[Congressional Record Volume 146, Number 65 (Tuesday, May 23, 2000)]
[Senate]
[Pages S4254-S4255]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                            INTERNET PRIVACY

  Mr. KERRY. Mr. President, last night, the FTC released its report on 
Internet privacy. We are, all of us, in the midst of an Internet 
revolution in this country. It is extraordinary, when we think about 
it, to take note of the fact that the Internet has only been in 
existence about 6 or 7 years now. During that time, it has had a 
profound impact on everybody's life, particularly on business, and 
increasingly on consumer opportunity.
  I have tremendous respect for the work the FTC has done on this 
issue. Its monitoring of web sites and the convening of working groups 
have been very helpful in educating all of us on a very complicated new 
arena. The FTC plays an important role in oversight and regulating our 
economy, and I think it is fair to say that its Commissioners have 
navigated admirably through the complexity of the new economy.
  But--and here is the ``but,'' Mr. President--at this particular 
moment in time, I very respectfully disagree with the regulatory 
approach to Internet privacy proposed by the FTC. Let me be clear. Yes, 
consumers have a legitimate expectation of privacy on the Internet, and 
they will demand it, and I personally want that right of privacy 
protected. But I also believe that they want an Internet that is free 
and that gives them more choices rather than fewer. I believe that a 
regulatory approach mandated by in-depth, detailed congressional 
legislation at this particular point in time could actually harm 
consumers in the long run by limiting their choices on the Internet.
  On the Internet today, we can buy and sell anything. We can research 
everything from health information to sports scores to movie reviews. 
We can keep track of our stock portfolios, tomorrow's weather, and the 
news throughout the world. And we do most of that free of charge. The 
reason we can surf from page to page for free is because the Internet, 
like television, is supported by advertising--or is struggling to be 
supported by advertising. Obviously, access is by subscription in most 
cases; but the point is that advertising is increasingly growing. 
Business spent more than $1.9 billion to advertise on the web in 1998, 
with spending on electronic advertising expected to climb to $6.7 
billion by 2001.
  It is this advertising that is the reason we don't have a 
subscription-based Internet--at least at this point in time. That would 
clearly limit a lot of people's online activities, and it would 
contribute to the so-called digital divide. Instead, we have an 
Internet that we can freely explore. It is my sense that people like 
this model of the Internet, and they understand that the banner ads 
they see on their screens are necessary in order to try to keep the 
Internet free.
  What I don't think people understand is that, at least for now, the 
model for Internet advertising is going to include ads that are 
narrowly targeted to particular customers. The jury is still out on 
whether a targeted model is going to work. Currently, the click-through 
rates--the average percentage of web surfers who click on any single 
banner ad have fallen below the 1-percent mark, compared with about 2 
percent in 1998. Some see that as a sign that the advertising model on 
the Internet has failed. Others say the percentages are lower, but that 
is because more and more ads are being placed. What it tells me is that 
it is simply too soon for the Congress of the United States to step in 
and prevent that model from running its course. If, for the time being, 
we allow or acknowledge that the economy of the Internet calls for 
targeted advertising, we must also recognize that it won't attract 
customers if they believe their privacy is being violated.
  Finding the fine balance of permitting enough free flow of 
information to allow ads to work and protecting consumers' privacy is 
going to be critical if the Internet is going to reach its full 
potential. I believe that we in Congress have a role to play in finding 
that balance, although we should tread very lightly in doing so.
  In the past, I have argued that self-regulation was the best answer 
for consumers and the high-tech industry itself in relation to privacy. 
I hope we can continue to focus on self-regulation because Congress 
will, frankly, never be light-footed enough--nor fast-footed enough--to 
keep up with the technological changes that are taking place in the 
online world.
  However, poll after poll shows that consumers are anxious that their 
privacy is not being protected when they go on line.
  For example, a 1999 survey by the National Consumers League found 73 
percent of online users are not comfortable providing credit card or 
financial information online and 70 percent are uncomfortable giving 
out personal information to businesses online. Moreover, due to privacy 
concerns, 42 percent of those who use the Internet are using it solely 
to gather information rather than to make purchases online.
  Likewise, a Business Week survey in March 2000 noted that concern 
over privacy on the Internet is rising. A clear majority--57 percent--
favor some sort of law regulating how personal information is collected 
and used. According to Business Week, regulation may become essential 
to the continued growth of e-commerce, since 41 percent of online 
shoppers say they are very concerned over the use of personal 
information, up from 31 percent two year ago. Perhaps more telling, 
among people who go online but have not shopped there, 63 percent are 
very concerned, up from 52 percent two years ago.
  In addition to it being too early in the process for Congress to 
embark on sweeping legislation, I believe there are still a number of 
fundamental questions that we need to answer. The first is whether 
there is a difference between privacy in the offline and online worlds.
  I think polls like that are the result of the failure, so far, of 
industry to take the necessary initiative to protect consumers' 
privacy. But we should not neglect to notice that industry is making 
progress. When the Federal Trade Commission testified before the 
Commerce Committee about this time last year, it cited studies showing 
that roughly two-thirds of some of the busiest Web sites had some form 
of disclosure of privacy policies. This year, the FTC reports that 90 
percent of sites have disclosure policies. Likewise, last year the FTC 
found that only 10 percent of sites implemented the four core privacy 
principles of notice, choice, access and security. This year the FTC 
reports that figure at 20 percent. That is still not high enough, but 
this is a five-year-old industry. We've seen significant improvements 
without the need for intrusive congressional intervention. It is simply 
too soon to write off a market driven approach to privacy.
  Most of us don't think about it. But I want to make a point about the 
distinction between the offline and online world. When you go to the 
supermarket and you walk into any store and swish your card through the 
checkout scanner, that scanner has a record of precisely what you 
bought. In effect, today in the offline world, people are getting 
extraordinarily detailed information about what you are purchasing. The 
question, therefore, is to be asked: Is there some kind of preference 
about what happens at the supermarket, or any other kind of store, and 
is that somehow less protected than the choice you make 
online? Likewise, catalog companies compile and use offline information 
to make marketing decisions. These companies rent lists compiled by 
list brokers. The list brokers obtain marketing data and names from the 
public domain and governments, credit bureaus, financial institutions, 
credit card companies, retail establishments, and other catalogers and 
mass mailers.

