Copyright 2000 eMediaMillWorks, Inc.
(f/k/a Federal
Document Clearing House, Inc.)
Federal Document Clearing House
Congressional Testimony
October 3, 2000, Tuesday
SECTION: CAPITOL HILL HEARING TESTIMONY
LENGTH: 6014 words
COMMITTEE:
SENATE COMMERCE, SCIENCE AND TRANSPORTATION
HEADLINE: TESTIMONY CONSUMER INTERNET PRIVACY
TESTIMONY-BY: MARC ROTENBERG , ELECTRONIC PRIVACY
INFORMATION CENTER
BODY:
October 2, 2000 Prepared
Testimony and Statement for the Record of Marc Rotenberg, Executive Director,
Electronic Privacy Information Center Washington, DC on S.809 Online Privacy
Protection Act of 1999 S.2606 Consumer Privacy Protection Act of 2000 S.2928
Consumer Internet Privacy Enhancement Act of 2000 before the Senate Commerce
Committee My name is a Marc Rotenberg.' I am the Executive Director of the
Electronic Privacy Information Center (EPIC) in Washington DC and an adjunct
professor at Georgetown University Law School where I teach information privacy
law.' I am grateful for the opportunity to appear before the Committee today. I
also appreciate the Committee's ongoing efforts to explore the important issue
of Internet privacy. I will focus my comments on the need to ensure strong
privacy safeguards for the Internet based on Fair Information Practices. These
guidelines are the basis for almost all privacy laws, and provide the framework
to evaluate the proposals currently before the Committee. I will address
specific provisions of the Online Privacy Protection Act, the Consumer Privacy
Protection Act, and the Consumer Internet Privacy Protection Act. I will
recommend that the Committee adopt strong, sensible provisions that safeguard
the interests of consumers and provide clarity and a level playing field for
businesses. I will also address some of the issues that are not addressed
directly in the legislative proposals, such as the need to protect online
anonymity. STATUS OF INTERNET PRIVACY Mr. Chairman, at the outset, I wish to
make three brief points concerning Internet privacy. First, we believe that
there is widespread public support for legislation in this area and also that
industry recognizes that such legislation is appropriate and necessary. Polling
data routinely shows that the public believes that privacy laws for the Internet
are needed. And although industry groups have objected as a general matter to
government regulation of the Internet, in the area of online privacy I believe
most will concede that legislation is likely.' Second, while we recognize that
commercial web sites have made progress in developing and posting privacy
notices, we do not believe that these policies alone protect online privacy. In
fact, privacy notices without other substantive rights operate more like warning
labels or disclaimers than actual privacy safeguards. Although it would be
tempting to pass legislation based simply on the notice requirement, we believe
such a bill over the long term would reduce the expectation of privacy and the
level of online protection. A substantive privacy measure must provide more than
notice. Third, we believe that enforcement mechanisms must remain flexible. Any
legislation that leaves a central agency in the position to limit enforcement at
the local level or prevents an individual from pursuing a privacy complaint in
court could significantly undermine the protection of privacy interests. And to
the extent that the FTC plays a central role in overseeing the enforcement of
privacy, it is vitally important that formal reporting requirements be
established so that this Committee, the Congress, and the public will be able to
evaluate the effectiveness of privacy protection in the United States. PRIVACY
LAWS AND THE ROLE OF FAIR INFORMATION PRACTICES The basic goal of privacy
legislation is to outline the responsibilities of organizations that collect
personal information and to provide rights to those individuals that provide the
Personal information. These rights and responsibilities are commonly refer-red
to as "Fair Information Practices." Fair Information Practices ensure that
consumers have control over their personal data and that companies abide by
ethical business practices. Fair Information Practices have provided the basis
for privacy legislation across both the public and private sectors. The Fair
Credit Reporting Act of 1970 placed requirements on credit reporting agencies,
restricting their ability to disclose information about individual consumers and
providing a right of access so that individuals could inspect their credit
reports and determine whether decisions affecting their ability to obtain a loan
or receive credit were based on accurate and complete information.'. Since 1970,
privacy laws based on Fair Information Practices have covered educational
recordS6, cable subscriber recordS7 , ernail8, video rental records9, and
telephone toll records". The recently passed Children's Online Privacy
Protection Act" requires parental consent before information is collected from
minors and access to any information already collected. For more than
twenty-five years, the United States has established privacy laws based on Fair
Information Practices directly in response to the development of new
technologies, such as computer databases, cable television, electronic mail,
movies on video tape, and fax machines. Far from discouraging innovation, these
baseline privacy standards have promoted consumer trust and confidence as new
services have emerged. Privacy laws have also provided businesses with clear
rules and a level playing field. Fair Information Practices have also
contributed to the development of privacy laws around the world. Important
international agreements such as the Organization for Economic Co- operation and
Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows
