Search Terms: personal w/5 information w/5 privacy, House or Senate or Joint
Document 85 of 261.
Copyright 2000
Federal News Service,
Inc.
Federal News Service
View Related Topics
May
18, 2000, Thursday
SECTION:
PREPARED TESTIMONY
LENGTH:
5078 words
HEADLINE:
PREPARED TESTIMONY OF JODIE BERNSTEIN DIRECTOR OF THE BUREAU OF CONSUMER PROTECTION THE FEDERAL TRADE COMMISSION
BEFORE THE
HOUSE
COMMITTEE ON THE JUDICIARY SUBCOMMITTEE ON COURTS AND INTELLECTUAL PROPERTY
SUBJECT - "ONLINE PRIVACY: RECENT COMMISSION INITIATIVES"
BODY:
Mr. Chairman and Members of the Subcommittee, I am Jodie Bernstein, Director of the Bureau of Consumer Protection of the Federal Trade Commission. I appreciate this opportunity to report on the Commission's recent initiatives in online privacy, and, in particular, the history and implementation of the Children's Online Privacy Protection Act.
I. Introduction and Background
A. FTC Law Enforcement Authority
The FTC's mission is to promote the efficient functioning of the marketplace by protecting consumers from unfair or deceptive acts or practices and to increase consumer choice by promoting vigorous competition. As you know, the Commission's responsibilities are far- reaching. The Commission's primary legislative mandate is to enforce the Federal Trade Commission Act ("FTCA"), which prohibits unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce) With the exception of certain industries and activities, the FTCA provides the Commission with broad investigative and law enforcement authority over entities engaged in or whose business affects commerce.3 Commerce on the
Internet falls within the scope of this statutory mandate. B. Privacy Concerns in the Online Marketplace
Since its inception in the mid-1990's, the online marketplace has grown at an exponential rate. Recent figures suggest that as many as 90 million Americans now use the Internet on a regular basis.4 Of these, 69%, or over 60 million people, shopped online in the third quarter of 1999.5 In addition, the Census Bureau estimates that retail e-commerce reached $
5.3 billion for the fourth quarter of 1999.6
With this remarkable growth in e-commerce has come increased consumer awareness that online businesses are collecting and using personal data, and increased consumer concern about the privacy of this data. Recent survey results demonstrate that 92% of consumers are concerned (67% are "very concerned") about the misuse of their personal information online.7 The level of consumer unease is also indicated by a recent study in which 92% of respondents from online households stated that they do not trust online companies to keep their
personal information
confidential.8 The Commission's online
privacy
efforts have been directed in large measure toward engaging the private sector in addressing these concerns, to ensure the continued growth of the online marketplace.
C. The Commission's Approach to Online Privacy - Initiatives since 1995
Since 1995, the Commission has been at the forefront of the public debate on online privacy. The Commission has held public workshops; examined Web site information practices and disclosures regarding the collection, use, and transfer of personal information; and commented on self-regulatory efforts and technological developments intended to enhance consumer privacy? The Commission's goal has been to understand this new marketplace and its information practices, and to assess the costs and benefits to businesses and consumers.
In June 1998 the Commission issued Privacy Online: A Report to Congress ("1998 Report"), an examination of the information practices of commercial sites on the World Wide Web and of industry's efforts to implement self-regulatory programs to protect consumers' online privacy.10 Based in part on its extensive survey of over 1400 commercial Web sites, the Commission concluded that effective self- regulation had not yet taken hold.n The Commission recommended that Congress adopt legislation setting forth standards for the online collection of personal information from children; and indeed, just four months after the 1998 Report was issued, Congress enacted the Children's Online Privacy Protection Act of 1998 ("COPPA"), which authorized the Commission to issue regulations implementing the Act's privacy protections for children under the age of 13.n COPPA and the Commission's Rule implementing the Act are discussed in greater detail below.
