September 29, 1998





Jane Coffin

Office of International Affairs

National Telecommunications and Information Administration

Room 4898

Department of Commerce

14th Street and Constitution Avenue, N.W.

Washington, D.C. 20230



Re: Docket No. 980422102-8102-01; Elements of Effective Self-Regulation for the Protection of Privacy and Questions Related to Online Privacy



Dear Ms. Coffin:



Mars, Incorporated is pleased to provide these comments on Elements of Effective Self-Regulation for the Protection of Privacy and Questions Related to Online Privacy, 63 Fed. Reg. 30729 (June 5, 1998). Our comments below focus on the proposed nine "characteristics of effective self-regulation for privacy" set forth in the discussion paper. We also address, in particular, the current availability of an effective self-regulatory mechanism to protect children's privacy online and offer some suggestions on ways to improve compliance.



Like many other companies, Mars supports self-regulatory mechanisms to protect consumer privacy. In particular, Mars is a strong supporter of the self-regulatory guidelines designed to protect children developed by the Children's Advertising Review Unit (CARU) of the Council of Better Business Bureaus, Inc. (BBB) (CARU Guidelines). The NTIA Notice raises a variety of very important questions about consumer privacy which deserve more reflection and thought. With regard to children's online privacy, however, the Federal Trade Commission's (FTC) recent report, Privacy Online: A Report to Congress, June 1998 (FTC Privacy Report), emphasizes that, substantively, CARU has "got it right." While more work is needed to publicize the existence of the CARU Guidelines for online privacy and improve the level of compliance with them, the self-regulatory picture on children's privacy is very encouraging. More importantly, appropriate mechanisms already exist to provide the kind of consumer redress and company accountability which is part of an effective self-regulatory program on children's online privacy.



Background



The explosive growth of the Internet in a relatively small number of years has been astonishing. Companies, consumers and the government are still feeling their way through this exciting new medium. Consequently, there is every reason to believe that an expanded public education campaign on privacy, targeting both consumers and businesses, will, in a relatively short period of time, improve awareness of this important issue dramatically.



There is general agreement that of all the characteristics of effective industry self-regulation for privacy, notice is the most important. Most of the other elements of effective privacy self-regulation which we believe are also important - choice, accountability and consumer recourse - flow directly from the notice or awareness element. While the rate of compliance with this element certainly requires significant improvement in the U.S., it is worth mentioning that, despite the existence of the European Data Directive, very few European Internet sites provide any notice whatsoever of their privacy policies. We suspect that many more sites in the U.S. offer notice of their privacy policies than do sites operating in jurisdictions which have adopted privacy legislation. We believe that a U.S. effort encouraging consumers to look for and ask about privacy notices, and urging web site providers - many of whom are global companies - to offer clear and accurate summaries of their privacy policies, will very quickly result in adoption of privacy policies and full disclosure of those policies, not just here, but throughout the world.



CARU has worked long and hard to create a workable children's privacy self-regulatory program for the interactive environment. The FTC's report is encouraging in its recognition that the CARU Guidelines are consistent with the principles outlined in FTC staff writings on the subject of children's privacy on the Internet. See FTC Privacy Report at p. 17. Proceedings like the NTIA privacy discussion, and prior FTC Workshops on the subject, will help expand awareness of the CARU Guidelines.



As the FTC has noted, CARU not only has established a baseline for the content of a children's online privacy program, but also has an enforcement mechanism in place to promote compliance with its Guidelines. The compliance rate, found by the FTC to be about 50%, is actually surprisingly good considering the youth of the online medium, and CARU figures suggest that compliance is even higher. Improvement, however, is needed. We believe that the FTC should take the lead in encouraging consumers to look for privacy notices and companies whose web sites appeal to children to adhere to the CARU Guidelines. Companies that specify in their privacy notices that they adhere to CARU Guidelines in essence take a "privacy pledge." Companies that fail to make good on these promises would not only violate the CARU Guidelines, triggering the self-enforcement mechanisms offered under that program, but would also be vulnerable to enforcement action by the FTC for deceptive advertising under Section 5 of the Federal Trade Commission Act (FTCA). Although we do not believe it is essential, as we believe the CARU program already incorporates severe consequences for failure to adhere to its policies, if CARU is willing to explore a seal-type program, focused on web sites which appeal to children, the Company would be willing to participate in those discussions.



Elements of Effective Self-Regulation for Protection of Privacy



The NTIA notice treats separately "principles of fair information practices" and "enforcement mechanisms." We also treat these elements separately below.



A. Principles of Fair Information Practices



Awareness



The first and perhaps most important aspect of safeguarding personal privacy online is for companies to disclose when and how they collect personal data, and how they use it.



Privacy expectations may differ depending on the type of information sought, the reason for seeking the information, and how it will be used. Consumers may be much more willing to provide information to a company that agrees to use it only for internal purposes (like filling an order for merchandise, adding a name to a list to receive coupons, etc.) than they might be to a company that plans to sell that data to others. Marketing or business needs differ as well. A healthcare provider needs detailed personal medical data, and a mortgage company needs detailed financial information, to effectively offer their products and services. Thus, it is neither practical nor desirable to adopt a "one-size-fits-all" privacy protection policy. Various degrees of caution may need to be exercised depending on the type of information collected (e.g., financial, health, etc.), or the audience involved (e.g., children).



