Privacy Law and Policy Reporter
The US debate about online privacy protection has flared again in response to warnings from the Federal Trade Commission (FTC) and high profile privacy breaches which have not been corrected by industry self-regulation. While the US is still several steps away from getting legislation through Congress, leading ecommerce consultancy group Forrester Research has predicted in a new report that online privacy regulation is likely within the next 12 to 18 months.
In June 1998 the FTC issued its report, Privacy Online: A Report to Congress, which warned that legislation would be necessary if self-regulation failed to provide adequate privacy protection. It promised to monitor the performance of industry over the next year and come back with a recommendation for or against legislation by mid-1999. Following a second survey of website practices conducted in March 1999, the FTC returned to Congress in July with advice to continue to wait and see. While it indicated that significant progress has been made towards the development of industry self-regulation, it also noted that coverage of privacy safeguards was still inadequate and that unless self-regulation produced better outcomes, legislation would become necessary.
The survey confirmed that most sites collect personal information — 92.8 per cent collected personally identifying information and 56.8 per cent collected demographic information such as age, family information, gender, education, income, interests and occupation. The vast majority of those which collect a name and email address (some 83.9 per cent) collect at least one other additional piece of personal information. In percentage terms, the top 10 items of personal information collected by websites are email address (91 per cent), name (81 per cent), postal address (63 per cent), phone number (52 per cent), credit card number (39 per cent), age or birthday (31 per cent), postcode or location (30 per cent), gender (25 per cent), preferences (21 per cent) and occupation and other demographic information (16 per cent). Some 10 per cent ask for information about a person’s income or education.
The FTC’s Self Regulation and Privacy Online report contained its response to the Georgetown survey. It noted the rapid growth of electronic commerce: for example, the growth of online advertising revenues from $906.5 million in 1996 to $1.92 billion in 1998, exceeding those for advertising on outdoor billboards in the US in that year. It noted that 80 million adults in the US are now estimated to be using the internet. But according to the FTC, privacy concerns remain high and are a major constraint on the growth of ecommerce. According to a 1999 AT&T survey, 87 per cent of experienced internet users surveyed in the US say they are somewhat or very concerned about threats to their privacy online. Only one quarter of internet users go beyond just browsing for information to purchasing goods and services online, in part due to their privacy concerns.
After highlighting the outcomes of the survey and noting the significant progress in the development of programs such as TRUSTe, BBB Online, and the Online Privacy Alliance, the FTC stated that nevertheless, not enough progress has been made in establishing privacy policies. However, it concluded that ‘the Commission believes that legislation to address online privacy is not appropriate at this time’. The FTC instead outlined a program of initiatives, including public workshops on issues such as online privacy website tracking of consumer behaviour and improving implementation of fair information practices.
The report also highlighted disagreements among the four federal trade commissioners. Two separate statements were issued by individual commissioners in addition to the report. Commissioner Orson Swindle criticised the report for failing to give sufficient praise to the efforts of industry to protect privacy, commenting that ‘the way to get where we want to be is not through more laws and regulation’. In contrast, Commissioner Sheila Anthony argued that legislation was necessary now: she was ‘dismayed ... with the results of the two studies’ showing that:
there is an enormous gap between the online collection of individually identifiable information and the protection of that information by the website owner’s implementation of fair information practices of notice consent access and security ... industry progress has been far too slow ... I believe the time may be right for federal legislation to establish at least a base line minimum standard.
Just as commissioners disagreed on what conclusions should be drawn from the survey, business and consumer groups also put a very different spin on its meaning:
The next step in the US internet privacy debate is likely to involve a more detailed examination of the effectiveness of self-regulation. Three major privacy seal programs, TRUSTe, BBB Online and the Online Privacy Alliance, have emerged in recent years.
These programs were developed in order to foster consumer confidence and forestall any heavy handed government regulation of internet privacy. They have relatively quickly achieved a high take up among the top websites, but their effectiveness in delivering better privacy safeguards is now under fire. They may have persuaded organisations to post privacy policies, but critics argue they have had little effect on their actual practices. In its comments on the FTC report, the Privacy Rights Clearing House highlighted problems with industry members of TRUSTe, including that:
A major controversy erupted in November 1999 when The New York Times reported that online software distributor Real Networks was collecting information about the musical tastes of 13.5 million Real product users without their knowledge. Real Jukebox, software downloaded through the Real Networks site, was scanning users’ hard drives and transmitting information about their musical interests and music player back to Real Networks. This information was then added to pre-existing customer profile information. Although Real Networks is a member of TRUSTe and displayed its logo on its website, TRUSTe refused to launch an investigation into Real Networks because its licence only covers information collected from consumers over a website, and since the information was actually collected by software downloaded from a website, Real Networks had not violated its TRUSTe licence. TRUSTe did announce, however, that it would review its licence agreements.
Another incident occurred just days later when it was revealed that Sony Music Entertainment’s Infobeat newsletter was disclosing the email addresses of its subscribers to advertisers without their permission.
The sequence of incidents with high profile brand names, often discovered only through a coincidence or random event, suggests that current practices are failing to meet consumers’ expectations of privacy safeguards. Often this appears to be the deliberate result of practices which large corporations should be aware are in breach of privacy principles and are, on one face of it, quite unethical. The seeming ineffectiveness of the self-regulating privacy seal and licence organisations has strengthened the push for a legislated solution.
On the other hand, some large organisations have taken a more proactive stance to encourage adoption of four information practices. IBM, Disney and Microsoft announced in mid-1999 that they would withdraw advertising from sites that do not adhere to fair information practices. While the advocates of self-regulation point to such initiatives to show that the industry is able to police itself, the question is whether these initiatives will ultimately satisfy regulators.
Forrester Research’s report, Privacy Self-Regulation Will Fail, concluded that they should wait, but that legislation is almost inevitable because business and consumer groups cannot reach common ground on privacy principles. In fact, the Forrester report argues that customer-profile driven e-commerce is inherently in conflict with protecting consumers’ privacy:
To avoid regulation, companies must convince the FTC that substantial progress has been made towards fair information principles [but] asking this group to reach consensus is like expecting hospitals, insurers and patients to agree on managed care.
The FTC will revisit the state of internet privacy in March 2000. The prospects of a recommendation for legislation, either at this review or the next, are growing. The experience of the Children’s Online Privacy Protection Act (see 1999 6(4) PLPR55) suggests that any recommendation from the FTC for legislation would carry significant weight with Congress.
Tim Dixon is an Associate at Baker & McKenzie in Sydney and Chairman of the Australian Privacy Foundation.