In the 1998 Report, the Commission deferred its recommendations with respect to the collection of personal information from online consumers generally. In subsequent Congressional testimony, the Commission discussed promising self-regulatory efforts suggesting that industry should be given more time to address online privacy issues. The Commission urged the online industry to expand these efforts by adopting effective, widespread self-regulation based upon the long- standing fair information practice principles of Notice, Choice, Access, and Security, and by putting enforcement mechanisms in place to assure adherence to these principles.13 In its 1999 report to Congress, Self-Regulation and Privacy Online, the Commission again recommended that self-regulation be given more time, but called for further industry efforts to implement the fair information practice principles and promised continued Commission monitoring of these efforts.14
In February and March of this year, the Commission conducted its second survey of U.S. commercial Web sites. The survey assessed websites' compliance with fair information practices by analyzing the nature and substance of their stated policies regarding the collection, use and disclosure of personal information gathered from consumers online. The Commission will report to Congress in the near future on the results of its 2000 survey.15
Last week, the Commission issued a final Rule implementing the privacy provisions of the Gramm-Leach-Bliley Act.16 The Rule requires a wide range of financial institutions to provide notice to their customers about their privacy policies and practices. The Rule also describes the conditions under which those financial institutions may disclose personal financial information about consumers to nonaffiliated third parties, and provides a method by which consumers can prevent financial institutions from sharing their personal financial information with nonaffiliated third parties by opting out of that disclosure, subject to certain exceptions.
Law Enforcement Actions
The Commission has also brought several law enforcement actions, pursuant to its mandate under the FTC& to remedy online companies' unfair and deceptive practices with respect to the collection and use of consumers' personal information. In February, 1999, the Commission settled charges that GeoCities, one of the most visited websites, had misrepresented the purposes for which it was collecting personal identifying information from both children and adults.17 In the Liberty Financial case, the Commission challenged allegedly false representations by the operator of a "Young Investors" site that information collected from children in an online survey would be maintained anonymously.18 Most recently, in the ReverseAuction.com case, the Commission settled charges that this online auction site had obtained consumers' personal identifying information from a competitor's site and then sent deceptive, unsolicited e-mail messages to those consumers seeking their business.
19 These cases demonstrate the Commission's ongoing commitment to protecting consumers' online privacy as an integral part of its law enforcement mission.20
II. Protecting Children's Online Privacy
A. Public Concerns about Children's Online Privacy
Children are among the fastest growing populations on the Internet. The number of children online has almost tripled in just the last two years, growing from nearly 10 million in 1997 /21 to almost 26 million by the end of 1999.22 That number will continue to rise as the Internet becomes an increasingly integral part of American culture, education, and commerce.
Online marketers have responded to this growth with sites targeting children and offering a diverse array of products, services and other features. Like sites targeted to older consumers, these sites often collect personally identifying information from young consumers. Our 1998 survey found that of the 212 children's websites surveyed, 89% were collecting personal information from children, including names, home addresses, e-mail addresses, and in one case, information about family finances.23 However, only 24% of those sites posted privacy policies, and only 1% of those sites sought parental permission to collect such information.24 These practices were in sharp contrast to parents' beliefs about what information should be collected from their children. A 1997 Louis Harris/Allan Westin survey found that 72% of parents objected to the collection of names and addresses from their children, even if that information was used only within the company, and 97% of parents objected if the information was to be released to third parties?
B. Children's Online Privacy Protection Act (COPPA)
Reacting to these concerns, in October 1998 Congress enacted the Children's Online
Privacy Protection Act, the first federal legislation specifically to address online privacy. The statute was enacted with the support of a broad coalition of industry, privacy advocates and consumer groups, and drew heavily on the experience of industry self-regulatory groups in attempting to establish workable guidelines for the protection of children's privacy online.
The legislation requires operators of commercial websites directed to children under 13 to: /26
- provide parents with notice of their information practices; obtain verifiable parental consent before collecting most personal information from children; provide parents with access to the information collected from their children; limit data collection to that which is reasonably necessary to participate in the activities offered at the site; and maintain the security and confidentiality of the information they collect.
COPPA required that the Commission issue rules implementing these requirements within one year of its enactment. Like the legislative consideration of COPPA, our rulemaking process, too, drew on the accumulated expertise of online businesses, self-regulatory groups, State Attorneys General, and privacy and children's advocates. We received over 145 comments and held a widely attended workshop to gather information to help us craft a rule that would be both effective and enforceable, yet flexible enough to accommodate the rapid technological innovation that characterizes this ever-changing medium. As required by COPPA, we issued the final Rule in October 1999, and it became effective last month.