of Personal Data and the recently concluded Safe Harbor arrangement have been
built on Fair Information Practices". These international guidelines have become
more important as we move toward a global economy where US firms seek to sell
products online in other countries and US consumers have increasingly made their
personal information available over the Internet to companies operating all
around the world. Because of the central role that Fair Information Practices
have played in the development of privacy law in the United States and the
increasing importance of these principles for online commerce going forward, I
believe they provide the appropriate framework to evaluate the bills now pending
before the Committee. FAIR INFORMATION PRACTICES PRINCIPLES AND CONSUMERS Strong
legal protections built on Fair Information Practices satisfy the basic, common
sense privacy expectations of consumers. The bills under consideration today
follow the rubric of notice, "choice," access, security, and enforcement when
discussing Fair Information Practices. While this is not a complete list of the
obligations that can be found in US privacy law, it is a useful framework for
evaluating privacy measures. All three bills present various approaches towards
upholding Fair Information Practices and establishing baseline standards for
Internet privacy. Notice The first principle of privacy protection is that a
consumer should be provided notice of the collection, use and dissemination of
his or her personal information. A privacy
notice or a privacy policy should tell a consumer when his or
her personal information will be collected, the purpose it will
be used for and whether it will be disclosed to a third party. Simply put, a
privacy notice should be a basic description of what information a company
collects and for what purposes. The problems with current privacy policies have
been brought up by the Committee in earlier hearings. They tend to be long,
confusing, and full of obscure legal language. It is ironic that a principle
intended to make consumers aware of privacy practices has been subverted to one
that misleads and frustrates consumers on a regular basis. There is the
additional problem that companies have found it too easy to change privacy
policies when they wish. This was the problem with Doubleclick that gave rise to
the FTC investigation. Furthermore, although notice is an important part of a
privacy policy it does not by itself constitute privacy protection. Notice must
be accompanied by the other principles of Fair Information Practices. This point
was made clear in EPIC's recent report "Surfer Beware 3: Privacy Policies
Without Privacy Protection". This study found that while the vast majority of
high-traffic e-commerce sites had privacy policies none of those sites displayed
a privacy policy that provided the full range of Fair Information Practices
S.2928, the "Consumer Internet Privacy Enhancement Act", has the most extensive
discussion of notice in comparison to S. 809 and S. 2606. However, it is
possible that the amount of information that this bill requires to be disclosed
will likely overwhelm the average Internet user. The speed and convenience of
shopping online will quickly hit speed bumps if all consumers are expected to
read such notices before transacting business. Consumers should be assured that
baseline principles to safeguard their privacy apply to every site they visit.
They should not be burdened with having to examine and comprehend each line of a
privacy policy before they decide whether or not to transact business with that
specific company. The notice provisions of S. 809, the "Online Privacy
Protection Act of 1999", and S. 2606, the "Consumer Internet Privacy Enhancement
Act", are less burdensome but neither are perfect. While S. 2606 specifies that
notice should be "clear and conspicuous", S. 809 prudently requires that contact
information is provided. While the legislative construction would be difficult,
notice should be able easily understood by most consumers. Of course, contact
information should be included as well. In addition to this basic analysis of
notice, S. 2606 properly addresses a growing trend of Internet companies that
unilaterally change privacy policies on their customers. The requirement of
notice of a policy change and consent before information can be used in
accordance with the new policy would ensure that companies could not change
terms on their customers. Furthermore, it would force companies to think more
carefully the first time they write their privacy policy. Consent The principle
of consent is based on the view that if a consumer provides information for a
particular transaction it should not be used for another purpose without first
obtaining the consent of the consumer. The purpose of this requirement is to
ensure fairness and transparency and to prevent the type of "bait and switch"
that can easily result if a consumer is led to believe that a disclosure of
personal data is necessary for a transaction when it will in fact be used for
another purpose. If I provide my name and mailing address so a book I ordered
online will arrive at my house, the information should not be used for another
purpose without my permission. Opt-in means asking the consumer's permission
before information is collected or used. Opt-out means that a consumer will have
to go through a long, burdensome process to tell a company that she doesn't want
information used in a particular way. Which one will help a consumer control her
information? Which will encourage companies to make it as difficult as possible
to let her exercise that control? We support opt-in as a common-sense standard
that will give consumers a fair chance at controlling their personal
information. The affirmative consent requirement that would be established by S.
