Internet Privacy

May 26, 2000 at 12:00 AM EDT

RAY SUAREZ: And joining us now to discuss privacy online, Robert Pitofsky, chairman of the Federal Trade Commission; Christine Varney is executive director of the Online Privacy Alliance, representing high-tech companies that support voluntary privacy practices on the Internet; and Marc Rotenberg, executive director of the Electronic Privacy Information Center, a research organization focusing on privacy issues concerning the Internet. Mr. Pitofsky, let’s start with you. Bring us up to today. What did you try first and what have you found about how it worked that makes you seek a legislative remedy?

ROBERT PITOFSKY, Chairman, Federal Trade Commission: Well, we’ve issued three reports. We’ve been looking at this question for about five years. We’ve issued reports over the last three years. There’s a lot of common ground here. I mean, nobody thinks that privacy is not worth protecting. The only issue is, how do you get there? Will self-regulation do it? I don’t think self-regulation has been a failure. On the contrary, much has been achieved. But I’m not sure self-regulation is ever going to get to the finish line all by itself without some legislative support. That’s really what the issue is about.

RAY SUAREZ: And in your recommendations, did you try to craft the, let’s say the least intrusive solution for this point?

ROBERT PITOFSKY: Well, I hope we did. You listed the four information practices that we think should be supported. Certainly notice and choice are the heart of any. If you don’t know what’s happening to the information, and you can’t say “leave me out,” then you have no rights at all. On access, which means can you check to see whether there are errors in the database, we said reasonable access. We said there are some kinds of information where no access at all would be required. So we are trying to make sure that we protect consumers’ rights on the Internet, rights to privacy, which we think are so important. But we certainly don’t want to do that by hampering the growth of the Internet, which itself is a tremendously pro-consumer development.

Debating the proposals

RAY SUAREZ: Well, Christine Varney, people who are not industry experts might listen to that statement and say, “gee, it doesn’t sound like he’s slamming on the brakes or throttling what’s going on on the Internet. What’s the problem?”

CHRISTINE VARNEY, Online Privacy Alliance: As well they should. I think that the Chairman has laid out the problem very accurately. We’ve been working for over five years, industry and government and consumers together, to come up with meaningful privacy protections for consumers.

Congress has enacted three laws recently: The Children’s Online Privacy Protection Act, which protects data from and about children; the Financial Services Modernization Act, that does have some privacy provisions – we can argue about the adequacy of them – and the Health Insurance Affordability and Accountability Act, whose regulations are not even finished yet, which does protect medical and health-related information. I think the question that I really have is at this point we have got three very strong laws; the children’s is the only one which is fully implemented. The other two are not yet implemented. I would like to see us go a little slow. Let’s get these laws up and running.

Let’s look at the last, you know, 10 percent of Web sites that don’t have notice and figure out how we get there. The Chairman’s absolutely right. It is a combination of self-regulation, legislation, and enforcement. And the Federal Trade Commission today has the authority to prosecute those Web sites that don’t do what they say they’re doing. They’ve done it and they’ve done a good job. If anything, I’d like to see them get more resources to do prosecution as opposed to creating regulatory framework.

RAY SUAREZ: All kinds of industries would prefer self-regulation over legislative regulation. But what do you do about the bad actors? If you were to continue with a self-regulating model, how do you take those people who go too far and sanction?

CHRISTINE VARNEY: Well, I think one of the things, as a former government enforcer, that I’ve always thought is, good laws don’t stop bad people from doing bad things. They merely give prosecutors and in some cases private citizens, more tools to go after them. So, I think we have to remember that we have a lot of law in place right now. The question is whether or not existing law is adequate. As we discussed earlier, the FTC has the authority right now to prosecute bad actors under certain circumstances. I’m not sure that an additional grant of regulatory authority is going to get us all the way there in the least intrusive manner.

RAY SUAREZ: Marc Rotenberg, are the legislative remedies proposed by the FTC enough for you and your group?

MARC ROTENBERG, Electronic Privacy Information Center: Well, I think the proposals, Ray, are fairly modest, actually. They seem to track what the industry has said that they are currently doing, those four principles actually mirror the principles that Miss Varney’s group and other industries self-regulatory organizations say that they’re currently following. So I guess one question you can ask at the outset is if these four principles are already being adopted by industry organizations, why they’re not prepared to see them backed up in law? But I think a second point that really needs to be made at the outset here is that the privacy problems on the Internet are getting more severe over time, which is to say that as we allow this experiment in self-regulation to go forward, the techniques for capturing personal data through Web advertising, through Web bugs and through cookies are accelerating rapidly. And there is a real risk, I think, that if we don’t put in place a legislative framework very soon, we could quickly lose control of this problem.

RAY SUAREZ: Can you give us an example of the kind of personal data that you’re talking about, and the bad uses to which it can be put?

MARC ROTENBERG: The interesting thing about the Internet is that you can capture people’s activities, their interests, when they visit a Web site, when they read a news story, online, for example. If they go to your Web site, that information can be logged. And we’ve never experienced this in the off-line world. The type of information that marketers typically had in the off-line world was purchase information. And if you bought a sweater one year, a different product the next year, the company that sold you that sweater might well sell you a related accessory. But on the Internet, the information is far more detailed. And what it’s leading to is the creation of detailed personal profiles on consumers operating online. And I think, as the Chairman has said quite rightly, consumers today are facing an unfair choice. To go online and to take advantage of electronic commerce they’re increasingly being asked to give up their privacy. And it seems to me that that’s a choice that consumers should really not have to face.

