To Regulate or Not to Regulate

The Clinton administration and the information industry have been fighting an uphill battle to get their privacy house in order, but the most recent signs are that, even if an occasional battle can be called a victory, they are losing the war. At stake is whether companies that have staked out a presence on the Internet can be trusted to regulate their behavior in such a way as to preserve the privacy of consumers and to protect the integrity of personal information collected at Web sites. While the administration and its commercial allies have talked a good game, the proof that self-regulation is the answer to consumer worries about privacy has not been forthcoming. The report issued by the Federal Trade Commission (FTC) on online privacy, and especially online privacy for children, may be the stake through the heart of online self-regulation.

Children on the Web

The FTC report on online privacy, focusing particularly on Web sites catering to children, surveyed more than 1,400 Web sites and concluded that Congress should pass legislation protecting the privacy of children. The report noted that, "despite the commission's three-year privacy initiative supporting a self-regulatory response to consumers' privacy concerns, the vast majority of online businesses have yet to adopt even the most fundamental fair information practices. Moreover, the trade association guidelines submitted to the commission do not reflect industry acceptance of the basic fair information practice principles. In addition, the guidelines, with limited exception,
contain none of the enforcement mechanisms needed for an effective self-regulatory regime. In light of the lack of notice regarding information practices on the World Wide Web and the lack of current industry guidelines adequate to establish an effective self-regulatory regime, the question is what additional incentives are required in order to encourage effective self-regulatory efforts by industry." The report added that, "in the specific area of children's online privacy, however, the commission now recommends that Congress develop legislation placing parents in control of the online collection and use of personal information from their children. Such legislation would set out the basic standards of practice governing the online collection and use of information from children. All commercial Web sites directed to children would be required to comply with these standards."

The report recommended several specific items that legislation should include. For the collection of personally identifying information from children under 12:

Where personally identifying information would enable someone to contact a child offline, the company must obtain prior parental consent, regardless of the intended use of the information (opt-in).
Where the personally identifying information is publicly posted or disclosed to third parties, the company must obtain prior parental consent (opt-in).
Where collection of an e-mail address is necessary for a child's participation at a site, such as to notify contest winners, the company must provide notice to parents and an opportunity to remove the e-mail address from the site's database (opt-out).
For personally identifying information collected from children over 12, the commission recommended that:
Web sites must provide parents with notice of the collection of such information and an opportunity to remove the information from the site's database (opt-out).
Without Notice

Given the fact that many commercial Web site operators knew the FTC was monitoring Web site privacy policies, the commission's survey found privacy practices on the Web to be abysmal. Of 674 commercial sites surveyed, 92 percent collected personal information but only 14 percent provided any notice about information practices and only 2 percent had a comprehensive policy. The commission reviewed 212 children's sites, and 89 percent collected personal information. Fifty-four of those sites provided some form of disclosure describing their information practices, but only 23 percent told children to seek parental permission before providing information, and fewer than 8 percent indicated they would notify parents about their information practices. Fewer than 10 percent offered some form of parental control over the collection or use of information from children.

The FTC studied sites in three specific sectors -- health, retail and finance -- where it believed particularly sensitive personal information might be routinely disclosed. The survey found that 88 percent of health sites collected personal information, while only 14 percent disclosed their information practices. At retail sites, 87 percent of sites collected personal information while only 13 percent disclosed information practices. For financial sites, 97 percent collected personal information while only 16 percent disclosed information practices.

Finally, of 111 most-popular sites surveyed, 97 percent collected personal information, and 71 percent had information disclosure practices.

While the results of the survey reveal a significant consumer privacy problem concerning Web sites of all descriptions, the report's conclusion that legislative action is needed to stem the unchecked collection of information from children is equally important as a policy matter. Children's privacy has been a sub-issue on which government has been willing to take action, but the FTC report suggests that legislation may well be needed to solve privacy issues pertaining to adults as well. The report notes that, "if growing consumer concerns about online privacy are not addressed, electronic commerce will not reach its full potential. To date, industry has had only limited success in implementing fair information practices and adopting self-regulatory regimes with respect to the online collection, use and dissemination of personal information." The report concludes that "the commission ... will recommend an appropriate response to protect the privacy of all online consumers."

Industry Reaction

Industry representatives differed sharply from the FTC findings. A survey released by InformationWeek magazine indicated that 79 percent of respondents at corporate sites said their businesses had written policies, and 94 percent at government and educational sites said their sites had policies as well. Pat Faley, director of government affairs at the Direct Marketing Association, noted that "self-regulation is the only thing that will work." Don Telage, a senior vice president at Network Solutions, observed that privacy might provide a selling point for business. "It may turn out that privacy policy will be a competitive advantage," he said.

But soon after the report was released, the public got its first glimpse of what a little agency nudging can accomplish. In a filing with the Securities and Exchange Commission, GeoCities, one of the biggest kids' sites on the Internet, admitted that it had been charged by the FTC with "unfair and deceptive practices" by disclosing information collected from children to third parties without telling the children or their parents. To settle the charge, GeoCities agreed to seek parental permission before using information from children under the age of 13. It also agreed to more clearly explain how the data would be used and to give consumers the option of deleting personal information from GeoCities' database.

Self-regulation Solution

The Clinton administration has pushed hard for self-regulation, and the FTC in the past seemed willing to seriously entertain self-regulation as the best solution. But for the agency that has been one of the best hopes to protect consumers from privacy abuses by the private sector to now recommend a legislative fix and abandon self-regulation as a failure is a significant policy switch.

Ira Magaziner, Clinton's pointman on electronic commerce issues, has hinted recently that industry had only a little more time to convince the government that self-regulation could be effective before some kind of government regulation was introduced. According to a story in the Washington Post, White House officials had hoped that the FTC report would show that self-regulation was working. However, the article noted the widespread lack of compliance has instead annoyed White House officials, who have warned that the FTC report may well prompt Congress to take some kind of legislative action that might threaten the commercial viability of business on the Internet.

Certainly, a major reason for trying to get privacy protections in order now is that the European Union's data-protection directive will become effective this October. Government and industry have always seen self-regulation as the most "American" response to this problem -- the kind of laissez faire, free-market solution that appeals to an economic system that frowns upon government intervention. However, if the European Union refuses to recognize the adequacy of the United States' privacy "patchwork," some kind of government regulation may be essential. The FTC noted that the most glaring absence in self-regulatory policies was the lack of any enforcement mechanism. If industry is unwilling to provide effective incentives for observing fair information-practice principles, then government may well step in with civil or criminal remedies.

Harry Hammitt is editor/publisher of Access Reports, a newsletter published in Lynchburg, Va., covering open-government laws and information-policy issues.

September Table of Contents