2606 is a "consumer friendly privacy standard" that allows for individuals to
rightly decide how their information held by others should be used. The
exceptions in S. 809 for consent present an issue that the Committee should
consider. S. 809 excludes "transactional information where identifiable
information is not removed" from its consent requirement. While S. 2606
establishes that personally identifying information may only be collected and
used with consent, a great deal of information is collected and tied to unique
identifiers. While it does not establish an opt-in, only S. 809 recognizes that
"transactional information" or clickstream data should be considered personal
information. Within the bill, personal information includes "information that is
maintained with, or can be searched or retrieved by means of' other identifiers.
Transactional information is data generated by online movements - pages visited,
searches conducted, links clicked - and has been at the center of recent privacy
controversies over online profiling. Not including this information as part of
an online privacy bill and protecting it would overlook a major concern of
Internet consumers. Access One of the critical requirements of genuine privacy
protection is to ensure that consumers are able to see the information about
them that is collected. The right of access, which can be found in laws ranging
from the Fair Credit Reporting Act to the Privacy Act to medical privacy laws
across the country, is oftentimes the most effective way that individuals have
to monitor the collection of their date and to object to inappropriate uses of
personal information. Businesses sometimes object to providing access because
they claim that it is too costly. But it is also possible that many
organizations simply don't want to actually show their customers how their
personal information is actually used. This is a risky strategy that we believe
online companies should avoid. In the online world it is much easier to provide
access to profile information. Many websites today, from airline reservations to
online banking, are making information that they have about their customers more
readily available over the Internet. Many of these companies realize the
importance of ensuring the information they have is accurate and developing a
transparent and accountable business-customer relationship. But we need a much
broader right of access in the online world because some bad actors are taking
advantage of technological tools that are beyond the knowledge of most Internet
users. The online world enables far-reaching profiling of private behavior in a
way that is simply not possible in the physical world. This became clear during
the past year over the debate with Doubleclick and it is today a critical issue
with Amazon. Any company that creates a persistent profile on a known user, or
that could be linked to a known user, should be required to make known to that
user all of the information that is acquired and how it is used in decisions
affecting that person's life. The profile should always be only "one-click" away
- there is no reason on the Internet that companies should force users to go
through elaborate procedures or pay fees to obtain this information about them.
It would also be appropriate in many cases to give individuals the right to
compel a company to destroy a file that has been created improperly or used in a
way that has caused some harm to the individual. Data could still be preserved
in an aggregate form, but individuals should be able to tell a company that they
no longer have permission to make use of the personal information that they have
obtained. S.2606 provides the most robust right of access. Providing
"reasonable" access to personally identifying information and the ability to
correct or delete information allows the consumer to control what happens to her
data. S.809 is better than S. 2928 on access, though the numerous exemptions
create several problems. Transactional information, especially where
identifiable information is not removed, has received some of the greatest
recent attention as mentioned above via online profiling. Personal information
that, is used internally or confidentially is the type of information that
should be most subject to access since it is used outside the realm of normal
customer interaction. If one of the goals of access is transparency, the
information which is most hidden should be brought to light. The other
exceptions for discarded data and data that has no impact seem redundant or
unnecessary. The presumption of access is that if personal information is held
by a company, it should be provided to the consumer. Discarded data is not held
by a company and whether data has impact should be a question the consumer
should answer. Enforcement Perhaps the most important element of Fair
Information Practices is enforcement. Absent an effective means to ensure
compliance, privacy principles will have little impact on business practices.
