June 25, 1998
Ms. Jane Coffin
Office of International Affairs
National Telecommunications and Information Administration (NTIA)
14th Street and Constitution Avenue, NW
Washington, DC 20230
Dear Ms. Coffin:
Thank you for giving the public the opportunity to comment on your staff discussion paper, Elements of Effective Self Regulation for Protection of Privacy. In my law practice I concentrate on Internet and information law topics, and I have seen that along with the exciting opportunities provided by the Internet, a number of controversial issues have developed within the unique environment of cyberspace. One of the most significant issues involves the personal privacy that is jeopardized as increasing amounts of personal information are collected and revealed electronically. I am very interested in informational privacy issues and have written several articles, including: Lost and Found in Cyberspace: Informational Privacy in the Age of the Internet, 34 SAN DIEGO LAW REVIEW 1153 (1997) and Everyone Knows You're a Dog: The EU Data Protection Directive and Personal Data, 1 JOURNAL OF INTERNET LAW 14 (March 1998).
In particular, I would like to comment on questions #1, #3 #5, and #10 as published in the June 5, 1998 FEDERAL REGISTER notice requesting comments.
Question #1: The discussion paper sets out nine specific characteristics of effective self regulation for privacy: awareness, choice, data security, data integrity, consumer access, accountability, consumer recourse, verification and consequences. Which of the individual elements set out in the draft discussion paper do you believe are necessary for self regulation to protect privacy? To what extent is each element necessary for effective self regulation? . . .
All nine specific characteristics are very important elements of privacy protection, and should be required whenever personally identifiable information--information that identifies a particular individual--is collected. Awareness, with its components-- notification, privacy policies, and consumer education-- is necessary whenever personal information is collected. Entities which collect personal information should be required to explicitly inform individuals when personal information is being collected and how this information might be used. Without awareness that personal information is being collected and how it will be used, consumers cannot make informed decisions about how much, if any, information to provide. The awareness element is particularly important in the online arena. This is because in the online arena, there are so many ways of collecting information surreptitiously. Much has been written about "cookies," and it is generally agreed that "cookies" are a relatively harmless means for Web site operators to learn about visits to their Web sites. However, cookies may become a means to invade personal privacy when combined with other online data collection practices, such as on-site registration and the collection of "clickstream" data. Many Web sites require on-site registration, including name, address, e-mail address, and sometimes interests and other personal information, in order to obtain access or certain benefits. "Clickstream" data is electronic records of user activity which online service providers can use to track an online user's navigation on the service. By using a combination of on-site registration and cookies and/or clickstream data, a Website owner has the means to develop an extensive profile of an individual, all without the knowledge of the individual. I have provided more information on this topic in my article, Lost and Found in Cyberspace: Informational Privacy in the Age of the Internet, which is available on the Internet at http://www.info-law.com/lost.html.
The elements, choice, data security, data integrity, and consumer access are all particularly important in situations in which entities collect, maintain, use, or disseminate records of identifiable personal information. When providing information which identifies them personally, individuals must have choice as to whether to divulge certain data, and/or to prevent additional uses of the data. Similarly, data security and data integrity must be ensured when entities collect identifiable personal information, and data subjects must be able to access records pertaining to them in order to make corrections when there are errors.
Accountability, consumer recourse, verification, and consequences are also essential elements for all situations in which companies collect personal data. The history of self regulation in the information industry indicates that without effective accountability and consequences for violations of fair information policies, self regulation in the information industry will not be sufficiently effective. For example, information industry fair information practice codes have been in existence since the early 1990s, but have not prevented fair information practice violations. As noted by Professors Paul M. Schwartz and Joel R. Reidenberg, in DATA PRIVACY LAW (1996) on pages 216-17: "[T]he Direct Marketing Association's (DMA) Code of Fair Information Practices stipulates that marketers should notify individuals of the collection of data for marketing purposes. The marketing departments of many companies belonging to the DMA, however, collect data directly from individuals for sale to third parties without notifying individuals. The code is not systematically honored by companies engaged in direct marketing activities."
Question #3 Please submit examples of existing privacy policies. In what ways do they effectively address concerns about privacy in the information to which they apply? In what ways do they fail?