COPPA and its implementing rule contain several important features. First and foremost, both the Act and the Rule employ flexible performance standards rather than static rules. This not only provides website operators with flexibility in choosing how to comply, but also leaves room for the growth of new technologies. For example, COPPA's definition of the key concept of "verifiable parental consent" encompasses "any reasonable effort, taking into account available technology," to ensure that a parent receives the required notice and consents to the operator's collection of information. This flexible standard will encourage the development of new products and services that can help make compliance with the Rule easy and inexpensive.27 In fact, the Commission has committed to undertake a review in eighteen months to determine whether new and developing technologies are available for use in obtaining "verifiable parental consent" under the Rule.
Another feature of the Act and Rule is a "safe harbor" provision, designed to encourage continued self-regulatory efforts to protect online privacy. Over the years, self-regulatory groups have developed substantial expertise in monitoring, detecting, and addressing online privacy problems. Website operators have long consulted with the self- regulatory groups on the privacy issues they face. Under COPPA, self- regulatory programs can now apply to have their programs accepted as "safe harbors" from Commission or State Attorney General enforcement.28 Several proposals are currently under review by the Commission.
C. Implementing the COPPA Rule
Now that the Rule is in effect, the Commission is attempting to address two key issues: business and consumer education and enforcement.
1. Education
The Commission has used a variety of creative, novel and cost effective ways to educate parents, children and website operators about the provisions of the COPPA. As it has in all its education efforts, the Commission has made extensive use of the Internet to disseminate its messages.29 In November, shortly after the final Rule was announced, a Compliance Guide was posted on the FTC website.30 E- mails were sent to major children's sites, participants in COPPA workshops, and commentors in the rulemaking to alert them to the guidance. In addition, the Commission is holding informal seminars to educate online businesses about the need to comply with COPPA.
In February, the FTC issued a Consumer Alert geared to parents, introducing them to the new law. The Alert was sent to more than 14,000 news media, as well as to websites, parent organizations and schools through organizations like the PTA and the National Association of Elementary School Principals. The media milling alone resulted in more than 100 interviews with Commission staff about the provisions of the Rule. Articles appeared in hundreds of newspapers, including the print and web editions of USA Today, the Wall Street Journal and the New York Times, and on radio and television networks and stations. Media exposure no doubt contributed to the fact that the Consumer Alert was accessed more than 32,000 times on the FTC's website in April alone.
At the same time, the FTC developed a Kidz Privacy website where information about COPPA was placed. Major national corporations and privacy advocacy groups joined in our outreach efforts.31 Among the participants: AOL, Center for Democracy and Technology, Center for Media Education, Chancery Software, CyberAngels, Disney/Go.com Network, Headbone.com, Lycos, Microsoft, NetFamilyNews, NetNanny Software, Surfmonkey. com, and Wiredkids. All these sites link to the FTC site. In addition, Chancery Software designed and printed 40,000 bookcovers and bookmarks with children's online privacy tips to distribute to school children. To ensure that all organizations interested in protecting children's privacy online have the opportunity to participate in the COPPA Public Awareness Campaign, the Commission is publishing a notice in the Federal Register with details on how to participate.
In addition to sections for kids, adults, business and the media, the Kidz Privacy website also includes radio public service announcements and a banner public service announcement that can be downloaded and placed on any website. The banner would enable viewers at any site on the web to click directly to the Kidz Privacy site. In May and September, radio public service announcements will air which refer listeners to the FTC website and the Commission's Consumer Response Center for more information.
The Consumer Response Center provides education and assistance to individual consumers and businesses who contact us by calling our toll free helplines (877-FTC-HELP and 877-ID-THEFT), by writing us, or by using our online complaint form at www.ftc.gov.
CRC counselors provide information, assist consumers in resolving their complaints where possible, and enter complaints into the Commission's extensive complaint database which is used for law enforcement.32 The CRC is now responding to some 40,000 contacts a month, covering a broad spectrum of inquiries and complaints.33 With the implementation of COPPA and growing consumer awareness and concern about privacy, we may begin to receive more inquiries and complaints in this area.
