[ga-sys] US Privacy Issue - Fair Information Practice Principles

[Joanna Lane <jo-uk@rcn.com>]

http://www.ftc.gov/os/1998/9803/privacy.htm#N_24_

PREPARED STATEMENT OF THE FEDERAL TRADE COMMISSION ON "INTERNET PRIVACY"
Before the SUBCOMMITTEE ON COURTS AND INTELLECTUAL PROPERTY of the HOUSE
COMMITTEE ON THE JUDICIARY, UNITED STATES HOUSE OF REPRESENTATIVES,
Washington, D.C., dated March 26, 1998.

<snip> 

Many consumers care deeply about the privacy and security of their personal
information in the online environment and are looking for greater
protections.(23) During the Commission's first privacy workshop, a consensus
emerged among workshop participants regarding four important considerations
that would assist in protecting online privacy. These considerations
include: 

NOTICE concerning Web sites' information practices, i.e., how commercial Web
sites will use personal information they collect from consumers;

CHOICE in how Web sites will use consumers' personal information;

ACCESS to consumers' own information collected, maintained, or used by Web
sites;  

and SECURITY of consumers' personal information maintained by Web sites from
improper or unauthorized use by third parties.(24)


<snip>
Commitment to Self-Regulation

The Commission has also learned that members of the online industry are
aware of the need to address consumers' concerns. Throughout the series of
Commission workshops on these issues, the online industry has asserted that
self-regulation is the most efficient and effective means of creating online
privacy protections.

___________________________________________________________________

(About 2 years later, the FTC posted its third report, claiming consensus
for strikingly similar recommendations to those made earlier.)
_____________________________________________________________________

http://www.ftc.gov/reports/privacy2000/pitofskystmtonlineprivacy.htm


STATEMENT OF CHAIRMAN PITOFSKY
Privacy Online: Fair Information Practices in the Electronic Marketplace
May 22, 2000
------------------------------------------------------------------------

The Commission today issues its third report on the extent to which
self-regulation is providing or is likely to provide protection for
consumers against unjustified invasions of privacy in the online world.(1)
There is now wide agreement on the required elements of privacy protection,
referred to as the Fair Information Practice Principles. With respect to
personally identifiable information, an adequate privacy program should
include:

1. Notice -- clear and conspicuous -- of what information is collected from
consumers, how it will be used by the collecting parties and whether it will
be disclosed to other entities;
 
2. Choice which offers the opportunity for consumers to decide whether they
want their personally identifiable information to be used for any purpose
other than completion of the transaction. Choice encompasses both internal
and external uses of such information.
 
3. Reasonable access by consumers to review the information collected on
them and a reasonable opportunity to correct any errors or delete the
information. 
 
4. Adequate security within the company as to how information will be
handled.


<snip> 
 
Also, when we probe beneath the surface and assess compliance with the Fair
Information Practice Principles, a less than encouraging picture emerges.
For example, only 20 percent of the Web sites in the random sample implement
each of the four principles.(7) The fact that only one in five of the
busiest commercial Web sites provides basic privacy protections is
disappointing. Also, in the most popular group, the percent of sites
satisfying the four criteria is only 42.(8)
 
Even if we use a less exacting analysis, recognizing in part the
difficulties associated with satisfying Access and Security standards, which
the Advisory Committee's report cogently highlighted, the numbers remain
troubling. Taking Access and Security out of the picture, and looking solely
at the data for sites that implement only the principles of Notice and
Choice, we find, for the random sample, we have 41 percent compliance; 60
percent in the most popular group.(9)
 
Finally, the results of the seal program survey were particularly striking -
8 percent in the Random Sample; 45 percent in the most popular group display
a seal.(10) These numbers speak for themselves. Efforts to monitor and
enforce standards have barely scratched the surface.


The question is not whether industry self-regulation has passed or failed a
test. The question rather is whether the progress of online implementation
of Fair Information Practice Principles continues to suggest that no
legislation is warranted. Notwithstanding tangible gains, based on the
overall data, a majority of the Commission finds that self-regulation alone,
without some legislation, is unlikely to provide online consumers with the
level of protection they seek and deserve. Accordingly, a majority of the
Commission recommends that Congress consider legislation to complement
self-regulation.

Despite this conclusion, I want to emphasize that there will continue to be
an important role for self-regulation in ensuring the protection of privacy.
The private sector has every incentive to engage in effective
self-regulation so that electronic commerce reaches its full potential. I
continue to support self-regulatory initiatives and believe they are vitally
needed to complement any legislation in this area.

Also, it is imperative that any such legislation not be unduly burdensome or
expensive. It must energize, rather than hamper, the important aspects of
consumer welfare provided by a fully developed online commercial market
place. In particular, many important issues remain that will need to be
addressed by Congress and others. The Advisory Committee's report spotlights
the complexities surrounding implementation of "Access." Substantial
questions remain as to how much access is "reasonable," to what types of
information access should be afforded, and at what cost to the business
community and to consumers. The answers to these questions are not
self-evident and will require careful consideration. Also, while issues
surrounding "Adequate Security" may prove less daunting, they too present
challenges. 

In addition, the Commission has become increasingly aware, as discussed in
portions of the Advisory Committee report, that it is difficult to
distinguish between consumers' privacy rights in the online universe, where
consumers may provide personal identifying information in connection with
purchase of a product on the Internet, and the offline world, where there
are many arrangements whereby consumers provide personal information such as
in connection with filling out warranty cards or applying for magazine
subscriptions. Clearly, numerous offline commercial activities can also be
accomplished online. We did not set out to study in detail the information
practices in the offline area, and therefore will note only that there may
be little reason to distinguish among consumer privacy rights online and
offline in the future.

In sum, consumers should not have to forfeit their privacy online in
exchange for the rich benefits of e-commerce. A well-crafted approach, in
fact, will benefit the growth of e-commerce and provide important
protections to consumers. The Commission's legislative recommendation does
not, in my view, signal a rejection or failure of self-regulatory
initiatives. Rather, based on what I have seen to date, legislation is now
needed to ensure consumers' online privacy is adequately protected. I
strongly urge self-regulation to complement any legislative actions in this
area.

___________________________________________________________________________

Regards,
Joanna

--
This message was passed to you via the ga-sys@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga-sys" in the body of the message).
Archives at http://www.dnso.org/archives.html