FTC Activities and Fair Information Practices

The FTC conducted or sponsored several surveys between 1997 and 2000 to
determine the extent to which commercial website operators abided by four fair
information practices — providing notice to users of their information practices
before collecting personal information, allowing users choice as to whether and how
personal information is used, allowing users access to data collected and the ability
to contest its accuracy, and ensuring security of the information from unauthorized
use. Some include enforcement as a fifth fair information practice. Regarding
choice, the term “opt-in” refers to a requirement that a consumer give affirmative
consent to an information practice, while “opt-out” means that permission is
assumed unless the consumer indicates otherwise. See archived CRS Report
RL30784, Internet Privacy: An Analysis of Technology and Policy Issues, by Marcia
Smith (available from author), for more information on the FTC surveys and fair
information practices. The FTC’s reports are available on its website
[http://www.ftc.gov].

Briefly, the first two FTC surveys (December 1997 and June 1998) created
concern about the information practices of websites directed at children and led to
the enactment of COPPA (see above). The FTC continued monitoring websites to
determine if legislation was needed for those not covered by COPPA. In 1999, the
FTC concluded that more legislation was not needed at that time because of
indications of progress by industry at self-regulation, including creation of “seal”
programs (see below) and by two surveys conducted by Georgetown University.
However, in May 2000, the FTC changed its mind following another survey that
found only 20% of randomly visited websites and 42% of the 100 most popular
websites had implemented all four fair information practices. The FTC voted to
recommend that Congress pass legislation requiring websites to adhere to the four
fair information practices, but the 3-2 vote indicated division within the Commission.
On October 4, 2001, Timothy Muris, who had recently become FTC Chairman, stated
that he did not see a need for additional legislation at that time. (Mr. Muris was
succeeded as FTC Chairman on August 16, 2004 by Deborah Platt Majoras.)

Advocates of Self Regulation
In 1998, members of the online industry formed the Online Privacy Alliance
(OPA) to encourage industry self regulation. OPA developed a set of privacy
guidelines, and its members are required to adopt and implement posted privacy
policies. The Better Business Bureau (BBB), TRUSTe, and WebTrust have
established “seals” for websites. To display a seal from one of those organizations,
a website operator must agree to abide by certain privacy principles (some of which
are based on the OPA guidelines), a complaint resolution process, and to being
monitored for compliance. Advocates of self regulation argue that these seal
programs demonstrate industry’s ability to police itself.

Technological solutions also are being offered. P3P (Platform for Privacy
Preferences) is one such technology. It essentially creates machine-readable privacy
policies through which users can match their privacy preferences with the privacy
policies of the websites they visit. One concern is that P3P requires companies to
produce shortened versions of their privacy policies, which could raise issues of
whether the shortened policies are legally binding, since they may omit nuances and
“sacrifice accuracy for brevity.”5 For more information on P3P, see
[http://www.w3.org/P3P/].

Advocates of Legislation
Consumer, privacy rights and other interest groups believe self regulation is
insufficient. They argue that the seal programs do not carry the weight of law, and
that while a site may disclose its privacy policy, that does not necessarily equate to
having a policy that protects privacy. The Center for Democracy and Technology
(CDT, at [http://www.cdt.org]) and the Electronic Privacy Information Center
(EPIC, at [http://www.epic.org]) each released reports on this topic. EPIC’s most
recent report, Privacy Self Regulation: A Decade of Disappointment, argues that the
National Do Not Call list, which restricts telemarketing phone calls, demonstrates
that government regulation can be more effective than industry self regulation.
Calling telemarketing a 20th century problem, the report concludes that the FTC has
given self regulation a decade to work in the Internet privacy arena, and it is time for
the agency “to apply the lessons from telemarketing and other efforts to address the
21st century [sic] problem of Internet privacy.”6

Some privacy interest groups, such as EPIC, also feel that P3P is insufficient,
arguing that it is too complex and confusing and fails to address many privacy
issues. An EPIC report from June 2000 further explains its findings
[http://www.epic.org/reports/prettypoorprivacy.html].

Privacy advocates have been particularly concerned about online profiling,
where companies collect data about what websites are visited by a particular user and
develop profiles of that user’s preferences and interests for targeted advertising.
Following a one-day workshop on online profiling, FTC issued a two-part report in
the summer of 2000 that also heralded the announcement by a group of companies
that collect such data, the Network Advertising Initiative (NAI), of self-regulatory
principles. At that time, the FTC nonetheless called on Congress to enact legislation
to ensure consumer privacy vis a vis online profiling because of concern that “bad
actors” and others might not follow the self-regulatory guidelines.

Congressional Action
Many Internet privacy bills were considered by the 107th and 108th Congresses.
Other than extending an existing prohibition regarding federal websites (see next
section), none cleared Congress. Several bills were introduced in the first session of
the 109th Congress (see table at end of report).

Endnotes

5 Clark, Drew. “Tech, Banking Firms Criticize Limitations of Privacy Standard.”
NationalJournal.com, November 11, 2002.
6 EPIC. “Privacy Self Regulation: A Decade of Disappointment,” by Chris Jay Hoofnagle.
March 4, 2005. [http://www.epic.org/reports/decadedisappoint.pdf], p. 5.