For examples of existing privacy policies, I refer to the trade association guidelines which were collected by the Federal Trade Commission (FTC), and which are available online at http://www.ftc.gov/reports/privacy3/append-e.pdf as part of the Federal Trade Commission's June 1998 Privacy Online: A Report to Congress. As indicated in the FTC report, existing privacy policies have failed to effectively protect privacy. In reporting on its study of existing trade association guidelines, as well as its survey of 1,400 Web sites, the FTC notes:
[D]espite the Commission's three-year privacy initiative supporting a self-regulatory response to consumers' privacy concerns, the vast majority of online businesses have yet to adopt even the most fundamental fair information practice (notice/awareness). Moreover, the trade association guidelines submitted to the Commission do not reflect industry acceptance of the basic fair information practice principles. In addition, the guidelines, with limited exception, contain none of the enforcement mechanisms needed for an effective self-regulatory regime. In light of the lack of notice regarding information practices on the World Wide Web and the lack of current industry guidelines adequate to establish an effective self-regulatory regime, the question is what additional incentives are required in order to encourage effective self-regulatory efforts by industry. (Federal Trade Commission, Privacy Online: A Report to Congress, June 1998, http://www.ftc.gov/ reports/privacy3/conclu.htm)
The FTC also notes that of the existing industry policies, none provide a private remedy for aggrieved individuals, and only one industry policy, that of the Individual Reference Services Group (IRSG), provides any enforcement mechanism.
Furthermore, as revealed in the Electronic Privacy Information Center's 1998 survey of Web sites owned by new members of the Directing Marketing Association, few comply with the DMA's privacy protection requirements, which were set out in October 1997. (Electronic Privacy Information Center, Surfer Beware II: Notice Is Not Enough, June 1998, http://www2.epic.org/reports/surfer-beware2.htm).
Unfortunately, existing privacy policies do not effectively address concerns about privacy.
Question #5 Should consumer limitations on how a company uses data be imposed on any other company to which the consumer's information is transferred or sold? How should such limitations be imposed and enforced?
Consumers must be given the opportunity to prevent all secondary uses of their identifiable personal data. Data collectors should be required to notify consumers that the data collector may use the data in unspecified ways and/or disseminate the data to other parties. Also, they must give the consumer an opportunity to prevent secondary uses of the data. I believe that the most effective means of enforcing consumer choice as to secondary uses of identifiable personal data is to provide substantial monetary penalties for noncompliance and the opportunity for redress for those injured by a company's violation.
Question #10 Please comment on the extent to which you believe self regulation can successfully protect privacy online. . . .
I believe that the use of self regulation is very important, but that it is unlikely to be sufficient in effectively protecting privacy online. Self regulatory measures offer some privacy protections if uniformly and consistently followed, and they offer the significant benefit of addressing and resolving issues which arise more quickly than through the legislative process or other methods of redress. However, as seen by the privacy breaches associated with the Internet, and in the Federal Trade Commission's Privacy Online: A Report to Congress and the Electronic Privacy Information Center's Surfer Beware II: Notice Is Not Enough, self regulation has not been successful in protecting privacy online. Also, self regulation is even more unlikely to be effective for those companies which are not subject to organization sanctions or government regulations. Legislation which incorporates the basic tenets of fair information practices and which provides a private right of action for aggrieved individuals along with the administrative enforcement powers of a government regulatory authority would be most effective in protecting privacy online.
Furthermore, while concerns about the collection of personal information have intensified with the advent of the Internet because the Internet offers so many new ways of collecting and disseminating personal information, there are also concerns about the collection and dissemination of personal data offline. Massive amounts of data are maintained about individuals in government and private sector databases, and this information is used by government, marketers, credit institutions, and others in making decisions that affect individuals' lives. The privacy issues underlying the collection and dissemination of personal information by these entities need to be addressed as well. What is needed is a comprehensive policy that will guarantee individuals the right to control the collection and distribution of their personal information whatever the format.
For additional information about the effect on personal privacy of the Internet and online services, as well as computerized databases maintained by government, marketers, and others, I invite you to read my articles on privacy issues which are posted on my Web site at http://www.info-law.com.
Susan E. Gindin