July 2, 1998
Ms. Jane Coffin
Office of International Affairs
National Telecommunications and Information Agency
14th & Constitution Avenue, N.W., Room 4898
Washington, D.C. 20230
Re: Docket No. 980422102-8102-01
Dear Ms. Coffin:
The Coalition of Service Industries (CSI) is pleased to respond to the Department of Commerce's request for comments on the "Elements of Effective Self-Regulation for the Protection of Privacy" and to address specific questions concerning online privacy protection. We commend the DOC for issuing the draft of its "Elements" paper, which serves as a useful guide to the development of effective self-regulatory, online privacy policies by businesses.
It is widely accepted that the concern over privacy may deter consumers from fully using the Internet. A February, 1998 Business Week/Harris survey showed that 61% of computer users would be more likely to use the Internet if the privacy of their personal information and communications were protected, and 78% of current online users said they would be more likely to increase use of the Internet if their privacy was protected. A June, 1998 Harris survey confirmed the privacy concerns of Net users. Despite the public's privacy concerns, there has been explosive growth in use of the Internet, from only 3 million users in 1994 to an estimated 100 million users worldwide in 1998. Today, people use the global Internet to communicate, research, educate, entertain, bank and shop for goods and services. Nearly 2 million businesses are using the Internet to serve existing customers, seek prospective customers, reduce production, inventory and delivery costs and communicate more effectively.
If consumers are so concerned about the privacy of their personal information, why are so many people using the Internet today and why are so many more people expected to use it in the near future? One reason for the apparent contradiction is that people express their opinions, fears and wishes to survey takers, but they are often willing to trade-off their concerns for such practical benefits as lower prices, more choices and greater convenience. Another possible reason is that people may be more concerned about the trustworthiness of online product and service providers than in privacy. Thus, people are more likely to deal online with reputable, trusted companies than in new or unknown firms displaying their products or services on their Web sites. Because there is a high level of distrust in unknown companies, many users of the Internet refuse to provide personal information to Web sites that ask them to register, or they purposely provide incorrect information. Recent surveys by Yankelovich Partners for the AICPA, Greenfield OnLine for the BBB and ITAA all point to public concerns about trust and security that impede widespread acceptance of electronic commerce.
A key factor inhibiting the growth of electronic commerce and banking is the lack of a uniform, predictable legal framework in the U.S. and a safe, secure online environment. For electronic commerce and banking to thrive, a relationship of trust must be established between buyers and sellers of products and services. As a result, consumers will feel confident in purchasing goods and services from reputable merchants and suppliers, and businesses will be assured of payment. Today's environment is characterized by inconsistent state-by-state legal and regulatory regimes with differing protections, standards and levels of security. Conflicting state regimes governing electronic authentication make electronic commerce and banking costly and inefficient, reduce the incentive for new market entrants, and confuse consumers. Such an environment impedes the growth of electronic commerce and banking and disadvantages consumers who are prevented from obtaining lower costs, more choices and greater convenience. A secure, nationally uniform system of electronic authentication, using robust encryption, will help to establish acceptable levels of identity, security and trust.
The following comments respond to the questions posed by the Department:
1. We believe all 9 of the characteristics of effective self-regulation for privacy are relevant and useful as a framework for company policies and practices. However, companies must have flexibility to develop and implement privacy and security policies that meet the needs of their customers and markets, without onerous cost and compliance burdens. CSI has developed a rational method of assessing the adequacy of a company's data protection practices using a simple checklist that addresses transparency (i.e., disclosure of information policies and practices), consumer choice and access to personal account information, data security and enforcement. To be useful in assessing adequacy, a checklist should: establish objective criteria for measuring data protection; be uniformly applicable across all industry sectors; be easy to use, replicate and administer; provide a scale to measure various levels or degrees of adequacy; provide an incentive for companies to achieve high ratings on the adequacy scale; and help determine whether self-regulation is enforceable. The attached checklist meets the above criteria and should be a useful tool for measuring adequacy of data protection. (Attachment A)
2. Companies and individual industry sectors should implement their self-regulatory policies consistent with industry-specific laws and regulations governing the protection of customer information, industry best practices and guidelines and their markets. Some industry sectors, such as financial services, are regulated more heavily than others, and some laws (e.g., FCRA) cross industry lines. The financial services sectors address privacy through a combination of self-regulation, contracts, case law, federal and state laws and regulations. In industry sectors where little or no regulation exists, enforceable industry guidelines may be appropriate.