2. Rule Enforcement
We have been impressed by the substantial commitment the online industry has made to implementation of the statute and their commitment to the fair information practices principles that underlay it. Nonetheless we believe that along with education, enforcement will play a critical role in the Act's success. Initially, we expect to receive referrals from industry self-regulatory groups, privacy advocates, competitors, and consumer groups. We also will analyze complaints collected by the CRC to identify rule violations. In addition, the Commission intends, as it has done on many occasions, to hold "surf' days in which FTC staff work together with other enforcement agencies to identify sites that are not in compliance with the law. The Commission also is holding joint training sessions with our State law enforcement partners, to help facilitate active and coordinated enforcement of the Rule.
For the most part, website operators have been working diligently to comply with the Rule. In some instances the benefits go beyond the online environment. For example, one offline magazine which also operates a website has revised its policies on publishing the full names and ages of children making submissions to its magazine, and now posts those submissions using only the child's first name and age.
III. Conclusion
The Commission will continue its efforts, in close cooperation with its private sector partners, to expand its consumer and business education campaigns, and to assure broad compliance with the law. We look forward to working with the Subcommittee to address these online privacy issues and are pleased to answer any questions you may have.
FOOTNOTES: 1 My oral testimony and any responses to questions reflect my own views and are not necessarily the views of the Commission or any other Commissioner.
2 15 U.S.C. Section 45(a).
3 The Commission also has responsibility under 45 additional statutes governing specific industries and practices. These include, for example, the Truth in Lending Act, 15 U.S.C.
Sections 1601 et seq., which mandates disclosures of credit terms, and the Fair Credit Billing Act, 15 U.S.C. Sections 1666 et. seq., which provides for the correction of billing errors on credit accounts. The Commission also enforces over 30 rules governing specific industries and practices, e.g., the Used Car Rule, 16 CFR. Part 455, which requires used car dealers to disclose warranty terms via a window sticker; the Franchise Rule, 16 C.F.R. Part 436, which requires the provision of information to prospective franchisees; the Telemarketing Sales Rule, 16 CFR. Part 310, which defines and prohibits deceptive telemarketing practices and other abusive telemarketing practices; and the Children's Online Privacy Protection Rule, 16 C.F.R. Part 312. The Commission has also issued a final rule implementing the Gramm-Leach- Bliley Act, 15 U.S.C. Sections 6801 et seq., which is discussed below.
The Commission does not, however, have criminal law enforcement authority. Further, under the FTC& certain entities, such as banks, savings and loan associations, and common carders, as well as the business of insurance, are wholly or partially exempt from Commission jurisdiction. See Section 5(a)(2) and 6(a) of the FTC Act, 15 U.S.C. Section 45(a)(2) and 46(a). See also the McCarran-Ferguson Act, 15 U.S.C. Section 1012(b).
4 The Intelliquest Technology Panel, Panel News, available at <http://www.techpanel.com/news/index.asp> (hereinafter "Technology Panel") (90 million adult online users as of third-quarter 1999). Other sources place the number in the 70-75 million user range. See Cyber Dialogue, Internet Users, available at <http://www.cyberdialogue.com/resource/data/ic/index. html> (69 million users); Cyberstats, Internet Access and Usage, Percent of Adults 18+, available at <http://www.mediamark.com/cfdocs/MRI/cs_f9a.cfm>(75 million users).
5 Technology Panel. This represents an increase of over 15 million online shoppers in one year. See id
6 United States Department of Commerce News, Retail E-commerce Sales for the Fourth Quarter 1999 Reach $
5.3 Billion, Census Bureau Reports (Mar. 2, 2000), available at <http://www.census.gov/mrts/www/current.html>.
7 Alan F. Westin, Personalized Marketing and Privacy on the Net: What Consumers Want, PRIVACY AND AMERICAN BUSINESS (Nov. 1999) at 11. See also IBM Multi-National Consumer Privacy Survey, prepared by Louis Harris & Associates Inc. (Oct. 1999), at 72 (72% of Internet users very concerned and 20% somewhat concerned about threats to personal privacy when using the Internet); Forrester, Online Consumers Fearful of Privacy Violations (Oct. 1999), available at <http://www.forrester.com/ER/Press/Release/0,1769,177,FF.html> (two- thirds of American and Canadian online shoppers feel insecure about exchanging personal information over the Internet).
8 Survey Shows Few Trust Promises on Online Privacy, Apr. 17, 2000, available at <http://www.nyt. com> (citing recent Odyssey survey).
