Government Regulation of Web Privacy:
Congress Takes a First Step
Copyright © 1998 Shelley M. Liberto. All rights reserved.
In ruling the Communications Decency Act of 1996 unconstitutional, U.S. District Court Judge Dalzell stated: "...the strength of the Internet is chaos, so the strength of our liberty depends upon the chaos and cacophony of the unfettered speech the First Amendment protects." The strength of the Internet is, as the judge describes, the unfettered freedom of participants on the Web to engage in communications without government interference. This point, having been recognized by the courts, and by Congress in its commitment not to tax the Internet, has one exception: the protection of the consumer's privacy.
On October 7, 1998, the House of Representatives passed H.R. 3787, a new version of the Communications Decency Act, which requires all "Internet Access Services" to take steps to verify the age of adult Web site viewers, such as the use of age verification systems and blocking software. The bill contains an embedded feature targeting the privacy of information submitted by a child user in connection with age verification:
"[An Internet access service] (A) shall not disclose any information collected for the purpose of restricting access to such communications to individuals seventeen years of age or older without the prior written or electronic consent of -- (i) the individual concerned if the individual is an adult; or (ii) the individual's parent or guardian, if the individual is under seventeen years; and
"(B) shall take such actions as are necessary to prevent unauthorized access to such information by a person other than the person making such communication and the recipient of such communication."
This first step by Congress toward regulation of privacy rights on the Internet may be the tip of the iceberg. The Federal Trade Commission has already recommended to Congress its own regulatory scheme. As expected, the debate now raging is whether to allow government intervention by way of regulation or, alternatively, to rely on Internet access services to regulate privacy issues themselves.
Web entrepreneurs have been reluctant to resist the temptation of compiling, using and selling demographic information derived from consumers, particularly children, who visit Web sites. Trade organizations such as the Direct Marketing Association and the Better Business Bureau's Children's Advertising Review Unit have urged online merchants to adopt privacy policies and post them on their Web sites. Likewise, other trade groups such as the Association of National Advertisers and the American Association of Advertising Agencies have notified their members to post their privacy policies. In July of 1997, however, the Federal Trade Commission announced that it would conduct random research to determine whether online merchants had voluntarily complied with the recommendations of these trade organizations.
On June 4, 1998, the FTC released its "Report to Congress on Privacy On-Line." According to the FTC, the Internet community had failed in its ability to impose self-regulations sufficient to avoid federal intervention. The FTC reported that 90% of Web sites collect personal information that implies consumer privacy issues, but only 14% provide any notice of their information-collection practices. Only 2% offer comprehensive privacy policies. The statistic that triggered the greatest concern, however, was that 89% of the 212 children's sites visited by the FTC collected personal information from children, but only 54% of the sites disclosed their information collection practices. FTC Chairman Robert Pitofsky, in his report to Congress, states: "The commission's survey of Web sites tells us that the industry efforts to encourage voluntary adoption of these principles have not met with great success." Accordingly, the FTC recommends that Congress pass legislation specifically targeting the consumer privacy issues spawned by information obtained from children.
The FTC recommends that Web sites "directed to" children 12 years old and younger be required to verify parental consent before collecting personally identifiable information that will enable someone to contact the child, or information that will be publicly posted or disclosed to third parties. In other words, a child's parents must give their consent before personal information is received from a child. If a Web site requests only an email address, parents need only be notified that they may request that the email addresses not be kept in databases. Nevertheless, such a recommendation carries with it many drawbacks from a practical standpoint.
Legislation vs. Self-Regulation
Proponents of government regulation of Web privacy cite several areas of extreme concern: medical records, information gathered from children, the marketing of personal information from credit reports, and identity theft. Medical information is now available in cyberspace, purportedly limited to patient-doctor communications. These communications, however, are frequently protected only by a simple password which can be overcome by clever hackers. Only ten states now have partial protections for the confidentiality of medical information on the Internet. Likewise, young children are not able to give meaningful consent to the use of their personal information and are not aware of the consequences when they respond to requests for it online.