RAY SUAREZ: Are stories coming back to FTC regulators, back to your office, about the kinds of experiences that people are having that lead you to have this concern that you want a legislative remedy for?

ROBERT PITOFSKY: Sure. And let me put a sharper point to the – to the issue. If people put out a privacy policy and then they don’t do what they say, we can and we have challenged it. The problem is that about 40 percent of the Web sites that are out there now either say nothing or they say something in such a confusing way that nobody can figure it out – ten pages of legal jargon that the average person isn’t going to figure out, so they don’t know what their rights are. Without legislation, there’s no way for us to get at that kind of behavior and self-regulation won’t get at it either, because, as you pointed out, we’re talking about some bad actors here. We’re talking about some unprincipled people. If you go to them and say shape up, we have a self-regulatory rule and we want you to abide by it, they’re making a lot of money, putting together a profile that – the books you read, the music you listen to, the drugs you buy, the cosmetics you buy, the tours you take – and they say I’m – that’s very nice about your self-regulation but I think I’m going to sell this information and make the profit that I’m already making. I think self-regulation itself would be more effective if there were a law that they could point to and back themselves up, and the most successful self-regulation programs I’m aware of, they all work in exactly that way.

Giving consumers a choice

RAY SUAREZ: Well, have there been exaggerations of just how much retailers put a value on this kind of data mining?

CHRISTINE VARNEY: Well, I think there has been a lot of concern about what’s potentially possible. And I think that both Marc and the chairman would agree that the actual practices today are not where they could be and may be in the future. The question is: What kind of law and combination of law and best practices is going to restrain them and give consumers a meaningful choice. If there is a company that is doing what the chairman just described, I’d like to know their name because I’d like to go talk to them and see if we can’t get them to behave in a better way, but I really think that what you’ve got to be careful about here is what Americans care deeply about is the abuse and misuse of their personal and financial information, their personal health and medical information, including the purchasing of drugs, and the information about their children, those issues have been dealt with. Do most Americans care if a company is trying to serve them up an Internet page that they think is going to be reflective of their interests when none of that data is there? Not really. Not if they know that it’s happening, if they have complete choice that’s easy. And on the point that – you know – many of these privacy policies are ten pages long and written by lawyers, well, I think the industry would be happy to sit down with the government and say, okay, you want to make ’em easier, let’s make them easier, but let’s get your guarantee that you’re not going to prosecute us for not having full disclosure, because it takes ten pages to do full disclosure.

RAY SUAREZ: Well, Marc Rotenberg, what about Christine Varney’s point that most Americans are pretty easy going about the kinds of information that they are often asked for and then come to certain places, insurance, medical records, those kind of things, that’s when the concerns rise, and there are already regulations for that?

MARC ROTENBERG: Well, first of all, I disagree with Christine’s characterization of the current legal protections for financial information and for medical information. I think most people who look at those laws and regulations agree that this is very weak stuff. Even the President, himself, has committed to introducing stronger privacy legislation to protect consumer financial records, so I would hardly call that adequate protection. But I think more generally if you want to talk about the views of Americans on this issue, I think their views are quite clear that they believe they’re entitled to some legal rights when they go on the Internet. They don’t understand, for example, why it is if they go to a Web site and give some information for one purpose, there’s a product shipped or loan approved or for some other reason, that information is going to be sold to a third party for some other purpose. Much of privacy protection is really common sense. It’s about building trust and confidence in relations between consumers and businesses, and I think the chairman again has made a point well. We’re operating in an environment right now on the Internet where that trust and confidence is not in place, because we don’t have those baseline privacy standards.

RAY SUAREZ: Let me come back – because he makes an interesting point. Why not just shift the balance of power and even things out a little bit? Yeah, you can have this information but just tell me you’re taking it – you can have it but just ask me if you can have it.

CHRISTINE VARNEY: I think one of the things that’s important to remember here is that this is truly a place where good business judgment and good public policy intersect. When the Federal Trade Commission did their survey, they went through the 100 most popular Web sites, and I think they found an overwhelming percentage of those Web sites offer notice and choice. You can say no, don’t share my information. I tell consumers all the time, when you go to a Web site, look for the privacy policy. If you can’t find one, don’t shop there. And when you find one, exercise your choice. If you don’t want your information shared, say, no. Now, I believe that there are different standards that need to be in place for health and medical, financial, and children. And Marc is right. There is a lot of disagreement over whether or not protections in the Financial Services Organization Bill are adequate and we’re going to be revisiting those this year.

RAY SUAREZ: So what do you feel you need?

ROBERT PITOFSKY: Let me just say after five years it’s not an overwhelming percentage. Notice and choice for the best companies is 60%. For all companies is 40%. Look, we need modest, sensible legislation to make self-regulation work. And that’s what our report says. I don’t think we should go wild. I don’t think we should burden the Internet. But you put it very well. I don’t mind you collecting this information, but if you’re going to collect it and sell it to a third party that I don’t know and I’ve never heard of, I want a chance to say leave me out.

RAY SUAREZ: Chairman Robert Pitofsky, guests, thank you very much.