3. Examples of existing privacy policies of CSI member companies that effectively address concerns about privacy can be found on their Web pages.
4. We believe the "Elements" paper covers the essential characteristics of effective self-regulation.
5. Consumers should be given the opportunity to opt-out of having their information provided to third parties. In many industries, federal and state laws already require that consumers be given such a choice, and this is a widely-accepted industry practice today. It is also a common business practice for companies to maintain tight control over customer information provided to external organizations for marketing purposes, by seeding customer lists to detect unauthorized use of customer lists and auditing for compliance with acceptable privacy standards.
6. Many industry sectors already have effective regulatory enforcement mechanisms in place. For example, existing federal law makes unfair and deceptive practices unlawful. Thus, if a company provides its customers with a privacy statement that does not accurately reflect its privacy practices, it can precipitate a challenge by the appropriate regulators.
7. The primary consequence for companies that do not comply with fair information practices is the loss of the customer's trust and business, unfavorable media coverage and loss of future business opportunities. We concur with Secretary Daley's belief that business has the most vested in the success of electronic commerce, which depends on consumer confidence and trust to transact business on the Internet. Market sanctions are severe and swift for companies that fail to maintain the trust of their customers.
8. Public opinion is an effective privacy regulator. Where threats to the privacy or security of consumers have been identified, the response by industry has been swift and decisive. There is evidence that consumers respond to threats to their privacy or security. For example, America Online planned to provide lists of its customers' phone numbers to telemarketers and other direct marketers. Under pressure from its subscribers, the media, politicians and privacy-rights groups, AOL canceled its plans. Another example involved Experian, Inc., one of the three largest credit reporting companies. In response to strong customer demand for information contained in their credit reports, Experian offered people the opportunity to access their reports via the Internet. Technical problems caused some credit reports to be sent to the wrong people, and media coverage of the problem added pressure, so the company shut down the system. The responsiveness of companies to the press and public opinion means that problems are corrected quickly without government action.
9. The bankcard associations (Visa and MasterCard), automated clearing houses (ACHs) and ATM networks are examples of effective self-regulation. Members of these organizations must comply with an extensive body of operating rules pertaining to cardholders, merchants and other parties.
10. In general, self-regulation of online privacy should be permitted across the board. If self-regulation proves to be consistently unworkable, and public opinion fails to correct actual abuses, further steps may be necessary.
11. While difficult to quantify, the costs to implement a self-regulatory privacy regime are likely to be far less than the costs of legislation or regulation.
12. We believe that self-regulatory distinctions need not be made between the online and traditional business environments. The scope of data protection encompasses both privacy and security issues, and online policies should be linked to company policies that protect their customers' information whether online or off.
13. While CSI has not polled its members, it is our understanding that in general they do not receive an appreciable or material number of consumer complaints about privacy. Some CSI members have had privacy policies for a number of years. Others are implementing such policies now. All believe that they are highly responsive to their consumers and to consumer privacy concerns. However, companies offering "look-up" services have entered a special arrangement to assure protection of privacy as the result of public concern.
14. The balance between freedom of information and individual privacy concerns is usually determined by the consumer. Some consumers are more concerned about privacy than others and will take steps to opt-out of being solicited for products and services. Others may be concerned about the collection and use of sensitive personal information (e.g., medical records) and seek to prohibit or restrict companies from using such information. Since there is no one appropriate point at which to strike a balance, but many points on a scale, attempts should not be made to apply a single standard. As we pointed out earlier, many people are willing to trade-off some degree of privacy for lower prices, more choices and greater convenience. The responsibility of business is to disclose clearly its privacy policies to consumers and provide them with privacy choices.
CSI hopes these responses to your questions are helpful, and we thank you for the opportunity to comment.