June 25, 1998
Ms. Jane Coffin
Office of International Affairs
National Telecommunications and Information Administration (NTIA)
Room 4898
14th Street and Constitution Avenue, NW
Washington, DC 20230
Dear Ms. Coffin:
Thank you for giving the public the opportunity to comment on your staff discussion paper, Elements of Effective Self Regulation for Protection of Privacy. In my law practice I concentrate on Internet and information law topics, and I have seen that along with the exciting opportunities provided by the Internet, a number of controversial issues have developed within the unique environment of cyberspace. One of the most significant issues involves the personal privacy that is jeopardized as increasing amounts of personal information are collected and revealed electronically. I am very interested in informational privacy issues and have written several articles, including: Lost and Found in Cyberspace: Informational Privacy in the Age of the Internet, 34 SAN DIEGO LAW REVIEW 1153 (1997) and Everyone Knows You're a Dog: The EU Data Protection Directive and Personal Data, 1 JOURNAL OF INTERNET LAW 14 (March 1998).
In particular, I would like to comment on questions #1, #3, #5, and #10 as published in the June 5, 1998 FEDERAL REGISTER notice requesting comments.
Question #1: The discussion paper sets out nine specific characteristics of effective self regulation for privacy: awareness, choice, data security, data integrity, consumer access, accountability, consumer recourse, verification and consequences. Which of the individual elements set out in the draft discussion paper do you believe are necessary for self regulation to protect privacy? To what extent is each element necessary for effective self regulation? . . .
All nine specific characteristics are very important elements of privacy protection, and should be required whenever personally identifiable information (information that identifies a particular individual) is collected. Awareness, with its components (notification, privacy policies, and consumer education), is necessary whenever personal information is collected. Entities which collect personal information should be required to explicitly inform individuals when personal information is being collected and how this information might be used. Without awareness that personal information is being collected and how it will be used, consumers cannot make informed decisions about how much, if any, information to provide. The awareness element is particularly important in the online arena, because there are so many ways of collecting information online surreptitiously. Much has been written about "cookies," and it is generally agreed that "cookies" are a relatively harmless means for Web site operators to learn about visits to their Web sites. However, cookies may become a means to invade personal privacy when combined with other online data collection practices, such as on-site registration and the collection of "clickstream" data. Many Web sites require on-site registration, including name, address, e-mail address, and sometimes interests and other personal information, in order to obtain access or certain benefits. "Clickstream" data are electronic records of user activity which online service providers can use to track an online user's navigation on the service. By using a combination of on-site registration and cookies and/or clickstream data, a Web site owner has the means to develop an extensive profile of an individual, all without the knowledge of the individual.
I have provided more information on this topic in my article, Lost and Found in Cyberspace: Informational Privacy in the Age of the Internet, which is available on the Internet at http://www.info-law.com/lost.html.
The elements, choice, data security, data integrity, and consumer access are all particularly important in situations in which entities collect, maintain, use, or disseminate records of identifiable personal information. When providing information which identifies them personally, individuals must have choice as to whether to divulge certain data, and/or to prevent additional uses of the data. Similarly, data security and data integrity must be ensured when entities collect identifiable personal information, and data subjects must be able to access records pertaining to them in order to make corrections when there are errors.
Accountability, consumer recourse, verification, and consequences are also essential elements for all situations in which companies collect personal data. The history of self regulation in the information industry indicates that without effective accountability and consequences for violations of fair information policies, self regulation in the information industry will not be sufficiently effective. For example, information industry fair information practice codes have been in existence since the early 1990s, but have not prevented fair information practice violations. As noted by Professors Paul M. Schwartz and Joel R. Reidenberg, in DATA PRIVACY LAW (1996) on pages 216-17: "[T]he Direct Marketing Association's (DMA) Code of Fair Information Practices stipulates that marketers should notify individuals of the collection of data for marketing purposes. The marketing departments of many companies belonging to the DMA, however, collect data directly from individuals for sale to third parties without notifying individuals. The code is not systematically honored by companies engaged in direct marketing activities."
Also, there have been several high-profile instances of Internet service providers violating their own privacy policies. For example, it was recently disclosed that the Internet Web host GeoCities, which has over 1.9 million members, violated its privacy policy by disclosing to third parties members' personal information which was collected as part of its member application process. (Bob Woods, GeoCities Reveals FTC Investigation In IPO Filing, CNN Financial Network (June 1998), <http://www.cnnfn.com/digitaljam/newsbytes/113223.html>.) In late 1997, America Online, the largest Internet service provider, violated its privacy policy by revealing the personal information of one of its members to a telephone caller. (Philip Shenon, Navy and America Online Settle Case on Gay Privacy, N.Y. TIMES (June 12, 1998).)