9 The Commission held its first public workshop on privacy in April 1995. In a series of hearings held in October and November 1995, the Commission examined the implications of globalization and technological innovation for competition and consumer protection issues, including privacy concerns. At a public workshop held in June 1996, the Commission examined Web site practices regarding the collection, use, and transfer of consumers' personal information; self-regulatory efforts and technological developments to enhance consumer privacy; consumer and business education efforts; the role of government in protecting online information privacy; and special issues raised by the online collection and use of information from and about children. The Commission held a second workshop in June 1997 to explore issues raised by individual reference services, as well as issues relating to unsolicited commercial e-mail, online privacy generally, and children's online privacy.
The Commission and its staff have also issued reports describing various privacy concerns in the electronic marketplace. See, e.g., FTC Staff Report: The FTC's First Five Years Protecting Consumers Online (Dec. 1999); Individual Reference Services: A Federal Trade Commission Report to Congress (Dec. 1997); FTC Staff Report: Public Workshop on Consumer Privacy on the Global Information Infrastructure (Dec. 1996); FTC Staff Report: Anticipating the 21st Century: Consumer Protection Policy in the New High-Tech, Global Marketplace (May 1996). Recently, at the request of the Department of Health and Human Services ("I- IHS"), the Commission submitted comments on HHS' proposed Standards for Privacy of Individually Identifiable Health Information (required by the Health Insurance Portability and Accountability Act of 1996). The Commission strongly supported HHS' proposed "individual authorization" or "opt-in" approach to health providers' ancillary use of personally identifiable health information for purposes other than those for which the information was collected. The Commission also offered HHS suggestions it may wish to consider to improve disclosure requirements in two proposed forms that would be required by the regulations. The Commission's comments are available at <http://www.ftc.gov/be/v000001.htm>.
10 The Report is available on the Commission's Web site at http://www.ftc.gov/reports/privacy3/index.htm.
11 1998 Report at 41.
12 15 U.S.C. SectionSection 6501 et seq.
13 Prepared Statement of the Federal Trade Commission on "Consumer Privacy on the World Wide Web" before the Subcommittee on Telecommunications, Trade and Consumer Protection of the House Committee on Commerce, U.S. House of Representatives (July 21, 1998), available at <http://www.ftc.gov/os/1998/9807/privac98.htm>.
14 Self-Regulation and Privacy Online (July 1999) at 12-14 (available at <http://www.ftc.gov/os/1999/9907/index.htm#13>).
15 The Commission has supplemented its own fact-finding by soliciting public input on pressing issues related to the implementation of fair information practices online. In December 1999, the Commission convened an Advisory Committee on Online Access and Security, a group comprising 40 e-commerce experts, industry representatives, security specialists, and consumer and privacy advocates, to advise the Commission on options for implementing the fair information practice principles of Access and Security online. The Advisory Committee's Report, which was presented to the Commission earlier this week, will be discussed in the Commission's upcoming report to Congress on online privacy. The Advisory Committee proceedings are available at <http://www.ftc.gov/acoas>.
In November, 1999, the Commission, together with the Department of Commerce, held a public workshop on "online profiling," the practice of aggregating information about consumers' interests, gathered primarily by tracking their movements online, and using the resulting consumer profiles to deliver targeted advertisements on Web sites. The Commission will soon report to Congress about concerns raised by online profiling, as well as industry's self-regulatory efforts in this area. The transcript of the Workshop, as well as public comments filed in connection with the Workshop, are available at <http://www.ftc.gov/bcp/profiling/index.htm>.
16 16 C.F.R. Part 313; available at <http://www.ftc.gov/opa/2000/05/glbpressl.htm>.
