy in the online world.
Online privacy is central to the future economic well-being of the
Internet. Despite the recent highly publicized flameouts of several
dot-com companies, e-commerce has continued to grow. However, the rate
of this growth is clearly being slowed by consumers' rising and
legitimate fears about privacy intrusion. Several studies pointed out
that the primary reason preventing more people from making purchases
online is the lack of privacy. While the Internet has exhibited massive
growth, currently less than 1 percent of all consumer retail spending
is done online. In short, e-commerce still has huge upside potential,
but that potential will never be fulfilled without basic assurances of
consumer privacy.
I would like to touch on the idea that merely posting privacy
policies somehow ensures actual privacy for users. Many of these
policies are frustrating exercises in legalese. It becomes obvious from
wading through examples of these policies that most were designed with
the goal of protecting companies from liability rather than informing
and empowering consumers. In today's hectic world, consumers simply
don't have either the time or the inclination to slog through confusing
policies that span multiple pages.
To address these concerns, in the 106th Congress, Senator Wyden and
I introduced the ``Online Privacy Protection Act,'' which was based on
our shared view that while self-regulation should be encouraged, we
need to also provide strong enforcement mechanisms to punish bad
actors.
I am open to working with the Chairman, Sen. Wyden and all of my
colleagues on the Committee to ensure that strong privacy legislation
moves to markup and passage by the full Senate as quickly as possible.
I look forward to the testimony of the witnesses. Thank you.
The Chairman. Dr. Schwartz.
STATEMENT OF PAUL M. SCHWARTZ, PROFESSOR OF LAW, BROOKLYN LAW
SCHOOL
Mr. Schwartz. Thank you. I am honored to be here today to
talk about Internet privacy with you.
Millions of Americans now engage in daily activities on the
Internet. Under current conditions, their behavior, our
behavior, creates detailed stores of personal data. The key
concept is that the Internet is an interactive
telecommunications system. In other words, computers attached
to it do not merely receive information but also transmit it.
Visits to the Internet create data trails.
What I would like to do today is briefly make three points.
First, I wish to address the EU data protection directive and
the U.S. Commerce Department's safe harbor agreement. Second, I
wish to talk about weaknesses in the current market for online
privacy. Third and finally, I wish to describe the nature of
the privacy harms to individuals in the online realm. Let me
begin.
The European data protection directive seeks to harmonize
privacy law in Europe at a high level. It also restricts
transfers of information to third-party nations that lack an
adequate level of protection. The response of the U.S. Commerce
Department has been to draft and negotiate EU approval of safe
harbor standards for privacy. And what does the safe harbor
provide? They provide the fair information practices that
Senator McCain alluded to in his opening statement: notice,
choice, access, security, and enforcement.
After a slow start for the safe harbor, more American
companies are signing up for it. Chairman Hollings in his
opening statement spoke of the number of leading information
age companies that have signed on to the safe harbor. In my
judgment, it speaks well for the business compatibility of the
safe harbor that companies such as Intel, Hewlett-Packard,
Acxiom Data and Microsoft have agreed to it.
The thing to remember, though, is that the EU directive is
there only to protect European citizens. It creates legal
obligations only for their information. The resulting gap in
protection leaves American citizens entitled under law only to
a lesser level of privacy protection.
Let me now turn to my second topic. In my view, we do not
have a well-functioning privacy market. What would a well-
functioning market require? It would require consumers who want
to sell or exchange their information to be able to bargain
over the terms under which they disclosed their personal data.
It would also require data processors, the buyers of
information, to offer different packages and prices for
personal information.
Currently, however, what we have on the Internet is a
Hobson's choice. Now, the original Hobson was an innkeeper in
England in the 17th Century. Hobson told his customers that
they were to take the horse closest to the stable door or they
would take no horse in the stable. That was the original
Hobson's choice. The Hobson's choice that we are now seeing is
either no privacy or no Internet, and I think this is exactly
what Senator Rockefeller pointed to when he talked about the
problems with cookies. It is, in fact, very, very difficult to
manage cookies.
Even beyond cookies, we have problems such as ``web bugs'',
also known as clear GIFs, and many other privacy meltdowns that
are only a click stream away. So the emerging Hobson's choice
for Americans on the Internet is to sacrifice either privacy or
access to the Internet.
I now reach my third and final point. Let me try to
describe a way of thinking about the kinds of harms that occur
to privacy on the Internet. In my judgment, we have both
economic and noneconomic harms. The first economic harm is a
distributional one. The failure in the privacy market involves
a distribution away from consumers who care about privacy and
toward data processing companies. In other words, we have a
subsidy to data processing companies. They are essentially
getting information, our information, at a below true market
rate.
The second problem is weblining. Weblining is an emerging
practice on the Internet which is similar to ``redlining'' in
the off-line world. Weblining creates segmenting in which it is
our data profiles that decide the price that we pay, the
services we obtain, and our access to new products and
information. The danger is that weblining will hinder the kind
of increased opportunity that access to information should
provide.
The third economic harm on the Internet is a deadweight
cost. Consumers are buying less or not buying at all because of
their worries about privacy. In a November 2000 report, the
Forrester Research Group found that such consumer concern led
U.S. companies to have $12.4 billion in lost sales in the year
2000 alone.
Finally, there are noneconomic harms. Cyberspace is not
only a place for shopping; it is our new arena for public and
private activities. Yet, as Professor Jerry Kang of UCLA Law
School has written of cyberspace, it is a place where you are
invisibly stamped with a bar code. In the absence of strong
privacy rules, Americans will hesitate to engage in cyberspace
activities, including those that are most likely to promote
community.
Allow me to conclude. It is my hope that the Senate
Commerce Committee will respond to the situation I have
described with introduction of strong consumer privacy
legislation. Thank you for the opportunity to testify.
[The prepared statement of Mr. Schwartz follows:]
Prepared Statement of Paul M. Schwartz, Professor of Law,
Brooklyn Law School
Mr. Chairman and Members of the Committee: My name is Paul
Schwartz, and I am a Professor of Law at Brooklyn Law School in
Brooklyn, New York. For over a decade, I have been writing and teaching
about privacy law and other areas of information law. My publications
about privacy law include two co-authored reports carried out at the
request of the Commission of the European Union. I have also taught
courses in areas such as privacy law, Internet law, telecommunications
law, and the ``Law of Electronic Democracy.''
Millions of Americans now engage in daily activities on the
Internet, and under current technical configurations, their behavior--
our behavior--creates detailed stores of personal data. The Internet is
an interactive telecommunications system, which means that computers
attached to it do not merely receive information but also transmit it.
Social, political and commercial life on the Internet creates a finely
grained data map of our interests, our beliefs, and our interpersonal
relationships. This personal information also has great commercial
value; it is no exaggeration to consider personal data to be the gold
currency of the Information Age.
It is, therefore, fitting that the Senate Commerce Committee is
examining Internet privacy. I am honored to be here today to share my
views regarding privacy law in cyberspace.
There are three topics that I wish to address: (1) the European
Data Protection Directive and the Safe Harbor Agreement; (2) the
weaknesses in the current ``market'' for online privacy (the problem of
``privacy market'' failure); and, finally, (3) the nature of the
privacy harms that individuals currently suffer in the online realm.
I. The European Data Protection Directive
The Member States of the European Union (E.U.) have enacted a Data
Protection Directive that seeks both to harmonize their national data
protection laws at a high level and to restrict transfers of personal
data to third-party nations that lack ``an adequate level of
protection.'' \1\ In cases where such adequate protection is not
present, the Directive provides exceptions that permit transfers if,
among other circumstances, the party receiving the data has agreed by
contract to provide adequate protection.\2\
These national and European-wide measures for information privacy
pose significant challenges to the free flow of personal data to the
United States. Whether or not a U.S. company has ``adequate'' measures
for information privacy requires examination of the protections
available for specific data, including the safeguards offered by law
and relevant business practices.\3\ As a general matter, the European
view regarding United States privacy law has been skeptical.\4\
In response to the E.U. Data Protection Directive, the U.S. Commerce
Department drafted and negotiated E.U. approval of ``Safe Harbor''
standards for privacy.\5\ The Commerce Department sought to bridge
differences in privacy approaches between the two countries and to
``provide a streamlined means for U.S. organizations to comply with the
Directive.'' \6\ As the Commerce Department states, ``The safe harbor--
approved by the EU in July of 2000--is an important way for U.S.
companies to avoid experiencing interruptions in their business
dealings with the EU or facing prosecution by European authorities
under European privacy laws.'' \7\ Under Ambassador David Aaron's
leadership, the Commerce Department also obtained E.U. agreement to
waive sanctions against any American companies that follow these
standards. American companies in the Safe Harbor are deemed to provide
``adequate protection'' for the personal data of Europeans.
What does the Safe Harbor provide? American companies that sign up
for it promise to provide a range of Fair Information Practices for the
personal information of Europeans. Fair Information Practices are the
building blocks of modern information privacy law; they are centered
around four key principles: (1) defined obligations that limit the use
of personal data; (2) transparent, that is open and understandable,
processing systems; (3) limited procedural and substantive rights; and
(4) external oversight.\8\ These principles are not a European
invention, but have been present in information privacy law and policy
in the U.S. since the era of mainframe computers in the 1970's.
After a slow start for the Safe Harbor, more American companies are
signing up for it. Perhaps the single most exciting development in the
last year in U.S. privacy law has been this new willingness of
corporate America to pledge allegiance to the most important Fair
Information Practices. Among the corporations now on the Safe Harbor
list are Intel, Hewlett Packard, and Acxiom Data. Moreover, Microsoft
has announced that it plans to sign on to the Safe Harbor agreement.
These are, of course, all leading Information Technology corporations,
and Acxiom is also a leading collector of personal data. Based in
Little Rock, Arkansas, Acxiom Data supplies data infrastructure and
technology services to help companies and organizations better
understand customer behavior. It speaks well for the business
compatibility of the Safe Harbor that these companies have agreed to
it.
Under the terms of the Safe Harbor, however, American companies
pledge to provide Fair Information Practices only for the personal data
of European citizens. The question then becomes: why should American
citizens be entitled under law only to a lesser level of privacy
protection?
II. Weakness in the Current Privacy Market
In this part of my testimony, I wish to consider the foundation
conditions for a functioning ``privacy market'' and to explore the
weaknesses in the existing market for personal information.
A well-functioning privacy market requires sellers (i.e. consumers)
to be able to bargain over the terms under which they will disclose
their personal data, and buyers (i.e. data processors) to offer
different packages and prices for this personal information. In such a
market, ``privacy price discrimination'' will emerge. Privacy price
discrimination involves a consumer seeking different packages of
services, products, and money in exchange for her personal data, and a
data processing company differentiating among consumers based both on
their varying preferences about the use of their personal data and the
underlying value of the information.
To illustrate this point, imagine two hypothetical consumers: Marc
and Katie. Marc cares deeply about how his personal information is
used; Katie does not. A surplus from cooperation under a property
regime requires at a minimum, however, that Marc and others with
similar preferences receive more than their ``threat value'' before
disclosure. The term ``threat value'' refers to the ``price'' that Marc
would place on not disclosing his personal information. Beyond
receiving the threat value, privacy price discrimination also requires
further elasticity in meeting more subtle privacy preferences of Marc.
Under the current regime, however, companies generally have no need to
offer Marc greater services or more money for his personal data than
they offer Katie.
The failure in the privacy market can be attributed to at least
four causes: (1) information asymmetries; (2) collective action
problems; (3) bounded rationality; and (4) limits on ``exit'' from
certain practices. We should briefly consider each of these four
shortcomings in the privacy market.
A. Information Asymmetries
The first weakness in the privacy market is that most visitors to
cyberspace lack essential knowledge of how their personal information
will be processed or how technology will affect data collection. Due to
this ``knowledge gap,'' development through a privacy marketplace of
rules for personal data use is likely to favor the entities with
superior knowledge--online industry rather than consumers. At present,
even relatively basic Internet privacy issues, such as ``cookies,'' are
met with widespread consumer ignorance.
Cookies are alphanumerical files that Web sites place on the hard
drives of their visitors' computers. Cookies are a ready source of
detailed information about personal online habits, but consumers
generally do not even know where cookie files are stored on their
computer. Beyond cookies, widespread information asymmetries involve
other aspects of the Internet's technical infrastructure. As a result,
``negotiations'' about the use of personal information occur with one
party, the consumer, generally unaware that bargaining is even taking
place!
B. The Collective Action Problem
The second difficulty in the Internet privacy market is a
collective action problem. The need is for individual privacy wishes to
be felt collectively in the market. The good news first: a group of
privacy-promoting organizations is emerging. Among these institutions
are: (1) industry organizations that support self-regulation by
drafting codes of conduct; (2) privacy seal organizations, such as
TRUSTe and BBBOnline; (3) ``infomediaries'' that represent consumers by
offering to exchange their data only with approved firms; (4) privacy
watchdog organizations that bring developing issues to public
attention; and (5) technical bodies, such as the World Wide Web
Consortium (W3C), engaged in drafting Internet transmission standards,
including the Platform for Privacy Preferences (P3P). P3P is a software
transmission protocol that seeks to allow the individual to control her
access to Web sites based on her privacy preferences and the practices
at a given site.
Despite these promising developments, most of us are not yet able
to free-ride successfully on the efforts of those who are more savvy
about data privacy on the Internet. As many experts have pointed out,
current collective solutions, such as industry self-regulation and
privacy seals, are flawed. As an example, the FTC's 2000 Study, Privacy
Online, points to the lack of effective enforcement in current models
of industry self-regulation and the confusing implementation of privacy
seal programs.\9\ For that matter, the existence of competing privacy
seal programs raises the risk of forum shopping by Web sites that are
hoping for weaker enforcement from one seal service rather than the
other.
C. Bounded Rationality
The third difficulty with the privacy market is ``bounded
rationality,'' a concept developed by behavioral economists.\10\
Scholarship in behavioral economics has demonstrated that consumers'
general inertia towards default terms is a strong and pervasive
limitation on free choice. This does not mean that consumers are all
sheep, but it does mean that default rules and form terms can have
great psychological force and are likely to reward those who otherwise
have greater power.
As a result of this current power dynamic, individuals faced with
standardized terms and expected to fend for themselves with available
technology may simply accept whatever terms are offered by data
processors. Indeed, the difficulties with bounded rationality extend
not only to personal information as traditionally understood but also
to a new
and potentially risky set of personal information, namely ``privacy
meta-data.'' This point is worth elaborating.
Meta-data are information about information. For example, use of
telecommunications now creates ``communications attributes,'' which are
valuable data about consumers' service and calling preferences (call
waiting, caller ID, DSL lines, etc.). The use of privacy filtering
technology, such as P3P, creates another kind of meta-data, namely
information about one's privacy preferences. Ironically, these meta-
data will possibly contribute to additional privacy invasions. Already
in the offline world, direct marketers generate and sell lists of
people who have an interest in protecting their privacy. Filtering will
therefore create the possibility of further privacy violations unless
customers prove able not only to negotiate for their privacy but for
the privacy of data about their privacy preferences.
Bounded rationality points to the need to find ways to permit
informed decision-making about use of one's personal information and
personal meta-information at the least cost to a consumer. The risk is
that the current privacy market will lead only to cyber-agreements that
represent new kinds of contracts of adhesion. In other words, new
technology may lead only to speedy ways to generate poor contracts.
D. Limits on Exit
Finally, cyberspace, in certain of its applications, turns out to
be far from friction-free. In particular, when limits exist on ``exit''
from certain practices, the danger is that online industry will be able
to ``lock-in'' a poor level of privacy on the Web. Again, cookies
provide a good example--cookies demonstrate how privacy ``lock-in''
takes place. A ready source of detailed information about personal
online habits and in widespread use, cookies are difficult to combat.
Mastery of advanced settings on one's Web browser, the downloading of
``cookie-cutting'' software, and some public protests about more
egregious practices have helped, but not solved this problem. As a
joint paper of the Electronic Privacy Information Center (EPIC) and
Junkbusters has noted, ``Those consumers, who have taken the time to
configure their browsers to notify when receiving, or reject cookies,
have found that web surfing becomes nearly impossible.'' \11\
Moreover, beyond cookies, the next privacy melt-down is never far
away. A possible source for the next crisis is so-called ``Web bugs,''
also known as ``clear GIF,'' which permit Web sites to snoop on
visitors by use of code that occupies only one pixel on the screen. To
return to my earlier point about information asymmetries, an even lower
level of consumer awareness exists about Web bugs than about cookies.
As a final example of the emerging ``lock in'' for informational
privacy, many of us enter cyberspace anchored in real space settings
that limit our ability to negotiate. The modern workplace demonstrates
this phenomenon. As the New York Times concludes, ``the debate over
employee privacy is over.'' \12\ It is over because ``widespread,
routine snooping on employees is no longer a threat but a fact.'' \13\
Or, as Business Week states, ``When it comes to privacy in the
workplace, you don't have any.'' \14\ The emerging Hobson's choice for
Americans on the Internet is to sacrifice either privacy or access to
the Internet.
Let us conclude this section by returning to Marc and Katie, our
two consumers with different privacy preferences. Due to the pervasive
failure in the privacy market in the United States, commercial entities
generally obtain Marc's and Katie's personal data for the same low
price. As a result, a subsidy is given to those data processing
companies that exploit personal data. Put simply, the true ``cost'' of
personal data is not charged to these organizations. One likely result of
subsidized personal information is that companies will over-invest in
reaching consumers who do not wish to hear from them. Personal
information at below-market costs will also lead companies to under-
invest in technology that will enhance the expression of one's privacy
preferences.
III. Economic and Non-Economic Harms Caused by Privacy Violations
It may be difficult at times to understand the nature of privacy
harms that occur in cyberspace. And it is certainly true, as Professor
Fred Cate and others have reminded us, that benefits are associated
with the sharing of information.\15\ Why should there be limits on the
use of personal data? In my view, the nature of the harms to personal
privacy on the Internet falls into two categories: (1) the economic, and
(2) the non-economic.
A. Economic Harms
Privacy violations cause economic harms to consumers by: (1)
causing an exchange of our personal information at lower rates than a
fully functioning privacy market would permit; and (2) squelching
democratic opportunity through emerging practices such as
``Weblining.'' Finally, privacy violations also lead to: (3) a lack of
consumer confidence that harms the development of e-commerce.
1. Personal Data at Below ``Market'' Rates
I have proposed that the true cost of personal data is not imposed
on organizations--the personal data of consumers (the Marcs) who care
about privacy and those that do not (the Katies) can be obtained for
the same price. This market failure leads to both deadweight losses and
distributional consequences. The deadweight losses follow from the
existence of consumers who would engage in more or different kinds of
transactions on the Internet, but refuse to do so because of fears
about how their personal data will be collected and used. Polls have
consistently shown that many Americans decline to engage in cyberspace
transactions because of such worries.\16\ In this fashion, a deadweight
loss reduces the economic surplus that would be created were privacy
price discrimination in place. Such a loss, perhaps somewhat hidden
during the Internet's early stages of rapid growth, will become more
visible as e-commerce enters a slower stage. As a columnist in Silicon
Valley's Mercury Center warns, ``almost all of the online retailers
hurriedly launched in 1998 and 1999 now appear doomed to disappear--not
because e-commerce isn't going to be important, but because consumers
aren't moving fast enough toward online shopping to sustain today's Web
retailers.'' \17\
The failure in the privacy market also involves a distribution away
from Marc and even Katie and towards data processing companies.
Companies have no need to offer Marc greater services or more money for
his personal data. In fact, they may not even meet Katie's more modest
privacy threat value.
2. Weblining and the Limiting of Opportunity
The benefits of access to information, including personal
information, can certainly be positive. Yet, the processing of personal
data can also create significant social risks. If used improperly,
profiling will squelch opportunity rather than promote it. Consider the
emerging practice of ``Weblining,'' which is similar to ``red-lining''
in the real world. Weblining, as Business Week tells us, is the
``Information Age version of that nasty old practice of redlining,
where lenders and other businesses mark whole neighborhoods off-
limits.'' \18\ Weblining sews far-flung threads of personal data,
including data about one's ethnic background or religion, into profiles
that are used to sort people into categories and predict how they will
behave. It creates segmenting in which it is our data profiles that
decide the price that we pay, the services we obtain, and our access to
new products and information. Weblining sometimes even relies on so-
called ``neural networks,'' which are digital systems that evolve over
time in a fashion both independent of their developers and impossible
to predict.
The danger is that Weblining will hinder or even reverse the kind
of increased opportunity that access to information can stimulate. It
can be used to limit economic and informational possibilities for
individuals and different groups in a fashion that reflects and
reinforces existing prejudices and mistaken beliefs. As Business Week
warns, ``Weblining may permanently close doors to you or your
business.'' \19\
3. Consumer Uncertainty Harms the Development of E-Commerce
Americans may not fully understand the fashion in which Internet
snooping occurs, but they do have a growing awareness that a privacy
problem exists in cyberspace. As I have already noted above regarding
the resulting deadweight losses, consumer worries about privacy are
inhibiting electronic commerce. I wish to expand briefly on this point.
The Pew Research Center's ``Internet and American Life'' project
furnishes insights into the dynamic of how the lack of Internet privacy
harms e-commerce. The Pew Center's Internet Life Report, Trust and
Privacy Online (August 20, 2000) found, first, that the leading fear of
Internet users concerned their privacy. According to this survey,
eighty-four percent of Internet users were worried about ``[b]usinesses
and people you don't know getting personal information about you and
your family.'' \20\ The Pew Research Center's report also noted that
``[a] strong sense of distrust shades many Internet users' view of the
online world and the uneasiness has grown in the past two years.'' \21\
The Pew Research Center identified a relation between fears about
privacy and ``lower participation in some online activities, especially
commercial and social activities.'' \22\ In similar terms, a Business
Week/Harris Poll from March 2000 found a high level of concern about
privacy from people who have gone online but not yet shopped there.\23\
Finally, the Forrester Research Group found in late 1999 that privacy
concerns had led to $2.8 billion in lost sales that year alone.\24\
Uncertainty about privacy is harming the development of e-commerce.
B. Non-Economic Harms
In addition to the economic harms that follow from the lack of
strong privacy standards on the Internet, non-economic harms also take
place. Cyberspace is not only a place for shopping; it is our new arena
for public and private activities. Cyberspace demonstrates information
technology's great promise: to form new links between people and to
marshal these connections to increase collaboration in political and
other activities that promote democratic community. In particular,
cyberspace has a tremendous potential to revitalize democratic self-
governance at a time when a declining level of participation in
communal life endangers civil society in the United States.
Consider the Supreme Court's decision in 1997 in Reno v. ACLU.\25\
In striking down certain provisions of the Communication Decency Act,
the Supreme Court declared its intention to protect the ``vast
democratic fora'' of the Internet.\26\ The Supreme Court considered the
Internet to be a speaker's paradise; as the Court noted, ``this
dynamic, multifaceted category of communication'' permits ``any person
with a phone line'' to ``become a town crier with a voice that
resonates farther than it could from any soapbox.'' \27\ This language
is similar to language used by the political scientist Benjamin Barber,
who has defined civil society as the free space in which democratic
attitudes are cultivated and conditioned.\28\ In Professor Barber's
words, ``The public needs its town square.'' \29\
Without privacy, however, the implications of hanging out at the
town square are dramatically changed. The Supreme Court's decision in
Reno v. ACLU is also illustrative in this regard. The Supreme Court
praised the Internet's potential for furthering free speech; for the
Court, the Internet represented a ``new marketplace of ideas.'' \30\ We
must note, however, a paradox in this regard: while listening to ideas
offline, in Real Space, generally does not create a data trail,
listening in cyberspace does. The Internet's interactive nature means
that individuals on it simultaneously collect and transmit information;
as a result, merely listening on the Internet becomes a speech-act. A
visit to a Web site or a chat room generates a record of one's
presence.
To extend the Supreme Court's metaphor, the role of town crier in
cyberspace is often secretly assigned--a person can take on this role,
whether or not she seeks it or knows afterwards that she has been given
it. Already a leading computer handbook, the Internet Bible, concludes
its description of the low level of privacy in cyberspace with the
warning, ``Think about the newsgroups you review or join--they say a
lot about you.'' \31\ If cyberspace is to be a place where democratic
discourse occurs, the right kinds of rules must shape the terms and
conditions under which others have access to our personal data. The
issue is of the highest importance; the Internet's potential to improve
democracy will be squandered unless we safeguard the kinds of
information use that democratic community requires.
A poor level of privacy in cyberspace threatens the promise of the
Internet: it discourages political and social participation in this new
realm. As Professor Jerry Kang has written of cyberspace, it is a place
where ``you are invisibly stamped with a bar code.'' \32\ In the
absence of strong privacy rules, Americans will hesitate to engage in
cyberspace activities--including those that are most likely to promote
democratic self-rule.
Conclusion
The E.U. Data Protection Directive and the U.S. Commerce
Department's Safe Harbor indicate a possibility of harmonizing global
data flows at a high level of privacy protection. The question then
becomes the kind of privacy protection that should be in place for
personal data use within the U.S. In my testimony today, I have
identified numerous grounds for concluding that the ``privacy market,''
that is the market in which personal data are collected and exchanged
in the U.S., will not alone produce the right level of information
privacy. Finally, I have sought to identify a basic taxonomy of
economic and non-economic harms occurring in the online realm. It is my
hope that the Senate Commerce Committee will respond to this situation
with introduction of strong consumer privacy legislation.
Thank you for the opportunity to testify today.
Endnotes
1. Directive 95/46/EC of the European Parliament and of the Council
of 24 October 1995 on the protection of individuals with regard to the
processing of personal data and on the free movement of such data, Art.
25, O.J. of the European Communities, no.L281, 31 (Nov. 23, 1995)
[hereinafter European Directive].
2. European Directive, at Art. 26.
3. European Directive, at Art. 25(2). See Working Party on the
Protection of Individuals with Regard to the Processing of Personal
Data, First Orientations on Transfers of Personal Data to Third
Countries--Possible Ways Forward in Assessing Adequacy, XV D/5020/97-EN
final WP4 1-5 (June 26, 1997).
4. To make matters more complicated, the EU Directive's provisions
on data transfers are enforced by the Member States, which makes their
current views and future action critical.
5. Int'l Trade Admin., Electronic Commerce Task Force, Safe Harbor
Principles (Nov. 4, 1998).
6. U.S. Commerce Dept., Safe Harbor Overview (visited July 9, 2001).
7. Id.
8. For a description of early proposals regarding fair information
practices, see the Privacy Protection Study Commission, Personal
Privacy in an Information Society 14-15, 500-502 (1977); David
Flaherty, Protecting Privacy in Surveillance Societies 306-307 (1989).
For analysis of fair information practices as the building blocks of
information privacy, see Paul M. Schwartz, Privacy and the Economics of
Personal Health Care Information, 76 Tex. L.Rev. 56-67 (1997); Paul M.
Schwartz, Privacy and Participation, 80 Iowa L.Rev. 563-564 (1995).
9. FTC, Privacy Online: Fair Information Practices in the
Electronic Marketplace (May 2000).
10. For citations to the relevant academic literature, see Paul M.
Schwartz, Beyond Lessig's Code for Internet Privacy, 2000 Wisc. L. Rev.
744, 768-69.
11. Junkbusters & the Electronic Privacy Information Center, Pretty
Poor Privacy: An Assessment of P3P and Internet Privacy 6 (June 2000).
12. Jeffrey L. Seglin, As Office Snooping Grows, Who Watches the
Watchers?, N.Y. TIMES, June 18, 2000, at Bus. Sec. 4.
13. Id.
14. Larry Armstrong, Someone to Watch Over You, Business Week, July
10, 2000, at 189.
15. See, e.g., Fred H. Cate, Principles of Internet Privacy, 32
Conn. L. Rev. 877 (2000).
16. For a recent summary and discussion of the poll data, see
Federal Trade Commission, Privacy Online 2 (May 2000). As the FTC
states, ``surveys show that those consumers most concerned about
threats to their privacy online are the least likely to engage in
online commerce, and many consumers who have never made an online
purchase identify privacy concerns as a key reason for their
inaction.'' Id.
17. Mike Langberg, Low cost net devices not about to push aside PC,
Mercury Center, July 14, 2000.
18. Marcia Stepanek, Weblining, Bus. Wk., Apr. 3, 2000, at 2,
<http://www.businessweek.com/2000/00--14/b3675017.htm>.
19. Id.
20. Pew Internet & American Life Project, Trust and Privacy Online
4 (Aug. 20, 2000).
21. Id. at 12.
22. Id. at 16.
23. BusinessWeek/Harris Poll: A Growing Threat, Bus. Wk., Mar. 20,
2000, at 1.
24. Trails of Personal Info Compromise Net Shopper's Privacy, USA
Today, Dec. 20, 1999.
25. 117 S.Ct. 2329 (1997).
26. Id. at 2434.
27. Reno v. ACLU, 117 S.Ct. 2329, 2344 (1997).
28. Benjamin Barber, A Place for Us 76 (1998).
29. Id.
30. Reno, 117 S.Ct. at 2352.
31. Brian Underdahl & Edward Willett, Internet Bible 247 (1998).
32. Jerry Kang, Information Privacy in Cyberspace Transactions, 50
Stan. L. Rev. 1193, 1198 (1998).
The Chairman. Thank you, Dr. Schwartz.
Senator McCain.
Senator McCain. Thank you, Mr. Chairman.
Professor Schwartz, you state that polls have consistently
shown that many Americans decline to engage in cyberspace
transactions because of concerns about privacy. Why, if it is
in the business's interest to improve privacy protections, do
you think businesses aren't doing it?
Mr. Schwartz. Well, I think it is for the reasons that I
have described in my testimony--we don't have a well-
functioning privacy market currently. I think there are a
number of reasons for this market failure, one of which is a
kind of collective action problem. It is difficult for all of
our privacy needs to be felt collectively in the market.
My hope, by the way, Senator, is that in time the market
will respond, and my view is the legislation that the Committee
is discussing will create the kind of environmental shock to
the existing privacy market on the Internet that will create
privacy-enhancing organizations and companies.
Senator McCain. Mr. Rotenberg, a report published by
Consumers International in January suggested there was
widespread noncompliance in Europe with the EU's privacy
directive, which as we all know imposes very strict limitations
on the collection, processing, storage, and disclosure of
personal data, both offline and online. What do you think this
says about the possible effectiveness of laws as a means of
ensuring privacy protections?
Mr. Rotenberg. Senator, the study by Consumers
International focused on a very narrow issue in the area of
privacy protection, and that was simply whether notices were
being posted by companies that were operating on the Internet.
The privacy directive in the European Union provides a great
many rights and also creates institutions, such as Federal-
level privacy officials that actively intervene on behalf of
consumers to protect privacy interests. So I think taken as a
whole, the privacy approach in Europe works fairly well, but it
is certainly the case that on some of these specific matters,
like the posting of privacy notices, there is always a question
of compliance, and the CI report reflected this.
Senator McCain. Do you believe that there are any
limitations that the First Amendment may impose on our ability
to legislate privacy restrictions, as opposed to countries that
don't have a First Amendment?
Mr. Rotenberg. Yes, I think there are, particularly in the
areas of political speech, of course. Our very important First
Amendment tradition, which sanctifies the right of people to
speak even when the majority may disagree with them, weighs
very heavily against any legislation by Congress. But here, of
course, we are not really talking about political speech. We
are talking about business practices, commercial
communications, and there the Court has recognized----
Senator McCain. But communications on the Internet could
be----
Mr. Rotenberg [continuing]. A different approach.
Senator McCain [continuing]. Interpreted as a form of
speech obviously.
Mr. Rotenberg. Yes. And I think the Court would certainly
consider the nature of the communications, as it has done in a
number of recent cases. Both Fred Cate and I have discussed
this issue, and there is the U.S. West case in the Tenth
Circuit, where I think there was quite a bit of deference shown
to commercial communications, but the more recent cases from
the D.C. Circuit and the D.C. District Court suggest that
courts are willing to uphold privacy regulations where the
nature of the speech is purely commercial.
Senator McCain. Mr. Cate, the issue of opt-in versus opt-
out of any proposed legislation seems to dominate a lot of our
debate and discussion. How critical is this element to this
overall debate in regards to privacy?
Mr. Cate. Well, Senator, from my view, opt-in as a
legislative requirement across the board on the Internet is
fatal. It is a tremendous problem exactly for the reasons I
outlined in my testimony. That is not to say there are no
places where opt-in might not be appropriate. For example,
Congress wisely requested when collecting information online
from very young children, that there be opt-in consent from the
parents. That seems entirely appropriate.
One problem with most online legislation, though, is that
it does not make any distinctions between what most of us might
consider private or sensitive information and all other
information. So to use opt-in, the most restrictive possible
privacy standard available to apply to all of that information,
information that frankly might not be considered very private
and information that could be considered private, is not only
constitutionally fatal, but it also really creates an
impediment without creating any benefit along with it, because
it protects under opt-in information that is routinely
disclosed or seen in the offline world, and this just makes no
sense from a market perspective.
Senator McCain. I would be glad to listen to Mr. Schwartz
and Mr. Rotenberg's comments on that as well, but I think we
also need to put this into context. Every time we make a phone
call, it is recorded. Every time we go to Safeway and pay with
a credit card, it is recorded. We are in a situation, not just
on the Internet, but basically where all of our activities are
recorded and are, to some degree, public property, which many
of us are either oblivious to or don't care about.
But the fact is our lives now are not just confined to
betrayal of privacy on the Internet. It is basically the way we
conduct our communications and our transactions in our daily
lives.
Go ahead, Mr. Schwartz and Mr. Rotenberg.
Mr. Schwartz. Senator McCain, I absolutely agree with you
about this, about your point about these new data trails that
we leave, not only on the Internet but at the supermarket and
making calls. What I have argued for in the past is
thinking about the right mixture of both opt-in and opt-out
rules in legislation. I think the touchstone should be trying
to figure out how to make privacy protection work at the least
cost to consumers, including transaction costs. And in my view,
that is going to require a mixture of both kinds of rules.
Senator McCain. Mr. Rotenberg.
Mr. Rotenberg. Senator, I will say that I think the opt-in
approach reflects the common-sense approach that before
business makes use of your information for another purpose, it
should ask your permission. And this is the sense that most
people have about the use----
Senator McCain. At Safeway?
Mr. Rotenberg. Well, I think if Safeway is actually
planning to sell your data, yes, and to sign up for one of
those programs, in effect you are opting in. If they were to
take the data--it is an interesting example, in fact. If they
were to take the data from you after you had made the decision
not to opt into their program, I think virtually everyone would
agree that that would be a violation of your privacy, and as to
the example of telephone records, toll records and content and
so forth, that information is subject to Federal law, and
restrictions are in place, so that you do have some confidence
when you make telephone calls, that information will not be
disclosed.
Senator McCain. Thank you, Mr. Chairman.
The Chairman. We are alternating from side to side in order
of appearance.
Senator Rockefeller.
Senator Rockefeller. In following up, Mr. Rotenberg, what
you just said, in fact, this morning I received a phone call
from a telephone company calling center, in which they said
that somebody last night had made a long distance call at great
expense using my credit card in New Jersey.
Well, I have a son that goes to college in New Jersey----
[Laughter.]
Senator Rockefeller [continuing]. But it was a very
different area code number. And so--and partially in response
to what Senator McCain is saying--this was a very classic
example of my rights being protected, because if somebody has
that telephone number and is using it, which is obviously the
case, and was using it in a very expensive fashion--it was a
rather long phone call--they said, ``We think you should cancel
your credit card number,'' which was against their business
interests.
Now, obviously we are going to get another one, but there
is going to be a period of time when I am not going to be
using, you know, their number. And so that was an example where
my privacy was specifically being protected, either because of
Federal law, which you can answer, or because they desired to
keep me on as a customer, because they knew that I would
eventually see that there was somebody making an expensive
phone call that simply had my number and had no right to have
my number.
Is that a Federal law making them do that?
Mr. Rotenberg. Well, I don't know if it is a Federal law
that they contact you, but privacy laws certainly allow and
anticipate that companies will need to do this. In fact, in the
Federal wiretap statute, it is understood that telephone
companies will from time to time listen in on telephone calls,
and the reason that they do this is to assess the line quality,
to measure their own service and to improve it.
Privacy laws don't operate as an obstacle to ensuring
better service or enabling the detection of fraud where it is
appropriate. The concern really arises when they take that
information and say, ``Well, maybe this would be of interest to
someone else, or maybe we should just disclose it''. That is
where privacy law says, ``This is really not related to the
delivery of that service,'' the performance of our business
responsibilities. Here we need to have some understanding about
what the rules would be.
But in your example, I don't think there is anything there
that is inconsistent at all, as you say, with privacy
protection.
Senator Rockefeller. Right. Mr. Cate, you indicated in your
written statement that you oppose privacy laws. Does that also
mean that you oppose laws that protect personal information
collected from our children?
Mr. Cate. Senator, I don't believe I did indicate I opposed
the privacy laws in my statement. If I gave the impression, it
was in error. I certainly support privacy laws and certainly
support privacy. I oppose privacy laws that are unnecessarily
expensive or don't create a benefit at the same time.
Senator Rockefeller. Now, this is exactly where I want to
be, so you need to answer my question.
Mr. Cate. I strongly support privacy laws that protect
information collected from children.
Senator Rockefeller. What about medical records?
Mr. Cate. It would depend on the type of record and the
context----
Senator Rockefeller. Now, what do you mean, it would depend
upon? I mean, you say the word ``depend upon,'' and anybody can
go in any direction and nobody will ever know.
Mr. Cate. Senator, that is, in fact, the standard the
Supreme Court has long used for evaluating the
constitutionality of restrictions on expression: how great is
the interest, and how closely does the law serve that interest?
Senator Rockefeller. I don't serve on the Supreme Court. I
serve on the Commerce Committee. I would like an answer to my
question. Do you support medical privacy?
Mr. Cate. I certainly support medical privacy. Yes, sir.
Senator Rockefeller. It depends on what nature.
Mr. Cate. I support privacy. Yes. Absolutely.
Senator Rockefeller. And absolute privacy or privacy
absolutely?
Mr. Cate. My support is absolute. I don't believe you can
have absolute privacy.
Senator Rockefeller. OK. I will accept that. What about
race?
Mr. Cate. Excuse me. I----
Senator Rockefeller. Race, ethnicity.
Mr. Cate. I believe your ethnicity is something that is in
many cases reasonably discerned from your appearance, and so,
no. I don't believe----
Senator Rockefeller. I am talking about the Internet. I am
not talking about face to face conversations.
Mr. Cate. Well, I certainly don't oppose the collection of
that information if you disclose it.
Senator Rockefeller. Uh-huh.
Mr. Cate. In fact, Federal law requires the disclosure of
that in many instances.
Senator Rockefeller. Now, wouldn't regulations--if you
opposed these things or at least several of these things, these
regulations would impose a cost on industry, but you accept
that cost on industry.
Mr. Cate. I accept that cost if it generates a benefit that
exceeds that cost, of course.
Senator Rockefeller. What do you mean by ``it creates a
benefit''?
Mr. Cate. If the net gain to society from a law is greater
than the cost it imposes on society, that would generally
indicate to me it is a desirable law.
Senator Rockefeller. Uh-huh. OK. Last year you wrote an
article opposing privacy protections. That may have been where
I got my first bias from, in terms of my question. It said,
``you believe it is wrong for Congress to prohibit states from
selling people's home addresses and driver's license
information in an effort to prevent stalking or identity
theft''. Do you believe this still?
Mr. Cate. I believe that it is wrong for Congress to
prohibit the states from making available the information that
is in the public record unless it is first demonstrated that
there is substantial risk of harm from that information being
made available. At the time that Congress enacted the Driver's
Privacy Protection Act and since then, it has not made that
demonstration, and so I believe it was an inappropriate law.
Senator Rockefeller. Would the other two witnesses be
willing to comment?
Mr. Rotenberg. Well, I think contrary to what Fred Cate has
said, in recent opinions, the Trans Union versus FTC, and the
IRSG versus the FTC, the Courts have held that, in fact, a
showing has been made by Congress in the area of financial
privacy that outweighs the commercial speech interest, so
actually I am not quite sure what his point is. I mean, he is
correct that there is an analysis under the so-called
intermediate level scrutiny view of these types of regulations
that requires some demonstration of harm, but the recent
decisions, I think, bode well for privacy.
Now, as to the Driver's Privacy Protection Act, he may not
be familiar with this. I know Senator Boxer is, because she was
involved in the passage of that legislation, but it flowed from
a very unfortunate incident involving a young woman in
California, and because of that, the state of California and
subsequently the Congress passed legislation to place certain
restrictions on access to DMV records.
I think even though these points are fairly well
established, there is still some risk in saying that we should
not have privacy legislation unless we can show that a lot of
harm has occurred. A great many people believe today that they
would like to have privacy legislation, so that harm doesn't
occur. It would be a good reason to legislate, to avoid the
harm that might otherwise take place. But I think the showing
as to previous legislation has been established.
Senator Rockefeller. My time is up, Dr. Schwartz. I don't
know if----
The Chairman. Yes. That's all right. Go ahead.
Mr. Schwartz. Very briefly, I supported the Driver's
Privacy Protection Act. I think people, when they get a
driver's license, expect the state to use that for driving-
related information and not to have it turn into commercial use
by private organizations, and I think the Driver's Privacy
Protection Act tried to limit the use of such information to
only compatible usage.
On the First Amendment issue, I do think there is going to
be increased scrutiny of privacy legislation by Courts. I also
believe, however, that constitutional privacy legislation can
and should be crafted. The cases that we have heard reference
to, the Trans Union opinion from the D.C. Circuit and the more
recent District Court decision regarding the Individual
Reference Services Group, a decision from April 30, 2001, I
think indicate how Congress can do it. Namely, they have to
carefully identify the particular notion of privacy and the
interest to be protected, and then try to craft legislation
narrowly to further that interest.
The Chairman. That is what we have got to do.
Senator Rockefeller. Thank you, gentlemen.
The Chairman. Thank you.
Senator Allen.
Senator Allen. Yes. I would like to ask--each of these
folks. I have a lot of questions. At least my microphone works.
As far as the platform for privacy preferences, P3P, it
seems to me that that is emerging possibly as an industry
standard, and it is an automated way for users to be informed,
knowledgeable, and obviously a way of the private sector
handling it, and in putting the decisions in the hand of the
consumers. Mr. Cate, what is your view of P3P as a development
and a way of securing the privacy decisions that all of us
share a concern about?
Mr. Cate. Well, Senator, I think it is a terrific
development, and I think it is a perfect example of the ways in
which technologies may help consumers protect our own privacy,
and frankly, do so far more effectively than law can, because
it would work outside of just the reach of U.S. law. It would
not be concerned with jurisdictional boundaries and things like
that.
I think we still have to have some degree of awareness of
the fact, for example, that all of our computers today allow us
to establish whether we accept cookies or not. However,
virtually none of us actually exercise that choice, so the fact
that we may now have a technology available, readily available,
affordably, in fact, at no additional cost available, that
allows us to set our privacy preferences. It will simply be
interesting to measure as an empirical matter how many people
actually take the trouble to do so and then act consistently
with that.
Senator Allen. Mr. Cate, let me ask you some more questions
here. I have been studying this privacy, various principles and
legislation over the years, whether it was the Wyden-Burns bill
or Senator McCain's bill or Senator Hollings' bills or Hatch-
Leahy, and so forth and so on, Senator Edwards' bill as well.
Do you believe that whatever principles are applied in any
legislation should apply to offline as--at least similarly as
it does to online?
Mr. Cate. Yes, sir, I do believe that.
Senator Allen. Do you have an understanding of the
preemption of state laws? What is your view on the preemption
of state laws? I know you talked about opt-in and opt-out, but
I am trying to get your views on a broader section than opt-in
and opt-out.
Mr. Cate. I certainly think Internet commerce, online
commerce, is one place where preemption would be appropriate. I
am not, you know, generally--I mean, my own legal scholarship
does not support preemption as a general matter, but in a place
where you have an intrinsically interstate form of commerce and
which it is not--Mr. Rotenberg mentioned businesses facing 50
standards. Forget about that. It is consumers facing 50
standards that is the problem, and a single standard that a
consumer----
I mean, imagine the complexity. We worry about the Gramm-
Leach-Bliley complexity, but imagine if we were getting notices
from every single state that were different, instead of the
variety of notices that were seen under one Federal law. If
there is ever a case for preemption, I believe this is it.
Senator Allen. Well, as far as--in the event that there is
a violation of those privacy standards, how best would that be
enforced?
Mr. Cate. I believe the, if you will, sort of traditional
enforcement mechanisms would be either through the Federal
Trade Commission or through the states' attorneys general, and
that that would seem appropriate in this instance as well, so
that states would continue to play a critical role in enforcing
these standards but would not play a role in writing these
standards.
Senator Allen. Implicitly, then, you are saying that you
would not prefer or would not suggest a private right of
action.
Mr. Cate. I implicitly am saying that and am happy to say
so explicitly as well, sir.
Senator Allen. And why not?
Mr. Cate. I think there are a number of reasons. One is,
frankly, private rights of action tend to not be the best
enforcement action, precisely because they become just add-on
cases, so that if there is a complaint to the FTC, the FTC
launches an investigation, and then we see the emergence of
these additional cases, class actions and so forth, and it is
unclear what is gained. You know, once the Government has acted
or a state attorney general has acted, has brought a case, what
the additional benefit is of these other cases.
Also I think the potential damages are quite significant.
Again, my good friend Mr. Rotenberg used the example of a $500
or $1,000 incident, but if you take an online service provider
that has, say, 20 million customers, and you have one single
disclosure of information and you multiply it $1,000 times 20
million customers, I think that sort of fairly modest fine
could be seen as fairly punitive.
Senator Allen. I would like to ask Mr. Rotenberg and Mr.
Schwartz to comment on the impact, to the extent that they can,
on United States companies due to the European Union's privacy
directive, what impact that has had on consumers, but mostly to
U.S. companies in Europe, if either of you could comment on
that.
Mr. Rotenberg. Senator, I can't speak for U.S. companies,
but I can say this, that as a result of the EU directive and
the safe harbor arrangement that was negotiated between the
United States and Europe, European consumers have now at least
a bit of confidence that when they do commerce with U.S. firms,
they will get the type of privacy protection that has been
traditionally associated with European privacy law. It has, in
effect, raised the standard of practice for U.S. firms, allowed
further entry into European markets, and opened up new
commercial opportunities, and I think this is or should be good
news. I mean, this is the way the privacy laws should operate.
The goal is not to restrict business activity. The goal is
to promote consumer confidence and enable firms to conduct
business in a way where privacy is protected, and I think the
EU data directive and the safe harbor arrangement have
furthered that goal.
Senator Allen. Mr. Schwartz.
Mr. Schwartz. As I testified, I am very encouraged by the
important information age companies that are signing up for the
safe harbor. The EU directive has been a long time coming. It
was enacted in 1995. It took effect in 1998. European countries
are now harmonizing their legislation to reflect its high
standards, and now we have the safe harbor arrangement. I think
we can hope, at least, that it is going to have a positive
impact on American companies. The hope is that American
companies will provide the same level of protection to the
personal information of American citizens that they do to the
transfers of information from Europe that they are pledged to
protect under the safe harbor.
Senator Allen. Thank you. Thank you, Mr. Chairman.
The Chairman. Very good.
Senator Wyden.
Senator Wyden. Thank you, Mr. Chairman.
Gentlemen, last week Eli Lilly blamed a programming error
for a problem where they accidentally disclosed email addresses
of about 600 medical patients. My question to you is: Do you
all believe--we can just go right down the row, start with you,
Mr. Rotenberg--that with a sensible privacy policy in this
country, that those kinds of problems and ones that could
conceivably be far more serious would be less likely?
Mr. Rotenberg. Yes, Senator. I think a good privacy policy,
backed up with enforcement, would make those incidents less
likely.
Senator Wyden. Mr. Cate.
Mr. Cate. No, Senator, I do not. In fact, I would note that
information was collected pursuant to an opt-in requirement.
Senator Wyden. Mr. Schwartz.
Mr. Schwartz. I think that we have incidents of what has
been called the ``revenge effects'' of technology. In the
information age, it is very, very difficult to avoid the
consequences of the kinds of networks that we see, so I don't
think privacy policies will make that go away. What we need is
ongoing vigilance against these so-called ``revenge effects,''
as we have more and more use of technology in our lives.
Senator Wyden. Mr. Rotenberg, I think one of the key
questions is whether we are going to have one standard or 50. I
touched on it; so did you. I am curious whether you think that
preemption, something that would ensure one standard, is
inherently bad. In other words, if the U.S. Senate set the bar
in the right place and did it in a fashion so as to ensure
sufficient flexibility to promote the innovation that you are
talking about, what would you be concerned about if the
Congress went about it that way?
Mr. Rotenberg. Well, Senator, as I said in my statement, my
concern really flows from studying the history of privacy law
in the United States and seeing the Federal baseline enabling
states to innovate and respecting our Federal form of
government. I think those traditions are important ones,
because states, given that freedom, oftentimes will come up
with better solutions. We have seen this.
I mean, 10, 12 years ago, there was a lot of discussion
about Caller ID, for example, and it was the state regulatory
authorities that took the initiative there and led to the
development of stronger privacy protection for telephone
customers. Today there is a big debate taking place about the
privacy of genetic information, and this is another area where
Congress has focused attention, but it has been the states that
are leading.
So I appreciate your point. I think if there were, as you
said in your statement, meaningful privacy protection with
preemption, that would certainly be better than a weak statute.
But even meaningful privacy protection, I think, would lose an
opportunity that history suggests we should try to preserve.
Senator Wyden. Well, I want it understood that as we work
on this issue, I want to make sure we don't close off the
opportunity for that state innovation that you are talking
about. I mean, with the Electronic Signatures Bill, for
example, we worked very hard to ensure that there was a role
for the Federal Government, and there was a role for the
states, and I would just hope that we could figure out a way at
the end of the day to have one standard rather than 50 and do
it so as to encourage the innovation you are talking about.
Last question I wanted to ask each of you is: Is it the
case that there are people today in the private sector who are
doing the job right? Is there a company, more than one company,
a set of organizations, that we can look to that really sets
the bar in the right place? Why don't we start with you, Mr.
Schwartz, and just kind of go down the----
Mr. Schwartz. Sure. I think one interesting development has
been marketing companies who are shifting to opt-in because of
their belief that they will get higher quality information from
consumers that they will be able to sell at a higher price. The
difficulty from the consumers' viewpoint is--and this gets back
to my point about the failure in the privacy market--it is hard
to keep your information from being collected from the other
companies. So you are kind of stuck there. You would rather do
business with the good opt-in companies, but you are stuck with
the Hobson's choice of doing business with everyone.
Another, I think, positive development is P3P. However, I
don't think technological solutions will be a silver bullet. I
think you run into a chicken and the egg problem, where unless
a lot of consumers decide they want to use P3P, and unless a
lot of companies enable their sites to be P3P enabled, it may
never take off.
Senator Wyden. That would be your answer to the question,
that P3P is in line with where you think we ought to be going
in this country.
Mr. Schwartz. My solution is that I think that both opt-in
companies and P3P are part of the solution, but I don't think they
are going to get us everywhere where we want to get without
privacy legislation.
Senator Wyden. OK. Mr. Cate.
Mr. Cate. Senator, I don't know that we necessarily see any
perfect solutions in the market, and I feel like I should also
note in many instances privacy being a very personal concept,
privacy is in the eyes of the beholder. I was interested to see
that USA Today on Monday cited American Express's privacy
policy as one that it disliked the most. Three weeks ago in
California, the chairman of the Banking and Finance Committee
there in the assembly cited American Express as the finest
example of a privacy policy that had been mailed out and had it
distributed to every person in the audience in the hearing
room, so that they could copy that example. So it is a little
hard to figure out sort of what is best.
But I would say, I think many online companies have done a
very good job in being clear about what they do with
information, about making clear about what consumers' rights
and opportunities are, and in really building consumer support
and confidence. That is really the name of the game.
Senator Wyden. Mr. Rotenberg.
Mr. Rotenberg. Senator, we have had a simple measure for
this question from the start. The question we ask is simply
this: Are companies fully applying and enforcing fair
information practices? That is the standard for us. On the
technology, we think----
Senator Wyden. But is there a company out there--you are
one of this country's premier privacy authorities, and your
view counts a lot with me. Is there a company or an
organization in your view that is doing the job right today?
Mr. Rotenberg. Senator, in my view, there are many
companies that are doing a good job addressing privacy issues,
but frankly part of trying to maintain our role in the privacy
debate has required also that we keep some distance from these
companies. We don't consult for them. We don't advise, and we
don't endorse. We are interested solely in promoting the very
best privacy protections for American consumers, and we will
recognize when companies do a good job. But I would be very
reluctant to name a company this morning.
Senator Wyden. My time has expired, but be assured that I
am going to ask you this question privately, because I value
your view. Nobody is talking about endorsing a product. What we
would like to know is whether there are some people out there
that are doing the job right, so it can help us as we try to
fashion legislation.
I thank you, Mr. Chairman.
The Chairman. Very good. Senator Stevens passes, so Senator
Boxer.
Senator Boxer. Thank you, Mr. Chairman.
This is one of the most fascinating issues, because I think
that it is simplistic to say there is an anti-business or a
pro-business view, regardless of how you view this. My view is
that when you look at the polling, it says 79 percent of those
who did not buy gifts online in the 2000 holiday season said
they did not like to send credit card or other personal
information over the Internet. So some people aren't going
online, because they are a little afraid that their information
will be sold.
Also, concern about privacy is the single most cited reason
Internet users give for not making purchases and for non-net
users declining to even go on the Internet. So I think if we do
come up with something that is a smart, good, balanced plan
here, I think we will, in fact, be helping consumers and
business. That is why I work with John Kerry and Senator
McCain, because I felt we did so try to come up with that
balance.
I wrote the Driver's Privacy Protection Act, and it was, in
fact, the State of South Carolina, Mr. Chairman, that
questioned that Driver's Privacy Protection Act. They wanted to
sell people's licenses, and they appealed the constitutionality
of this particular law all the way to the Supreme Court, and I
was in the audience when the Court heard the case. It was a 9-0
decision, upholding the Driver's Privacy Protection Act, and I
think it is because of the nature of what was happening with
these lists.
They were being sold without people's permission, and as
Mr. Rotenberg said, it was a very tragic case that led me to
write this particular law, because people were stalking other
people, finding out who belonged to what license. So having
said that, you would think that I am for the most--the
strictest kind of privacy on the Internet. But I think what we
are coming up with here is the fact that there isn't a one--
this is my view--a one-size-fits-all kind of deal.
Having seen the Eli Lilly horrible situation, which Mr.
Cate said, ``Well, people opted in'', they didn't opt-in to
have the fact that they are taking a certain drug put out on
the Internet with their email address. They opted in to be
reminded about taking the medicine, so there was a misuse here.
So, I guess, Mr. Cate, I want to ask you this, and you kind
of answered it, but I want to get it on the record in a clearer
way. Do you think that as we try to work together--and I really
think there is a desire for us to do that--on a national
privacy act regarding the Internet--because you are right; if
you have 50 different laws, it is a nightmare. If you have this
kind of law, do you think we could put our heads together and
come up with opt-in and opt-out combinations, because frankly
if I buy cookies online, I think opting out is saying, ``Look,
I opt-out. Something pops up on the screen; don't sell my name
to other cookie people''. You know, that is OK, and if somebody
makes a mistake, and I get something about cookies, it is no
big deal. But if I am taking a certain medicine, and I want to
retain my privacy, that is a whole other deal.
So do you think--do you see that as that we could, in fact,
fashion something without being too specific, because I don't
think that is the way we should do it. Is there a way that we
can have broad categories for opt-in and opt-out?
Mr. Cate. Yes, Senator. I think that is absolutely correct.
Senator Boxer. And may I ask the other gentlemen if they
could see that there is a--did you want to add something to
that or----
Mr. Cate. I always want to add something, but I will stop
there in deference to my colleagues.
Senator Boxer. Mr. Schwartz, Mr. Rotenberg, can you see
that as a possible way for us to go?
Mr. Schwartz. Yes. I absolutely think that a mixture of
both opt-in and opt-out rules, as I said before, would be the
way to take care of this at the least cost to consumers. I also
think, to follow up on your point, that there is a tradition of
privacy legislation helping industry. An example would be the
Fair Credit Reporting Act which I think contributed to the
explosion in credit card use because of the consumer confidence
about that information.
I recently saw that cell phone manufacturers and cell phone
companies are calling for legislation about wireless location
data, because they think that cell phone use will stagnate
unless there are limitations on how that information is used.
So I think pro-privacy legislation can also help industry.
Senator Boxer. And, of course, the Fair Credit Reporting
Act does apply to the Internet, so that is good.
Mr. Rotenberg, this idea of us working together on a
combination of opt-in, opt-out?
Mr. Rotenberg. Well, Senator, I have a somewhat different
view of this issue than my colleagues. I think you need both
opt-in and opt-out; I think they go together. But the
relationship is a little bit different than the one described
by Mr. Cate and Mr. Schwartz. I think you need opt-in at the
front end to obtain real and meaningful consent, so that
everyone understands what they are getting themselves into, and
I think you need the right to opt-out on an ongoing basis if
you decide that you are no longer satisfied with the
relationship. I think it is the nature of all commercial
transactions that common-sensically, we understand the exchange
of things for value in this fashion.
Now, I appreciate it is convenient to say, ``Well, maybe if
it is less sensitive information, opt-out would work, and for
more sensitive information, opt-in might work'', and certainly
bills have been done on that basis. I am aware of it. But I do
believe that over time, the better approach, particularly
because there is difficulty always in drawing that line, is to
say, ``Let's have explicit opt-in at the front end; let's
obtain meaningful consent, and let's retain a right to opt out
if someone isn't happy''.
Senator Boxer. Well, I agree with the two-to-one decision
of the panel. Thank you.
The Chairman. Thank you very much.
Senator Nelson.
Senator Nelson. Mr. Chairman, I did not make an opening
statement, only to express my gratitude for the opportunity of
being part of this Committee, and----
The Chairman. We will include your statement in the record
if you want.
Senator Nelson. Well, I am going to make it right now if----
The Chairman. Make yourself at home.
Senator Nelson. I want to start out by saying that I, too,
as Jay Rockefeller, would be outraged if there was a history of
my transactions available to the public such as this. I come to
this discussion today with some interest and some background in
this area, for a Supreme Court decision back in the mid-90s
entitled, Barnett Bank v. Bill Nelson, in my capacity as
insurance commissioner, decided on a technical reason, that
heretofore banks and insurance companies could merge, and I
knew as insurance commissioner that there was the threat of the
loss of privacy, that after Gramm-Leach-Bliley, we have seen
exactly that.
We have seen in the merger of banks and insurance companies
that a person's personally identifiable medical information,
because they had a physical exam in order to get a life
insurance policy, and the life insurance policy now being a
part of a bank holding company, that that information can be
shared within that holding company. Even worse, that
information can be shared outside of that holding company by
contracting in a marketing agreement with a third party.
And so when it comes to the issue of privacy on today's
discussion on the Internet, I approach this with the view that
there are certain things that are inviolate to keep us from
moving to the age of Big Brother, that clearly we ought to
have, and in my judgment it would be for personally
identifiable medical information.
As the Senator from Oregon had just pointed out with Eli
Lilly, in this particular case they are saying it is a mistake,
but let me tell you what the mistake was. It was 600 people on
Prozac, now information totally available to the world, on very
personally identifiable medical information. So when it comes
to the question of whether or not you should share this
privacy, I think it ought to be with the express written
consent on medical information.
On personally identifiable financial information, in the
merger of banks and insurance companies, I think using the term
of art here, opt-in, which is express consent, that clearly it
ought to be. And so I come to this discussion intrigued that
there really ought to be a basis of common sense that would
govern us here.
For example, when we get on in the Internet to interactive
television, what is going to be the privacy on that? Shouldn't
we be having the right of privacy on an interactive television
conversation over the Internet?
So, Mr. Chairman, I will defer from asking any questions
and look forward to learning a lot, but that is clearly the
background that I bring to the table. And I am absolutely
fascinated in this. I filed the legislation to correct what I
consider the promises that were made in 1999 in the enactment
of the Financial Services Modernization Act, otherwise Gramm-
Leach-Bliley, of which that huge gaping hole on not protecting
privacy has not been filled when, in fact, it was promised. And
I look forward to working with you, Mr. Chairman, on this.
The Chairman. You are one of the best witnesses we have
had.
[Laughter.]
The Chairman. I will include in the record Monday's
editorial in USA Today that verifies just exactly your idea
about Gramm-Bliley, Confusing Privacy Notices Leave Consumers
Exposed. We will include that in the record.
[The information referred to follows:]
[From USA Today, July 9, 2001]
Confusing Privacy Notices Leave Consumers Exposed
(Our view: Millions of records open up as people fail to `opt out.')
financial privacy
Imagine spreading out all of your most personal financial data on
the kitchen table, then having hordes of strangers storm in to browse,
copy, share it with business partners and sell it to telemarketers. You
could keep your privacy only by following detailed, legalistic
instructions each time a new snooper tries to barge through the door.
Millions of bank customers and credit card holders are in this
situation this week, only the instructions are so confusing, many
unwittingly threw them away.
Welcome to the system Congress set up in 1999 to protect financial
privacy. Banks, credit card companies and others who know how you spend
your money can share and sell that information unless you explicitly
``opt out.''
Because fewer opt-outs mean more profit, the results are no
surprise. When a July 1 deadline rolled around for giving customers
their choice, the financial institutions made the notices as confusing
as possible.
Just look at some of the notices consumers have received:
One sent by American Express is written at the graduate-
school level, according to a report for consumer advocates by
readability expert Mark Hochhauser. Little help to the 92% of adults
with less education.
Wells Fargo Bank sent out a notice that is 10 pages long,
with no phone number to call to opt out. Consumers must fill out a
form, detach it and mail it at their own expense. A Wells Fargo
spokesman says it didn't want to ``overload'' its phone system.
The notice from Chevron Credit Bank offers a toll-free
number, but it's open only weekdays 7:30 a.m.-4:30 p.m. PT. But to
apply for a credit card? That number's available until 11 p.m. weekdays
and until 5:30 p.m. Saturdays.
Little wonder, then, that despite widespread public concern about
financial privacy, fewer than 1% of consumers had exercised their right
to opt out by mid-June, the American Bankers Association (ABA)
estimates. An ABA survey in May found 41% could not even recall
receiving a notice.
The bankers trade group offers transparent excuses, saying
institutions merely followed model notices put together by regulators.
But nothing in the regulations prevents a bank from adding plain
English on top of the legalistic jargon. Something like: ``If you don't
want us to share your personal data with telemarketers, here's what you
can do.''
Congress caved in to the opt-out system pushed by the financial-
services industry, which showered politicians and their parties with
nearly $200 million in the decade before the bill was passed.
Had Congress listened to consumer groups and privacy advocates
instead of its campaign contributors, it would have instead created a
far more protective ``opt in'' rule. That would have required banks to
get customers to say yes before any information could be shared.
You can bet that if bankers had to go begging for consumer
permission to sell this private data, the notices would be plenty clear
and quite memorable.
It's not too late to tell banks they can't dispense your financial
history at will. Customers can say no at any time.
But if lawmakers want to protect consumer privacy in the future,
they need to make would-be snoopers ring the doorbell first.
The Chairman. Senator Edwards.
STATEMENT OF HON. JOHN EDWARDS,
U.S. SENATOR FROM NORTH CAROLINA
Senator Edwards. Thank you, Mr. Chairman. Am I allowed to
ask Senator Nelson questions?
[Laughter.]
Senator Edwards. Well, first of all, I want to thank the
Chairman for his leadership in this area. He has been a real
force for protecting people's individual privacy, and we
appreciate all the work the Chairman has done in this area.
I start with a very simple idea, which is that people ought
to have control over their own personal private information,
and married with that a practical idea which is when I think,
for example, in the context of financial services--and I was
involved in that legislation--when you mail somebody something,
whether you have an opt-in or opt-out policy, as a practical
matter, 90-plus percent of people pay little or no attention to
it. And so I think you essentially decide the result when you
choose either opt-in or opt-out, if they are the exclusive
remedy.
What I would like to talk about is what I think I heard Mr.
Schwartz mention a few minutes ago, which is maybe a more
creative solution to this dilemma, something that would allow
us to put together some of the technology innovations that have
been done by people like Microsoft with P3P and legislation,
because it seems to me there ought to be some way to marry
these concepts, opt-in, opt-out, and the use of technology, in
a way that is effective, that allows people to really maintain
control over their information, but at the same time, doesn't
hinder the use of the Internet.
Now, I don't know what that solution is, but if we get away
from just the academic conceptual idea of the only choice, the
Hobson's choice in this case, is between opt-in or opt-out and
ignores the use of technology, it seems to me that those things
ought to work together in combination in some fashion, and I
would just like to hear a comment from each of you on that
subject.
Mr. Rotenberg. Well, Senator, we have been thinking about
that issue for a long time, and we have been doing so in part
because we think that to effectively protect privacy,
legislation will not be enough. I mean, I am happy to be here
today and explain the need for legislation, but I think we also
need very good technology. Our organization EPIC was at the
forefront of the battle to reform encryption policy, because we
saw the need to make strong tools for online privacy available,
and we continue to promote the availability of good technology
for privacy.
But I have to say this, Senator, and I know again I am
probably going to be in the minority side of a two-to-one
opinion. I do not believe that P3P as currently conceived is
going to promote online privacy, because it lacks the essential
elements of privacy protection, of setting the bar high enough
to limit the collection and use of personal information to
afford any real safeguards.
Senator Edwards. Can I interrupt you just a minute?
Mr. Rotenberg. Yes.
Senator Edwards. I understand that, and I understand there
are concerns with that particular technology. But my question
is more conceptual. Is there not a way to----
Mr. Rotenberg. Yes.
Senator Edwards [continuing]. Use technology in combination
with legislation?
Mr. Rotenberg. The key, I believe, to privacy solutions
using technology is to minimize the collection of personally
identifiable information. You see, it is the collection of the
data about you, your address, the members of your family, your
financial circumstances, all of this that gives rise to the
privacy problem.
I mean, if we were talking about the environment, we would
basically be talking about a form of pollution. It is sort of
the byproduct of production. If we can find a way to limit the
generation of that personal information and still enable online
commerce and still enable people to receive and exchange
information, I think we will go a very long way by technical
means to protecting privacy online.
It is the reason, for example, that people who study
Internet privacy feel so passionately about anonymity. Now, to
a lot of us, you may think, Well, I am a little bit concerned
about people who want to be anonymous. But if you think about
it for a moment, most transactions, cash-based transactions,
most activities, walking down a street, reading a book, going
into a movie theater, these are all essentially anonymous
transactions.
And so we see the bedrock for online privacy in the
technological realm as trying to preserve anonymity, and from
that, a lot of things, I believe, will be possible, and I think
it coexists very nicely, in fact, with legislation, because
legislation says, ``And at the point that you start to collect
personally identifiable information, then we are going to
impose some legal burdens on you, but if you can do what you
want to do without collecting data----
Senator Edwards. But shouldn't people have the personal
privilege or right to decide they don't mind if their personal
information is being collected?
Mr. Rotenberg. Absolutely. I mean, we do not argue against
the right that everyone has to disclose information, to go on a
television talk show, to do whatever they wish to publicize
their private life. That is a choice that every person always
has. The question is: Do they have the right, even in the most
public of careers, to then spend time with their family, to
then pick up a telephone, to then have a private conversation
with a colleague, and not have that information disclosed to
others?
And for that to happen in the online environment, I think
we are going to need very strong techniques.
Senator Edwards. Thank you, Mr. Rotenberg. Mr. Cate and Mr.
Schwartz, I want an answer, but please make it very brief,
because I have got one other subject I want to cover very
clearly.
Mr. Cate. Yes, Senator, I agree. I think you put your
finger right on the point, which is that the goal of privacy
law should be to empower consumers, to put as many tools as
possible into our hands, and technology is clearly one of those
critical tools.
Senator Edwards. Mr. Schwartz.
Mr. Schwartz. I think that good legislation can stimulate
their use of the right kind of technology. I think as a model
for that, the Child's Online Privacy Protection Act allows
industry to draft safe harbor standards as to how to get
parents' consent at the least cost to parents. Those safe
harbor standards are scrutinized by the FTC, and the FTC has to
approve them. This legislation didn't try to micro-manage the
way industry could go about getting parental consent, but let
industry figure out how to do it at the cheapest cost using
technology.
Senator Edwards. Thank you. I want to continue to work with
you on this issue, because I think there is a way to do this.
Second, I want to change the subject briefly and talk about
something called location privacy, which is--this whole privacy
issue fascinates me, but location privacy has been something I
have been thinking about a lot recently.
You know, everyone in this room who has a cell phone, a
pager, a Palm Pilot, somebody, some company somewhere knows
where they are, and people who use these OnStar directional
systems in their cars, which are becoming more and more
prevalent, also people are going to know where they are in
their automobiles.
And it seems to me that that--and I think there is some
recognition of this--that is information that is private, and
people may want to maintain some control about. I am
introducing legislation today, in fact, on this subject, to
provide people control over that information and specifically
to require their permission in order for whatever company has
that information to give it to--sell it or use it, give it to
third parties.
But I am interested in each of your perspectives on that
issue, whether you think it is important to protect people's
personal information about where they are located, particularly
when they don't want that information disclosed, but the only
reason somebody else has it is because they are using a cell
phone or they are using a pager, or they are using one of these
new systems.
I might add that we have been working with the people
involved in all of those industries, and I think they are
concerned about the same thing. I think they care about their
customers' privacy, so they have been working very closely with
us on this, but I am interested in your comments about that,
starting with you, Mr. Rotenberg.
Mr. Rotenberg. Senator, I think this is one area where
establishing privacy protection at the front end could help
establish consumer confidence in the offering of these new
services and give people the assurance that when they take
advantage of some of these new services, their privacy will be
protected. I really wonder at this point, with the recent
experience of the Internet, if the cellular industry wants to
go through the whole self-regulatory exercise again with
everything that came about from that.
Senator Edwards. If I could interrupt you just a minute,
one of our goals in this is to try to deal with this on the
front end, so that is one of the things we hope to accomplish.
Mr. Rotenberg. Right. I mean, some of the practical
problems that have been identified, for example, is how do you
provide a privacy notice on a cell phone screen? It is just--it
is not going to work. I think my colleague, Mr. Cate, even
acknowledged recently that this seemed to be an area where
legislation was appropriate. And I think here again, good
privacy legislation will be good for consumers; it will protect
their data. It will be good for business, because they will be
able to provide some assurance to their customers that their
information won't be misused.
Senator Edwards. Mr. Cate and Mr. Schwartz, my time is up.
Just give me a couple sentences each, please.
Mr. Cate. I agree. I think it is a critical issue. I think
in reality it is going to be a tremendously vexing issue,
because it shows the difficulty of this sort of dialog of
notice and choice and all of this, because there is, as Mr.
Rotenberg says, ``really very little room in that for a
screen''.
And finally it highlights the fact that, I think, frankly
what most people in the cases we have seen so far are worried
about is Government coming and subpoenaing those records, and
no amount of privacy policy is going to deal with that, because
you can't insert a contract to protect you from a Federal
action.
Senator Edwards. Mr. Schwartz.
Mr. Schwartz. I just want to comment on one thing which is
a knowledge gap in this area. It is not only that we have to
worry about cookies and web bugs, but here we have another area
in which there is likely to be an information asymmetry between
the people who collect the information and the consumers. I
think legislation could help that, because you are not going to
have a negotiation when there is that gap in knowledge.
Senator Edwards. I thank the witnesses very much, and I
thank the Chairman for his indulgence.
The Chairman. Thank you.
Senator Kerry.
STATEMENT OF HON. JOHN F. KERRY,
U.S. SENATOR FROM MASSACHUSETTS
Senator Kerry. Thank you, Mr. Chairman.
Let me begin, if I may, by just saying to my colleagues
that I am circulating a letter and ultimately will be putting
in a resolution on P3P, urging all of us in the Senate to make
our web sites P3P compliant, and ultimately that we should be
urging all government entities to do so. The chicken and egg
issue that was raised earlier is a real issue. You won't have
the software developed and available unless people are making
machine-readable capacity at their sites and vice versa, so it
goes together, and I think we need to set the example and try
to move on that.
Second, with respect to the issue raised by Senator Boxer
and Senator Edwards, I have talked to Senator Hollings, our
Chairman, about this. Senator McCain and I will be
reintroducing our legislation, but with some added detail this
time. I think the mistake we made before and I think the
mistake we are all making here in this discussion is that this
is being made somewhat more complicated than it needs to be,
and that is because we are confusing medical and financial
requirements and demands with privacy with a pure commercial
transactional demand, and there are distinctions.
There are distinctions, obviously, in the Supreme Court in
terms of commercial speech, and there are distinctions in the
weights that we have heard discussed here about what sort of
public interest is measured against the restraint that we put
in place to support that interest. And in the balance--and I
have talked to the Chairman about this privately--I believe
there is a mix and match here, that there is a much easier way
to have opt-in, where opt-in is appropriate, almost obviously,
as a matter of common sense, on medical information and
financial information, but that precisely because of the
delicate nature of the commercial transaction and the status of
the Internet and all of the interest we have in its future
development and the potential for sales, et cetera, and the
need to still fulfill the full measure the experiment here
about whether or not you can survive on advertising or not or
how it is going to work, there is a marketing component where
there is just no harm, where you can't measure harm, and we
shouldn't be getting so excited about it.
The mistake, I think, that Senator McCain and I made was we
were silent on the issue of medical and financial, because they
were being sort of dealt with out there in the other universe,
and I don't think you can be. I think it is too easy for people
to say, ``Well, wait a minute; how are you going to deal with
this particular component''. It is absolutely clear, Mr.
Chairman, that financial information deserves the most privacy
you can give it, and there ought to be sufficient protection.
Likewise, medical, absolutely. What we have heard described
here is unacceptable by any standard.
But--and, again, here is where we are all missing
something--the debate is really not so much centered on opt-in
versus opt-out if you have adequately adhered to the five
principles that have been set out by the FTC and by most
observers with respect to notice, adequate notice; adequate
choice; adequate access; adequate security; and adequate
enforcement. If you have each of those sufficiently, then opt-
in/opt-out becomes a much more diminished sort of argument. And
I see you are nodding your head, Professor Schwartz, and I
think you would agree that there is sort of a confusion here.
Now, if--let me ask you each sort of a fundamental question
here. Are we concerned--should this Committee be concerned with
a generic American citizen right to privacy, or are we
concerned with some specialized thing called privacy on the
Internet?
Professor Schwartz.
Mr. Schwartz. There are two trends here that are colliding.
One is the trend of convergence. The Internet is now being
incorporated into more aspects of our life, so we may be
accessing it through a telephone or a television. It becomes
increasingly difficult then to view the Internet as an
abstraction. The difficulty, however--and I don't have a
solution to this--is that the American tradition of privacy
legislation has been sectoral in focus. So to that extent it is
quite appropriate to be looking at privacy legislation for the
Internet. That has traditionally been the way that we have done
it, but there is this tension----
Senator Kerry. Well, I don't disagree. I don't disagree at
all, but I think each of you--Mr. Rotenberg, you and I have
discussed this in previous hearings. We have kind of been over
this ground before, and I think we are talking past each other
a little bit. If privacy is the concern of Americans--and
Senator raised this earlier a little bit--you have a right to
privacy in Stop-and-Shop or Safeway or any store, just as you
do on the Internet.
If the information when you walk into a department store is
used to market to you, do you deserve the same protection for
that as you do for the marketing, for the browsing that you do
within the Internet, if the only harm is the potential that you
are going to receive a solicitation? So is the protection the
same?
Mr. Schwartz. I think the concern for privacy, yes, is the
same, and the focus of legislation, to the extent that you want
to have legislation, should be at the moment of collection to
the extent you see that there is harm.
Senator Kerry. But you see--and I think each of you would
agree with this--if we--we wind up picking winners and losers.
If we are only focused on the Internet transaction, we create a
requirement that applies to a sale in one place but doesn't
apply to a sale in another place. Where is the equity in that,
Mr. Rotenberg?
Mr. Rotenberg. Well, Senator, I understand your point, and
I don't think it is appropriate to impose different rules, but
at the same time----
Senator Kerry. But we are being asked to.
Mr. Rotenberg. Not exactly, sir. You see, the Internet by
its nature, because it is an interactive digital environment,
creates privacy risks that simply do not exist in the physical
world. If you go into a supermarket, the only cookies you are
going to find are on aisle 7, and they are going to have a blue
bag around them. But if you go onto the Internet, every web
site that you go to potentially is going to try to place a
tracking technique on your computer. There is----
Senator Kerry. I agree with that. I completely agree with
that, but that then depends--you see, but the question is still
the same. Does the same right of privacy attach to the
potential of a solicitation that comes out of the tracking of
your purchases over a period of time at a store versus the
tracking that takes place of your browsing or journeys on the
Internet? That's question No. 1.
And No. 2: If we were to adequately do the mix and match
that we have talked about, so that you have the adequate
notice, the adequate security, the adequate enforcement, the
adequate choice, and you are opting into that or opting out, as
the choice may be according to what the potential harm is, you
can provide the protection for the financial, provide the
protection for the medical, prohibit the cookies, maybe even
make an opt-in where cookies are involved, make an opt-in where
you have the lack--where you have any other kind of tracking
for your journeys as a whole, but not interfere necessarily
with the more mundane, normal, transactional, routine effort
that people are more concerned about.
And that is where, I think, you find the most concern in
terms of whether or not it is a choice of opt-in/opt-out
ultimately. It seems to me you can provide the adequate
protection and provide for a range of technological fixes
simultaneously. Would you like to comment?
Mr. Cate. Yes, Senator, I would. I think that is exactly
correct. In other words, when you said earlier focus on the
harm, where is the harm, that that is exactly the point. If
Congress were to deal with the issues where there is a real
threat of harm or sensitive financial or sensitive medical
information, as you have already dealt with the situation of
children, much of this issue would presumably go away.
The problem has been that many of these laws are being
interpreted much more broadly, so, for example, Gramm-Leach-
Bliley, which I think everybody would support some level of
privacy protection for financial information, but in the hands
of Federal regulators, financial information got defined to
include your ZIP code; it got defined to include your address;
it got defined to include things that most of us don't mean
when we mean financial information.
We already see from HHS the same movement in health
information, where in order to have health information de-
identified, it has to be de-identified, for example, to the
year of treatment. Well, I just don't think the month I was
treated is highly sensitive medical information, as I was
trying to intimate earlier in the dialog with Senator
Rockefeller, so it depends on how you define these.
But if you define them so you deal with information that
poses real risks, that is precisely where a legislative
solution is desperately needed.
Senator Kerry. All right. Fair enough.
Well, I think, Mr. Chairman, that is precisely what our
bill will set out to do this time, and I certainly want to work
with you to see if we couldn't make that mix and match
adequately, but what we are going to do is not be silent this
time. I think we are going to be more specific, more
comprehensive in that regard, and it seems that if you have
adequate notice, choice, access, security and enforcement, and
then measure the act of sort of opening up your site and
deciding where you want to go, that is a form of opt-in in and
of itself.
I mean, the minute you turn on your computer and sit down
at it, you are opting in, and the key here is to know where you
are going in terms of the cookies and the other intrusions that
people are not necessarily aware of today.
Thank you, Mr. Chairman.
The Chairman. I won't be silent either.
Senator Cleland.
STATEMENT OF HON. MAX CLELAND,
U.S. SENATOR FROM GEORGIA
Senator Cleland. Thank you very much, Mr. Chairman. I opted
in to coming to the hearing, but after seeing the complexity, I
am about to opt out.
I am--I guess my mind seeks to make some sense of all this
by trying to search for the fundamental issue here. We talked
in terms of privacy, and of course, the American people want
private transactions, whether it is on the telephone, whether
it is watching television, whether it is on the Internet, or
whether it is shopping. I wonder if the ultimate issue is not
so much privacy or even secure telecommunications or even
interactive communications, but in terms of what we are after
here, a comfort level by the consumer without which the
commerce does not move forward.
I mean, after seeing the printout of what Jay Rockefeller
catches on his Internet, I am kind of glad I don't have a
computer at home. I don't have a television, so I am being more
disconnected, not so much for fear of invasion of privacy but
hearing what I hear about how people can track me if I had a
computer and access to Internet, that gives me pause as a
citizen, and our citizens out there have great concern about
this.
I wonder if the ultimate question is about who chooses
what, not so much what they choose, opt-in, opt-out, but who
chooses. Who is empowered here and who is disempowered? I mean,
it seems like the whole great blessing of the Internet can also
be a curse. We can sow to the wind, and we can reap the
whirlwind. We have sown to the wind, and it is a blessing in
the sense that we are more connected. We know more about each
other than we ever thought we would ever know, and a lot of
that is good; a lot of that is healthy.
But I think people basically want the power themselves to
determine when anybody knows anything about them. It is one
thing to turn on a TV, a one-way interaction here, and watch it
while sitting in the privacy of my home. It is another thing to
turn on a television in the privacy of my home and realize
everybody is watching me. That is a whole new dimension here,
and as we get into interactive television and other forms of
interactive communication, where I am, what I am watching, what
I am doing and how I am communicating will be more and more
broadly known.
So I think therein is the challenge here: how to continue
to lower the barriers that have been there for communications,
how to open up communications, whether it is e-commerce or
personal communications, but then how to retain the power of
the individual to be empowered to determine when other people
see me, see what I am doing, and have access to me and my
information.
I mean, it seems to me that that might be the crux of the
matter. I get lost in the opt-in/opt-out, although I identify
with Mr. Rotenberg here that maybe we talk about a blend here.
But who knows where to draw the line, and is it really possible
to draw that line in legislation? I mean, I don't think I am
quite smart enough to. I mean, I do see where the European
Union has tried to do it and where some 70 companies have
signed up with the EU privacy safe harbor concept, including
Microsoft.
The safe harbor requires notice, opt-in for sensitive
personal information, opt-out for commercial marketing personal
information, and a right of reasonable access and security.
Safe harbor also prohibits the onward transfer of personal
information to third parties unless those parties also adhere
to the safe harbor concept. So, I mean, that is the European
Union. They have moved on it, and some 70 companies have signed
up. That is one way to go about it, to increase the sense of
security about what people are communicating about.
But I wonder if the real answer isn't this whole question
of who determines whether or not I am looked at, whether or not
I am tracked. Mr. Rotenberg, do you want to comment?
Mr. Rotenberg. Well, Senator, I was going to say that I
actually thought your point really goes to the heart of the
issue, perhaps more so than the debate over opt-in and opt-out
and preemption or private right of action, all those other
specific provisions. What privacy laws seek to do is to give
people the ability to control the use of their personal
information, to enable people to do business with their banks
and to give sensitive information to doctors and a whole host
of other things.
But at their core, the intent is to address the concern
that you identified: How do we control this information about
us? And I think the reason that we need to stay focused on that
issue as opposed to some of these other line-drawing issues is
that first of all, those line-drawing issues are very
difficult, and second, they can be misleading. It is tempting
to say, for example, that medical information, financial
information, is particularly sensitive, so that we will give a
high standard to, and we will do something else with the rest
of the information.
But what do you do when you find out, for example, that
rental car companies now have the ability to track you when you
are driving your car, and they know, for example, when you
drive too fast? Millions of Americans learned this past week
that that was taking place, and they were very upset about it.
It didn't fall neatly into the bin marked, Medical information,
or the bin marked, Financial information, but it was, I think,
very much a part of what you were describing. It is the ability
to control information about oneself.
Senator Cleland. If they ever find out what we are doing on
a Saturday night date in the car, then we will all be in
trouble.
Mr. Cate.
Mr. Cate. Senator, I think you are exactly right. The
question is, you know, who makes the decision and on how much
knowledge--you know, what knowledge or information do they have
when they make it? I think when you think in the context of the
Internet, we have talked a lot about the ability of the
Internet to be a privacy compromising technology. It is also a
privacy-protecting technology. It offers the ability to appear
to the world without appearing physically, the ability to block
a fair amount of information about oneself.
The list that has been circulated of Mr. Rockefeller's
browsing habits, which I have not seen but would love to,
Senator, is taken from his computer, the computer obtained in
his office, just like if a checkbook were in the office or if a
credit card statement were in the office. And interestingly,
the technology is there to block the recording of cookies, to
clear out the cache so that there is no record of where the
computer has been; in other words, to put the individual
entirely in the driver's seat.
But even the failure to exercise that means only that if
somebody breaks in your office or is authorized to come in and
look for that information, they find it. And there is a
question of how much farther should law go to protect us.
Senator Cleland. Mr. Schwartz.
Mr. Schwartz. I think the point about trying to empower and
shifting power to consumers is a critical one in this debate,
and I also agree with you regarding this issue about the
comfort level for consumers, which we have discussed today, and
about how good privacy legislation will hopefully stimulate e-
commerce and increase this comfort level.
Senator Cleland. Thank you all very much. My time is up,
Mr. Chairman. Thank you.
The Chairman. Very good.
Senator Ensign.
STATEMENT OF HON. JOHN ENSIGN,
U.S. SENATOR FROM NEVADA
Senator Ensign. Thank you, Mr. Chairman. It is great to be
back on the Committee, by the way. We----
The Chairman. Glad to have you back, too.
Senator Ensign. This whole issue of privacy--and I think,
first of all, some of it has been generated by the movies that
we grew up watching and some of the books that we grew up
reading, but we live in the world today where some of those
things are becoming reality.
I also think that some of this is being generated by the
Internet because people don't understand technology; they
don't--they are afraid of it. A lot of this, it seems to me, is
being put on the Internet which came out of telemarketing and
mass mailing. I mean, that is where people are sick of getting
things in the mail, and--I know I am.
I will give you a great example, and I will compliment a
company. I doubt if anybody from the Bose Company is here
today, but I just bought one of those new Bose wave radios, and
I was very impressed by the company, because at the register,
they asked me if I wanted to sign up for the warranty
information. I never fill those things out--I don't think
anybody does hardly anymore--because they know that you are
just getting put on some mailing list. Well, right there, they
gave an opt-out provision, and they said, ``Do you want to be
on our mailing list''. And, of course, I said, ``no''.
But it is that type, I think, of thing that people are so
sick of, that now this is being put on the Internet, that they
think it is going to be much worse, and I think that--and what
I would like your comment on, and I would like to start with
you, Mr. Cate, is the idea that, first of all, people don't
understand what they are trying to protect themselves from. Do
they really understand--I mean, we all want--none of us want
our personal identity to be stolen and somebody go get our
credit cards, you know, and get a driver's license and go and
ruin us. I mean, those are the horror stories that we hear
about.
But at the same time--and I will use this example. I am
from Nevada. You come and you stay in a hotel. You register in
that hotel. You give them all of your information, including
credit card information. That hotel now will periodically
contact you and say, ``We are having a special, a discount
during a certain period of time''. Well, you have signed up.
You didn't necessarily opt in to get that information, but at
the same time, you kind of like it. Some people might; some
people might not.
And, you know, and the marketplace determines whether or
not companies are going to go more toward the opt-out or opt-in
provision right up front. Because more and more people are
demanding that.
But I guess what I would like your comment on is: How
careful do we have to be that we don't ruin some of this
interaction between a company that you have voluntarily given
your information to and still protecting the privacy and
getting the public to understand what privacy truly is?
Mr. Cate. Thank you, Senator. You have raised a number of
issues. I think there is no question about what much of sort of
the angst we see about the Internet that is called privacy
might be somewhat more undifferentiated, and if you would do
follow-up questions and surveys, you find that on the Internet,
security seems to really be the major issue. I am not
suggesting it is not related to privacy, but we should
recognize that it is a very different issue.
What people are worried about, as I think Senator Boxer
read out, is if I provide my credit card, will it be safe
getting to you? And no amount of opt-in or opt-out or anything
is going to do one thing about that, so if we want to respond
to that concern, that should be identified more clearly.
It is also interesting that, of course, we, even people who
spend a lot of time on the Internet or think we understand some
little something about it, nevertheless find ourselves behaving
somewhat, you know, irrationally. You know, will I provide my
US Air--my Visa card to US Air when I buy a ticket online? You
know, I worry, is it safe, but I provide it over the phone, or
I provide it at a restaurant where the guy disappears with it
for 20 minutes. I don't have any idea where it is, and I feel
great. And, you know, it just shows that I am behaving like an
idiot. I mean, that doesn't necessarily suggest that there
should be legislation requiring that I be made to feel better.
On the question of sort of the interaction with companies,
I think this does reflect the fact that although we all
complain about junk mail, everybody does--it doesn't matter
what side of this issue you are on; I have never met anyone who
didn't. On the other hand, it is interesting. If you talk to
people in companies, the customer service center reports that
the most frequent complaint letter they get related to direct
mail is not, why did you send it, but why didn't you send it.
My neighbor got a coupon; why didn't I. Why am I no longer
getting the catalog in the mail? Why am I no longer getting
these offers?
And the thing that we really don't like is anybody else
getting something we didn't get. And so, you know, we have to
worry about whether there really is much harm----
Senator Ensign. Not to interrupt you on that, but I haven't
ever had anybody complain that they didn't get one of my mail
pieces in a campaign.
[Laughter.]
Senator Ensign. Sorry.
Mr. Cate. There are so many things I should say to that,
but none that I would, so--you know, so I think you are right
and especially on the Internet, where the only relationship
that most consumers have with their companies that they do
business with is information. The only way my banker or airline
company or whatever that I deal with online knows me is through
information, so the only way they know what to offer me, what
to show me, what meets my interest, is by collecting and using
that information. To cut that off only hurts me.
Senator Ensign. Just before the other--and I want both of
you to follow up. Also maybe incorporate being somewhat
familiar with health information--I mean, that seems to be one
of our most precious things that we want private, and we talk
about balancing all of this. And yet if you are into the study
of epidemiology, the spread of diseases, we know that what you
don't want is your medical information made public, because
those are private things you wouldn't want them to know. But--
you also don't want to have somebody perhaps discriminate
against you on a job if they find something out, or just some
people are just real private about those kinds of things.
But at the same time, that information is very important
for us when we are, you know, talking about especially
communicable diseases or studying--for instance, in Nevada
right now, there is this leukemia cluster going on with kids.
Well, if you don't know that there are 11 cases, if that
information isn't shared, we don't know that there is a
leukemia cluster going on.
And so, just if you could, incorporate some of those
thoughts into your response.
Mr. Rotenberg. Senator, I need to say again that it is, I
don't think, generally the view of the privacy community to
oppose online marketing. I think the question is, how can you
do it in a way that is fair, you know, and acceptable to
consumers. Frankly, if you do it in a way that is not fair and
acceptable, then you get a lot of backlash, and we have seen
that.
Now, I said earlier that I think the right approach is
opt-in coupled with opt-out, and in fact, in terms of the history
of the Internet, this is common sense to most people. If you
want to get on a mailing list, if you want to receive
information about a topic area, you subscribe to the list, and
you get it for as long as you want, and if you are not happy
about it or if you lose interest, you unsubscribe, and the
relationship ends.
What a lot of the marketing companies try to do, in effect,
is they said, ``Oh, we are not really concerned if you are
interested in this; we think you are interested in this; we are
going to put you on the list, and we are going to make it
difficult for you to get off the list''. Now, I think in that
kind of relationship, people understandably aren't going to be
very happy, so what I think a good privacy law does is
establish those practices that allow businesses and consumers
to say, ``OK, we all agree to this; I want to get that
information, and this is going to be made to work''.
And I think, of course, in the medical privacy area, it is
particularly important to do that, as Eli Lilly learned this
past week with their inadvertent mailing.
Mr. Schwartz. Let me begin by saying something about health
information. You are absolutely right that having anonymous
information and good statistical data sets is critical to the
nation's public health. This is something on which I have been
privileged to work with the Department of HHS. The Center for
Disease Control and the National Center for Vital Health
Statistics look at these issues very carefully to make sure
that there are high-quality, statistical data sets for the
nation's scientists to work with.
The second thing I would like to say is that I think what
you are describing, Senator, is the development of a
mass-market Internet. We have gotten there quickly. There are people
who say that every year in Internet time is about 7 years off
the Internet because everything changes so quickly. We have
moved very quickly from a first generation Internet in which
there were only scientists on it to now I don't know how many
generations in which everybody is on it. I have to tell you
personally this is something I have felt, because my mother a
number of years ago decided to get a computer at home, and for
a while, I felt like I was on full-time tech support in
addition to teaching law and going about my life. So now
everybody is on the Internet, and it is not surprising that
Congress is thinking about consumer protection legislation.
And I think in the history of this country, as other
devices such as the automobile, such as commercial aviation,
move into the mass market, Congress has stepped in to try to
stop some of the abuses.
Senator Ensign. Thank you, Mr. Chairman.
The Chairman. Very, very good. This has been an outstanding
panel. The Committee is indebted to you, and we will leave it
open for questions or any add-ons that you may have and your
observations.
We have got to move now to panel number 2 as quickly as we
can. We thank them for their patience. We have got Hans Peter
Brondmo, author of ``The Engaged Customer;'' Les Seagraves,
the vice president of Earthlink; Paul Misener, of Amazon, he is
the vice president of global public policy; Jason Catlett, the
president and founder of Junkbusters; and Ira Rubinstein, the
associate general counsel of Microsoft.
And I realize the hour is getting late, and we are going to
have--you see the interest of the Senators here, and we are
going to have to give everyone just as much time as you
possibly need. We will include the statements in their entirety
in the record, and we will ask you if you can please summarize
them in 5 minutes, so that will take the next half-hour here
with this important panel.
Mr. Seagraves, are you ready?
STATEMENT OF LES SEAGRAVES, VICE PRESIDENT
AND CHIEF PRIVACY OFFICER, EARTHLINK INC.
Mr. Seagraves. Mr. Chairman and members of the Committee, I
am the chief privacy officer for Earthlink. I appreciate this
opportunity to speak to you about Earthlink, privacy, and
legislation.
Earthlink, based in Atlanta, is the nation's second largest
Internet service provider, connecting approximately 5 million
customers to the Internet through dial-up, broadband, and
wireless services. We have built our company and customer base
over the last 7 years by providing fast, reliable connections
and superior customer service and technical support.
Our focus on customer service has immersed us in the
privacy debate. While we generate the majority of our revenue
from monthly subscription fees, there is always the temptation,
not to mention a compelling business case, to sell our valuable
customer information to third parties. But early in our
company's history, we decided to forego additional revenue we
could make from selling our customers' personal information in
exchange for gaining our customers' long-term trust by
protecting their privacy.
This decision continues to be a tough one. On one hand,
Earthlink stands on the threshold of renewed profitability with
pressure from shareholders and the investment community to
squeeze out every extra dollar we can, and with the devaluation
of Internet advertising, merchants are increasingly willing to
pay for targeted personal information.
On the other hand, we are an ISP with a strong focus on
customer service. Our customers rely on us not only to give
them fast, reliable Internet connections, but to help them
enjoy the best possible online experience. If our customers
have technical problems, they can use our tech support. To
reduce spam, they look to us to provide both service-side and
client-side filters. And regarding their personal information,
they look to us to protect their privacy. We have gladly
accepted this role and continue to garner high levels of
customer satisfaction and loyalty.
As an ISP, we are not just running a web site. We have lots
of detailed customer information that would be quite valuable
to affiliates or partners or other third-party marketers.
Opt-in versus opt-out really isn't an issue for us, because we
don't share customers' personal information. Although our
privacy policy may seem to be typical notice, choice, access,
and security, the fact is Earthlink has chosen not to be in the
business of selling, sharing, or renting customers' personally
identifying information, and this is a huge distinction between
Earthlink and many other companies that collect information
online.
We believe that good privacy means good business. Trust
equals revenue. Earthlink has highlighted privacy in its
national advertising campaign with great response. I think it
is important to point out the forces that control Earthlink's
actions and decisions on privacy today. First, a strong stance
on privacy is just good business. On the outside, we are guided
by the FTC privacy guidelines and Section 5 of the FTC Act. On
the inside, we do what we say we are going to do. This is one
of the core values and beliefs developed by former Earthlink
chairman and MindSpring founder, Charles Brewer. If we make a
huge privacy mistake, we would be severely penalized by the
press, our customers, and the market.
Under most of the pending and proposed Federal legislation
in Congress today, Earthlink probably already complies without
making any changes. We have a solid privacy policy. We notify
customers of the information we collect, and although we say we
give customers a choice of sharing their information, so far we
have not asked them to make that choice. Customers can access their
information 24 hours a day. Our network security involves some
of the most advanced practices in the industry.
Federal legislation would have certain benefits. It could
set a much needed Federal standard for privacy policies and
practices. It could preempt state law, eliminating the need for
Earthlink to navigate 50 different state privacy laws. It would
also help to weed out those companies that abuse the privacy of
consumers.
Congress should exercise care not to create a regulatory
mine field for good companies like Earthlink that do their best
to comply. Legislative requirements should not prevent us from
clearly and effectively communicating with our customers about
their privacy and choices. Legislation should not strain the
ability of Government by enforcing broad laws that focus on
technical compliance rather than on actual harm to consumers.
Most of our customers want to take advantage of the
convenience and the innovation that the Internet provides. They
want to get the best prices for the merchandise and services.
They don't want to have to log in to every web site. They want
an Internet that is customized to their tastes and preferences.
They also want protection from fraud and misuse of their
information. Our customers would benefit from the creation of a
standard that clearly gives them the information they need to
make intelligent decisions about their own privacy.
By encouraging the same technical innovation that brought
us the Internet, Congress can rely on the private sector as a
partner in protecting privacy. If you must pass privacy
legislation, focus on setting a standard, not creating
regulatory barriers. Focus on getting customers meaningful
information they really need to make decisions. Focus on
helping good companies like Earthlink provide services that
people really want and use and thereby drive the economy.
Thank you again for the opportunity to testify.
The Chairman. Thank you, sir.
[The prepared statement of Mr. Seagraves follows:]
Prepared Statement of Les Seagraves, Vice President and
Chief Privacy Officer, EarthLink, Inc.
Mr. Chairman and Members of the Committee: My name is Les Seagraves
and I am the Chief Privacy Officer for EarthLink. I appreciate this
opportunity to speak to you about EarthLink, privacy and legislation.
EarthLink, based in Atlanta, is the nation's 2nd largest Internet
Service Provider, connecting approximately 5 million customers to the
internet through dial-up, broadband and wireless services. We have
built our company and customer base over the last 7 years by providing
fast, reliable connections and superior customer service and technical
support.
Our focus on customer service has immersed us in the privacy
debate. While we generate the majority of our revenue from monthly
subscription fees, there is always the temptation, not to mention a
compelling business case, to sell our valuable customer information to
third parties. But early in our company's history we decided to forgo
the additional revenue we could make from selling our customers'
personal information in exchange for gaining our customers' long term
trust by protecting their privacy.
This decision continues to be a tough one. On one hand, EarthLink
stands on the threshold of renewed profitability with pressure from
shareholders and the investment community to squeeze out every extra
dollar we can. And with the devaluation of internet advertising,
merchants are increasingly willing to pay for targeted personal
information.
On the other hand, we are an ISP with a strong focus on customer
service. Our customers rely on us not only to give them fast, reliable
internet connections, but to help them enjoy the best possible online
experience. If our customers have technical problems, they can use our
award-winning technical support. To reduce spam, they look to us to
provide both server-side and client-side filters. And regarding their
personal information, they look to us to protect their privacy. We have
gladly accepted this role and continue to garner high levels of
customer satisfaction and loyalty.
Why Is EarthLink Different?
As an ISP, we're not just running a website. We have lots of
detailed customer information that would be quite valuable to
``affiliates'' or ``partners'' or other third-party marketers. Opt-in
versus opt-out really isn't an issue for us because we don't share
customers' personal information. Although our privacy policy may seem
to be the typical notice, choice, access and security, the fact is that
EarthLink is not in the business of selling, sharing or renting
customers' personally identifying information. This is a huge
distinction between EarthLink and many other companies that collect
online information. We believe that good privacy means good business.
Or put another way, trust equals revenue. EarthLink has highlighted
privacy in its national advertising campaign with great response.
While we believe that our current privacy policy meets industry
best practices, we are currently working on a new privacy policy which
should set an example for proper clarity and scope. We will, in clear
plain language, explain how and what information we collect, what we do
with it and what a customer can do to protect their information. We
have developed the following privacy principles as an internal guide to
our day to day business activity:
1. We will let our customers know all of the personal information
that we collect and what we do with it.
2. We will not give, sell or share personally identifying
information to anyone except to:
  - comply with valid law enforcement requests for information
  - deliver our service to our customers
  - honor agreements where customers come to us through
third-party promotions.
3. No one else will use the information that our customers give to
us to contact our customers except on our behalf.
4. Our customers will be able to choose what non-essential
information they provide to us.
5. Our customers will be able to choose how we contact them.
6. Our customers will have access to all of their personal
information.
7. We will take care to secure all customer information that we
have.
8. We will ensure that all of our partners and contractors abide by
and agree to these principles.
Why Is EarthLink Doing This?
I think it is important to point out the forces that control
EarthLink's actions and decisions on privacy today. First, a strong
stance on privacy is just good business. On the outside we are guided
by the FTC privacy guidelines and Section 5 of the FTC Act. On the
inside we do what we say we are going to do, this is one of the Core
Values and Beliefs developed by former EarthLink Chairman and
MindSpring founder Charles Brewer. If we make a huge privacy mistake,
we would be severely penalized by the press, our customers and the
market.
What Would Be the Advantages to EarthLink if Federal Legislation
Passed?
Under most of the pending and proposed Federal legislation in
Congress today, EarthLink probably already complies without making
significant changes. We have a solid privacy policy. We notify
customers what information we collect. Although we say we give
customers a choice of sharing their information, so far we have not
asked them to make the choice. Customers can access their information
24 hours a day through the internet or the telephone. Our network
security involves some of the most advanced practices in the industry.
What Would Be the Advantages to EarthLink if Federal Legislation
Passed?
Federal legislation would have certain benefits. It could set a
much needed Federal standard for privacy policies and practices. It
could preempt state law, eliminating the need for EarthLink to navigate
50 different state privacy laws. It would also help to weed out those
companies that abuse the privacy of others.
What Are EarthLink's Concerns About Legislation?
Congress should exercise care not to create a regulatory minefield
for good companies like EarthLink that do their best to comply.
Legislative requirements should not prevent us from clearly and
effectively communicating with our customers about their privacy.
Legislation should not strain the ability of government by enforcing
broad laws that focus on technical compliance rather than the actual
harm to consumers.
In the media, much of the debate about privacy legislation seems to
focus on opt-in versus opt-out provisions. While important, these
provisions should be viewed in their proper context as part of the
single information practice of notice. And we should all recognize that
no standard is foolproof. Even with the stricter opt-in standard, if
the boxes on the screen are already checked, is it still opt-in? With
either an opt-in or an opt-out standard, the bottom line is to ensure
customer notice and consent.
We should further note that any proposed new privacy legislation
would not be the first. Congress has a long history of enacting laws
that address the use of personal information, including the
Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability
Act (HIPAA), the Children's Online Privacy Protection Act (COPPA), the
Electronic Communications Privacy Act (ECPA), and many others.
However, Congress should also be aware of the unintended
consequences that can result from even the best intentioned
legislation. While few would argue with the goal of COPPA to prevent
the collection of information from young minors, the cost of compliance
proved to be too great for many legitimate, independent, local
kid-oriented websites. In an online world where an increasing amount of web
traffic is concentrated in a relative handful of sites owned by large
media and software companies, privacy protection should not further
reduce diversity on the World Wide Web.
How Would Legislation Affect EarthLink's Customers?
Most of our customers want to take advantage of the convenience and
innovation that the internet provides. They want to get the best prices
for merchandise and services. They don't want to have to log in to
every web site. They want an internet that is customized to their
tastes and preferences. They also want protection from fraud and misuse
of their information. Our customers would benefit from the creation of
a standard that clearly gives them the information they need to make
intelligent decisions about their own privacy. By encouraging the same
technical innovation that brought us the internet, Congress can rely on
the private sector as a partner in protecting privacy.
Conclusion: Suggestions to Lawmakers
If you must pass privacy legislation, focus on setting a standard
not creating regulatory barriers. Focus on getting customers meaningful
information they really need to make decisions. Focus on helping good
companies like EarthLink provide services that people really want and
use and thereby drive the economy.
Thank you again for the opportunity to testify.
* * * * * * *
EarthLink Core Values and Beliefs
What's important at EarthLink? We are convinced that the key to
creating a truly great organization is an intense focus on the values
that guide its people's actions. These are EarthLink's ``Core Values
and Beliefs''. If we don't seem to be living up to them, call us on it!
  - We respect the individual, and believe that individuals
who are treated with respect and given responsibility respond by giving
their best.
  - We require complete honesty and integrity in everything we
do.
  - We make commitments with care, and then live up to them.
In all things, we do what we say we are going to do.
  - Work is an important part of life, and it should be fun.
Being a good businessperson does not mean being stuffy and boring.
  - We love to compete, and we believe that competition brings
out the best in us.
  - We are frugal. We guard and conserve the company's
resources with at least the same vigilance that we would use to guard
and conserve our own personal resources.
  - We insist on giving our best effort in everything we
undertake. Furthermore, we see a huge difference between ``good
mistakes'' (best effort, bad result) and ``bad mistakes'' (sloppiness
or lack of effort).
  - Clarity in understanding our mission, our goals, and what
we expect from each other is critical to our success.
  - We are believers in the Golden Rule. In all our dealings
we will strive to be friendly and courteous, as well as fair and
compassionate.
  - We feel a sense of urgency on any matters related to our
customers. We own problems and we are always responsive. We are
customer-driven.
The Chairman. Mr. Brondmo.
STATEMENT OF HANS PETER BRONDMO, AUTHOR, ``THE ENGAGED
CUSTOMER'' AND NETCENTIVES, INC. FELLOW
Mr. Brondmo. Chairman Hollings, members of the Committee, I
thank you for inviting me to participate in this very important
hearing about Internet privacy.
I am a technology entrepreneur. I am an author, and I am a
consultant to industry on the usage of customer information and
email to build customer relationships. The company I founded in
1996, NetCentives, today manages over 50 million relationships
with customers. It manages customer information, opt-in and
opt-out, on over 50 million people on behalf of some of the
leading corporations in this country.
At the center of the debate about Internet and privacy is a
very simple question. Who owns information about an individual?
Does a person have rights to and control of the information
being gathered about him or her? Or should whoever collects the
information be able to use and commercially exploit that
information in any manner they see fit?
My remarks this morning will revolve around this broader
issue of information ownership, specifically how we think about
collecting and using personally identifiable information
consistent with our beliefs both in personal liberty and in
free enterprise. I begin by suggesting that we consider
personal information to be a capital asset, just like we do
financial information.
It goes without saying that no modern business survives
today in a fiercely competitive marketplace if it keeps its
financial assets in disarray, not knowing how much working
capital is available, and not knowing who is managing the
money. Yet that is exactly how most companies manage their
customer information assets today. They don't know what they
have got; they don't know who has got what; and they don't know
what databases contain what information.
It turns out that a comparison between financial assets and
information assets provides a powerful model for thinking about
information ownership. To illustrate this, let's consider the
following familiar example from the banking world.
Like many Americans, I have some savings, and I have a
stock portfolio. I have chosen to hand over control of my
financial assets to professional asset managers. I keep my
money in a local bank, and I work with a stockbroker. When
selecting my bank and stockbroker, I have two primary selection
criteria: trust and returns. If I do not trust a bank, I will
not give them my money, and if the competition, the bank next
door, consistently out-performs and offers better returns, what
will I do? I will withdraw my money, and I will deposit it with
the bank next door, with the competition.
As individuals, I believe that we are increasingly becoming
aware that our personal information also has value, and just as
we will choose to deposit our financial assets with asset
managers based on trust and returns, we are learning to apply
the same two criteria when we deposit our personal information
with a business, and if that business breaches our trust or
does not manage our information in order to generate a return
in the form of good service, convenience, what will we do? We
will withdraw it, and we will deposit it with a competitor who
does.
In short, the expectation is that we own and control our
personal information. Yet while the individual may own the
information about themselves, we must also realize that it is
this information when used properly which enables businesses to
build relationships with its current and prospective customers,
and to realize significant financial gain from its ongoing
interactions with those customers.
Without access to personally identifiable information,
companies cannot get to know their prospects and customers, and
if they cannot know and enter into personal dialog with these
very people they do business with, it is equivalent to not
being able to greet a customer when she first walks into your
store, or even worse, not being able to develop a relationship
with that customer and recognize her for her loyalty when she
returns to that store over and over again.
Yet does the customer want the store to know her before she
has even introduced herself? Does walking into a store for the
first time constitute some implicit permission for the store to
dip into a database and look up who she is? Would she be
comfortable if the grocery store knew how many children she has
the very first time she entered? Would she be concerned if the
grocer sold their knowledge about her low-fat diet to her
insurance provider without explicit permission?
The issue is one of personal choice about personal data,
and these are exactly the questions we are debating when we are
discussing notice, choice, access, and security.
In summary, the new thinking that must be adopted in order
to realize the potential value and benefits inherent in the
smart use of customer information is based on the following two
principles: first, that the individual owns and controls his or
her personal information and chooses to deposit that
information with companies based on expectations of trust and
returns; second, that businesses represent themselves as the
custodians, not the owners, of personal information. They
invest in and actively manage that information asset in order
to generate returns for the customers and for their
shareholders.
To ensure broad adoption of these principles, I believe
that government regulation is necessary. While it is not the
role of Government to dictate to companies what they may do
with information nor what information they may collect, it is
the responsibility, in my view, of the Federal Government as an
extension of its constitutional duty to protect civil
liberties, to ensure that the use of information is based on
clear notice, consent, and always under the control of the
individuals to whom it belongs.
Mr. Chairman, members of the Committee, change is always
difficult. As we all know, it is difficult at the personal
level, and it can be painful and sometimes expensive at the
corporate level. When change came to the auto industry a few
decades ago, it was resisted, not embraced. We all know the
consequences. It is in my humble opinion time for all corporate
America to change the way it uses and manages customer
information. Leaders who embrace this change will stand to win
big. Those who resist it will be left behind.
I am encouraged by your leadership in this area, and thank
you for the opportunity to address the Committee this morning.
The Chairman. We thank you.
[The prepared statement of Mr. Brondmo follows:]
Prepared Statement of Hans Peter Brondmo, Author,
``The Engaged Customer'' and Netcentives, Inc. Fellow
Chairman Hollings, Senator McCain and Members of the Committee
thank you for inviting me to participate at this important hearing on
Internet privacy. My name is Hans Peter Brondmo and I am a technology
entrepreneur, author and consultant to industry on the usage of
customer information and email to build customer relationships. I
believe that these hearings are timely because we find ourselves at a
fork in the road where one path can lead us to a win both for
individual rights and for industry, while the other takes us down a
treacherous path where all parties lose. Strong leadership and
decisive action will ensure that we choose the correct path.
At the center of the debate about Internet and privacy is a simple
question: Who owns information about an individual? Does each person
have rights to and control of the information being gathered about him
or her or should whoever collects the information be able to use and
commercially exploit it in any manner they see fit? While the question
may be simple the answers are complex.
My remarks today focus on the broader issue of information
ownership in which I propose a framework for how we think about
collecting and using personally identifiable information, consistent
with our belief both in personal liberty and in free enterprise. I will
return to this framework momentarily. First let me take a brief look at
where we find ourselves at this moment in time.
It seems that historically the rules which govern what information
a company can collect about its customers and prospects and what they
can do with this information favor industry over individual rights.
For example, there have been egregious instances in which many a credit
worthy individual has been summarily denied a home mortgage, auto loan
or educational financing on the basis of incorrect personal data that
had been surreptitiously collected and never submitted to the person
for verification. Erroneous data often has been through the hands of
several firms without the individual's knowledge, making correction
impossible. Meanwhile, without effective recourse, a deserving
individual's personal life is severely damaged.
The attitude that dominates the current business environment is
that Federal privacy legislation will hamper free enterprise and limit
industry's ability to grow and innovate. I disagree with this attitude
and believe that we need to move away from the mindset that any
information a company captures about their customers is theirs to
exploit and even sell in whatever manner they see fit. I would like to
propose that industry allows the free market to determine the value of
their integrity. If customers trust the organizations they do business
with and these businesses have integrity, customers will award them
with access to their personal information. If not, it seems only
reasonable that a customer must be allowed to inspect or withdraw that
information. An obvious question is why now? If we have managed so far,
why can we not continue on the same program? And the answer is
obvious: the Internet. According to what we read, every device and tool
we rely on to enhance our lives will soon be connected to the Internet:
our automobiles, our homes, our cellular telephones, our television
sets, our hand-held cameras, our Jacuzzi tub, our electronic credit
card. And while the benefits are many including pervasive access to
information and the ability to communicate regardless of location,
there is a dark side. These devices will pass along information about
who is using them, where they are located and perhaps even details
about what a person is doing. This information about individuals can be
collected and analyzed in ways that were not possible prior to the
Internet. The potential threats to privacy are enormous.
While the new technologies present fantastic opportunities and real
threats to individual rights it is also important to recognize that the
challenges posed to industry are real and formidable as well. Internet
technologies are changing the manner in which companies conduct
commerce. They are fundamentally impacting the way businesses
communicate with and service their customers. It's a fact that
personally identifiable information is a key ingredient to
individualized and successful commerce in an information economy. Just
as fossil fuels powered the industrial revolution and new
transportation technologies made it possible to achieve economies of
scale, information is the fuel of the global economy and the Internet
is the engine powering an explosive growth. My experience has convinced
me that if the ability to collect and use customer information is
compromised, American industry will be at a competitive disadvantage.
That said, business as usual will not do.
While some industry leaders are holding themselves to high
standards, a majority of businesses still think in old terms regarding
how to realize value from personally identifiable information.
Corporations need to come to terms with a new definition of the value
they realize from such information both in order to safeguard personal
liberties and in order to realize the vast potential of properly
managed information.
Central to this definition of value are two assumptions: first, that
customer information is a precious capital asset and second, that the
individual, not the company they do business with, owns and controls
information about themselves.
Acting on these two assumptions, let me return to the framework
that I made earlier reference to. It goes without saying that no modern
business survives long in today's fiercely competitive marketplace if
it keeps its financial assets in disarray not knowing how much working
capital is available and who has the money. Yet that's exactly how most
companies manage their customer information. They don't know what
they've got, they don't know who has what and they don't know what
databases contain what information. It turns out that the comparison
between financial capital and information capital is a good way to
illustrate the new framework. Consider the following familiar example
from the banking industry.
Like most Americans, I have money in the bank and I have a stock
portfolio. I have chosen to hand over my financial assets to
professional asset managers. I keep my money in a local bank and I
work with a stockbroker. When selecting my bank and stockbroker I had
two primary selection criteria: TRUST and RETURNS. If I do not trust a
bank I will not give them my money. And if the competition, the bank
next door, consistently offers better returns what will I do? I will
withdraw my money from my current bank and deposit it with the
competition.
As individuals we are increasingly becoming aware that our personal
information has real value. And just as we will choose to deposit our
financial assets with asset managers based on TRUST and RETURNS, we are
learning to apply the same two criteria when we ``deposit'' our
personal information with a company. And if that company breaches our
trust or does not manage our information in order to generate a return
in the form of good service and convenience, we will withdraw it and
deposit it with a competitor who does.
Information that an organization collects about the individuals it
interacts with should be treated like a capital asset. It is this
information, when used properly, which enables a company to build
relationships with their current and prospective customers and to
realize significant financial gain from its ongoing interactions with
those customers. Without access to personally identifiable information
companies cannot get to know their prospects and customers. And if they
cannot know and enter into a personalized dialogue with the very people
they do business with, it is equivalent to not being able to greet a
customer when she walks into a store. Or even worse, not being able to
develop a relationship with that customer and recognize her for her
loyalty when she returns to that store over and over again.
Yet does the customer want the store to know who she is before she
has introduced herself? Does walking into a store for the first time
constitute implicit permission for the store to dip into a database and
look up who she is? Would she be comfortable if a grocery store knew
how many children she has the very first time she entered? Would she be
concerned if the grocer sold their knowledge about her low-fat diet to
her insurance provider without her permission and knowledge? The issue
is one of personal choice about personal data. And these are the types
of questions we are asking when we discuss ``opt-in'' policies, notice
and access.
To address these important concerns, I offer four principles that
exemplify the new thinking I believe must be adopted in order to
realize the potential value and benefits inherent in the smart use of
customer information.
Organizations (data vendors) represent themselves as the
custodians--not owners--of personal information.
Organizations invest in and actively manage the
information they gather about individuals in order to generate a return
to those individuals as well as to all other constituents
(shareholders).
The individual owns and controls his or her personal
information and chooses to deposit it with a company based on
expectations of TRUST and RETURNS.
Individuals receive many benefits, such as better service,
more relevant information and time savings, and achieve higher
efficiencies as an organization gets to know them by collecting and
appropriately utilizing personal information about them.
While the argument that industry self-regulation can address all
these principles may seem appealing, it is my belief that unless we
have uniform and consistent rules providing a foundation for these
principles, the individual cannot rely on them for protection and
consistency. Furthermore, it means we do not have a level playing field
for industry.
Let me share with you an example that illustrates some common
misconceptions and hurdles that confront those who favor giving
customers proper notice, access and control of their personal
information. And while this example illustrates a company that did the
right thing in the end, it also illustrates that doing right by the
customer is doing right by the business and therefore that
appropriately written legislation will have a net positive impact on
business.
The email marketing company I founded in 1996 has worked for
several years with an online music retailer. Some time ago the retailer
was experiencing a customer satisfaction problem because they were
sending too many promotional emails to their customers. Once you had
made a purchase from the company you were added to their marketing
database and began receiving electronic commercials. It was very
difficult to stop the flood. We argued for better notice and a simple
and straightforward unsubscribe mechanism, making it easy for customers
to remove their name from the mailing list. The company hesitated to
heed our advice for seemingly logical reasons: They had spent tens of
millions of dollars on marketing to attract their customers and we were
telling them that if a customer wanted to disengage, it should not only
be possible, it should be easy. They could not convince themselves that
``letting a customer go'' was good business. As their satisfaction
problems continued to grow the music retailer finally decided to
perform a test with a small sub-segment of their customers. They
implemented a very simple one-click unsubscribe process for the test-
customers making it easy for them to stop the emails or modify their
personal profile. To the retailer's great surprise, they discovered
that their new process had no negative impact on the business
whatsoever. The people that complained about receiving too many emails
were not likely to make any more purchases. More astonishing was the
fact that when the company rolled out the new functionality to their
whole customer base and promoted on their e-commerce web-site how easy
it was to opt-out, their level of opt-in improved significantly. People
were more comfortable signing up when they knew they were in control
and it would be easy to disengage from the service should they not want
it in the future. Providing customers with the ability to easily access
and change their personal profile information, including removing their
names altogether built trust and confidence. The music retailer
profited from making it easy for its customers to unsubscribe or
disengage.
As this example illustrates, determining what is appropriate notice
and what represents adequate permission in order to collect personally
identifiable information is not simple. Furthermore, it would also seem
that there is no single solution appropriate for all situations. My
experience has convinced me that opt-out with notice may be an
appropriate level of protection in many instances. Yet there are also
many cases where strict opt-in is the only appropriate solution. In
situations where information is being collected strictly for internal
use in an organization, my opinion is that an appropriate level of
protection is afforded by requiring opt-out with notice. Where there
may be possibilities that personally identifiable information will be
transferred to an external organization that an individual is
interacting with, it seems the only appropriate solution is to require
full opt-in.
What is key here is the concept that no matter the circumstance,
every firm must assume full responsibility for protecting personal data
entrusted to it, whether by customers, employees or prospects.
Implementation will necessarily vary with circumstances but as in
matters of law, policies will indicate intent.
Finally we must acknowledge the considerable cost to industry
implicit in requiring stricter enforcement of notice, permission and
complete access to and control of personal information. In my opinion
the requirement that industry provides individuals with access to and
control of personally identifiable information will be the most costly
component to implement as it probably requires that such information be
centralized.
Most organizations do not have the technical ability to centralize
their customer information today, nor do they have the internal
processes to enforce uniform and appropriate use of customer
information. That said, it is feasible to implement such solutions with
existing technology and developing best practices business processes to
support such an initiative is a question of good management.
Furthermore, the policy changes an organization must undertake to
implement proper privacy protection for its members and customers are
the same initiatives essential to focusing the organization around its
customers, an important trend in business and marketing. In other
words, the investment made to protect the individuals' privacy is an
investment in best business practices and will generate handsome
returns when made a corporate priority.
America is a country of innovators and inventors. The way
personally identifiable information is managed by industry must change
and I am convinced that the spirit of innovation and creativity will
lead us to new and significantly enhanced solutions. I have no doubt we
can create options that support industry's need to collect, combine and
even share personally identifiable information, all without
compromising individual privacy.
In order to drive this change, I believe that government regulation
is necessary. While it is not the role of government to dictate to
companies what they may do with customer information, it is the
responsibility of the Federal government as an extension of its
constitutional duty to protect civil liberties to ensure that the use
of information is based on the consent and always under the control of
the individuals to whom it belongs. We need a foundation for major
change as well as a level playing field and only Federal legislation
can establish the required ground rules. While industry self-regulation
can work in some cases and in some states, it will not be an effective
way to ensure a win-win scenario for all citizens of America
and for industry alike. When it comes to protecting privacy and
empowering a competitive data industry, the Federal government, in my
opinion, has an indispensable role to play.
Mr. Chairman, and Members of this Committee I am encouraged by your
leadership in this area and thank you for the opportunity to address
the committee this morning.
The Chairman. Mr. Misener.
STATEMENT OF PAUL MISENER, VICE PRESIDENT,
GLOBAL PUBLIC POLICY, AMAZON.COM
Mr. Misener. Thank you, Chairman Hollings, very much, and
members of the Committee. My name is Paul Misener. I am
Amazon.com's Vice President for Global Public Policy.
Mr. Chairman, Amazon.com is pro-privacy. The privacy of
personal information is important to our customers, and thus it
is important to us. Indeed, as Amazon.com strives to be Earth's
most customer-centric company, we must provide our customers
the very best shopping experience, which is a combination of
convenience, personalization, privacy, selection, savings, and
other features.
At Amazon.com, we manifest our commitment to privacy by
providing our customers notice, choice, access, and security.
Amazon.com was one of the very first online retailers to post a
clear and conspicuous privacy notice, and last summer, we
proudly unveiled our updated and enhanced privacy policy by
taking the unusual step of sending email notices to all of our
customers, then totaling well over 20 million.
We also provide our customers meaningful privacy choices.
In some instances, we provide opt-out choice, and in other
instances, we provide opt-in choice. We are an industry leader
in providing our customers access to the information we have
about them. They may easily view and correct as appropriate
their contact information, payment methods, purchase history,
and even the click stream record of products they view while
browsing Amazon.com's online stores.
Finally, Amazon.com vigilantly protects the security of our
customers' information. Not only have we spent tens of millions
of dollars on security infrastructure; we continually work with
law enforcement agencies and industry to share techniques and
develop best practices. It is very important to note that other
than an obligation to live up to pledges made in our privacy
notice, there is no legal requirement for Amazon.com to provide
our customers the privacy protections that we do.
So why do we provide notice, choice, access and security?
The reason is quite simple. Privacy is important to our
customers, and thus it is important to Amazon.com. We simply
are responding to market forces. Indeed, if we don't make our
customers comfortable shopping online, they will shop at
established brick-and-mortar retailers who are our biggest
competitors. These market realities lead us to conclude that
there is no inherent need for privacy legislation.
That said, we have been asked whether Amazon.com could
support a privacy bill. Perhaps we could, Mr. Chairman, but
only under certain circumstances. Under no circumstances would
we support a state or local law governing online privacy. Not
only would such laws be constitutionally suspect, a nationwide
web site like Amazon.com would find it difficult, if not
impossible, to comply with 50 or more sets of conflicting
rules.
At the Federal level, Amazon.com could support a bill that
would require notice and meaningful choice, but only if it
would preempt inconsistent state laws, bar private rights of
action, and address both online and offline activities. Please
allow me to briefly address each of these points.
First, any Federal privacy legislation applied to online
activities must preempt inconsistent state laws. Even though
such laws most likely would fail a constitutional challenge,
the expense and uncertainty of litigation should be avoided
with a congressionally adopted ceiling.
Second, Amazon.com could support a privacy bill only if it
would bar private rights of action. The threat of aggressive
private litigation would cause companies to balkanize their
privacy notices for the sake of legal defensibility at the
expense of simplicity and clarity. Ten-page privacy statements
in fine print legalese would become the norm.
A regulatory body such as the Federal Trade Commission, on
the other hand, could balance the competing interests of legal
precision and simplicity. A class action plaintiff's lawyer
would have no such motivation.
Third and finally, Amazon.com believes that privacy
legislation must apply equally to online and offline
activities. It makes little sense to treat information
collected online differently from the same and often far more
sensitive information collected through other media, such as
mail and warranty registration cards, point of sale purchase
tracking, and magazine subscriptions.
On the one hand, such parity is necessary in fairness to
online companies, but more importantly, it would be misleading
to American consumers to enact a law that applies only to
online entities, because for the foreseeable future, the
putative protections of such a law would apply only to a tiny
fraction of consumer transactions. Last year, online sales
accounted for less than 1 percent of retail business.
Obviously any law that addresses only online transactions
could not benefit consumers much at all, compared to one that
equally addresses online and offline activities. Moreover, to
the extent it provides real consumer benefits, a law that
addresses only online activities would have the perverse effect
of failing to provide any benefits to those on the less
fortunate side of the digital divide. Indeed, consumers who,
because of economic situation, education or other factors are
not online would receive no benefits from a new online-only
law.
In sum, Mr. Chairman, Amazon.com is pro-privacy in response
to consumer demand and competition. We believe market forces
are working and thus believe there is no inherent need for
legislation. Nonetheless, Amazon.com could support limited
Federal legislation, but only if it preempts state laws, only
if it bars private rights of action, and only if it applies to
offline as well as online activities.
Thank you again for inviting me to testify, Mr. Chairman. I
look forward to your questions.
The Chairman. Thank you very much.
[The prepared statement of Mr. Misener follows:]
Prepared Statement of Paul Misener, Vice President,
Global Public Policy, Amazon.com
Chairman Hollings, Senator McCain, and members of the Committee, my
name is Paul Misener. I am Amazon.com's Vice President for Global
Public Policy. Thank you for inviting me to testify today.
A pioneer in electronic commerce, Amazon.com opened its virtual
doors in July 1995 and today offers books, electronics, toys, CDs,
videos, DVDs, kitchenware, tools, and much more. With well over 30
million customers in more than 160 countries, Amazon.com is the
Internet's number one retailer.
Mr. Chairman, Amazon.com is pro-privacy. The privacy of personal
information is important to our customers and, thus, is important to
us. Indeed, as Amazon.com strives to be Earth's most customer-centric
company, we must provide our customers the very best shopping
experience, which is a combination of convenience, personalization,
privacy, selection, savings, and other features.
At Amazon.com, we manifest our commitment to privacy by providing
our customers notice, choice, access, and security. Please allow me to
address each briefly:
Notice. Amazon.com was one of the first online retailers to post a
clear and conspicuous privacy notice. And last summer, we proudly
unveiled our updated and enhanced privacy policy by taking the unusual
step of sending email notices to all of our customers, then totaling
over 20 million people.
Choice. We also provide our customers meaningful privacy choices.
In some instances, we provide opt-out choice, and in other instances,
we provide opt-in choice. For example, Amazon.com will share a
customer's contact information with our trusted partner Greenlight.com
only after that customer makes an opt-in choice.
Access. We are an industry leader in providing our customers access
to the information we have about them. They may easily view and correct
as appropriate their contact information, payment methods, purchase
history, and even the ``click-stream'' record of products they view
while browsing Amazon.com's online stores.
Security. Finally, Amazon.com vigilantly protects the security of
our customers' information. Not only have we spent tens of millions of
dollars on security infrastructure, we continually work with law
enforcement agencies and industry to share security techniques and
develop best practices.
It is very important to note that, other than an obligation to live
up to pledges made in our privacy notice, there is no legal requirement
for Amazon.com to provide our customers the privacy protections that we
do.
So why do we provide notice, choice, access, and security? The
reason is simple: privacy is important to our customers, and thus it is
important to Amazon.com. We simply are responding to market forces.
Indeed, if we don't make our customers comfortable shopping online,
they will shop at established brick and mortar retailers, who are our
biggest competition. Moreover, online--where it is virtually effortless
for consumers to choose among thousands of competitors--the market
provides all the discipline necessary. Our customers will shop at other
online stores if we fail to provide the privacy protections they
demand.
These market realities lead us to conclude that there is no
inherent need for privacy legislation. That said, we have been asked
whether Amazon.com could support a privacy bill. Perhaps we could, but
only under certain circumstances.
Under no circumstances would we support state or local laws
governing online privacy. Not only would such laws be constitutionally
suspect, a nationwide website like Amazon.com would find it difficult
if not impossible to comply with fifty or more sets of conflicting
rules.
At the Federal level, Amazon.com could support a bill that would
require notice and meaningful choice, but only if it would preempt
inconsistent state laws, bar private rights of action, and address both
online and offline activities. Please allow me to briefly address each
of these points.
Preempt State Law. First, any Federal privacy legislation applied
to online activities must preempt inconsistent state laws. As I noted
earlier, it would be virtually impossible for a nationwide website to
comply with inconsistent rules from multiple jurisdictions. Even though
such laws most likely would fail a constitutional challenge, the
expense and uncertainty of litigation should be avoided with a
Congressionally adopted ceiling.
Bar Private Rights of Action. Second, Amazon.com could support a
privacy bill only if it would bar private rights of action. The threat
of aggressive private litigation would cause companies to balkanize
their privacy notices for the sake of legal defensibility, at the
expense of simplicity and clarity. Ten-page privacy statements and
fine-print legalese would become the norm. A regulatory body such as
the Federal Trade Commission, on the other hand, could balance the
competing interests of legal precision and simplicity. A class action
plaintiffs' lawyer would have no such motivation.
In addition, the aforementioned uniformity necessary to run
nationwide websites would be destroyed by a host of trial lawyers suing
companies all across the country. A single authority, such as the FTC,
could provide the nationwide approach that private litigation cannot.
Parity with Offline Activities. Third, and finally, Amazon.com
believes that privacy legislation must apply equally to online and
offline activities, including the activities of our offline retail
competitors. It makes little sense to treat information collected
online differently from the same--and often far more sensitive--
information collected through other media, such as offline credit card
transactions, mail-in warranty registration cards, point-of-sale
purchase tracking, and magazine subscriptions.
On one hand, such parity is necessary in fairness to online
companies. It simply would not be equitable to saddle online retailers
with requirements that our brick-and-mortar or mail order competitors
do not face.
But more importantly, it would be misleading to American consumers
to enact a law that applies only to online entities because, for the
foreseeable future, the putative protections of such a law would only
apply to a tiny fraction of consumer transactions. Last year, online
sales accounted for less than one percent of all retail business.
Obviously, any law that addresses only online transactions could not
benefit consumers much at all compared to one that equally addresses
online and offline activities such as using a grocery store loyalty
card or subscribing to a magazine.
Moreover, to the extent it provides real consumer benefits, a law
that addresses only online activities would have the perverse effect of
failing to provide any benefits to those on the less fortunate side of
the digital divide. Indeed, consumers who, because of economic
situation, education, or other factors, are not online would receive no
benefits from a new, online-only law.
In sum, Mr. Chairman, Amazon.com is pro-privacy in response to
consumer demand and competition. We believe market forces are working
and, thus, believe there is no inherent need for legislation. We firmly
oppose the adoption of any non-Federal privacy law that addresses
online activities. Nonetheless, Amazon.com could support limited
Federal legislation, but only if it preempts state laws, only if it
bars private rights of action, and only if it applies to offline as
well as online activities.
Thank you again for inviting me to testify. I look forward to your
questions.
The Chairman. Mr. Catlett.
STATEMENT OF JASON CATLETT, PRESIDENT
AND CEO, JUNKBUSTERS CORP.
Mr. Catlett. Thank you, Mr. Chairman. It is an honor to
appear before you again, and I would like to commend the
Committee on its steadfast attention to privacy, particularly
Senators Wyden and Burns for their hard work on junk email.
Rather than reading a prepared statement today, I would like to
comment on some of the examples that you have raised.
Gramm-Leach-Bliley, I think, serves as an excellent example
of the utter failure of the opt-out model. A survey by the
American Banking Association found that 41 percent of people do
not recall having received their notices, so their privacy
interests do not seem to be protected by this.
We could take an example of one of these privacy notices,
which are very confusing and, in my opinion, highly deceptive
in some cases. Let's take U.S. Bancorp's consumer privacy
pledge which opens with the sentence, ``Protecting your privacy
is important to the U.S. Bancorp family of financial service
providers.''
If you read 400 words down, you will then find that the
bank allows itself to disclose all of the information it has to
other financial institutions with which it has joint marketing
arrangements. Indeed, according to the state attorney general
of Minnesota, Mike Hatch, the company has a history of making
such disclosures.
He alleges that U.S. Bank has disclosed the following
information, which is in my written testimony: name, address,
telephone numbers, gender, marital status, home ownership
status, occupation, checking account number, credit card
number, Social Security number, birth date, account open date,
average account balance, automated transactions authorized,
credit card type and brand, number of credit cards, cash
advance amount, behavior score, bankruptcy score, date of last
payment, amount of last payment, date of last statement,
statement balance.
Now, in its defense, the CEO of the bank characterized this
kind of transaction as an industry-wide practice, and as the
bank's privacy statement discloses, it can continue to do this.
Now, I think if you were to ask the average American consumer,
is she happy about having all of this information sold to a
telemarketer, I think we can assume that she would say ``no''.
And yet her interests and wishes are not being served by the
opt-out model. She has to find the statement, read it, go
through the opt-out procedure, and under the limited rights
provided by Gramm-Leach-Bliley, can't even opt out of many of
the uses of information.
So I think this example shows that opt-in is the
appropriate standard. If the bank wishes to be able to sell
information about its customers, it can offer them a month's
free checking in return and obtain their permission. That is
the appropriate standard in my view.
Another example that you have raised was the case of Eli
Lilly accidentally disclosing information about the takers of
Prozac, and I think here is an example of why a private right
of action is essential. You could ask: Is the market going to
punish Eli Lilly for this breach of privacy? Is it plausible,
for example, that a depressive patient sitting in his doctor's
office would say, ``No, no, don't prescribe me Prozac; I don't
like the manufacturer's privacy practices''.
No. I think there is a clear failure here of the market to
provide a feedback, and if a private right of action were
available for $500, then that would clarify the minds of the
manufacturers and provide an incentive to get its security
procedures in place and to ensure that that kind of incident
doesn't happen again.
Another example of the private right of action occurred
with Amazon. The Federal Trade Commission found in May that
Amazon had likely been deceptive in its information practice
descriptions that it had given to customers, but it decided to
take no action, in part because Amazon had updated its
description to conform with those practices.
I think if you take the analogy, as we have heard, with
financial information, that if the SEC discovered a company had
misled investors in a prospectus but then changed the figures
and let them off, we would regard that as unsatisfactory. So I
think a private right of action will allow individuals to
continue to defend their interests where a Federal Government
agency may be disinclined to do so.
The next example I would like to take that you raised is safe
harbor, which is not an ideal privacy standard in my view, but
it is much higher than the average American gets from the
average company, and I commend Microsoft for recently
announcing that it would adhere to safe harbor, not only for
its European customers but also for all customers worldwide.
I have been a long critic of Microsoft because of their
failure to live up to their own statements of privacy, but I do
hope that they will observe this, and I think it raises the
question of whether Microsoft would support such a standard
being mandated by Federal law and why these many other
companies that have signed on think that the citizens of this
country should not have privacy rights equivalent to those
which they are willing to grant to other countries.
The next example I would like to raise that you have been
discussing is the question of online versus offline. Should
higher standards apply to the online world? My answer is yes
for collection, but no for other types of issues such as access
to information, which I think is very important and onward
forwarding of the information. The Internet provides enormous
opportunities for the collection of information.
If I go into a physical book shop and look at a title on
the shelf, no one is recording that, but an online book shop
is. Traditionally Congress has looked at the ability of
technologies to invade privacy, and applying one standard to
all technology is like saying that a thermal imaging system
which can see through the walls of your house as your body
moves from room to room should be subjected to the same privacy
standards as a photocopier. This is absurd. It is totally
appropriate to have technology-specific controls for collection
of information.
But for principles such as the access to the information
and for the question of whether the permission of the consumer
concerned should be given, provided before it is disclosed for
a secondary purpose, then I think the same standards should
prevail online and offline.
My third point is about P3P, which I have written
extensively on, concluding that it really will not raise the
privacy of the average Internet user, and that it has become
more a pretext for privacy procrastination than a technology
that will improve privacy. But as my time has expired, I will
pass to Microsoft to present on that. Thank you.
[The prepared statement of Mr. Catlett follows:]
Prepared Statement of Jason Catlett, President
and CEO, Junkbusters Corp.
My name is Jason Catlett, and I am President and CEO of Junkbusters
Corp., a for-profit company working with businesses, governments and
legislators to promote privacy and reduce unwanted solicitations such
as junk email. My Ph.D. was in Computer Science, and I have also held
various academic positions, most recently as a fellow at the Kennedy
School of Government, Harvard University (2001-2002 academic year). I'd
like to thank the Committee for inviting me to appear again today, and
for its past hearings on privacy.
Rather than repeating matter from my written statement of May 25
last year or from the testimony today of Professors Rotenberg and
Schwartz (with which I concur), I would like to examine several events
and trends over the past 13 months since I appeared before you all, and
ask how they should inform your deliberations. My view is that recent
experience reinforces the conclusion that strong comprehensive privacy
law is urgently needed, with a private right of action and without the
preemption of state law.
Over the past year businesses have admitted that privacy is a
problem that is not going to go away without legislation. Executives at
companies such as Hewlett-Packard, Dell, Intel, and the American
Electronics Association (a large trade group) have called for Federal
privacy legislation. Many have advocated a weak ``notice and opt out''
bill, but several marketing leaders have come out in favor of an opt-in
standard. Permission marketing, as they call opt-in, has matured from a
radical idea to a mainstream doctrine. Online marketers know that spam
(Unsolicited Commercial Email) has poisoned the good will of online
consumers, and some trade associations have supported opt-in as the
standard for email marketing. As I have testified before your
Subcommittee, I believe this standard should be Federally mandated.
The opt-out model has recently been put to a large-scale test, as
the weak privacy requirements of the Gramm-Leach-Bliley Act (GLB) came
into effect at the beginning of this month. According to a survey by
the American Banking Association, 41% of people do not recall having
received their notices; clearly they have not been served well by the
opt out model. The 36% of people who read their notices may have gained
too rosy a picture of the state of their privacy. For example, US
Bancorp's Consumer Privacy Pledge opens with the assurance that
``Protecting your privacy is important to the U.S. Bancorp family of
financial service providers.'' Four hundred words later, the bank says
it allows itself to disclose all of the information it has ``to other
financial institutions with which we have joint marketing
arrangements.'' Indeed, the bank has not been reluctant to make such
disclosures in the past. According to Minnesota Attorney General Mike
Hatch, it sold to a telemarketing company the following information about
its customers: ``name, address, telephone numbers of the primary and
secondary customer, gender, marital status, homeownership status,
occupation, checking account number, credit card number, Social
Security number, birth date, account open date, average account
balance, account frequency information, credit limit, credit insurance
status, year to date finance charges, automated transactions
authorized, credit card type and brand, number of credit cards, cash
advance amount, behavior score, bankruptcy score, date of last payment,
amount of last payment, date of last statement, and statement
balance.'' In a prepared statement the bank's CEO characterized this
kind of transaction as an ``industry-wide practice.'' Now, I think it
is reasonable to presume that if the average American were asked in a
plain and direct manner whether she wanted the bank to sell all this
information about her to telemarketers, she would say ``no''. But by
failing to find, read, understand, and respond to a privacy notice, she
has unwittingly allowed this to happen. Under the opt-out model, banks
continue practices against the desires of the majority of their
customers, by making their notices ineffective, vague, and bordering on
deceptive, and by placing the burden on the consumer to try to
understand what they need to opt out of and how. The GLB experience is
a clear illustration of the necessity of an opt-in model for disclosure
and secondary use of information. In their lobbying against opt-in
legislation, banks claimed it would cost them millions if they were
required to obtain consent before selling information about their
customers. This is an understandable motive, but the question for
lawmakers is whose interests should prevail here.
Over the past year the Internet bubble has burst, and some who
lobby against privacy for Internet companies have changed their tune
from ``don't crimp the nascent growth of this new medium'' to ``don't
hit us while we're down.'' One might wonder whether under this logic
there could ever be an appropriate time for privacy rights; I would
suggest this time is long overdue. As Professor Rotenberg concluded
from a Gallup poll, privacy continues to be a major reason for non-
participation, as well as an ongoing concern of online shoppers; this
does not decline as users become more experienced. Forrester Research
has concluded that ``Nearly 90% of online consumers want the right to
control how their personal information is used after it is collected. .
. . Surprisingly, these concerns change very little as consumers spend
more time online.'' Many online retailers have gone bankrupt or are
struggling to achieve profitability, as online consumer spending has
failed to grow as quickly as hoped. Unfortunately the many bankruptcies
have further damaged privacy, as customer databases of companies that
formerly promised never to sell personal information without consent
are sold, usually on an opt-out basis. Consumers typically have no
option to see the information that is being sold about them, so the
opt-out choice is fairly meaningless. This is one reason why access
rights should be included in privacy legislation.
At a public workshop run by the Federal Trade Commission in March,
the major consumer profiling companies refused to allow people access
to their own profiles, or even to provide sample profiles.
Online profiling companies also told the FTC that they are
continuing development of their Consumer Profile Exchange technology
without any commitment to observe fair information practices in their
use of it.
In May the Federal Trade Commission found that Amazon and its Alexa
division has likely deceived customers, but it decided ``not to
recommend any enforcement action at this time,'' in part because
the company had changed its description of its practices. This is a
lamentable non-action for a consumer protection agency that is supposed
to keep companies honest. Imagine if the SEC found that a company had
misled investors with fake figures in a prospectus, then let them off
because they had issued new figures and moved into a new business. To
me this incident is an illustration of the need for a private right of
action. So are many other incidents where companies have made
inadvertent disclosures contrary to their undertakings to consumers,
most recently Eli Lilly's release of the e-mail addresses of 600 people
on Prozac. Companies face too little negative feedback for their
errors. What sufferer of depression is going to tell his doctor not to
write him a prescription for Prozac because of the manufacturer's
record on privacy?
Another trend is that more companies online are posting so-called
privacy policies, but the quality of those policies appears to be
getting even worse. This conclusion was reached in one longitudinal
study by Enonymous. There have also been some prominent examples, such
as Amazon.com's change of policy at the end of August 2000. As a customer
of many years, I was shocked to find after a long and careful
examination of their new policy that a company that had previously
undertaken never to sell my information, might now sell the title of
the next book I bought, in the event of a bankruptcy, or in bulk if
they sold a division, such as their book operations.
Dissatisfied, I asked Amazon to delete its records of the books I
had purchased. They have repeatedly refused, saying that their systems
were not designed to accommodate this easily. They also refused my
calls to show their customers all the information they have about them
on request. The laws of several countries in which Amazon operates
require both access and deletion on request, so I find their refusal to
extend these rights to Americans deplorable.
In the past year several nations including Canada and Australia
legislated broad, technology-independent privacy rights for
their citizens, partly with an eye toward enabling free data flows with
the European Union. Some fifty companies have signed up with the
Department of Commerce's Safe Harbor program, committing to a privacy
standard that in my opinion is short of ideal, but still far higher
than most companies provide for their American customers, and higher
than almost all proposed Federal privacy legislation. The program
applies only to the data of Europeans, but Microsoft has stated that it
will apply that standard to all its customers, including the U.S. I
wish I could hear an explanation from these companies as to why they
don't want their American customers to have mandated by law a level of
privacy that they are willing to grant to Europeans.
Ever more intrusive collection technologies are being rolled out,
such as online tracking mechanisms, spyware, face recognition systems,
location tracking devices and thermal imaging. To the lobbyist who says
that the Internet shouldn't be held to a higher standard in privacy law
than the offline world, I ask whether he believes that a camera that
can see his body through the walls of his home should be held to the
same privacy standards as a photocopier. Restrictions on data
collection necessarily take into account the means of collection. When
it comes to the use and disclosure of information, I generally agree
that the same principles should apply regardless of how the information
is collected, processed or distributed.
Enthusiasm seems to have waned in the past year for the hope that
``technology got us into this mess, so technology can get us out of
it.'' I am certainly in favor of privacy enhancing technologies: my
company has for several years published such software, and it has been
used by hundreds of thousands of people. But advances in ``cloaking''
technologies are always outstripped by advances in collection
technologies, both in capabilities and degree of adoption. In September
American Express announced that it would roll out in 2001 a ``private
browsing'' service with a startup company called Privada. Privada
recently ceased operations, and AmEx has told me it does not intend to
deliver the service.
P3P has for years been billed as the privacy technology of the
future, and it seems destined to remain so for at least several more
years. Even if the computer-readable privacy notices of P3P were
universally deployed, it would suffer the same problems as human-
readable privacy notices that I have listed above. Microsoft has
implemented a part of P3P in its next browser, but only as an excuse
not to fix the default settings that allow tens of millions of web
bugs to gather click streams in volumes of billions of clicks per day.
Microsoft's ``thermostat setting'' where surfers are required to tell
their PCs how much they will tolerate being surveilled gives a
misleading and dangerous view of privacy. People should not be forced
to trade privacy for participation. People need legally guaranteed
privacy rights to control the data collected about them.
In July 2000 the FTC sanctioned a deplorably low set of standards
proposed by DoubleClick and a few other online advertising companies
under the name of the Network Advertising Initiative. Some of these
companies are no longer with the NAI, having gone bankrupt or withdrawn
on principle to support privacy. The companies require consumers who do
not wish to be tracked to get ``opt-out'' cookies on their browsers.
This is bad policy and bad implementation. People generally believe
that destroying all their cookies will improve their privacy, and do
not realize that this step in fact removes the record of their request
to be anonymous. This opt-out feature is a contemptible excuse for
massive surveillance.
Mr. Chairman, Members of the Committee, as this collection of a
year's events suggests, each week brings another Love Canal of privacy
to light. In previous centuries people enjoyed privacy as an accidental
byproduct of the practical obscurity of personal information. Those
days are gone forever. Privacy will not return to us by accident.
Privacy will not survive without strong acts of will by democratic
government. Privacy will not survive unless citizens have effective
privacy rights created by governments. Privacy requires the diligent
efforts of companies and institutions to comply with mandatory
standards. Few companies will ask you to impose that discipline on
them. But it is up to you to require all organizations that handle
information about people to treat it fairly. Unless you do that, our
society will not enjoy the benefits that our technology and economy
could deliver, and we will be robbed of something that is very
necessary to a dignified human existence: privacy.
I appreciate the opportunity to speak before you today. I would be
pleased to answer your questions.
The Chairman. Thank you very much.
Mr. Rubinstein.
STATEMENT OF IRA RUBINSTEIN, ASSOCIATE GENERAL COUNSEL,
ELECTRONIC COMMERCE POLICY, MICROSOFT CORPORATION
Mr. Rubinstein. Chairman Hollings, members of this
Committee, thank you for the opportunity to testify today. My
name is Ira Rubinstein, and I am associate general counsel for
electronic commerce at Microsoft. Today I would like to talk to
you about our work on Internet Explorer 6, which is the next
version of our popular browsing technology and which is
available to the public today in a preview version and will be
released generally on October 25 when we ship Windows XP.
In particular, what I am going to show you today are tools
in Internet Explorer 6 that will make the privacy policies of
web sites more transparent to consumers than ever before, and
that will give consumers on a broad scale greater control of
their online information than they have ever had. These tools
will also directly address one of the issues that we hear the
most concerns about, online profiling or tracking, which is the
practice of collecting the history of a user's actions across a
series of web sites.
Before I give an overview of these tools, I want to
emphasize that this effort builds on an open industry standard.
We have been working with the Worldwide Web Consortium on a
technical standard called P3P. The goal of P3P is to provide a
common language for a site to describe its data practices, such
as what data it collects, how the site uses it, how it handles
cookies, and so on. The common language helps web sites
describe the important aspects of their information policies
according to a standardized road map.
I hope my slide presentation will come up in a moment, but
I believe you also have a printout of these slides. P3P also
provides a mechanism for a site to provide a machine-readable
version of its data policies. The grand vision of P3P is that
when sites code their privacy policies according to this
standard and consumers have P3P tools in their hands, they can
automatically match their individual privacy settings and
preferences against the practices of the web sites they are
visiting. If the web site satisfies the consumer's preferences,
the consumer enters the web site without incident. If the site
does not match the individual's personal setting, the consumer
at least is warned of that fact before proceeding.
Let me now show you how this will work in Internet Explorer
6, and I would ask you to refer to the handout of the slides
until the computer here reboots. On slide 3, you will see a box
describing the first-time consumer experience when a consumer
connects to a web site whose privacy practices related to
cookies and information reuse do not match the consumer
settings in Internet Explorer 6.0. When this happens, a small
window appears.
By the way, a cookie is a file created by an Internet site
to store information on the user's computer, such as
preferences when visiting that site or in some cases,
personally identifiable information, such as a name or an email
address.
The window that appears when a user first connects to a
site tells the consumer about a new privacy icon which
unfortunately is not on your screen, but it appears in the
lower right-hand corner as a small red eye, and it represents a
warning that Internet Explorer 6 technology has detected a
mismatch between the consumer settings for accepting or
rejecting cookies, and the practices of the web site. I am now
on slide 4, which has a large arrow pointing to that red eye
icon.
This privacy warning will show up every time there is a
mismatch, and this feature by itself does a lot to foster more
transparency about privacy policies than has been imaginable in
the past. In addition, to offer consumers control, we have
provided an easy mechanism that allows the consumer, the
individual, to specify how Internet Explorer 6.0 should handle
cookies and associated data practices.
I am now on slide 5, which you see has--is labeled, Medium,
and has a slighter setting, and the slides are now appearing on
the screen. This is the default setting for P3P in Internet
Explorer 6, and this setting will ship preinstalled and filter
third-party cookies, the cookies that are used to track users
across sites. By default, these third-party cookies will be
blocked unless the third party provides a machine-readable
privacy policy in the P3P format, so that is requirement No. 1,
that the site have a P3P policy.
And in addition, on this slide, the user in this case has
browsed to an MSNBC site, which is using advertising from MSN
and from other sites, but the cookies delivered along with
those advertisements did not have the appropriate P3P policies
associated with them, so they were blocked, and that is because
P3P is still in the early trial stages, and MSNBC, like other
web sites, has yet to deploy the P3P compact policies.
So these cookies from a site other than the one the
consumer was visiting, the site serving the ads, have been
blocked, because these sites have not yet launched their P3P
policies. Moreover, even if the third party has a P3P-compliant
policy in this medium default mode, its cookies will be blocked
if it is reusing a consumer's personally identifiable
information and does not allow for consumer choice, either opt-
out or opt-in, and this approach tracks the arrangement
established last summer between the FTC and the network
advertising companies.
With a single click, however, consumers can change the
setting to a higher or lower level of privacy. The medium-high
setting requires opt-in for third parties' reuse of personal
information and at least opt-out if the site you are visiting,
a first party site, wants to reuse that personal information.
Users can also click to a high setting, which would require all
web sites to obtain opt-in consent before the reuse of PI, and
you can also block all cookies. There is also a low setting
which would allow the user to accept all cookies, which is
effectively the current state of the web today.
Internet Explorer 6 has a number of other features that
help consumers control their privacy. Most importantly, we have
tools that enable consumers to easily capture and read the P3P-
compliant policy of a site. While I am not showing all these
features today, I would like to mention just a few. We have
tools that allow consumers to import settings from some other
source besides Microsoft, so that Center for Democracy and
Technology, for example, which is an organization that has
worked extensively on the P3P standard, is also in discussions
with us about developing their own settings which a user could
then import onto its browser, and since P3P is an open
standard, other companies could easily develop their own P3P
implementation.
Now, we are actively encouraging web sites to deploy P3P
policies, and based on feedback so far, we hope to see a very
significant deployment. I want to emphasize in closing that we
don't view IE6.0 and its P3P implementation as a silver bullet
solution to all online privacy issues, but it is a very
significant step, and it shows that technology can play a
critical role in addressing consumers' privacy concerns.
Fundamentally, we believe we have done work that consumers
want and that will retain their trust in the face of concerns
over the collection and use of personal information. Thank you,
and I look forward to your questions.
[The prepared statement of Mr. Rubinstein follows:]
Prepared Statement of Ira Rubinstein, Associate General Counsel,
Electronic Commerce Policy, Microsoft Corporation
Chairman Hollings, Ranking Member McCain, Members of this
distinguished committee, thank you for the opportunity to testify
before you today on subjects that are very important to consumers--
Internet privacy and the tools that consumers can use to protect their
privacy. My name is Ira Rubinstein, and I am Associate General Counsel
for e-commerce policy at Microsoft Corporation. At Microsoft, we are
not only dedicated to protecting consumer privacy, but from an even
broader perspective, to building an online community that consumers
trust and to promoting vigorous growth of online opportunities for all.
overview: the marketplace is demanding better privacy tools
Today I would like to share with you just one of the things our
company is doing around the issue of online privacy. For several years,
Microsoft has been at the forefront of promoting privacy online. We
have been developing privacy best practices and procedures under the
leadership of our Director of Corporate Privacy, Richard Purcell. We
have been actively involved in coalitions such as getnetwise.org, which
focuses on building a safer web for our children. Elsewhere in the
company, we are developing futuristic technological tools that have the
potential to ultimately transform how online privacy protection is
delivered to consumers. Today, I would like to discuss with you the
exciting work being done by our Internet Explorer team, the team that
is developing the next version of our browsing technology, Internet
Explorer 6.0.
Because the web is increasingly important in people's lives, one of
the issues customers raise with us more and more is their desire to
know that their privacy is being protected when they go online. When we
receive such feedback, we attempt to the extent possible to incorporate
features that meet this demand and that give consumers better control
of their personal information. In the end, it's our job to build
software that delights our customers. Because of consumer demand,
Microsoft currently has about 25 people working on the privacy
protections in Internet Explorer.
internet explorer 6.0: tackling online tracking
When we talk to our customers, one of the questions they raise most
often is whether their web surfing activities can be tracked. It is an
issue that the Microsoft Internet Explorer team has been working to
address for about eighteen months now. Tracking or profiling is the
practice of collecting a profile or history of a user's actions across
a web site or series of sites. When combined with ``personally
identifiable information,'' such as name, address, phone number or
other identification, whoever collects this profile can market or
target advertising or other services specifically to a customer.
Much of the online tracking you hear about comes through the use of
``cookies,'' small benign pieces of information that a web site stores
on an individual's computer. It is important to note that cookies in
and of themselves are neither good nor bad. Without cookies, the web
wouldn't work as people expect it to. There would be no customization,
no e-commerce and the economics of the web would be called into
question. However, consumers should still be in control of this
technology.
Since most online profiling comes through the use of cookies,
Microsoft has been concentrating its privacy protection mechanisms in
Internet Explorer around cookie management features, which we have
designed to enhance notice and choice of the information practices of
the web sites that consumers use. Based on our experience with a series
of test versions of Internet Explorer and our work with the World Wide
Web Consortium's (the ``W3C's'') Privacy Working Group, we believe that
the next version of Internet Explorer--IE 6.0--will take significant
strides in protecting consumers' privacy.
One of the most challenging things about building software for tens
or even hundreds of millions of people all around the world is that it
needs to work in a way that provides the protection consumers want, but
without disrupting or slowing their web browsing experience. In some of
the earlier test versions of privacy protections in Internet Explorer,
we found that consumers were actually frustrated with tools that
popped up questions or prompted the consumer every time a cookie might
be used for tracking purposes. It turned out to be too burdensome and
confusing for consumers to understand exactly what was going on behind
the scenes on their computers.
From the significant usability tests that Microsoft does, we know
that if you constantly pop up privacy questions, users either disregard
them or perform whatever action is necessary to make these pop-ups go
away. Obviously, this behavior undermines the goal of protecting the
user more thoroughly. So we've been working to create a solution that
helps consumers to control cookies. And we've been especially focused
on so-called third-party cookies that can be used to track your
activities across sites--that is, cookies that come from a party other
than the site a consumer is visiting. Our tools help consumers better
understand the source and purpose of the cookie, thereby giving the
consumer more control over whether it is accepted or rejected. Our
tools also offer a default level of privacy protection that is greater
than exists on the web today, so that out of the box, users of Internet
Explorer 6.0 enjoy protections they currently do not have.
protecting privacy through industry standards
Before we get deeper into the details, let us focus on the role
industry standards have played in getting us to where we are today. As
our engineers were examining the best path to take to control cookies
through Internet Explorer, we were simultaneously working with the
World Wide Web Consortium on a technical standard called the ``Platform
for Privacy Preferences Project'' or P3P. The goal of P3P is to provide
a common language for a site to describe its data practices--such as
what data the site collects, how the site uses it, who gets access to
it, how long the data is retained, what consumers should do if they
have a privacy complaint, etc. The common language helps web sites
describe the important aspects of their information practices according
to a standardized road map.
P3P also provides a mechanism for a site to provide a machine-
readable version of its data practices. The grand vision of P3P is that
once sites code their privacy policies according to the standard, and
consumers have P3P tools in their hands, consumers can automatically
match their individual privacy preferences against the practices of the
web sites they are visiting. If the web site satisfies the consumer's
preferences, the consumer enters the web site without incident. If the
site does not match the individual's personal setting, the consumer at
least is warned of that fact before proceeding.
In Internet Explorer 6.0, we take a significant first step in
promoting adoption of the industry's P3P standard by both web sites and
consumers. By providing a default level of protection out of the box,
we are creating incentives for web sites--and especially those that use
cookies in a third-party fashion--to code their privacy policies in the
P3P language. These incentives will exist because we anticipate that
millions of web surfers will choose to upgrade to IE 6.0 in the near
term and will automatically get the protections IE 6.0 offers.
using p3p in internet explorer 6.0
Again, based on our earlier research, consumers want to be able to
automatically control the use of cookies based on the data practices of
the site sending the cookie. The use of P3P technology to help solve
this online tracking problem is a natural fit.
How will this work? You can actually test these tools now by
downloading the public beta version of IE 6.0 at www.microsoft.com/windows/ie.
But to go through them quickly, here is an overview. By
default, in order for third-party cookies to be set to a consumer's
computer, a third party that collects personally identifiable
information must indicate, via a P3P-compliant mechanism, that the site
offers ``notice'' and ``choice.'' By notice, we mean that the site
provides the consumer a machine-readable privacy policy in P3P format,
which clearly states the information collection practices of that
party. If there is no notice, third-party cookies from this site are
blocked automatically by IE 6.0.
By choice, we mean that if a web site is reusing a consumer's
personally identifiable information, then it must allow the consumer to
``opt out'' of or ``opt in'' to that data reuse. If personal
information is being reused, and consumers don't have choice around
that use, then the cookies from that third-party web site are blocked.
This approach tracks the arrangement established last summer between
the Federal Trade Commission and prominent web advertisers. The core of
that arrangement is that a company that tracks users across sites, at a
minimum, must provide notice of that practice and the choice of opting
out of it.
To help consumers understand the concepts of notice and choice, the
first time a consumer connects to a web site whose privacy practices do
not match the default setting in Internet Explorer 6.0, an
informational dialog box appears. This box attempts to educate the
consumer about a new ``red eye'' privacy icon that appears at the
bottom of the browser window and what this icon means in light of the
user's privacy settings. Then, with Internet Explorer 6.0, as users
browse other sites that attempt to set cookies but do not meet their
privacy settings, the red-eye will reappear, alerting the consumer to
potential privacy issues.
While we have taken care to establish what we believe is a workable
default setting, we've provided a sliding-scale feature that allows
consumers to easily change their privacy settings. With a single click,
consumers can change the default setting to higher privacy settings,
which have more stringent requirements for the use of privacy policies,
or to lower settings, which are less stringent. For example, the
``high'' setting requires all web sites, both first and third-party, to
obtain explicit (opt-in) consent before the reuse of personal
information. We additionally have a feature that allows almost infinite
customizability of the privacy settings, and we have an ``import''
function that allows the consumer to download a third party's privacy
settings (which, for example, may have default settings different from
IE 6.0) and insert them into the browsing technology.
This is just an overview of our technology's features. We are happy
to visit with any congressional office to review the tools in greater
detail.
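To make the notice-and-choice rule above concrete, here is a small model of the cookie decision the statement describes: the medium default (a third-party cookie needs a machine-readable P3P policy, and if personal information is reused, an opt-in or opt-out choice), the high setting (opt-in consent required for reuse by first and third parties alike), the per-site accept and block lists, and the privacy indicator that appears when a cookie is blocked. This is an added example, not Microsoft's code or IE 6.0's actual rule set. The P3P compact-policy header (`P3P: CP="..."`) and the token names used come from the W3C P3P 1.0 specification; how those tokens are mapped onto "notice", "reuse of personally identifiable information" and "choice" is an assumption made for this illustration, and the hostnames are constructed.

```python
"""Toy model of the cookie-acceptance rule described in the statement.
Added illustration; not Microsoft's code and not the real IE 6.0 logic.

Real parts: the P3P compact-policy header format (P3P: CP="...") and the
token names come from the W3C P3P 1.0 specification.
Assumptions: the mapping of tokens onto "notice", "reuse of personally
identifiable information" and "choice" is a simplification chosen for this
example; hostnames below are constructed.
"""
import re
from enum import Enum
from typing import List, Optional

# Category tokens for data that identifies a person (assumption: treat any of
# these as personally identifiable information).  NID means non-identifiable.
IDENTIFYING_CATEGORIES = {"PHY", "ONL", "GOV", "FIN"}

# Purpose tokens other than CUR (the current transaction).  Each may carry a
# consent suffix: a = always, i = opt-in, o = opt-out.  No suffix means always.
REUSE_PURPOSES = {"ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
PURPOSE_RE = re.compile(r"^(%s)([aio])?$" % "|".join(sorted(REUSE_PURPOSES)))
SUFFIX_TO_MODE = {None: "always", "a": "always", "i": "opt-in", "o": "opt-out"}


class Level(Enum):
    MEDIUM = "medium"   # default: notice plus choice required for third-party cookies
    HIGH = "high"       # opt-in consent required for reuse, first and third party


def parse_p3p_header(header: Optional[str]) -> Optional[frozenset]:
    """Return the compact-policy tokens from a P3P response header, an empty
    set if the header exists but carries no CP part, or None when there is
    no header at all (the "no notice" case)."""
    if header is None:
        return None
    match = re.search(r'CP="([^"]*)"', header)
    return frozenset(match.group(1).split()) if match else frozenset()


def consent_modes(tokens: frozenset) -> List[str]:
    """Consent mode declared for each reuse purpose found in the policy."""
    modes = []
    for tok in tokens:
        m = PURPOSE_RE.match(tok)
        if m:
            modes.append(SUFFIX_TO_MODE[m.group(2)])
    return modes


def decide(level, page_host, cookie_host, p3p_header, allowed=(), blocked=()):
    """Accept or block one cookie.  Per-site overrides win; otherwise the
    notice-and-choice rule is applied."""
    if cookie_host in blocked:
        return "block"
    if cookie_host in allowed:
        return "accept"
    third_party = cookie_host != page_host   # simplification: exact host match
    if level is Level.MEDIUM and not third_party:
        return "accept"   # assumption: the medium default restricts only third-party cookies
    tokens = parse_p3p_header(p3p_header)
    if tokens is None:
        return "block"    # no machine-readable notice
    if "NID" in tokens or not (tokens & IDENTIFYING_CATEGORIES):
        return "accept"   # nothing personally identifiable is collected
    modes = consent_modes(tokens)
    if not modes:
        return "accept"   # data used only for the current transaction, no reuse
    acceptable = {"opt-in"} if level is Level.HIGH else {"opt-in", "opt-out"}
    return "accept" if all(m in acceptable for m in modes) else "block"


def browse(level, page_host, responses, allowed=(), blocked=()):
    """Evaluate every cookie-setting response for one page load.  Returns the
    per-host decisions and whether the privacy indicator ("red eye") shows,
    i.e. whether at least one cookie was blocked."""
    decisions = {host: decide(level, page_host, host, hdr, allowed, blocked)
                 for host, hdr in responses}
    return decisions, any(d == "block" for d in decisions.values())


# Constructed sample page load: the visited site sets a first-party cookie and
# four third-party hosts (hypothetical names) try to set cookies.
SAMPLE_RESPONSES = [
    ("news.example", None),                                        # first party, no P3P
    ("ads.tracker.example", None),                                 # no notice
    ("stats.tracker.example", 'CP="NOI DSP COR NID"'),             # non-identifiable data
    ("profile.tracker.example", 'CP="NOI DSP COR ONL TAIa OUR"'),  # reuse, no choice
    ("optout.tracker.example", 'CP="NOI DSP COR ONL TAIo OUR"'),   # reuse with opt-out
]

if __name__ == "__main__":
    for level in Level:
        decisions, red_eye = browse(level, "news.example", SAMPLE_RESPONSES)
        print(level.value, decisions, "red eye shown" if red_eye else "")
```

Running the sample under the medium level blocks the host with no P3P header and the host that reuses online contact data without a choice, accepts the non-identifiable and opt-out hosts, and shows the indicator; under the high level the opt-out host is blocked as well, since only opt-in consent satisfies it.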
our other efforts to promote p3p adoption
I also want to mention the fact that, in the run-up to the release
of IE 6.0, we are actively encouraging web sites to deploy P3P-
compliant privacy policies. Through our ongoing work with the top 100
sites on the web, and with the work that the Internet standards body is
doing, by the time that Internet Explorer 6.0 launches this fall, we
hope to see significant deployment. We've also developed what we call a
``Privacy Statement Wizard,'' an automated privacy statement generator
that can help smaller sites become P3P-compliant by creating policies
simply based on the site's answers to a series of questions about its
practices (subject, of course, to legal review by the site's lawyer).
The statement generator is currently available at http://microsoft.com/privacy/wizard.
It also will soon be available at Microsoft's small
business web portal, at http://privacy.bcentral.com.
putting ie 6.0 in perspective
Since P3P is an open standard, not controlled by Microsoft in any
way, we believe that other companies will develop additional privacy-
enhancing technologies that will also interact in an automated fashion
with sites that have posted P3P-compliant privacy policies. In fact,
we've already seen the emergence of tools that provide analysis of P3P
policies, as well as search engines that only return hits from sites
that follow P3P guidelines. Over the long run, we hope to see
widespread adoption of P3P by the web community, as well as increasing
consumer understanding of the power that P3P tools put in their hands
to enhance--and customize--their privacy protection. We believe
strongly that P3P is an empowering technology and that it can address
in a simpler way the complex questions around consumer preferences and
the articulation of sites' privacy policies.
We do not believe that the work we've done in IE 6.0 to enhance
consumer privacy is a silver-bullet solution, but we do believe it is a
significant positive step--showing that technology can play a critical
role in addressing consumers' online privacy concerns. We believe we
have done work that consumers want and that will delight them. We also
believe that allowing individuals to control their own personal
information is an important, enduring mission for Microsoft. It is an
ongoing process, and not just a single, all-encompassing step. We take
it seriously because our customers do. Finally, we believe that these
first steps to include serious privacy protection in Internet Explorer
will lead to positive cooperation in the industry around this topic and
will result in a better Internet and a better economy. In the future,
we at Microsoft expect to do additional work in this area, using P3P or
other technologies, and we would be happy to keep you abreast of those
efforts.
Again, thank you for allowing me to be with you today, and all of
us at Microsoft look forward to a continuing dialogue.
[GRAPHIC] [TIFF OMITTED] T8997.001
[GRAPHIC] [TIFF OMITTED] T8997.002
[GRAPHIC] [TIFF OMITTED] T8997.003
[GRAPHIC] [TIFF OMITTED] T8997.004
[GRAPHIC] [TIFF OMITTED] T8997.005
[GRAPHIC] [TIFF OMITTED] T8997.006
[GRAPHIC] [TIFF OMITTED] T8997.007
[GRAPHIC] [TIFF OMITTED] T8997.008
[GRAPHIC] [TIFF OMITTED] T8997.009
The Chairman. Very, very good.
Senator Wyden.
Senator Wyden. Thank you, Mr. Chairman. Mr. Chairman, I
think it has been an excellent hearing. It has really been a 3-
hour teach-in on privacy and what it is going to take to get
this done.
Gentlemen--and let me start perhaps with the Earthlink,
Amazon, and Microsoft witnesses. The reason I asked about Eli
Lilly really 3 hours ago is that I am concerned that we are
headed for an Exxon Valdez of privacy. That was a very serious
problem with Eli Lilly, but I think with the bad actors that
all of you have told me exist out there in the private sector,
that we are headed for something far, far worse. If that
tragedy takes place, you will not like the legislative response
that comes from the U.S. Senate, just as sure as the night
follows the day.
So my question to you is: Given the fact that you have
really one chance for one standard, one chance to get a
preemption bill, what would you all at Earthlink, Amazon, and
Microsoft want in terms of your efforts to try to work with us
to see if we can get you something that is reasonable? Let's
start with the Earthlink folks, then Mr. Misener, and then
Microsoft.
Mr. Seagraves. Senator, what we are looking for is
something that gives our customers the information they need to
make informed choices. The components of that would be
something that is simple, something that allows technology to
step in, and something--or legislation that actually does
something, that gives them and promotes good information given
to customers.
Senator Wyden. So, in effect, what you have just said is if
the bill has the elements of the Federal Trade Commission
legislation and they would be binding and enforceable, that
would be something you would support if you could get
preemption in return.
Mr. Seagraves. I think you could basically codify the FTC
guidelines, have the FTC enforce them. We could live with that.
Senator Wyden. Good. Amazon?
Mr. Misener. Senator Wyden, that is an excellent admonition
to us in industry as a matter of sort of legislative strategy.
We already comply fully with the requirements of your bill. OK.
Amazon.com is already doing this pro-privacy, notice, choice,
access, and security on our own in response to our customers'
demands and desires, and so we are very proud of that, and we
certainly could live under the requirements of the bill that
you and Senator Burns introduced in the 106th Congress.
All I have said and all Amazon.com has indicated is that
there is no inherent need for legislation, because we believe
the market is already driving companies like Amazon----
Senator Wyden. But how do you deal with the bad actors?
See, that is the point. The fact is there are a lot of people
out here who don't work closely with Chairman Hollings and
Senator McCain and come to hearings that examine this, and
those are the kind of people that I think are most likely to
produce that Exxon Valdez and do a great deal of damage to the
good work that you all have done. You all have worked too hard
at building up the credibility of this industry to lose it for
some bad actors, and that is why you need a piece of
legislation.
Mr. Misener. Senator Wyden, you make some very compelling
points, and I have to say that the points are so compelling
that we will continue to examine them going forward. I will
say, though, that the incident with Eli Whitney is unlikely to
be prevented by the sorts of legislation we are talking today.
It was an inadvertent mistake. It is not forgivable in many
senses, but the legislation alone won't bar it.
Second, the bad actors----
Senator Wyden. Just so you know and the record is clear, no
bill is ever going to bar accidents. The reason I asked the
question--and I think the answer was good--is we would like to
reduce the risk, and I am convinced that well-written privacy
legislation can reduce it. I interrupted you.
Mr. Misener. That is quite all right. I just want to
conclude by saying that the bad actors that are out there are
going to lose in the marketplace. We have well over 30 million
customers who have said that we have good privacy policies.
They have come to us, and they feel comfortable with us. They
trust us. We believe those bad actors will lose out. The little
ones that are out there, I think it would be very difficult to
enforce against in the first place. There it is, Senator.
Senator Wyden. But once the bad actors have damaged the
credibility of your work and harmed a lot of people, it is
going to be too late to put the horses back in the barn.
Mr. Misener. I fully agree, Senator, and there happens to
be a history in Washington of companies who have done good
things, to come to Washington and ask for legislation that
essentially mimics them so that we erect--so that Government
erects high barriers to entry, so the competitors can't come in
and compete with those companies like Amazon.com who have done
the right thing. We simply have tried to be more pure than that
and not ask for that kind of preemptive legislation.
Senator Wyden. We are going to go at this in a way--and you
have heard it from both sides of the aisle--that is not going
to freeze technology, and we have worked with you enough to
know that I feel very strongly about that.
Microsoft?
Mr. Rubinstein. Senator Wyden, if I might just briefly
follow up on two comments that Mr. Misener made and then
directly answer your question about legislation, first on the
question of accidents, I agree with both of you, that
legislation itself is not in a position to prevent accidents
and the Lilly situation seems to have been a mistake rather
than some intentional act.
Second, on the question of bad actors, I think there is no
such thing as 100 percent compliance. We haven't heard much
about self-regulatory efforts in this hearing, but let me just
mention one point which is that the reach of organizations like
Trust-E and other CL organizations is growing and is
significant. Let me give you a few statistics. Trust-E is now
at 2,000 licensees, which is about 50 percent growth over last
year. Seven of the ten top web sites by traffic are Trust-E
licensees; 50 of the top 100 sites are licensees. And these
licensed sites reach about 145 million web users. So the reach
of the self-regulatory organizations is not small today.
On the question of legislation directly, like--Amazon
described a bill that is representative of the principles that
a number of major industry trade associations have articulated
for acceptable legislation, and Microsoft does not oppose
legislation per se, and we have been in many of your offices
to, you know, review and comment on bills that have been
introduced.
But like many in industry, we believe that Congress needs
to move very deliberately and very cautiously on this question,
both because it is complex and in order to avoid either harming
the Internet industry, which is still in its early stages
despite some of the comments about legislation being introduced
early. Yes. The Telephone Act was introduced in 1936 with
privacy legislation, but the telephone was introduced in the
1890's.
Senator Wyden. Can I just ask one other quick question?
The Chairman. Surely.
Senator Wyden. Thank you, Mr. Chairman.
Just one question about P3P, if I could, Mr. Rubinstein.
What is it going to take on the enforcement side to make P3P
work, because it is very clear that this is useful product. I
share Senator Kerry's view in that regard, and it is going to
be particularly helpful because it is going to help consumers
determine what a web site says it is going to do, but then if
web sites say one thing and then do another, we have got an
enforcement issue, and Senator Hollings has given me this extra
time.
Could you just tell us how you envision this enforcement
scenario going forward?
Mr. Rubinstein. Yes. I think that is a very good question,
and you are alluding to the fact that P3P by itself provides no
information about a site's practices but only its policies, and
I think that is true of any technological means for
understanding what a site does. There is no way of measuring
practices through the interactive medium of the web.
What I think that P3P may be able to provide going forward,
however, is additional information, for example, about whether
a site is a subscriber of Trust-E, has been audited by one of
the Big Five accounting firms that does that kind of auditing,
and users may well want to set their P3P preferences so that
they only do business with sites that so indicate, and I think
it can provide greater transparency about enforcement, but
there is no way that it could ultimately be a mechanism to
demonstrate, you know, practices at the moment.
Senator Wyden. Thank you, Mr. Chairman.
The Chairman. Thank you very much.
Senator Allen.
Senator Allen. Thank you, Mr. Chairman. First, I want to
commend you, Mr. Chairman, for an outstanding and very balanced
panel, two panels of witnesses. This is an issue of great
interest to me and on the Republican side, chairing the high-
tech task force, some of these folks we heard, and trying to
find some balance and logic if government action is going to go
forward--and I think there will probably be some, but let's
make sure it is the most beneficial and not anything to thwart
the advantages to our life and our education and information
afforded by the Internet.
I would like to follow up on Senator Wyden's comments. He
asked many of the questions I would, as well as what Senator
Kerry mentioned. I very much agree with the thoughts and
processes through there, and in listening to the various
witnesses here, and I do think it is very important as we go
forward that we do make that distinction between the different
types of information, whether that is medical information,
health-related information versus financial versus regular
consumer information.
And I do think we need to look at each of those categories
differently for the levels of protection that people should get
from the Government versus the other view of the libertarian
view which is generally mine of caveat emptor and making sure
people are informed, knowledgeable, and they make those
decisions and are responsible for the consequences. When you
get to health information or privacy in financial, that is a
different situation. We do need to have protection, stronger
protection there.
Now, Mr. Catlett mentioned that since the Internet, this
mode of information or communication is different than the mail
or the telephone, but you still use the same principles in
applying those basic principles to however the regulations
would be. And, indeed, the privacy bills that have been
introduced over the years, the way I have looked at them, deal
with only information collected via the Internet. But if you
look back in history--and I mentioned this a few weeks ago.
I had lunch with some folks from UPS, and when they started
off, one of the key things for them getting business was to
make sure when shipping packages from Macy's, they wouldn't let
Gimbel's know what they were shipping, and Gimbel's wouldn't
know what--vice versa, Macy's and Gimbel's.
And so when you hear Mr. Seagraves talk about Earthlink and
what you are doing in trying to get a market niche that way and
getting more consumers or customers because of what you do,
that is responding to market forces; the same way with
Amazon.com. Microsoft's involvement in all this is trying to
come up with something that they hope consumers will want. And
so here you have an example of various enterprises that are
responding to the desires. You just have these polls, people
concerned about privacy and misuse of information, abuse of
information.
These three enterprises are all trying to respond to
consumer demand, and I want to commend you all for that, and
you will be a model, I think, for us, and it was very
interesting. I was taking notes as to the different views that
you would have as far as notice and choice, preemption, online,
offline distinctions, but you generally don't think there
should be distinctions, and as far as legal aspects of it, so I
think that what we need to do is listen to the creative
technologists and listen also obviously to those in the private
sector and make sure that we don't do something that thwarts
your industry.
However, the technology or e-commerce industry is going to
need to come up with these ideas for you to grow. Otherwise, I
think it will thwart the growth of e-commerce and the use of
the Internet if people are fearful that their information,
their personal data, will be misused or be subject to spamming
and other aggravations in people's lives. There are things that
are more than an aggravation, but an infringement that we don't
think is appropriate for it.
So I would only conclude by asking this question, following
up on what Senator Wyden asked of Mr. Rubinstein, and that is:
In the event under P3P that someone--you were talking about,
Here is their policies; their question is their practices. And,
again, commending all of the entrepreneurs here and their
companies, but in the event that their practices don't comply
with their policies, what laws currently apply? Would consumer
fraud? Would fraud? It is clearly a violation--I would think
some sort of a violation, a misrepresentation. What current
laws would apply to a company that as a practice knowingly
violates the policies that they set forth to the public as far
as privacy is concerned?
Mr. Rubinstein. Senator, the situation you described seems
to clearly invoke the FTC's jurisdiction under Section 5 of the
FTC Act. P3P presupposes that a site is presenting its policies
in a written statement, and if it misrepresents its practices
based on that policy or it deceives its customers, then it is
clearly subject to FTC enforcement action.
I think further, going back to my point about P3P also
being used to identify which sites are enrolled with Trust-E or
other self-regulatory organizations, if such a site was subject
to an FTC action and found to have engaged in illegal conduct,
it would have to lose its Trust-E or BBB Online seal, and that
would have to also be reflected in its privacy statement, so
that P3P tool would eventually detect that.
Senator Allen. Thank you. That answer fits into what
Senator Kerry--one of the various points you were making
Senator Kerry is that in this legislation, I think it would be
advisable to make sure that we put in the legislation, at least
cross-references if not the complete replication, of all the
existing laws that do apply, a variety of areas. You were
talking about in your past experiences, the mistake not making
sure that you listed a lot of different statutes which already
do apply, but I think it is important for folks to understand
that they are not without recourse with some of these ideas
currently. But I think maybe those can be embellished or
reinforced in such legislation.
My time is up, but, Mr. Chairman, again thank you for this
very balanced and informative discussion here for our
Committee. Thank you.
The Chairman. Thank you very much.
Senator Kerry.
Senator Kerry. Thank you, Mr. Chairman.
I thank the witnesses for their comments. Let me mention
that our legislation will have some pretty strict fines and
penalties under the FTC jurisdiction, and there is a clear FTC
enforcement mechanism that may need to be strengthened.
Mr. Rubinstein, if I could just ask you. Looking at your
handouts here for a moment, if I were to have come in under
your new--under the 6.0 that is coming out, if I went to this
web site for CNBC, Wall Street Journal, will there be an
automatic pop-up of this window as I see it, or do I have to go
down and hit the icon down here in the bar?
Mr. Rubinstein. That is a very good question. The way we
have designed IE6.0 is that this window pops up the first time
a user visits a site where its privacy settings don't match the
site's policies, but it does not pop up every time. When we
first began experimenting with cookie management and with P3P
in an earlier version of the browser, Internet Explorer 5.5, we
used that type of approach, and even myself, experimenting with
that beta version, the first time I connected to a site that I
go to almost daily, I got 40 pop-up screens, and like any other
user, I quickly turned the feature off.
So we were particularly concerned about not bombarding
users with repetitive warnings or notices that would either
distract them or lead to a disinterest and thereby really
undermine this whole chicken and egg issue of how you get--they
are deployed.
Senator Kerry. But the first time I were to go to any
particular web site, whether it is informational or
transactional, you are saying that the window itself would pop
up.
Mr. Rubinstein. Well, let me be very clear about this. This
window pops up--we call it a first-time user experience. It is
not going to pop up at every new web site you visit. It is
going to pop up the first time you visit a web site where there
is a mismatch between your setting, which is going to be the
preinstalled----
Senator Kerry. Right. That is under the P3P.
Mr. Rubinstein [continuing]. Default setting. And what this
tries to do is then immediately educate you at this point when
you first see it as to, you know, what this icon means, what
cookies are, what the medium default setting represents. If you
are then satisfied with that setting, this screen won't pop up
again, but if there is a mismatch at some other web sites, the
red eye icon will pop up.
Senator Kerry. Fair enough. So the first time, in effect,
the first time you are user, then, of your new program----
Mr. Rubinstein. Yes.
Senator Kerry [continuing]. Effectively and you go to a
site, you are going to be given the opportunity on that first
use to click in the settings you want, and among those settings
is the opportunity, I notice, to block all cookies.
Mr. Rubinstein. Yes. And there are also--there is a button
for advanced settings which allows some other interesting
capabilities, namely you can block or accept all cookies from a
particular web site, so if you distrust a particular web site,
you add that to your list of blocked sites, and if you like a
particular web site, you can say, ``Don't ask me again about
that site, because I am comfortable with them''.
Senator Kerry. In effect, you are really giving--and I am
not advertising for you, but it seems to me a fairly complete,
broad set of choice. I mean, if we are looking at the choice
application here, this is pretty broad consumer choice. You can
actually set in--I mean, this is opt-in and opt-out
simultaneously.
Mr. Rubinstein. I guess it is opt-in with respect to the
settings. I don't want to oversell it.
Senator Kerry. Well, I am not trying to--I don't want to
over-characterize it either, but I am trying to understand it
properly. I mean, it seems to me that if I can--if I----
Mr. Rubinstein. I would have to say, Senator--I am sorry to
interrupt, but I would have to say that it is opt-out, because
it shifts with the default setting, and unless the user changes
that----
Senator Kerry. I see. Unless you change the setting, you
are automatically stuck with the cookies.
Mr. Rubinstein. Well, you are automatically stuck with
the--if you will, with the medium setting, and the medium
setting, as I said in my oral remarks, has two requirements.
One is that the site has a P3P policy regarding cookies, and
the second is that it offers choice in the form of either opt-
in or opt-out for third-party cookies.
Senator Kerry. Fair enough. Now, that is--what does this
say to us about the P3P? I mean, if you don't have P3P out
there, this isn't going to work.
Mr. Rubinstein. If--well, that is correct. If a site
doesn't have a P3P policy, this doesn't work in the sense that
the full level of information that might otherwise be
available, as well as all of the features that might be
available, aren't there, but if a site doesn't have a compact--
a P3P policy, the red eye will appear.
Senator Kerry. Immediately.
Mr. Rubinstein. So what we are hoping to do is to
incentivize sites to deploy P3P policies in order to avoid
having that red eye appear, and we have also developed tools,
as have other companies like AT&T, called privacy statement
generators, and these are automated ways of generating a P3P
policy. They are very easy to use. You fill in a questionnaire
online, and it spits out a policy which a site ought to have
its own privacy officer or in-house counsel review, but it
makes deploying these compact policies very straightforward and
very easy.
Senator Kerry. Now, Mr. Misener and Mr. Seagraves, let me
ask you a question. There is sort of increasing discussion
among various companies and players within the Internet world,
and you certainly see it behind the scenes, and you see it in
some of the trade discussion, that opt-in may not be as
critical as some people originally thought, opt-in versus opt-
out, and that, indeed, perhaps even the sort of advertising
fears that people had are now not as germane, simply because
some people are questioning whether or not that model is
working at all.
Would you like to comment on both of those observations;
the notion that there seems to be maybe an increasing
acceptance within the industry that this is not as key as some
people thought it was originally? And also would you comment on
whether or not advertising appears to be as much a concern as
people had, because maybe the marketplace has made that
decision or is giving strong indicators about it at this point
in time.
Mr. Misener. Senator Kerry, thank you. In Amazon.com's
view, the important thing is always to provide our customers
meaningful choice, and without trying to characterize it in all
instances as either opt-in or opt-out, it should always be
meaningful. I mentioned before in my testimony that Amazon.com,
in its effort to provide our customers that kind of meaningful
choice, often provides what we would call opt-in choice, in
other instances provides what we would call opt-out choice. The
importance is it is meaningful.
For example, when you go to our ToysRUs.com co-branded
site, which provides some toys for some of our customers, you
go there, and Geoffrey the Giraffe from ToysRUs is sitting--
there is a little picture of him sitting inside an Amazon.com
box. It is very clear in just that little picture what is going
on here. There is a ToysRUs.com product being delivered by
Amazon.com.
And there is a whole bunch of wording around it as well
that explains what exactly is going on there, but that is far
more meaningful for the vast majority of consumers out there
than having to read some words about policy. We have told them
in this little picture instantly: this is a ToysRUs product
being delivered by Amazon.com. We thought that was much more
useful and meaningful for them than simply providing the words,
which we also provide.
Senator Kerry. Right. But coming back to this whole
question that Mr. Brondmo raised very clearly and, I think,
logically as he went through the progression, sort of, who owns
this asset. What is the asset, who owns it, and what use is it
put to, is really the issue. And you are sort of going around
that in a sense. You are saying, ``Well, we give this
information to them, but that doesn't deal with the secondary
marketplace issues of the information''.
And so I am trying to get at, you know, how critical--I
mean, the fight here was ostensibly whether opt-in was going to
lose people, a flow of information that was going to be
important to them in terms of their revenue stream, and
ultimate control of an asset. And that is what we are arguing
about.
And my question to you is: Has that changed a bit now? Has
this marketplace in the wake of sort of the shake out and some
maturity and evolution, has it changed in a way? I mean, Mr.
Seagraves was talking about the upside benefits of marketing
the fuller measure of privacy, and I am wondering if you think
it has changed. Is there some legitimacy to this current
discussion?
Mr. Misener. Oh, absolutely, Senator. I appreciate the
question. Amazon.com, in its initial privacy policy notice, had
indicated that it might at some point in the future sell
consumer information to third parties such as telemarketers.
Well, we never did that, and we concluded last year that we
never would do that, because our customers wouldn't like that,
and so we said in our updated and enhanced privacy policy last
year--we made a pledge that Amazon.com is not, emphatically
not, in the business of selling customer information. We want
to protect that customer information, because our customers
think it is important.
And you are right. There was this shift where, earlier on,
we thought we might do that, but we concluded last year that no
way would we do that.
Senator Kerry. Mr. Seagraves.
Mr. Seagraves. Well, as I said, Earthlink does not, you
know, really fall one way or the other right now, because we
don't--we are not asking the customers, because we don't sell
their information. However, that could change so we would need
to make a choice. Do we want opt-in or opt-out? And I think
there is a tradeoff.
Senator Kerry. Do you think it makes a difference?
Mr. Seagraves. I think it does make a difference, and the
tradeoff is this. If you are opt-in, then these are customers
that actively say, ``Yes, we want you to do this''. Then that
information is more valuable, although you have much less of
it. If it is opt-out, you have a lot more people that, you
know, participate and that will give--allow you to use their
information. However, it is not as valuable, because basically
they may have just been lazy.
So, you know, I think you need to balance that as far as
the particular business that you are in. In our case, I think
the value of the information is mostly in bulk, and the
targeted information that you get with opt-in isn't necessarily
all that important to us.
Senator Kerry. Fair enough. Mr. Brondmo, do you want to
comment on that at all?
Mr. Brondmo. Senator, I think you are keying on something
very important here, because there is obviously a maturity that
is happening in the marketplace, and we are learning, and that
learning has to be brought into any future legislation.
My learning in this area has been--I can maybe illustrate
that with a brief example. I worked with a large music retailer
a few years ago, and the music retailer was very hesitant to
take people off their lists as they were marketing to people,
and we were strongly encouraging them to do so, due to an
increasing customer satisfaction problem they were
experiencing. Their rationale was very reasonable. It costs us
a lot of money to get these people to come to our site, to get
them into our data base; why should we be making it easy for
them to get off our site or to not participate?
Finally they did a test. They learned that it had no
substantial impact on their business, because the people that
didn't like hearing from them didn't mind, but more importantly
when they made it very clear up front on their web site how
easy it would be to get off their systems, what they actually
found was an increase in subscription. They found more people
coming in and opting in or not opting out of the program up
front, because they knew it would be simple and easy later on.
Senator Kerry. Now, if there were a prohibition on any
unconsented transfer of financial information, i.e., credit
card or personal identifier, Social Security number, and so
that all that you had conceivably as this asset was a
particular purchase, item of purchase, series of items of
purchase, location of purchase, date, time, et cetera, and that
was the asset, in effect, is there any harm in that transfer,
if it were in an opt-out? And is there, in fact, conceivably a
countervailing benefit to a consumer that hasn't even been
weighed in this discussion? Do you follow me?
Mr. Brondmo. I am not sure I do.
Senator Kerry. Well, for instance, if the asset that a
company has that it either transfers to one of its subsidiaries
or sells to another company is information about someone's
purchase, but it is effectively an almost anonymous piece of
information--not completely; has their address, has a place,
knows what they purchased, and therefore, that company wanted
to know that, because they want to make a secondary
solicitation of some kind, is there some kind of harm done in
that, absent any transfer of any personal or financial
information, no credit card numbers, no Social Security number,
no--nothing but the transaction itself, in effect, which is
supposedly the value people want to hold onto for marketing
purposes.
My question is: Is there any harm whatsoever to that
consumer that is different from the harm in the offline
marketplace today, and is there conceivably an upside benefit
to them that hasn't even been weighed in this discussion?
Mr. Brondmo. Senator, I believe there is potential harm
that can be brought to the consumer in the scenario you
outlined. The primary problem is that if I visit Amazon, I
might look at a number of books. I might leave behind a trail
of information which I have no problem trusting to Amazon, but
if I knew that Amazon would turn that around and--let's for a
moment say that I had political ambitions, and Amazon would
sell that information to anybody who would pay $1 to buy it,
and all of a sudden somebody could come in and look at what
books I had bought, what research I might have done, maybe
books that didn't necessarily reflect my opinions or my position,
but that information being available, I believe that that could
potentially be very sensitive information.
I also believe, by the way, that Amazon would be
undermining their own business by giving that information away,
because that is an insight into my relationship that I have
developed with them, which is a key competitive advantage that
they have over their competitor, and they should not be selling
that information.
Senator Kerry. But that information is available today in
the offline world and even worse is available today. I mean,
look at what happened to Justice Thomas in his confirmation
process. We learned what Monica Lewinsky's videos were, I do
believe. I mean, we have had, you know--offline world, you can
do that today.
The Chairman. You don't think we can regulate it, do you?
Senator Kerry. That's my question.
Mr. Brondmo. Well, Senator, that does not change my opinion
with respect to the online behavior.
Mr. Misener. Senator Kerry, you are absolutely right. Just
to answer, of course, Amazon.com does not do what was discussed
just a moment ago. It does make little sense, however, to enact
a law or put in place a regulation that would only govern one
medium.
Senator Kerry. Well, I agree. This is the point that I have
been making for some period of time on this Committee, that if
the right of privacy is what we are talking about, it seems to
me that if you are providing adequate protection for the flow
of financial information, et cetera, if it is the marketing
concept, that is available in any number of ways, through
credit bureaus. I mean, the information that appears on people
publicly in America today is stunning.
And there, you know, it seems to me we have got to look at
this considerably differently or more broadly, I suppose, is
the way to phrase it. But, I mean, would Amazon--would somebody
be able to find out--Senator Rockefeller was asking me that in
a private conversation. I mean, if, for instance, somebody went
in and had a whole series of books that they got because there
was a particular family crisis going on or someone was sick
with a particular disease and they start--all of a sudden they
have ten books on a particular subject, would those books then
be traceable, and therefore, they will be suddenly solicited by
therapists or psychiatrists or a whole bunch of people because
they seem to have an inkling that that is an area those folks
are now concerned about?
Mr. Misener. Absolutely, emphatically not. Amazon.com will
not share that sort of information at all. We will share in
certain circumstances information resulting--or applying to a
particular transaction, e.g., a purchase of wireless services
through our wireless services store, but only in an opt-in
circumstance. The wireless store does not get, for example,
information about the pots and pans that I may have purchased
or the books that I may have purchased, only resulting from
that, but again that is an opt-in circumstance.
Senator Kerry, you are right on point, because 99 percent
of the retail transactions in this country last year were done
offline, so to the extent we apply a new law only to the online
world, we are only touching a very tiny percent, and those
transactions are only those made by those fortunate enough to
be on the fortunate side of the digital divide. Those who
aren't get none of the benefits.
Senator Kerry. And what do you say to people who
distinguish the online world because of its interconnectedness
and capacity to conglomerate transactions which doesn't occur
when you walk individually into a particular store?
Mr. Misener. It is a good question. The capacity to
conglomerate is not inherent only to the online world. The data
bases exist no matter where you are. In the offline world or
wherever, those data bases, that information about you,
generally far more sensitive information than Amazon.com would
ever collect, exists in the offline world. To the extent there
are differences--and I think there are some, but they are very
limited--to the extent there are differences, for example,
third parties tracking you around a site, legislation at that
point would be something that could be appropriate. Amazon.com
bars that.
We do not allow third-party cookies to be served on our
site for that very reason. We don't think our customers should
be subjected to that sort of thing. That is different from the
offline world. But where there are similarities, information
collected, information used for marketing purposes, then it
ought to be treated the same.
Senator Kerry. Well, I thank you very much. It is obviously
a very important area. I just want to emphasize again, for the
benefit of where we are heading here with the Chairman that I
think he is right on target in terms of where we need to be and
being very declarative on the medical and the financial and so
forth. And I think we need to sort of sort through the other
components of this that we have discussed today.
Mr. Chairman, this has been a good hearing, and I thank you
very, very much for your leadership.
The Chairman. I thank you very much, Senator. It has been
an outstanding hearing. I have learned a lot, and it strikes me
that--and you can always get in trouble thinking out loud, but
there is no question that we have got to legislate, but we have
got to legislate cautiously. So in the sense that we legislate
cautiously, some would legislate, as others have introduced
bills last year with opt-out alone, or the FTC guidelines which
are optional, and neither approach has worked. We tried that
with the banking bill, and that's a big uproar as the witnesses
testified, that it is not working.
So you look at the best of the best, namely Microsoft that
opts in for our opt-in, and Schwab, the best of the best
analysts, business-wise says it's not really that much of a
burden; in fact, it is a good business practice. And you find
just that. The best of the best thinks they make money out of
privacy, namely P3P, and otherwise, you have already joined in
to the European safe harbor, and as an American politician, I
am saying to myself, ``Well, can't I give the American
citizenry an equal protection as those citizens in Europe'',
unless there is something wrong with that safe harbor.
Is there anything wrong with that safe harbor that you know
about, Mr. Rubinstein, that you want the Committee to know
about?
Mr. Rubinstein. Well, I do want to comment on the safe
harbor. Microsoft and some hundred other multinationals have
signed up to the safe harbor, but I think we should be very
clear about what the motivation is.
The Chairman. Well, I know the motivation. You all want to
do business in Europe. Go ahead.
Mr. Rubinstein. Well, that is exactly correct.
The Chairman. Sure.
Mr. Rubinstein. As a multinational, we are bound to comply
with European law.
The Chairman. Whoopee. That's right. We are in a global
economy. Every time you mention something around here, some
politician jumps up and says, ``Well, this is a global economy.
OK. So we can pass that point''.
Mr. Rubinstein. But if I can offer an analogy, France has
laws regarding the use of French language on web sites operated
in France. The fact that Microsoft complies with those laws
does not in any way imply that we advocate English-only web
site laws in the United States, so I don't see----
The Chairman. But you have, on the opt-in, you have opted
in. Microsoft favors opt-in.
Mr. Rubinstein. We favor opt-in in an evolving business
model, namely what we call our Hailstorm Services that are
premised entirely on two things. One is identity management, so
those services are all about the most sensitive and personal
information, and No. 2--and I think this is the theme that has
been reflected in all of the comments today--those are
subscription-based, fee-paying services. They are not free web
content or free services, and in that context, we do not favor
opt-in legislation at all.
The Chairman. Well, that is the fundamental question. What
is sensitive? Medical, personal medical and personal financial.
Right?
Senator Kerry. Chairman, can I mention----
The Chairman. Yes.
Senator Kerry. Chairman, I just wanted to say that I
approached this with--I was on the conference Committee, on the
Banking Committee on the Gramm-Leach-Bliley, and I voted then
and we lost on the more stringent opt-in requirements, and we
have seen the results of that. So I think there are some
lessons we can draw from both the maturity of the industry, but
also from what has happened in terms of the regulatory
application process.
So I hope, Mr. Chairman, we can--I think there is room--I
thought there was a lot of sense of possibilities and wisdom
from both panels about the capacity to sort of combine the
pieces here and try to draw some distinctions between the areas
of sensitivity and the commercial side, and maybe we can do
that.
The Chairman. Oh, yes. We are going to do it very
cautiously, but I hope we can get something done. What happens
is that we have got to look into that matter of preemption and
perhaps with the states, let them operate upwards on that
score. And otherwise there will be a debate and probably a
difference of opinion with respect to the private right of
action that Mr. Misener absolutely opposes.
Mr. Misener, what we have found from hard experience--we
had a hearing just last year with respect to the Firestone
tires, and the National Highway Safety Transportation
Administration, NHSTA, and we asked the Secretary--we had 99
million recalls in the past 3 years. This was last year's
hearing, and we asked the Secretary of Transportation how many
had been required by NHSTA. Zero, none, in the 99 million
recalls. They were all done on account of the Pinto case.
And everybody knows that--in fact, we only found out about
the bad tires from personal causes of action and some 200
deaths. That is how it came to our--I never had heard about it
happening in South Carolina or anywhere else until we found out
people were dying in Saudi Arabia, dying down in Venezuela, and
they had been given notice and everything else like that, and
now we find out we had 200 in this country.
So that is why we even consider a personal cause of action.
Somebody thinks, well, this is all lawyers and trying to get
lawyers cases and everything else of that kind. What we are
trying to do is go in in a deliberate fashion, and as Mr.
Seagraves says, not produce a regulatory mine field and not
overreact. Nobody is vindictive about it. And you folks have
been unusually helpful to this Committee. We will probably have
perhaps another hearing, but we are going to work it out.
And we will leave the record open for any further questions
by either the members that could not attend, and otherwise for
any comments and further information you would wish to furnish
the Committee. The hour is late. The lunch is ready. Thank you
all very, very much.
The Committee will be in recess until the call of the
Chair.
[Whereupon, at 1 p.m., the hearing was adjourned.]