  I have been collecting the catalogs that I have received just in the 
last few weeks from not one online purchase, and I have been targeted 
by about 50 catalogs just on the basis of offline purchases that have 
been made and not because of an online existence.
  Even in politics, off-line privacy protections may be less than those 
we are already seeing online. For example, we all know that campaigns 
can and do get voter registration lists from their states and can 
screen based on how often individuals vote. They will take this data 
and add names from magazines--Democrats could use the New Republic and 
Republicans might choose

[[Page S4255]]

the National Review--and advocacy groups, and target all of them. With 
those combined lists, campaigns decide which potential voters to target 
for which mailings. The campaigns will also often share lists with each 
other and with party committees. All of this goes on offline.
  On the other hand, when I go to the shopping mall and I walk into a 
store and look at five different items, five sweaters, or five pairs of 
pants, whatever it may be, and I don't buy any of them, there is no 
record of them at all. But there is a record of that kind of traveling 
or perusal, if you will, with respect to the web.
  There are clearly questions that we have to resolve with respect to 
what kind of anonymity can be protected with respect to the online 
transaction.
  I just do not think this is the moment for us to legislate. I think 
we need to study the issue of access very significantly.
  There is a general agreement that consumers should have access to 
information that they provided to a web site. We still don't know 
whether it is necessary or proper to have consumers have access to all 
of the information that is gathered about an individual.
  Should consumers have access to click-stream data or so-called 
derived data by which a company uses compiled information to make a 
marketing decision about the consumer? And if we decide that consumers 
need some access for this type of information, is it technologically 
feasible? Will there be unforeseen or unintended consequences such as 
an increased risk of security breaches? Will there be less rather than 
more privacy due to the necessary coupling of names and data?
  Again, I don't believe we have the answers, and I don't believe we 
are in a position to regulate until we have thoroughly examined and 
experienced the work on those issues.
  I disagree with those who think that this is the time for heavy-
handed legislation from the Congress. Nevertheless, I believe we can 
legislate the outlines of a structure in which we provide some consumer 
protections and in which we set certain goals with which we encourage 
the consumer to familiarize themselves while we encourage the companies 
to develop the technology and the capacity to do it.
  Clearly, opting in is a principle that most people believe ought to 
be maximized. Anonymity is a principle that most people believe can 
help cure most of the ills of targeted sales. For instance, you don't 
need to know if it is John Smith living on Myrtle Street. You simply 
need to know how many times a particular kind of purchase may have been 
made in a particular demographic. And it may be possible to maintain 
the anonymity and provide the kind of protection without major 
legislation. It seems to me that most companies will opt for that.
  In addition to that, we need to resolve the question of how much 
access an individual will have to their own information, and what 
rights they will have with respect to that.
  Finally, we need to deal with the question of enforcement, which will 
be particularly important. It is one that we need to examine further. I 
believe that there is much for us to examine. We should not, in a 
sense, intervene in a way that will have a negative impact on the 
extraordinary growth of the Internet, even as we protect privacy and 
establish some principles by which we should guide ourselves. I believe 
that the FTC proposal reaches too far in that regard.
  I hope my colleagues in the Senate will join me in an effort to 
embrace goals without the kind of detailed intrusion that has been 
suggested.
  I thank the Chair.

                          ____________________