Question #3: Please submit examples of existing privacy policies. In what ways do they effectively address concerns about privacy in the information to which they apply? In what ways do they fail?
For examples of existing privacy policies, I refer to the trade association guidelines which were collected by the Federal Trade Commission (FTC), and which are available online at http://www.ftc.gov/reports/privacy3/append-e.pdf as part of the Federal Trade Commission's June 1998 Privacy Online: A Report to Congress. As indicated in the FTC report, existing privacy policies have failed to effectively protect privacy. In reporting on its study of existing trade association guidelines, as well as its survey of 1,400 Web sites, the FTC notes:
[D]espite the Commission's three-year privacy initiative supporting a self-regulatory response to consumers' privacy concerns, the vast majority of online businesses have yet to adopt even the most fundamental fair information practice (notice/awareness). Moreover, the trade association guidelines submitted to the Commission do not reflect industry acceptance of the basic fair information practice principles. In addition, the guidelines, with limited exception, contain none of the enforcement mechanisms needed for an effective self-regulatory regime. In light of the lack of notice regarding information practices on the World Wide Web and the lack of current industry guidelines adequate to establish an effective self-regulatory regime, the question is what additional incentives are required in order to encourage effective self-regulatory efforts by industry. (Federal Trade Commission, Privacy Online: A Report to Congress, June 1998, http://www.ftc.gov/reports/privacy3/conclu.htm)
The FTC also notes that of the existing industry policies, none provide a private remedy for aggrieved individuals, and only one industry policy, that of the Individual Reference Services Group (IRSG), provides any enforcement mechanism.
Furthermore, as revealed in the Electronic Privacy Information Center's 1998 survey of Web sites owned by new members of the Direct Marketing Association, few comply with the DMA's privacy protection requirements, which were set out in October 1997. (Electronic Privacy Information Center, Surfer Beware II: Notice Is Not Enough, June 1998, http://www2.epic.org/reports/surfer-beware2.htm.)
Unfortunately, existing privacy policies do not effectively address concerns about privacy.
Question #5: Should consumer limitations on how a company uses data be imposed on any other company to which the consumer's information is transferred or sold? How should such limitations be imposed and enforced?
Consumers must be given the opportunity to prevent all secondary uses of their identifiable personal data. Data collectors should be required to notify consumers that the data collector may use the data in unspecified ways and/or disseminate the data to other parties. Also, they must give the consumer an opportunity to prevent secondary uses of the data. I believe that the most effective means of enforcing consumer choice as to secondary uses of identifiable personal data is to provide substantial monetary penalties for noncompliance and the opportunity for redress for those injured by a company's violation.
Question #10: Please comment on the extent to which you believe self regulation can successfully protect privacy online. . . .
I believe that the use of self regulation is very important, but that it is unlikely to be sufficient in effectively protecting privacy online. Self regulatory measures offer some privacy protections if uniformly and consistently followed, and they offer the significant benefit of addressing and resolving issues which arise more quickly than through the legislative process or other methods of redress. However, as seen in the privacy breaches associated with the Internet, and in the Federal Trade Commission's Privacy Online: A Report to Congress and the Electronic Privacy Information Center's Surfer Beware II: Notice Is Not Enough, self regulation has not been successful in protecting privacy online. Also, self regulation is even more unlikely to be effective for those companies which are not subject to organizational sanctions or government regulations. Legislation which incorporates the basic tenets of fair information practices and which provides a private right of action for aggrieved individuals along with the administrative enforcement powers of a government regulatory authority would be most effective in protecting privacy online.
Furthermore, while concerns about the collection of personal information have intensified with the advent of the Internet because the Internet offers so many new ways of collecting and disseminating personal information, there are also concerns about the collection and dissemination of personal data offline. Massive amounts of data are maintained about individuals in government and private sector databases, and this information is used by government, marketers, credit institutions, and others in making decisions that affect individuals' lives. The privacy issues underlying the collection and dissemination of personal information by these entities need to be addressed as well. What is needed is a comprehensive policy that will guarantee individuals the right to control the collection and distribution of their personal information whatever the format.
For additional information about the effect on personal privacy of the Internet and online services, as well as computerized databases maintained by government, marketers, and others, I invite you to read my articles on privacy issues which are posted on my Web site at http://www.info-law.com.
Sincerely,
Susan E. Gindin