The key to enforcement is the independence of the enforcer. Self- regulation has
been an incomplete solution to privacy protection due to this lack of
independence. A company overseeing its financial supporters will not be
effective or independent. In our view, the Safe Harbors created by both S. 809
and S. 2928 lack sufficient oversight to ensure privacy protection. Privacy
advocacy groups like EPIC have documented reasons to be concerned through its
"Surfer Beware" reports." If self-regulation had been effective, the FIV would
not have reluctantly made its recommendation for legislation earlier this
session and we would not be discussing three potential Internet privacy laws
today. All three bills allow State Attorneys General to police unethical
companies that harm the consumers in their jurisdiction. However, all three
allow the FTC to intervene in proceedings and permit its actions to take
precedence over the actions of State Attorneys General. While we recognize the
important role of the FIV in the protection of consumers, it still remains
unclear whether it is the appropriate agency to safeguard privacy interests.
Rather than putting roadblocks in the way of State Attorneys General, we should
allow consumers to be protected by local authorities and other independent
agencies that are available. It is also important to ensure that individual
consumers are able to pursue privacy complaints. For that reason, a right to
private action with a provision of liquidated damages should be provided. This
preserves the right of consumers to pursue privacy complains when necessary.
While S. 2928 does establish a fixed level of civil penalties, S.2606
establishes a private right of action, liquidated damages attorney's fees, and
punitive damages. None of the bills provide for the establishment of a privacy
agency. S. 2606 goes furthest in establishing a FIC Office of Online Privacy but
like the other bills rely on the existing section 5 authority of the Federal
Trade Commission. T he reliance of privacy guidelines on the FTC Act prohibiting
unfair and deceptive business practices has not provided an adequate basis for
the protection of privacy interests and has failed to develop simple dispute
resolution procedures that could assist both consumers and companies resolve
privacy problems. Most consumers are not lawyers, computer experts, or privacy
advocates. For that reason, many countries have created independent data
protection agencies that answer questions and follow up on consumer complaints.
In addition to providing invaluable assistance for consumers, a privacy agency
can bring the consumer perspective to other government agencies and business
groups. These agencies are also generally responsible for public education and
international coordination with privacy agencies in other countries. In order to
help consumers resolve complaints and to penalize unethical companies, they
should have the power to take action when irresponsible companies breach privacy
principles established in law. ADDITIONAL ISSUES State Preemption All three
bills propose state preemption, though S. 2606 will allow for common law tort
and certain other claims to go forward. Limiting the ability of states to
develop additional safeguards to protect the privacy interests of their citizens
is a dangerous precedent and has only occurred in a few statutes. By and large
federal privacy laws operate as a floor and allow states, "the laboratories of
democracy," to develop new and innovate safeguards as required. 16 We believe
this approach should be followed with Internet privacy. Additional Safeguards In
addition to the other substantive provisions to protect privacy on the Internet.
S. 2606 also proposes important amendments that would update current privacy
laws. The Video Privacy Protection Act would be extended to include all video
recordings, recorded music, and book purchases. The Cable Communications Policy
Act would be extended to satellite TV subscriptions. These are sensible
recommendations that build on current laws. Anonymity Finally, although the
bills do not directly address the issue of online anonymity, I would like to
underscore that this issue remains one of the central challenges of Internet
privacy. While anonymity does create some risk, the loss of anonymity in the
online world could significantly undermine any legislative effort to safeguard
privacy. We have noticed a disturbing trend in the last year with more and more
web sites requiring registration and making use of new tracking techniques to
profile Internet users. Legislative safeguards will help limit the worst of the
abuses, but formal recognition of a right to be anonymous in the online world
may be the most robust form of privacy protection in the years ahead. CONCLUSION
We commend the Committee for the important efforts to address online privacy. We
believe that S. 2606 provides the most robust framework to protect privacy on
the Internet, that it is consistent with other privacy laws, and that it is in
the interests of consumers and business to ensure a high standard for privacy
protection in the world of e-commerce. We urge the Committee not to place too
much value on privacy notices without other substantive safeguards. Privacy law
is based on Fair Information Practices, a collection of rights and
responsibilities that help safeguard the interests on consumers in the world of
rapidly changing technology.
LOAD-DATE: October 5,
2000, Thursday