Finally, personal information derived from credit reports is unrestricted, ironically partly through the fault of the FTC itself. Under a questionable decision issued in 1993, the FTC permits the sale of "header information" from credit reports without the usual audit trail required under the federal Fair Credit Reporting Act. This includes information such as Social Security numbers, unlisted phone numbers, and mothers' maiden names. The release of this information, be it sourced from children, medical records, or credit reporting agencies, is not only offensive to our sensibilities about privacy in general, but has led to a new crime on the Internet: "identity theft."
Identity theft is a crime wherein an impostor, with remarkably accurate personal information, is successful in causing online merchants to believe that he/she is someone that he/she is not. The impostor freely executes commercial transactions, charging them to the victim, who has no idea what is going on until the bills arrive. The crime inevitably results in a destruction of credit reputation, and aggressive, sometimes unrelenting, collection efforts against the wrong person.
Persons and organizations that continue to argue for self-regulation, on the other hand, call for a certification system wherein users recognize a familiar logo or trademark indicating membership in trade organizations that are sensitive to consumer privacy issues. In other words, the consumer public will theoretically come to be trained to do business only with members of reputable trade organizations who post and honor their own privacy policies. The Direct Marketing Association ("DMA") has already developed privacy principles for its members selling online.
Proponents of self-regulation claim that privacy performance is now taking hold, and private sector efforts are paying off. "Seals of approval" for Web sites are now being used by the Better Business Bureau, the On-Line Privacy Alliance, and a commercial venture known as "TRUSTe." Web sites that bear these insignias promise non-disclosure, which promise would presumably be legally enforceable if breached. The FTC, however, recommends government intervention, although not without some very practical problems.
Can Government Regulation Work?
The United States Supreme Court itself adopted the factual finding of Judge Dalzell when addressing the constitutionality of the Communications Decency Act by stating the obvious: "There is no effective way to determine the identity or age of a user." In other words, there simply is no practical way of verifying the age of a Web surfer. This threshold determination is necessary under the FTC scheme. But even assuming a child is truthful in admitting his or her age, verifiable parental consent is yet another problem. The FTC acknowledges the problem by stating:
"Mechanisms for obtaining actual or verifiable parental consent include having the parent: mail or fax a signed form downloaded from the site; provide a credit card number; or provide an electronic (digital) signature. An e-mail message submitted without a digital signature may not be adequate to assure parental consent, since the site operator has no means of knowing whether the message is from a parent or from a child."
The FTC's proposed regulations are therefore impracticable from a commercial standpoint. Furthermore, the FTC seems to ignore the fact that the Internet is a global jurisdiction. Certainly the FTC does not propose that Congress pass legislation to regulate the world. The United States simply cannot reach foreign Web sites to enforce its Internet rules. A one-sided regulatory scheme applicable only to American online merchants may go so far as to create an unfair competitive edge in favor of foreign businesses that are not burdened by such regulations.
The real issue with regard to consumer privacy on the Internet is not whether privacy protections are warranted, but how they can and should be implemented. Although the FTC has correctly identified a problem of privacy pertaining to child input, the proposed regulation simply will not work. Furthermore, when government regulation begins, government taxation inevitably follows. Given that Congress is committed to abstaining from taxation of Web transactions, it would appear unlikely that regulation along the lines proposed by the FTC will come to pass.
On the other hand, Congress may, in a more precise fashion, choose to simply ban activities involving the use of private information regardless of when and how it is obtained. The Direct Marketing Association suggests that some activities be criminalized such as the use of the lists to perpetrate fraud, exposure of personal information to persons and organizations who would harm its users such as children, identity theft, and invasion of the doctor-patient confidentiality relationship. Legislation which targets the use of personal information, combined with a private-sector certification program, would seem to be the best first step toward protecting consumer privacy on the Internet.
Shelley M. Liberto is an attorney specializing in software- and Internet-related issues. His Web page is located at http://www.libertolaw.com.