17 GeoCities, FTC Dkt. No. C-3849 (Feb. 12, 1999) (consent order).
18 Liberty Financial, FTC Dkt. No. C-3891 (Aug. 12, 1999) (consent order).
19 FTC v. ReverseAuction. corn, Inc., No. 00-0032 (D.D.C Jan. 6, 2000) (consent decree).
20 Since the fall of 1994, the Federal Trade Commission has brought over 125 law enforcement actions against over 360 companies and individuals to halt fraud and deception on the Internet. The FTC has not only attacked traditional schemes that have moved online, like pyramid and credit repair schemes, but also has brought suit against pagejacking, mouse trapping, modem hijacking, fraudulent e-mail marketing, and other hi-tech schemes that take unique advantage of the Internet. The Commission pioneered the "Surf Day" concept, and has searched the Net with over 250 law enforcement or consumer groups worldwide, targeting specific problems and warning consumers and new entrepreneurs about what the law requires. The Commission has also posted "teaser pages" online, i.e., fake scam sites that educate consumers to enable them to avoid Internet roses.
21 Cyber Dialogue, "Children on the Internet," InterActive Consumers (May 1997).
22 Cyber Dialogue, "Online Children," InterActive Consumers (Dec. 1999).
23 1998 Report at 31-33.
24 Id. at 35-37.
25 Louis Harris & Associates and Dr. Alan F. Westin, Commerce, Communication, and Privacy Online, A National Survey of Computer Users (1997).
26 COPPA also covers operators of commercial sites who knowingly collect information from children under 13. 15 U.S.C. Section 6502(a)(1).
27 The Commission is aware of recent press reports of websites that have chosen to discontinue services to children under 13 because of perceived difficulties in complying with the Rule. See "Parents Remain Unclear on Online Privacy Law," Cybertimes, New York Times (May 12, 2000). The Commission will monitor these reports as it considers future actions under the Rule.
28 In addition to the FTC, COPPA confers authority on the States to bring actions in Federal District Court to enforce compliance with the FTC's implementing rule. 15 U.S.C. 6504.
29 The FTC has dramatically extended the reach of its educational messages by making available more than 200 consumer and business publications on its website, www.ftc.gov. Last year, views of these publications numbered 2.5 million (up from 140,000 in 1996).
In addition to the FTC's own website, the Commission hosts and maintains www.consumer.gov, a one-stop shop for consumer information from the federal government. The site, which was initiated by the FTC in 1996 with a small group of other agencies, now links to information from over 160 federal agencies and has more than 80,000 unique visits a month. It has housed an array of special education initiatives, involving Y2K, health care quality, consumer fraud, and identity theft, a 21st century crime involving the misappropriation of personally identifying information. The original consumer.gov team received the Hammer Award from the National Performance Review.
30 An important part of the FTC's education mission is to provide guidance to web businesses. Many of these entrepreneurs are small, start-up companies that are new to the Internet and to marketing in general, and are unfamiliar with consumer protection laws. The Commission has several special publications that are especially well- designed to give practical, plain English guidance to this audience (e.g., Advertising and Marketing on the Internet: Rules of the Road; Dot Com Disclosures). The agency also has used other approaches to provide guidance to those who are engaged in e-commerce, e.g., posting compliance guides and staff advisory letters on the Web, using the trade press to promote the availability of information, and holding public workshops on online issues.
31 The FTC often partners with private sector members to disseminate educational messages. For example, the FTC has actively recruited partners to link to its website and to place public service banner announcements provided by the FTC on their sites. Links from the public service banners allow visitors to click through to the FTC site quickly to get the information they're looking for exactly when they want it. Among the varied organizations that have helped drive traffic to the valuable information on www. ffc.gov are AARP, American Express, the Arthritis Foundation, the Better Business Bureau, CBS, CNN, Circuit City, the National Institutes of Health, the U.S. Patent and Trademark Office, and Yahoo.
32 Fraud complaints also are entered into the Consumer Sentinel database which is maintained by the FTC and now contains more than 250,000 consumer fraud complaints. More than 100 organizations contribute complaints to the Consumer Sentinel database, which is shared with over 240 law enforcement agencies in the U.S. and Canada. Consumer Sentinel makes the data available through a secure website and also provides a variety of tools to help law enforcers investigate and prosecute fraud.
33 Contacts range from complaints about get-rich-quick telemarketing scams and online auction fraud, to questions about consumer rights under various credit statutes, to requests for educational materials.
END
LOAD-DATE:
May 19, 2000
Document 85 of 261.
Search Terms: personal w/5 information w/5 privacy, House or Senate or Joint
To narrow your search, please enter a word or phrase:
Copyright © 2002, LEXIS-NEXIS®, a division of Reed Elsevier Inc. All Rights Reserved.
