I. Data Collection in Cyberspace - An Overview:
Individuals disclose personal information on the Internet both actively and passively; individuals are sometimes informed about the passive disclosures, but other times data is collected without their knowledge. "Active" disclosures are voluntary, and are often made in the context of online registrations, surveys, and forms in exchange for access to a site or to content on a site, or for "rewards" such as sweepstakes entries, prizes, coupons, or purchase discounts. Active disclosures are typically made site by site, as individuals input individual bits of personal data. Alternatively, uniform disclosures can be made through a dossier compiled by the user, which can be used to manage what information is disclosed, and to whom.
Passive information gathering is often preferred by data collectors, because individuals may decline to actively provide personal information without compensation such as coupons, discounts, or access to content, or may refuse to disclose personal information altogether. Data is often collected passively through the use of "cookie files." A cookie is a small piece of data that a web site's server asks the browser to store when the user visits the site; the browser then sends that cookie back with every later request to the same site, which lets the site recognize the user from one request to the next and record how the site was used. A cookie is returned only to the site that set it, and it cannot read the contents of the user's hard drive. Tracking across sites arises when a third party, typically an advertising network, supplies content such as a banner image to many different sites: each such page causes the browser to request the banner from the third party, which sets and reads its own cookie, and the browser ordinarily also tells the third party which page embedded the banner (the "referring" page). In this way the third party can link a user's visits to every site on which it appears.
Knowing passive disclosures are made when a site alerts users that data will be collected. Users should then assume that everything they do will be monitored, including which parts of a site they access, which banner ads they click on, and so on. A record of online travel through and across web sites is called a "clickstream." Cookies can also be set without a user's knowledge, since most browsers of the period accept them silently by default, resulting in "unknowing" passive disclosures of personal information by individuals.
The Netscape explanation of a cookie file, accessible at: http://whatis.com/cookie.htm is as follows:
Cookies are commonly used to rotate the banner ads that a site sends so that it doesn't keep sending the same ad as it sends you a succession of requested pages. They can also be used to customize the pages they send you based on your browser type or other information you may have provided the Web site. Web users must agree to let cookies be saved for them, but, in general, it helps Web sites to serve users better.
An overview of the privacy issues raised by cookie files is provided by "The Cookie Controversy" by Lori Eichelberger, posted to Cookie Central and accessible at http://www.cookiecentral.com/ccstory/index.html. What follows is an excerpt of this article:
Cookies and Advertising
With the increasing commercial applications of the Internet, it was probably inevitable that cookies would quickly be utilized for advertising purposes. Since cookies can be matched to the profile of a user's interests and browsing habits, they are a natural tool for the "targeting" of advertisements to individual users. Marketing consultants such as DoubleClick, Inc. and MatchLogic quickly began to utilize cookies to increase the efficiency of the placing of advertisements on websites (Williamson). Their intent is to target advertisements such as changing banner ads to users whose profiles match those of likely consumers of the advertised products. For example, DoubleClick was retained by the 3M Corporation to help target Internet banner advertising for an expensive multi-media projector to those users who would be most likely to purchase it. DoubleClick made use of the information cookies provided about user browsing habits to match the banners with users who had a history of selecting high-technology sites (Moukheiber, 342). DoubleClick also indicates that another reason for using cookies is to prevent users from "being bombarded with the same ad over and over again" by keeping track of how many times a user has been shown a banner at any website on which DoubleClick customers advertise. In addition, consecutive banner advertising can be shown to a user as they visit successive DoubleClick customer sites. Infoseek also matches advertising to user interests stored in their cookie: "a person who performs repeated searches on baseball topics may be shown an ad for the Sportsline Website" (Vonder Haar).
"The Cookie Controversy" by Lori Eichelberger, posted to Cookie Central and accessible at http://www.cookiecentral.com/ccstory/index.html
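The cookie mechanism described in Part I and the DoubleClick-style tracking of banners across customer sites in the excerpt above can be made concrete with a small model. The following Python is an added example, not code from the original page, from Netscape, or from any company named in the excerpt; the hostnames (news.example, cars.example, ads.example), the page paths, and the dict-based HTTP exchange are all constructed. It shows three things: a first-party cookie is returned only to the site that set it; an ad server embedded on several sites links the visits into one clickstream by pairing its own cookie with the referring page; and a browser that refuses third-party cookies leaves the ad server with three unlinked, single-visit profiles.

```python
"""Model of first- and third-party cookie scoping and clickstream profiling.

Constructed, offline example: the hostnames, paths and the dict-based
HTTP exchange are made up; nothing here touches the network.
"""
from http.cookies import SimpleCookie
import itertools


class Browser:
    """Minimal cookie jar: a cookie is stored under, and returned only to,
    the host that set it (host-only scoping; no Domain attribute handling)."""

    def __init__(self, block_third_party=False):
        self.jar = {}                       # host -> {cookie name: value}
        self.block_third_party = block_third_party

    def request(self, server, path, top_level_host, referer=None):
        """Send one request to `server` while the page shown is on `top_level_host`."""
        third_party = server.host != top_level_host
        blocked = third_party and self.block_third_party
        cookies = {} if blocked else dict(self.jar.get(server.host, {}))
        headers = {"Cookie": cookies}
        if referer is not None:
            headers["Referer"] = referer    # the page that embedded this resource
        response = server.handle(path, headers)
        set_cookie = response.get("Set-Cookie")
        if set_cookie and not blocked:      # store it, scoped to the responding host
            parsed = SimpleCookie()
            parsed.load(set_cookie)
            for morsel in parsed.values():
                self.jar.setdefault(server.host, {})[morsel.key] = morsel.value
        return response


class PublisherSite:
    """A first-party site that issues its own session cookie."""

    def __init__(self, host):
        self.host = host
        self._ids = itertools.count(1)

    def handle(self, path, headers):
        response = {"Body": f"page {path} on {self.host}"}
        if "session" not in headers["Cookie"]:
            response["Set-Cookie"] = f"session=s{next(self._ids)}; Path=/"
        return response


class AdNetwork:
    """A third-party ad server whose banner is embedded on many publisher pages.

    Its cookie identifies the browser, and the Referer on each banner request
    names the page being read; together they give a cross-site clickstream
    keyed on the ad network's own identifier."""

    def __init__(self, host):
        self.host = host
        self._ids = itertools.count(1)
        self.profiles = {}                  # ad-network id -> [referring page URLs]

    def handle(self, path, headers):
        response = {"Body": "banner"}
        uid = headers["Cookie"].get("id")
        if uid is None:                     # browser not seen before: issue an id
            uid = f"u{next(self._ids)}"
            response["Set-Cookie"] = f"id={uid}; Path=/"
        self.profiles.setdefault(uid, []).append(headers.get("Referer"))
        return response


def browse(browser, ad_server, visits):
    """Visit each (site, path); every page also loads a banner from ad_server."""
    for site, path in visits:
        page_url = f"http://{site.host}{path}"
        browser.request(site, path, top_level_host=site.host)
        browser.request(ad_server, "/banner.gif", top_level_host=site.host,
                        referer=page_url)


def run(block_third_party=False):
    """Three page views across two publishers; returns the browser and ad server."""
    news = PublisherSite("news.example")
    cars = PublisherSite("cars.example")
    ads = AdNetwork("ads.example")
    browser = Browser(block_third_party=block_third_party)
    browse(browser, ads, [(news, "/politics"), (cars, "/volvo"), (news, "/sports")])
    return browser, ads


if __name__ == "__main__":
    for blocked in (False, True):
        _, ads = run(block_third_party=blocked)
        print(f"third-party cookies blocked={blocked}: {ads.profiles}")
```

With third-party cookies accepted, `ads.profiles` holds a single identifier mapped to all three page URLs, while neither publisher's session cookie ever reaches the other publisher or the ad server. With them blocked, the ad server still receives all three banner requests and their Referer headers, so it still learns each page view; what it loses is the ability to link them, and it records three one-visit profiles instead. The model deliberately ignores other correlation signals an ad server could fall back on, such as the client's IP address, so blocking cookies should be read as a necessary rather than a sufficient check against profiling.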
II. Data Privacy Protections in the United States:
Personal information is valuable, especially in the age of e-commerce. E-commerce companies glean as much information as possible about a customer to enable 'one-to-one marketing' by building an electronic storefront tailored to each individual. After gathering personal data and tracking shoppers' movements about the Internet, online retailers can display products to suit each customer's tastes and price range, and list customized specials and sales:
It's not just that technology collates existing information like public records in new and ways. It also creates new kinds of information. One of the most interesting is "clickstream" monitoring, a page-by-page tracking of people as they wander through the Web. Your clickstream reveals your interests and tastes with unnerving precision. (Did you go from slate.com to a Volvo dealer's Web site? Did you then buy some brie from peapod.com, the online grocery? You may be one of those limousine liberals we've been hearing about.) And when Web merchants combine clickstream analysis with another new software technique known as "collaborative filtering," which makes educated inferences about your likes and dislikes based on comparing your user profile with others in the database, they have a marketing tool of high potential not only for customer satisfaction but also for abuse.
"Knowing You All Too Well" by Peter McGrath in Newsweek, accessed on 3/25/99 at http://www.newsweek.com/nw-srv/printed/us/st/ty0113_2.htm
Players in the information industry, who profitably buy, collect and sell huge data banks of personal information about Americans, have successfully lobbied against government regulation of their practices. The Clinton Administration has asserted that "U.S. companies should not be forced to give people access to personal information about themselves."1 When President Clinton has spoken in favor of consumer privacy, his specific focus has been on individual financial information and medical records, rather than general personal data.2 The Privacy Act of 1974, the United States' most comprehensive privacy law to date, addresses the automation of records held on individuals by the federal and state governments but not those gathered by private entities. The Privacy Act of 1974, 5 U.S.C. Section 552a, "Records maintained on individuals" (1994) is accessible at http://law2.house.gov/uscode-cgi/fastweb.exe?getdoc+uscview+t05t08+27+0++%28Privacy%20W%2F2%20Act%20w%2F2%201974%29%20%20AND%20%28%285%29%20ADJ%20USC%29%3ACITE%20%20%20%20%20%20%20%20%20.
For an excellent multifaceted article on data collection in cyberspace, see Jerry Kang, Information Privacy in Cyberspace Transactions, 50 STANFORD L. REV. 1193, which is accessible at http://www.law.ucla.edu/faculty/kang/Scholarship/cprivacy.pdf. An abstract of this article follows:
Cyberspace is the rapidly growing network of computing and communication technologies that have profoundly altered our lives. We already carry out myriad social, economic, and political transactions through cyberspace, and, as the technology improves, so will their quality and quantity. But the very technology that enables these transactions also makes detailed, cumulative, invisible observation of our selves possible. The potential for wide-ranging surveillance of all our cyber-activities presents a serious threat to information privacy. To help readers grasp the nature of this threat, Professor Jerry Kang starts with a general primer on cyberspace privacy. He provides a clarifying structure of philosophical and technological terms, descriptions, and concepts that will help analyze any problem at the nexus of privacy and computing-communication technologies. In the second half of the article, he focuses sharply on the specific problem of personal data generated in cyberspace transactions. The private sector seeks to exploit this data commercially, primarily for database marketing, but many individuals resist. The dominant approach to solving this problem is to view personal information as a commodity that interested parties should contract for in the course of negotiating a cyberspace transaction. But this approach has so far failed to address a critical question: Which default rules should govern the flow of personal information when parties do not explicitly contract about privacy? On economic efficiency and human dignity grounds, Professor Kang argues in favor of a default rule that allows only "functionally necessary" processing of personal information unless the parties expressly agree otherwise. The article concludes with a proposed statute, entitled the Cyberspace Privacy Act, which translates academic theory into legislative practice.
A short, practitioner-oriented presentation of the themes of this article, published in the ABA Human Rights Magazine (Winter 1999) under the title Cyberspace Privacy: A Primer and Proposal, is accessible at http://www.abanet.org/irr/hr/winter99_kang2.html
Online collection of personal data from adults in this country is "self-regulated." In other words, web sites that collect personal information from adults visiting the site decide what data they would like to collect, and what if any information about this data collection they will disclose to site visitors. The Federal Trade Commission (FTC) recently authored "Self-Regulation and Privacy Online: A Report to Congress" (July 1999), in which it concluded that "legislation to address online privacy is not appropriate at this time" because "self-regulation is the least intrusive and most efficient means to ensure fair information practices online, given the rapidly evolving nature of the Internet and computer technology." A copy of this lengthy report is available at:
A copy of the prepared statement by the FTC that accompanied submission of the report to Congress, accessible at http://www.ftc.gov/os/1999/9907/pt071399.htm, follows:
"Self-Regulation and Privacy Online"
Subcommittee on Telecommunications,
Trade, and Consumer Protection
Committee on Commerce
United States House of Representatives
July 13, 1999
Mr. Chairman and members of the Subcommittee, I am Robert Pitofsky, Chairman of the Federal Trade Commission ("FTC" or "Commission"). I appreciate this opportunity to present the Commission's views on the progress of self-regulation in the area of online privacy.(1)
I. Introduction and Background
The FTC's mission is to promote the efficient functioning of the marketplace by protecting consumers from unfair or deceptive acts or practices and to increase consumer choice by promoting vigorous competition. As you know, the Commission's responsibilities are far-reaching. The Commission's primary legislative mandate is to enforce the Federal Trade Commission Act ("FTCA"), which prohibits unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.(2) With the exception of certain industries, the FTCA provides the Commission with broad law enforcement authority over entities engaged in or whose business affects commerce(3) and with the authority to gather information about such entities.(4) Commerce on the Internet falls within the scope of this statutory mandate.(5)
In June 1998 the Commission issued Privacy Online: A Report to Congress ("1998 Report"), an examination of the information practices of commercial sites on the World Wide Web and of industry's efforts to implement self-regulatory programs to protect consumers' online privacy.(6) Based in part on its extensive survey of over 1400 commercial Web sites, the Commission concluded that effective self-regulation had not yet taken hold.(7) The Commission recommended that Congress adopt legislation setting forth standards for the online collection of personal information from children; and indeed, just four months after the 1998 Report was issued, Congress enacted the Children's Online Privacy Protection Act of 1998.(8) As required by the Act, on April 20, 1999, the Commission issued a proposed Children's Online Privacy Protection Rule, which implements the Act's fair information practices standards for commercial Web sites directed to children under 13, or who knowingly collect personal information from children under 13.(10) Commission staff is reviewing comments on the proposed rule and will issue a final rule this fall.
When the 1998 report was released, there were indications that industry leaders were committed to work toward self-regulatory solutions. As a result, in Congressional testimony last July the Commission deferred judgment on the need for legislation to protect the online privacy of consumers generally, and instead urged industry to focus on the development of broad-based and effective self-regulatory programs.(11) In the ensuing year, there have been important developments both in the growth of the Internet as a commercial marketplace and in consumers' and industry's responses to the privacy issues posed by the online collection of personal information. The Commission has just issued a new report on these developments, Self-Regulation and Online Privacy: A Report to Congress (June 1999) ("1999 Report").(12) The 1999 Report assesses the progress made in self-regulation to protect consumers' online privacy since last June and sets out an agenda of Commission actions in the coming year to encourage industry's full implementation of online privacy protections. I am pleased to present the 1999 Report's findings to the Committee.
II. The Current State of Online Privacy Regulation
The new survey results show, however, that, despite the laudable efforts of industry leaders, significant challenges remain. The vast majority of the sites in both the GIPPS and OPA surveys collect personal information from consumers online.(19) By contrast, only 10% of the sites in the GIPPS sample,(20) and only 22% of the sites in the OPA study,(21) are implementing all four substantive fair information practice principles of Notice/Awareness, Choice/Consent, Access/Participation, and Security/Integrity.(22) In light of these results, the Commission believes that further improvement is required to effectively protect consumers' online privacy.
In the Commission's view, the emergence of online privacy seal programs is a particularly promising development in self-regulation. Here, too, industry faces a considerable challenge. TRUSTe, launched nearly two years ago, currently has more than 500 licensees representing a variety of industries.(24) BBBOnLine, a subsidiary of the Council of Better Business Bureaus, which launched its privacy seal program for online businesses last March, currently has 42 licensees and more than 300 applications for licenses.(25) Several other online privacy seal programs are just getting underway.(26) Together, the online privacy seal programs currently encompass only a handful of all Web sites. It is too early to judge how effective these programs will ultimately be in serving as enforcement mechanisms to protect consumers' online privacy.
The self-regulatory initiatives discussed above, and described in greater detail in the 1999 Report, reflect industry leaders' substantial effort and commitment to fair information practices. They should be commended for these efforts. Enforcement mechanisms that go beyond self-assessment are also gradually being implemented by the seal programs. Only a small minority of commercial Web sites, however, have joined these programs to date. Similarly, although the results of the GIPPS and OPA studies show that many online companies now understand the business case for protecting consumer privacy, they also show that the implementation of fair information practices is not widespread among commercial Web sites.
Based on these facts, the Commission believes that legislation to address online privacy is not appropriate at this time. We also believe that industry faces some substantial challenges. Specifically, the present challenge is to educate those companies which still do not understand the importance of consumer privacy and to create incentives for further progress toward effective, widespread implementation.
First, industry groups must continue to encourage widespread adoption of fair information practices. Second, industry should focus its attention on the substance of web site information practices, ensuring that companies adhere to the core privacy principles discussed earlier. It may also be appropriate, at some point in the future, for the FTC to examine the online privacy seal programs and report to Congress on whether these programs provide effective privacy protections for consumers.
Finally, industry must work together with government and consumer groups to educate consumers about privacy protection on the Internet. The ultimate goal of such efforts, together with effective self-regulation, will be heightened consumer acceptance and confidence. Industry should also redouble its efforts to develop effective technology to provide consumers with tools they can use to safeguard their own privacy online.
The Commission has developed an agenda to address online privacy issues throughout the coming year as a way of encouraging and, ultimately, assessing further progress in self-regulation to protect consumer online privacy:
- The Commission will hold a public workshop on "online profiling," the practice of aggregating information about consumers' preferences and interests gathered primarily by tracking their movements online. The workshop, jointly sponsored by the U.S. Department of Commerce, will examine online advertising firms' use of tracking technologies to create targeted, user profile-based advertising campaigns.
- The Commission will hold a public workshop on the privacy implications of electronic identifiers that enhance Web sites' ability to track consumers' online behavior.
- In keeping with its history of fostering dialogue on online privacy issues among all stakeholders, the Commission will convene task forces of industry representatives and privacy and consumer advocates to develop strategies for furthering the implementation of fair information practices in the online environment.
- One task force will focus upon understanding the costs and benefits of implementing fair information practices online, with particular emphasis on defining the parameters of the principles of consumer access to data and adequate security.
- A second task force will address how incentives can be created to encourage the development of privacy-enhancing technologies, such as the World Wide Web Consortium's Platform for Privacy Preferences (P3P).
- The Commission, in partnership with the U.S. Department of Commerce, will promote private sector business education initiatives designed to encourage new online entrepreneurs engaged in commerce on the Web to adopt fair information practices.
- Finally, the Commission believes it is important to continue to monitor the progress of self-regulation, to determine whether the self-regulatory programs discussed in the 1999 Report fulfill their promise. To that end, the Commission will conduct an online survey to reassess progress in Web sites' implementation of fair information practices, and will report its findings to Congress.
The Commission is committed to the goal of full implementation of effective protections for online privacy in a manner that promotes a flourishing online marketplace, and looks forward to working with the Subcommittee as it considers the Commission's 1999 Report.
1. The Commission vote to issue this testimony was 3-1, with Commissioner Anthony concurring in part and dissenting in part. Commissioner Anthony's statement is attached to the testimony. Commissioner Swindle's concurring statement is also attached. My oral testimony and responses to questions you may have reflect my own views and are not necessarily the views of the Commission or any Commissioner.
2. 15 U.S.C. § 45(a).
3. The Commission does not have criminal law enforcement authority. Further, certain entities, such as banks, savings and loan associations, and common carriers, as well as the business of insurance are wholly or partially exempt from Commission jurisdiction. See Section 5(a)(2) of the FTC Act, 15 U.S.C. § 45(a)(2), and the McCarran-Ferguson Act, 15 U.S.C. § 1012(b).
4. 15 U.S.C. § 46(a). However, the Commission's authority to conduct studies and prepare reports relating to the business of insurance is limited. According to 15 U.S.C. § 46(a): "The Commission may exercise such authority only upon receiving a request which is agreed to by a majority of the members of the Committee on Commerce, Science, and Transportation of the Senate or the Committee on Energy and Commerce of the House of Representatives. The authority to conduct any such study shall expire at the end of the Congress during which the request for such study was made."
The Commission also has responsibility under approximately forty additional statutes governing specific industries and practices. These include, for example, the Truth in Lending Act, 15 U.S.C. §§ 1601 et seq., which mandates disclosures of credit terms, and the Fair Credit Billing Act, 15 U.S.C. §§ 1666 et. seq., which provides for the correction of billing errors on credit accounts. The Commission also enforces over 30 rules governing specific industries and practices, e.g., the Used Car Rule, 16 C.F.R. Part 455, which requires used car dealers to disclose warranty terms via a window sticker; the Franchise Rule, 16 C.F.R. Part 436, which requires the provision of information to prospective franchisees; and the Telemarketing Sales Rule, 16 C.F.R. Part 310, which defines and prohibits deceptive telemarketing practices and other abusive telemarketing practices.
5. The Commission held its first public workshop on online privacy in April 1995. In a series of hearings held in October and November 1995, the Commission examined the implications of globalization and technological innovation for competition issues and consumer protection issues, including privacy concerns. At a public workshop held in June 1996, the Commission examined Web site practices in the collection, use, and transfer of consumers' personal information; self-regulatory efforts and technological developments to enhance consumer privacy; consumer and business education efforts; the role of government in protecting online information privacy; and special issues raised by the online collection and use of information from and about children. The Commission held a second workshop in June 1997 to explore issues raised by individual reference services, as well as issues relating to unsolicited commercial e-mail, online privacy generally, and children's online privacy.
These efforts have served as a foundation for dialogue among members of the information industry and online business community, government representatives, privacy and consumer advocates, and experts in interactive technology. Further, the Commission and its staff have issued reports describing various privacy concerns in the electronic marketplace. See, e.g., Individual Reference Services: A Federal Trade Commission Report to Congress (December 1997); FTC Staff Report: Public Workshop on Consumer Privacy on the Global Information Infrastructure (December 1996); FTC Staff Report: Anticipating the 21st Century: Consumer Protection Policy in the New High-Tech, Global Marketplace (May 1996).
The Commission has also brought enforcement actions under Section 5 of the Federal Trade Commission Act to address deceptive online information practices. In 1998 the Commission announced its first Internet privacy case, in which GeoCities, operator of one of the most popular sites on the World Wide Web, agreed to settle Commission charges that it had misrepresented the purposes for which it was collecting personal identifying information from children and adults through its online membership application form and registration forms for children's activities on the GeoCities site. The settlement, which was made final in February 1999, prohibits GeoCities from misrepresenting the purposes for which it collects personal identifying information from or about consumers, including children. It also requires GeoCities to post a prominent privacy notice on its site, to establish a system to obtain parental consent before collecting personal information from children, and to offer individuals from whom it had previously collected personal information an opportunity to have that information deleted. GeoCities, Docket No. C-3849 (Feb. 12, 1999) (Final Decision and Order available at http://www.ftc.gov/os/1999/9902/9823015d&o.htm).
Since the fall of 1994, the Federal Trade Commission has brought 91 law enforcement actions against over 200 companies and individuals to halt fraud and deception on the Internet. The FTC has not only attacked traditional schemes that have moved online, like pyramid and credit repair schemes, but in addition, the FTC has brought suit against modem hijacking, fraudulent e-mail marketing, and other hi-tech schemes that take unique advantage of the Internet. The Commission pioneered the "Surf Day" concept and has searched the Net in tandem with law enforcement colleagues around the world, targeting specific problems and warning consumers and new entrepreneurs about what the law requires. The Commission has also posted "teaser pages" online, i.e., fake scam sites that give consumers education just when they are about to fall victim to an Internet ruse.
6. The Report is available on the Commission's Web site at http://www.ftc.gov/reports/privacy3/index.htm.
7. 1998 Report at 41.
8. Title XIII, Omnibus Consolidated and Emergency Supplemental Appropriations Act, 1999, Pub. L. No. 105-277, 112 Stat. 2681, ________ (Oct. 21, 1998), reprinted at 144 Cong. Rec. H11240-42 (Oct. 19, 1998). The Act requires, inter alia, that operators of Web sites directed to children under 13 or who knowingly collect personal information from children under 13 on the Internet: (1) provide parents notice of their information practices; (2) obtain prior, verifiable parental consent for the collection, use, and/or disclosure of personal information from children (with certain limited exceptions); (3) upon request, provide a parent with the ability to review the personal information collected from his/her child; (4) provide a parent with the opportunity to prevent the further use of personal information that has already been collected, or the future collection of personal information from that child; (5) limit collection of personal information for a child's online participation in a game, prize offer, or other activity to information that is reasonably necessary for the activity; and (6) establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected.(9)
9. Title XIII, Omnibus Consolidated and Emergency Supplemental Appropriations Act, 1999, Pub. L.105-277, 112 Stat. 2681, ________ (October 21, 1998), reprinted at 144 Cong. Rec. H11240-42 (Oct. 19, 1998).
10. 64 Fed. Reg. 22750 (1999) (to be codified at 16 C.F.R. pt. 312).
11. Commission testimony on Consumer Privacy on the World Wide Web before the House Subcommittee on Telecommunications, Trade and Consumer Protection, Committee on Commerce (July 21, 1998) (available at http://www.ftc.gov/os/1998/9807/privac98.htm). The Commission also presented a legislative model that Congress could consider in the event that then-nascent self-regulatory efforts did not result in widespread implementation of self-regulatory protections. Id. at 5-7.
12. A copy of the Report is attached as an appendix. The Report is available on the Commission's Web site at www.ftc.gov/reports/privacy99/index.html.
13. The report is available at http://www.msb.edu/faculty/culnanm/gippshome.html [hereinafter "GIPPS Report"]. The following analysis is based upon the Commission's review of the GIPPS Report itself; Commission staff did not have access to the underlying GIPPS data.
14. GIPPS Report, App. A at 5.
16. The GIPPS Report discusses findings on the information practices of 361 Web Sites drawn from a list of the 7,500 busiest servers on the World Wide Web. The list, a ranking of servers by number of unique visitors for the month of January 1999, was compiled by Media Metrix, a site traffic measurement company. As larger sites are more likely to have multiple servers, the largest sites on the Web had a greater chance of being selected for inclusion in the sample drawn for the GIPPS survey. See GIPPS Report, App. A at 2; App. B at 9 n.iii. The Commission's 1998 Comprehensive Sample was drawn at random from all U.S., ".com" sites in the Dun & Bradstreet Electronic Commerce Registry, with the exception of insurance industry sites. 1998 Report, App. A at 2. Unlike the Media Metrix list used in the GIPPS sample, the Dun & Bradstreet Registry does not rank sites on the basis of user traffic.
17. Online Privacy Alliance, Privacy and the Top 100 Sites: A Report to the Federal Trade Commission at 3, 8 (1999) (available at http://www.msb.edu/faculty/culnanm/gippshome.html). The following analysis is based upon the Commission's review of the OPA Study report itself; Commission staff did not have access to the underlying OPA Study data.
18. 1998 Report at 28.
19. Ninety-three percent of the sites in the GIPPS survey, GIPPS Report, App. A at 3, and 99% of the sites in the OPA Study, OPA Study at 3, 5, collect personal information from consumers.
20. The GIPPS results show that thirty-six sites in the sample (or 10%) posted at least one survey element, or disclosure, for each of the four substantive fair information practices. GIPPS Report at 10 and App. A at 12 (Table 8C). Thirty-two of these sites (or 8.9%) also posted contact information. Id. Georgetown University Professor Mary Culnan, author of the GIPPS Report, reports the number of sites posting disclosures for the four substantive fair information practice principles and for contact information in two additional ways: as a percentage of sites in the sample that collect at least one type of personal information (9.5%); and as a percentage of sites in the sample that both collect at least one type of personal information and post a disclosure (13.6%). GIPPS Report, App. A at 12 (Table 8C).
21. Twenty-two sites in the OPA Study (or 22%) posted at least one survey element, or disclosure, for each of the four substantive fair information practices. OPA Study at 9-10 and App. A at 10 (Table 6C). Nineteen of these sites (or 19%) also posted contact information. Id. Professor Culnan also reports the number of sites posting disclosures for the four substantive fair information practice principles in two additional ways: as a percentage of sites in the sample that collect at least one type of personal information (22.2%); and as a percentage of sites in the sample that both collect at least one type of personal information and post a disclosure (23.7%). OPA Study, App. A at 10 (Table 6C).
22. The Commission's 1998 Report discussed the fair information practice principles developed by government agencies in the United States, Canada, and Europe since 1973, when the United States Department of Health, Education, and Welfare released its seminal report on privacy protections in the age of data collection, Records, Computers, and the Rights of Citizens. 1998 Report at 7-11. In addition to the HEW Report, the major reports setting forth the core fair information practice principles are: The U.S. Privacy Protection Study Commission, Personal Privacy in an Information Society (1977); Organization for Economic Cooperation and Development, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980); U.S. Information Infrastructure Task Force, Information Policy Committee, Privacy Working Group, Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information (1995); U.S. Dept. of Commerce, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information (1995); The European Union Directive on the Protection of Personal Data (1995); and the Canadian Standards Association, Model Code for the Protection of Personal Information: A National Standard of Canada (1996). The 1998 Report identified the core principles of privacy protection common to these government reports, guidelines, and model codes: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress. 1998 Report at 7-11.
The Notice/Awareness principle is the most fundamental: consumers must be given notice of a company's information practices before personal information is collected from them. The scope and content of the notice will vary with a company's substantive information practices, but the notice itself is essential. The other core principles have meaning only if a consumer has notice of an entity's information practices and his or her rights with respect thereto. Id. at 7.
The Choice/Consent principle requires that consumers be given options with respect to whether and how personal information collected from them may be used.(23)
23. Although choice in this context has been traditionally thought of as either "opt-in" (prior consent for use of information) or "opt-out" (limitation upon further use of information), id. at 9, interactive media hold the promise of making this paradigm obsolete through developments in technology. Id.
24. Information about TRUSTe is taken from materials posted on TRUSTe's Web site, http://www.truste.org, and from public statements by TRUSTe staff. Several hundred additional companies have joined the TRUSTe program but are not yet fully licensed. See "TRUSTe Testifies Before House Judiciary Committee," May 27, 1999 (press release available at http://www.truste.org/about/about_committee.html).
25. Information about BBBOnline is taken from materials posted on the BBBOnline Web site, located at http://www.bbbonline.com, and from other public documents and statements by BBBOnLine staff.
26. CPA WebTrust, the online privacy seal program created by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants, currently has 19 licensees (program description available at http://www.cpawebtrust.org). The Electronic Software Rating Board's ESRB Privacy Online program was launched on June 1, 1999 (description available at http://www.esrb.org).
Some private sector efforts at self-regulation have emerged, including "seal" programs such as those administered by TRUSTe(3), the Better Business Bureau's Online Privacy Program(4), and the Online Privacy Alliance(5). Commercial web sites that carry an online "seal" (a unique logo) purport to subscribe to the set of privacy principles articulated by the organization providing the seal.
The complaint also charged that GeoCities engaged in deceptive practices relating to its collection of information from children. According to the FTC, GeoCities promoted the Official GeoCities GeoKidz Club and contests for children in the Enchanted Forest neighborhood. Children wishing to join in these activities were required to complete forms that solicit personal identifying information. The agency charged that GeoCities misrepresented that GeoCities itself operated the GeoKidz Club and certain contests, and that the information collected online through the club and contests was maintained by GeoCities. According to the complaint, the Club and contests were run by third-party "community leaders" hosted on the GeoCities Web site, who collected and maintained the information. The full text of the FTC's Complaint against GeoCities can be found at: http://www.ftc.gov/os/1998/9808/geo-cmpl.htm
GeoCities ultimately entered into a consent decree, which: prohibited GeoCities from misrepresenting the purpose for which it collects or uses personal identifying information from or about consumers; required GeoCities to post on its site a clear and prominent Privacy Notice, telling consumers what information is being collected and for what purpose, to whom it will be disclosed, and how consumers can access and remove the information; prohibited GeoCities from misrepresenting either the identity of a party collecting any personal identifying information or the sponsorship of any activity on its Web site; and, presaging C.O.P.P.A., required GeoCities to obtain parental consent before collecting personal identifying information from children 12 and under. The settlement additionally required GeoCities to provide, for five years, a clear and prominent hyperlink within its Privacy Notice directing visitors to the FTC's Web site, http://www.ftc.gov, to view educational material on consumer privacy. The full text of the Consent Decree can be found at: http://www.ftc.gov/os/1998/9808/geo-ord.htm
The FTC's detailed analysis of the Consent Decree (a recitation of what it believes was being accomplished) can be found at: http://www.ftc.gov/os/1998/9808/9823015.ana.htm
Contemporaneous mainstream media articles about the GeoCities case include:
"Trade Commission Says GeoCities Violated Privacy Rules" by Jeri Clausing in the 8/13/98 issue of the New York Times, accessible (if you accept cookie files and are willing to register) at: http://www.nytimes.com/library/tech/98/08/cyber/articles/13geocities.html
"Is Customer Privacy on the Web Just Lip Service?" by Mark Gimein posted to the CNN site on 8/27/98, accessible at http://www.cnn.com/TECH/computing/9808/27/privweb.idg/
1. Web sites have a virtually unfettered ability to collect personal information from adults in cyberspace because they are free to "self-regulate." Is "self-help" in the form of online anonymity the only way an adult in the United States can keep some degree of control over collection and distribution of her personal information?
2. Is government regulation of data collection in cyberspace desirable, and if so, what form should such regulation take?
Part of the impetus for the FTC's suit against GeoCities was its collection of personal information from children. Congress demonstrated reluctance to allow unfettered "self-regulation" by web sites with respect to the collection of personal information from children by passing the Children's Online Privacy Protection Act of 1998. The full text of this follows, and is also available (if you have Adobe Acrobat) at: http://www.ftc.gov/ogc/coppa1.pdf
TITLE XIII--CHILDREN'S ONLINE PRIVACY PROTECTION
SEC. 1301. SHORT TITLE.
This title may be cited as the ``Children's Online Privacy Protection Act of 1998''.
SEC. 1302. <<NOTE: 15 USC 6501.>> DEFINITIONS.
In this title:
(1) Child.--The term ``child'' means an individual under the age of 13.
(2) Operator.--The term ``operator''--
(A) means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce--
(i) among the several States or with 1 or more foreign nations;
(ii) in any territory of the United States or in the District of Columbia, or between any such territory and--
(I) another such territory; or
(II) any State or foreign nation; or
(iii) between the District of Columbia and any State, territory, or foreign nation; but
(B) does not include any nonprofit entity that would otherwise be exempt from coverage under section 5 of the Federal Trade Commission Act (15 U.S.C. 45).
(3) Commission.--The term ``Commission'' means the Federal Trade Commission.
(4) Disclosure.--The term ``disclosure'' means, with respect to personal information--
(A) the release of personal information collected from a child in identifiable form by an operator for any purpose, except where such information is provided to a person other than the operator who provides support for the internal operations of the website and does not disclose or use that information for any other purpose; and
(B) making personal information collected from a child by a website or online service directed to children or with actual knowledge that such information was collected from a child, publicly available in identifiable form, by any means including by a public posting, through the Internet, or through--
(i) a home page of a website;
(ii) a pen pal service;
(iii) an electronic mail service;
(iv) a message board; or
(v) a chat room.
(5) Federal agency.--The term ``Federal agency'' means an agency, as that term is defined in section 551(1) of title 5, United States Code.
(6) Internet.--The term ``Internet'' means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire or radio.
(7) Parent.--The term ``parent'' includes a legal guardian.
(8) Personal information.--The term ``personal information'' means individually identifiable information about an individual collected online, including--
(A) a first and last name;
(B) a home or other physical address including street name and name of a city or town;
(C) an e-mail address;
(D) a telephone number;
(E) a Social Security number;
(F) any other identifier that the Commission determines permits the physical or online contacting of a specific individual; or
(G) information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph.
(9) Verifiable parental consent.--The term ``verifiable parental consent'' means any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that a parent of a child receives notice of the operator's personal information collection, use, and disclosure practices, and authorizes the collection, use, and disclosure, as applicable, of personal information and the subsequent use of that information before that information is collected from that child.
(10) Website or online service directed to children.--
(A) In general.--The term ``website or online service directed to children'' means--
(i) a commercial website or online service that is targeted to children; or
(ii) that portion of a commercial website or online service that is targeted to children.
(B) Limitation.--A commercial website or online service, or a portion of a commercial website or online service, shall not be deemed directed to children solely for referring or linking to a commercial website or online service directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link.
(11) Person.--The term ``person'' means any individual, partnership, corporation, trust, estate, cooperative, association, or other entity.
(12) Online contact information.--The term ``online contact information'' means an e-mail address or another substantially similar identifier that permits direct contact with a person online.
SEC. 1303. REGULATION OF UNFAIR AND DECEPTIVE ACTS AND PRACTICES IN CONNECTION WITH THE COLLECTION AND USE OF PERSONAL INFORMATION FROM AND ABOUT CHILDREN ON THE INTERNET.
(a) Acts Prohibited.--
(1) In general.--It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b).
(2) Disclosure to parent protected.--Notwithstanding paragraph (1), neither an operator of such a website or online service nor the operator's agent shall be held to be liable under any Federal or State law for any disclosure made in good faith and following reasonable procedures in responding to a request for disclosure of personal information under subsection (b)(1)(B)(iii) to the parent of a child.
(b) Regulations.--
(1) In general.--Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate under section 553 of title 5, United States Code, regulations that--
(A) require the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child--
(i) to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator's disclosure practices for such information; and
(ii) to obtain verifiable parental consent for the collection, use, or disclosure of personal information from children;
(B) require the operator to provide, upon request of a parent under this subparagraph whose child has provided personal information to that website or online service, upon proper identification of that parent, to such parent--
(i) a description of the specific types of personal information collected from the child by that operator;
(ii) the opportunity at any time to refuse to permit the operator's further use or maintenance in retrievable form, or future online collection, of personal information from that child; and
(iii) notwithstanding any other provision of law, a means that is reasonable under the circumstances for the parent to obtain any personal information collected from that child;
(C) prohibit conditioning a child's participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity; and
(D) require the operator of such a website or online service to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.
(2) When consent not required.--The regulations shall provide that verifiable parental consent under paragraph (1)(A)(ii) is not required in the case of--
(A) online contact information collected from a child that is used only to respond directly on a one- time basis to a specific request from the child and is not used to recontact the child and is not maintained in retrievable form by the operator;
(B) a request for the name or online contact information of a parent or child that is used for the sole purpose of obtaining parental consent or providing notice under this section and where such information is not maintained in retrievable form by the operator if parental consent is not obtained after a reasonable time;
(C) online contact information collected from a child that is used only to respond more than once directly to a specific request from the child and is not used to recontact the child beyond the scope of that request--
(i) if, before any additional response after the initial response to the child, the operator uses reasonable efforts to provide a parent notice of the online contact information collected from the child, the purposes for which it is to be used, and an opportunity for the parent to request that the operator make no further use of the information and that it not be maintained in retrievable form; or
(ii) without notice to the parent in such circumstances as the Commission may determine are appropriate, taking into consideration the benefits to the child of access to information and services, and risks to the security and privacy of the child, in regulations promulgated under this subsection;
(D) the name of the child and online contact information (to the extent reasonably necessary to protect the safety of a child participant on the site)--
(i) used only for the purpose of protecting such safety;
(ii) not used to recontact the child or for any other purpose; and
(iii) not disclosed on the site, if the operator uses reasonable efforts to provide a parent notice of the name and online contact information collected from the child, the purposes for which it is to be used, and an opportunity for the parent to request that the operator make no further use of the information and that it not be maintained in retrievable form; or
(E) the collection, use, or dissemination of such information by the operator of such a website or online service necessary--
(i) to protect the security or integrity of its website;
(ii) to take precautions against liability;
(iii) to respond to judicial process; or
(iv) to the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety.
(3) Termination of service.--The regulations shall permit the operator of a website or an online service to terminate service provided to a child whose parent has refused, under the regulations prescribed under paragraph (1)(B)(ii), to permit the operator's further use or maintenance in retrievable form, or future online collection, of personal information from that child.
(c) Enforcement.--Subject to sections 1304 and 1306, a violation of a regulation prescribed under subsection (a) shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(d) Inconsistent State Law.--No State or local government may impose any liability for commercial activities or actions by operators in interstate or foreign commerce in connection with an activity or action described in this title that is inconsistent with the treatment of those activities or actions under this section.
SEC. 1304. SAFE HARBORS.
(a) Guidelines.--An operator may satisfy the requirements of regulations issued under section 1303(b) by following a set of self- regulatory guidelines, issued by representatives of the marketing or online industries, or by other persons, approved under subsection (b).
(b) Incentives.--
(1) Self-regulatory incentives.--In prescribing regulations under section 1303, the Commission shall provide incentives for self-regulation by operators to implement the protections afforded children under the regulatory requirements described in subsection (b) of that section.
(2) Deemed compliance.--Such incentives shall include provisions for ensuring that a person will be deemed to be in compliance with the requirements of the regulations under section 1303 if that person complies with guidelines that, after notice and comment, are approved by the Commission upon making a determination that the guidelines meet the requirements of the regulations issued under section 1303.
(3) Expedited response to requests.--The Commission shall act upon requests for safe harbor treatment within 180 days of the filing of the request, and shall set forth in writing its conclusions with regard to such requests.
(c) Appeals.--Final action by the Commission on a request for approval of guidelines, or the failure to act within 180 days on a request for approval of guidelines, submitted under subsection (b) may be appealed to a district court of the United States of appropriate jurisdiction as provided for in section 706 of title 5, United States Code.
SEC. 1305. ACTIONS BY STATES.
(a) In General.--
(1) Civil actions.--In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that violates any regulation of the Commission prescribed under section 1303(b), the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction to--
(A) enjoin that practice;
(B) enforce compliance with the regulation;
(C) obtain damage, restitution, or other compensation on behalf of residents of the State; or
(D) obtain such other relief as the court may consider to be appropriate.
(2) Notice.--
(A) In general.--Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Commission--
(i) written notice of that action; and
(ii) a copy of the complaint for that action.
(B) Exemption.--
(i) In general.--Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general determines that it is not feasible to provide the notice described in that subparagraph before the filing of the action.
(ii) Notification.--In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Commission at the same time as the attorney general files the action.
(b) Intervention.--
(1) In general.--On receiving notice under subsection (a)(2), the Commission shall have the right to intervene in the action that is the subject of the notice.
(2) Effect of intervention.--If the Commission intervenes in an action under subsection (a), it shall have the right--
(A) to be heard with respect to any matter that arises in that action; and
(B) to file a petition for appeal.
(3) Amicus curiae.--Upon application to the court, a person whose self-regulatory guidelines have been approved by the Commission and are relied upon as a defense by any defendant to a proceeding under this section may file amicus curiae in that proceeding.
(c) Construction.--For purposes of bringing any civil action under subsection (a), nothing in this title shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to--
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of documentary and other evidence.
(d) Actions by the Commission.--In any case in which an action is instituted by or on behalf of the Commission for violation of any regulation prescribed under section 1303, no State may, during the pendency of that action, institute an action under subsection (a) against any defendant named in the complaint in that action for violation of that regulation.
(e) Venue; Service of Process.--
(1) Venue.--Any action brought under subsection (a) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.
(2) Service of process.--In an action brought under subsection (a), process may be served in any district in which the defendant--
(A) is an inhabitant; or
(B) may be found.
SEC. 1306. ADMINISTRATION AND APPLICABILITY OF ACT.
(a) In General.--Except as otherwise provided, this title shall be enforced by the Commission under the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
(b) Provisions.--Compliance with the requirements imposed under this title shall be enforced under--
(1) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), in the case of--
(A) national banks, and Federal branches and Federal agencies of foreign banks, by the Office of the Comptroller of the Currency;
(B) member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25(a) of the Federal Reserve Act (12 U.S.C. 601 et seq. and 611 et. seq.), by the Board; and
(C) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System) and insured State branches of foreign banks, by the Board of Directors of the Federal Deposit Insurance Corporation;
(2) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), by the Director of the Office of Thrift Supervision, in the case of a savings association the deposits of which are insured by the Federal Deposit Insurance Corporation;
(3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) by the National Credit Union Administration Board with respect to any Federal credit union;
(4) part A of subtitle VII of title 49, United States Code, by the Secretary of Transportation with respect to any air carrier or foreign air carrier subject to that part;
(5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et. seq.) (except as provided in section 406 of that Act (7 U.S.C. 226, 227)), by the Secretary of Agriculture with respect to any activities subject to that Act; and
(6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by the Farm Credit Administration with respect to any Federal land bank, Federal land bank association, Federal intermediate credit bank, or production credit association.
(c) Exercise of Certain Powers.--For the purpose of the exercise by any agency referred to in subsection (a) of its powers under any Act referred to in that subsection, a violation of any requirement imposed under this title shall be deemed to be a violation of a requirement imposed under that Act. In addition to its powers under any provision of law specifically referred to in subsection (a), each of the agencies referred to in that subsection may exercise, for the purpose of enforcing compliance with any requirement imposed under this title, any other authority conferred on it by law.
(d) Actions by the Commission.--The Commission shall prevent any person from violating a rule of the Commission under section 1303 in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this title. Any entity that violates such rule shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act in the same manner, by the same means, and with the same jurisdiction, power, and duties as though all applicable terms and provisions of the Federal Trade Commission Act were incorporated into and made a part of this title.
(e) Effect on Other Laws.--Nothing contained in the Act shall be construed to limit the authority of the Commission under any other provisions of law.
SEC. 1307. REVIEW.
Not later than 5 years after the effective date of the regulations initially issued under section 1303, the Commission shall--
(1) review the implementation of this title, including the effect of the implementation of this title on practices relating to the collection and disclosure of information relating to children, children's ability to obtain access to information of their choice online, and on the availability of websites directed to children; and
(2) prepare and submit to Congress a report on the results of the review under paragraph (1).
SEC. 1308. EFFECTIVE DATE.
Sections 1303(a), 1305, and 1306 of this title take effect on the later of--
(1) the date that is 18 months after the date of enactment of this Act; or
(2) the date on which the Commission rules on the first application filed for safe harbor treatment under section 1304 if the Commission does not rule on the first such application within one year after the date of enactment of this Act, but in no case later than the date that is 30 months after the date of enactment of this Act.
Despite the similarity in titles, the Children's Online Privacy Protection Act of 1998 (C.O.P.P.A.) should not be confused with the Children's Online Protection Act (C.O.P.A., which is sometimes sardonically referred to as Son of the Communications Decency Act or C.D.A. II). C.O.P.P.A. concerns information that is "taken" from children, rather than regulating the scope of information that is "given" to children in cyberspace, which is the purview of C.O.P.A. Some privacy advocates believe that C.O.P.P.A. does not offer enough privacy protection for children, while entities that market child-oriented goods and services over the Internet characterize C.O.P.P.A. as a draconian response to a problem that web sites could better solve on their own. The FTC is the agency charged with promulgating regulations to implement C.O.P.P.A.
On April 20, 1999 the FTC issued a Proposed Children's Online Privacy Protection Rule, the full text of which is accessible at: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=1999_register&docid=99-10250-filed
The "Overview" section of the proposed rule was as follows:
The Internet offers children unprecedented opportunities for learning, recreation, and communication in ways scarcely imagined a decade ago. Children are actively engaged in a wide variety of online activities. They communicate with one another in online chat rooms and bulletin boards, through online pen-pal services, and by posting personal home pages. They participate in games and contests sponsored by websites, and they use the Internet to access information on all manner of subjects.
Despite its obvious attraction for children, the Internet is also a medium in which children can be placed at risk. As they use the Internet, children, like others, are often asked to provide a wide variety of personal information about themselves. Websites and online services collect this information by such means as registration pages, order forms, contests, surveys, chat rooms, and bulletin boards. In general, they have collected this information, and have in some instances shared it with third parties, without notice to children or their parents. In addition, public posting of children's personal information makes it available to anyone on the Internet, including those who would harm children.
The proposed Rule is designed to assist parents in controlling the flow of their children's personal information on the Internet. It contains a general requirement that operators of websites or online services directed to children (``operators'') not condition children's participation in online activities on the provision of more personal information than is reasonably necessary to participate in the activity. This will prevent operators from using popular games and activities as a means of obtaining children's information.
Operators are also required to post prominent links on their websites to a notice of how they collect and use personal information from children. In most circumstances, the proposed Rule requires operators to notify parents that they wish to collect personal information from their children and to obtain parental consent prior to collecting, using, or disclosing such information. Parents then have the option of prohibiting operators from disclosing their child's personal information to third parties. In addition, operators must allow parents the opportunity to review and make changes to any information provided by their children. Parents at any time may also require the operator to delete their children's information and prohibit the operator from collecting any more information from their children in the future. The proposed Rule also requires that operators establish procedures to protect the confidentiality, security, and integrity of the personal information collected from children.
Because the proposed Rule applies to the use or disclosure of personal information and not just its collection, it protects personal information collected from children prior to the effective date of the final Rule if an operator wishes to use such information in the future. Thus, for example, an operator that maintains a database of children's personal information must provide notice to the parent and obtain parental consent prior to using such information once the Rule is effective.
Finally, under the proposed Rule, industry groups or others may seek Commission approval for self-regulatory guidelines. Operators who participate in such approved programs may be subject to the review and disciplinary procedures provided in these guidelines in lieu of formal Commission investigation and law enforcement.
Section 312.1 describes the scope of the regulations under this Act. Section 312.2 contains the definitions of the terms used in the proposed Rule, such as "operator" and "personal information." Section 312.3 sets out the general requirements that operators must follow when seeking to collect, use, and/or disclose personal information from children. Section 312.4 contains the requirements for providing notice on the website and to parents under the various requirements of the proposed Rule. Section 312.5 sets out the procedures by which operators can obtain consent from parents to the collection, use, and/or disclosure of personal information from children. Section 312.6 requires operators to allow parents to review, make changes to, or have deleted the personal information collected from their children. Section 312.7 prohibits operators from conditioning a child's participation in online activities on the provision of more personal information than is reasonably necessary to participate in those activities. Section 312.8 requires operators to establish reasonable procedures to maintain the confidentiality, security, and integrity of the information collected from children. Section 312.9 establishes that violations of the proposed Rule will be treated as a violation of a rule defining an unfair or deceptive act or practice under the FTC Act. Section 312.10 establishes procedures by which industry groups or other persons can request Commission approval for their self-regulatory guidelines. Sections 312.11 and 312.12 address Commission review of the proposed Rule and the proposed Rule's severability.
A (lengthy) evaluation of the Proposed Rule received from a coalition of privacy advocates (including the Center for Media Education and the Consumer Federation of America) is available at: http://www.ftc.gov/privacy/comments/cme.pdf. This document argued for strong restrictions on data collection from children, prohibitions on information sharing between commercial entities, and clear, simple, uncircumventable mechanisms for notifying parents about potential collection of data from their children, and for obtaining parental consent or denial of consent.
A diametrically opposed view is exemplified by the similarly lengthy comments of the Direct Marketing Association, Inc., available at: http://www.ftc.gov/privacy/comments/dma.htm. The Direct Marketing Association "urge[d] the Commission in its final rules to: (1) endorse easy-to-use e-mail-based consent mechanisms that will not chill the availability of interactive sites for children; (2) reject parental "rights" to pick and choose between practices set forth in the operator's privacy notice, rather than accepting or refusing to consent to the operator's practices as a whole; (3) clarify certain exceptions to parental consent; (4) reject a parental "right" to alter data an operator has collected; (5) simplify significantly the rules' lengthy notice requirements; (6) modify the safe harbor provision so that it is less prescriptive, provides greater incentives for operators to join self-regulatory efforts, and leaves room for true self-regulation to resolve compliance problems; (7) make clear that the rules do not apply retroactively to information collected before the statute's effective date; (8) modify the definition of "collection" so that it does not apply to material submitted to an operator through other media or to inadvertent collection of information; (9) clarify that the statute does not impose strict or vicarious liability for the conduct of third-party contractors where contractors agree to follow the requirements of the statute; and (10) clarify the Commentary's discussion of security measures." Comments of the Direct Marketing Association at 4.
On October 20, 1999 the FTC announced issuance of its "final rule" with the following press release: (accessed at http://www.ftc.gov/opa/1999/9910/childfinal.htm)
Effective April 2000 Certain Web Sites Must Obtain Parental Consent Before Collecting Personal Information from Children
The Federal Trade Commission today issued the final rule to implement the Children's Online Privacy Protection Act of 1998 (COPPA). The main goal of COPPA and the rule is to protect the privacy of children using the Internet. Publication of the rule means that, as of April 21, 2000, certain commercial Web sites must obtain parental consent before collecting, using, or disclosing personal information from children under 13.
"This final step achieves one of the Commission's top goals - protecting children's privacy online," said FTC Chairman Robert Pitofsky. "The rule meets the mandates of the statute. It puts parents in control over the information collected from their children online, and is flexible enough to accommodate the many business practices and technological changes occurring on the Internet."
The COPPA was enacted following a three-year effort by the Commission to identify and educate industry and the public about the issues raised by the online collection of personal information from children and adult consumers. The Commission recommended that Congress enact legislation concerning children following a March 1998 survey of 212 commercial children's Web sites. The survey found that while 89 percent of the sites collected personal information from children, only 24 percent posted privacy policies and only one percent required parental consent to the collection or disclosure of children's information. The COPPA received widespread support from industry and consumer groups.
On October 21, 1998, the COPPA was signed into law. The statute gave the Commission one year to issue rules to implement its privacy protections. On April 27, 1999, the Commission published a proposed rule in the Federal Register and requested public comment on a number of its key provisions. The Commission received 145 comments from a variety of sources including Internet businesses, privacy and children's advocacy groups, technology companies, and individuals.
The statute and rule apply to commercial Web sites and online services directed to, or that knowingly collect information from, children under 13. To inform parents of their information practices, these sites will be required to provide notice on the site and to parents about their policies with respect to the collection, use and disclosure of children's personal information. With certain statutory exceptions, sites will also have to obtain "verifiable parental consent" before collecting, using or disclosing personal information from children. The rule will become effective on April 21, 2000, giving Web sites six months to come into compliance with the rule's requirements.
The issue of how Web sites can obtain "verifiable parental consent" generated the most interest among the commenters and prompted the Commission to hold a workshop devoted to the issue. The statute defines "verifiable parental consent" as "any reasonable effort (taking into consideration available technology) ... to ensure that a parent of a child ... authorizes the collection, use, and disclosure" of a child's personal information. The comments and the workshop testimony (available upon the Commission's Web site) showed that certain methods of consent provide greater assurances that the person providing consent is the child's parent, but that some of these methods need additional time to develop and become available for widespread use. As noted below, the final rule temporarily adopts a "sliding scale" approach that will allow Web sites to vary their consent methods based on the intended use of the child's information.
Key Provisions of the Final Rule
A Web site operator must post a clear and prominent link to a notice of its information practices on its home page and at each area where personal information is collected from children. The notice must state the name and contact information of all operators, the types of personal information collected from children, how such personal information is used, and whether personal information is disclosed to third parties.
The notice must also state that the operator is prohibited from conditioning a child's participation in an activity on the child's disclosing more personal information than is reasonably necessary. In addition, the notice must state that the parent can review and have deleted the child's personal information, and refuse to permit further collection or use of the child's information.
Verifiable Parental Consent
The final rule temporarily adopts a "sliding scale" approach that allows Web sites to vary their consent methods based on the intended uses of the child's information. For a two-year period, use of the more reliable methods of consent (print-and-send via postal mail or facsimile, use of a credit card or toll-free telephone number, digital signature, or e-mail accompanied by a PIN or password) will be required only for those activities that pose the greatest risks to the safety and privacy of children -- i.e., disclosing personal information to third parties or making it publicly available through chatrooms or other interactive activities.
For internal uses of information, such as an operator's marketing back to a child based on the child's personal information, operators will be permitted to use e-mail, as long as additional steps are taken to ensure that the parent is providing consent. Such steps could include sending a confirmatory e-mail to the parent following receipt of consent, or obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call. The "sliding scale" will sunset two years after the effective date of the rule, at which time the more reliable methods would be required for all uses of information, unless the Commission determines more secure electronic methods of consent are not widely available.
Choice Regarding Disclosures to Third Parties
The rule requires operators to "give the parent the option to consent to the collection and use of the child's personal information without consenting to disclosure of his or her personal information to third parties."
Online Activities for which Parental Consent is Not Required
The rule sets forth several exceptions to the requirement of prior parental consent that permit operators to collect a child's e-mail address for certain purposes. For example, no consent is required to respond to a one-time request by a child for "homework help" or other information. In addition, an operator can enter a child into a contest or send a child an online newsletter as long as the parent is given notice of these practices and an opportunity to prevent further use of the child's information.
Coverage of Information Submitted Online
The Federal Register notice accompanying the rule makes clear that the rule covers only information submitted online, and not information requested online but submitted offline.
Role of Schools in Obtaining Consent for Students
The Federal Register notice accompanying the rule makes clear that schools can act as parents' agents or as intermediaries between Web sites and parents in the notice and consent process.
Safe Harbor Program
The statute includes a "safe harbor" program for industry groups or others who wish to create self-regulatory programs to govern participants' compliance. Commission-approved safe harbors will provide Web site operators with the opportunity to tailor compliance obligations to their business models with the assurance that if they follow the safe harbor they will be in compliance with the rule. Sites participating in such Commission-approved programs will be subject to the review and disciplinary procedures provided in those guidelines in lieu of formal Commission action.
The statute authorizes the Commission to bring enforcement actions and impose civil penalties for violations of the rule in the same manner as for other rules under the Federal Trade Commission Act.
Full text of the final rule is available at http://www.ftc.gov/os/1999/9910/childrensprivacy.pdf.
Contemporary mainstream media articles about the Final Rule are available as follows:
"U.S. Sets Rules for Children's Privacy Online" by Jeri Clausing in the 10/21/99 New York Times, accessible at: http://www.nytimes.com/library/tech/99/10/cyber/articles/21privacy.html.
"FTC Weighs In on Kid Privacy" by Declan McCullagh, posted to Wired, 10:35am, 20 Oct 99 PDT, accessible at: http://www.wired.com/news/politics/0,1283,32007,00.html.
1. How should verifiable parental consent be obtained? How much control should parents have over their children's "online privacy"?
2. Does the FTC's Proposed Rule effectuate the goals of C.O.P.P.A.? What are the strengths and weaknesses of the Proposed Rule?
III. Personal Data Collection in Europe
Individuals in Europe have significantly more control over their personal information than residents of the United States do. One major manifestation of the desire of European Union members to retain individual control of personal data was passage of the European Data Privacy Protection Directive. An overview of the European perspective is provided by the following article:
"Hands Off that Data - I'm European!" by Karlin Lillington in Salon Magazine, accessible at http://www.salonmagazine.com/21st/feature/1998/07/07feature.html ("[Because I am European] if I return a product registration card, I know that the personal information I offer cannot be sold to others as part of a sales database unless my permission has been obtained. I am never asked, except by the government department that issued it, to identify myself by a nationally assigned number. And any organization that holds any information about me -- banks, medical offices, telephone companies, the supermarket whose loyalty program I belong to, my gym, the video rental shop or the place where I returned a product registration card -- must, at my request, supply me with full details of its computer records bearing my name.").
The full text of the European Data Privacy Protection Directive is available at: http://www.acs.ohio-state.edu/units/law/swire1/psecdir.htm
Though the divergence has its roots in cultural differences, the consequences of the differing views of privacy with respect to personal information may fall heavily upon electronic commerce between the United States and the European Union. The following is a short scholarly article concerning conflicts between "cookie" files and the Directive: Victor Mayer-Schonberger, "The Internet and Privacy Legislation: Cookies for a Treat?" West Virginia Journal of Law and Technology (Issue 1). http://www.wvjolt.wvu.edu/wvjolt/current/issue1/articles/mayer/mayer.htm
To resolve the culture clash over data privacy, the Department of Commerce has proposed a voluntary, "safe harbor" approach, accessible at: http://www.epic.org/privacy/intl/doc-safeharbor-1198.html, as follows:
INTERNATIONAL SAFE HARBOR PRIVACY PRINCIPLES
The European Union’s comprehensive privacy legislation, the Directive on Data Protection, became effective on October 25, 1998. It prohibits the transfer of personally identifiable data to non-EU countries that do not provide an "adequate" level of privacy protection. While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a very different approach to privacy than that taken by the European Community. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self regulation. Given those differences, many U.S. organizations have expressed uncertainty about the impact of the "adequacy" standard on personal data transfers from the European Community to the United States.
To ameliorate this uncertainty and provide a more predictable framework for such data transfers, the Department of Commerce is issuing these principles under its statutory authority to foster, promote, and develop international commerce. The principles were developed in consultation with the private sector to facilitate trade and commerce between the United States and European Union. They are intended for use solely by U.S. organizations transferring personal data from the European Union to the United States for purpose of qualifying for the safe harbor and the presumption of "adequacy" it creates. Adherence to these principles by such organizations is entirely voluntary.
Please note that an organization qualifies for the safe harbor if it is subject to a statutory, regulatory, administrative, or other body of law that effectively protects personal information privacy. An organization may also qualify for the safe harbor through membership in private sector developed privacy programs that adhere to these principles. In addition, adherence to these principles is subject to national security, risk management, information security, public interest, regulatory compliance and supervision, and law enforcement requirements as well as to other legal and regulatory obligations, authorizations, and exceptions. Finally, these principles do not apply to proprietary or manually processed information.
1. NOTICE: An organization must inform individuals about what types of personal information it collects about them, how it collects that information, the purposes for which it collects such information, the types of organizations to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure. This notice must be provided in clear and conspicuous language that is readily understood and made available when individuals are first asked to provide personal information to the organization.
2. CHOICE: An organization must give individuals the opportunity to choose (opt out choice) whether and how personal information they provide is used (where such use is unrelated to the use(s) for which they originally disclosed it). They must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise this option. For certain kinds of sensitive information, such as medical information, they must be given affirmative or explicit (opt in) choice.
3. ONWARD TRANSFER: Individuals must be given the opportunity to choose whether and the manner in which a third party uses the personal information they provide (when such use is unrelated to the use(s) for which the individual originally disclosed it). When transferring personal information to third parties, an organization must require that third parties provide at least the same level of privacy protection as originally chosen by the individual. For certain kinds of sensitive information, such as medical information, individuals must be given opt in choice.
4. SECURITY: Organizations creating, maintaining, using or disseminating records of personal information must take reasonable measures to assure its reliability for its intended use and must take reasonable precautions to protect it from loss, misuse, unauthorized access or disclosure, alteration, or destruction.
5. DATA INTEGRITY: An organization must keep personal data relevant for the purposes for which it has been gathered only, consistent with the principles of notice and choice. To the extent necessary for those purposes, the data should be accurate, complete, and current.
6. ACCESS: Individuals must have reasonable access to information about them derived from non public records that an organization holds and be able to correct or amend that information where it is inaccurate. Reasonableness of access depends on the nature and sensitivity of the information collected and its intended uses. For instance, access must be provided to an individual where the information in question is sensitive or used for substantive decision-making purposes that affect that individual.
7. ENFORCEMENT: Effective privacy protection must include mechanisms for assuring compliance with the principles, recourse for individuals, and consequences for the organization when the principles are not followed. At a minimum, such mechanisms must include (a) readily available and affordable independent recourse mechanisms by which individuals’ complaints and disputes can be resolved; (b) systems for verifying that the attestations and assertions businesses make about their privacy practices are true and privacy practices have been implemented as presented; and (c) obligations to remedy problems arising out of and consequences for organizations announcing adoption of these principles and failing to comply with the principles.
Sanctions must be sufficient to ensure compliance by organizations and must provide individuals the means for enforcement.
Pertinent mainstream media coverage about the problems for commerce raised by the conflicting views of privacy and personal information between the United States and Europe includes:
"Strict European Privacy Law Puts Pressure on U.S." by Carl S. Kaplan, in the 10/9/98 issue of the New York Times http://www.nyt.com/library/tech/98/10/cyber/cyberlaw/09law.html
"European Law Aims to Protect Privacy of Personal Data" by Edmund L. Andrews in the 10/26/98 issue of the New York Times http://www.nyt.com/library/tech/98/10/biztech/articles/26privacy.html
1. Why do European Union members view personal information so differently from the United States that adult Europeans have greater privacy protections than children in the United States?
2. If the European Union accepts some version of the "Safe Harbor Privacy Principles" what might this ultimately mean for personal information privacy in the United States?
IV. Data as Property
In 1996 business consultant Ram Avrahami unsuccessfully tried to recover actual and punitive damages from U.S. News & World Report after it sold his name and address to two publishing companies. He argued that his name was his personal property because the Virginia General Assembly "established and protected a person's property right in his own name" when it promulgated a state Privacy Act that states (in pertinent part):
Any person whose name, portrait or picture is used without having first obtained the written consent of such person . . ., for advertising purposes or for the purposes of trade, such persons may maintain a suit in equity against such person, firm or corporation so using such person's name, portrait or picture to prevent and restrain the use thereof; . . .
Va. Code Ann. 8.01-40 (A) (Michie 1995). Avrahami's Trial Brief is available at: http://www.epic.org/privacy/junk_mail/trial_brief.txt. He discovered the sale of his personal information by intentionally misspelling his name when subscribing to the magazine, and then detecting the same misspelling in several mail solicitations that he received later at his home in Arlington, Virginia. During the trial, US News admitted that it sells without permission the names of its subscribers for 8 cents a name, and Avrahami was ridiculed for suing over eight cents. On June 13, 1996, the Arlington County Circuit Court ruled that Mr. Avrahami did not have property rights in various spellings of his name, that individual names have no value and that the inclusion of names in a mailing list does not constitute a "use for the purpose of trade" and does not violate the Virginia statute.
V. Cyberspace Data is Forever
Finally, the article below discusses the fact that the Internet is "a powerful archiving technology that takes snapshots of our digital lives -- and can store those fleeting images forever." It indelibly makes the point that data that is collected today may be searchable and available in perpetuity:
"The Net NEVER Forgets," by J.D. Lasica in Salon Magazine, posted 11/25/98 and accessible at: http://www.salonmagazine.com/21st/feature/1998/11/25feature.html
Footnotes:
2. See "Remarks by the President on Financial Privacy and Consumer Protection" posted May 4, 1999 to the Electronic Privacy Information Center, and accessed 5/5/99 at http://www.epic.org/privacy/financial/clinton_remarks_5_99.html. (Clinton stated in part: "The technological revolution now makes it easier than ever for people to mine your private, financial data for their profit. While some of your private financial information is protected under existing federal law, your bank or broker or insurance company could still share with affiliated firms what you buy with checks or credit cards -- or sell this information to the highest bidder. This law, to put it mildly, is outdated and should be changed -- to give you the right to control your financial information, to let you decide whether you want to share private information with anyone else. I look forward to working with members in the House and the Senate on this issue.") See also "Bill Raises Risk of Violating Medical Privacy, Physicians' Groups Say" posted to the CNN site on 7/22/99 by the Associated Press, accessible at http://www.cnn.com/HEALTH/9907/22/medical.privacy.ap/.
3. Truste: Building a Web You Can Believe In, accessible at http://www.truste.org.
4. BBB Online, accessible at http://www.bbbonline.org/businesses/privacy/index.html.
5. Online Privacy Alliance, accessible at http://www.privacyalliance.org.