We agree that different industry sectors should develop their own guidelines on fair information practices for the collection of data. With children, however, the answer is simple. The CARU Guidelines already provide appropriate and well-thought-out standards to protect the privacy of young children online. Companies whose web sites may appeal to children should be encouraged to adhere to CARU Guidelines and post notice of their adherence publicly.



Self-regulation and reliance on market forces are far preferable to legislation in achieving compliance with the notice element. After all, the existence of the EU Data Directive has not resulted in a large number of companies posting privacy notices on EU-based sites. The example set by major players in industry, coupled with a demand for privacy protection from the public and a cooperative public education campaign, will drive an ever larger number of companies to disclose their privacy policies. This is especially true where a consensus exists on the basic standards, as is the case with children's online privacy. The government can play an important role here by urging consumers to look for privacy statements, to ask sites which they visit online to provide information on their privacy policies, and to avoid visiting sites where they have questions about the policies. From a public perception standpoint, if a CARU "seal" or other symbol of adherence to CARU policies is deemed desirable, Mars would be interested in participating in discussions about a focused program.



Choice



The issue of choice is intimately related to the question of notice, and equally important. So long as the data collector offers notice and specifies what personal data will be collected and how it will be used, the consumer can agree, or not, to provide data. Choice, however, does not necessarily mean free and unfettered access to all information on a particular web site. A web site provider may certainly condition access to certain parts of the site on providing personal data, and it is not possible for visitors to engage in certain functions, like ordering certain merchandise online, without doing so.



Where children are concerned, the CARU Guidelines require web providers to remind children to ask a parent for permission before collecting personally identifiable information. The notice must be in language understandable to a child. Where real-world, personally identifiable information which would enable the recipient to directly contact the child off-line is collected, or where personally identifiable information would be publicly posted, web site providers who collect this identifiable information online should make reasonable efforts, in light of the latest available technology, to ensure that prior parental permission is obtained.



Debate has arisen about the form of these consents, with some urging "snail mail" forms in all cases. E-mail consents are suitable and appropriate to the medium, and should be deemed acceptable as specified in the CARU Guidelines. As participants in the panel noted, the burden of obtaining hard-copy consents is considerable. Any initiative to mandate that this be done in all instances, while difficult enough for larger companies to meet, will no doubt disproportionately affect smaller companies. And, the opinion of legal experts regarding the scope of First Amendment protection that should be accorded to this medium suggests that differential treatment of online activities from other, more traditional marketing activities is not warranted.



Data Security



Of course, companies creating, maintaining, using or disseminating records involving identifiable personal information must take reasonable measures to ensure its reliability for its intended use, and reasonable precautions to protect it from loss, etc. Companies that collect and use personal information for internal purposes, like developing a list of customers who order products online, or seeking consumer input to evaluate product taste, appearance and other preferences, jealously guard that information from their competitors. To maintain the confidentiality of that data, companies must have procedures in place to protect it from disclosure. Company- or product-specific web sites can thus be expected to be very secure. These sites typically would share information only with advertising agencies, market research firms, or research and development arms of the company, and would never sell or otherwise disclose the data to third parties.



We do agree that where data is sold to third parties, different security concerns may exist. Again, however, this simply reinforces the point that tailored policies, not blanket rules, are best designed to protect consumers while allowing businesses to provide necessary and desirable products and services.



Data Integrity



Where notice and choice are provided, and a consumer affirmatively offers personal information, it is hard to see how data integrity is really a serious problem. In the online environment, the consumer who chooses to offer personal data is uniquely in a position to assure its accuracy and to correct data, updating address information as needed, for example, to place an order. No doubt online marketers would be glad to correct this information.



Consumer Access



Consumers should have the opportunity for reasonable, appropriate access to information about them that a company holds, so that the information can be corrected as necessary. If consumers have been given notice and choice up-front, however, and have chosen to provide personal information, the company's response may vary. While certainly companies would be glad to correct address and other information, or to delete from mailing and e-mail lists the names of those individuals who are no longer interested in receiving information from the company, companies should not be required to delete personal information entirely from their databases. Indeed, a company may be legally required to retain certain information, as, for example, with respect to reports of product failures or consumer complaints or injuries. It would be improper, and potentially conflict with existing legal obligations, to require companies to delete all personal information in their possession upon request.



Accountability



Major companies have a stake in maintaining their integrity and reputation with consumers. This alone provides ample incentive for most companies - particularly those offering a company- or product-specific web site - to adhere to their stated privacy policies. Mars believes that consumers have confidence in its reputation, and will trust the Company to keep its word about privacy, just as they have confidence in the quality of its products. For smaller companies that may not have achieved the level of consumer confidence that a major company might enjoy, there may be value in organizations that offer "seals" or other assurances as indicia of compliance with stated privacy policies. We do not believe, however, that anyone benefits from cumbersome and expensive legislation or self-regulation.



Fortunately, the CARU process provides an existing mechanism to assure accountability and adherence to agreed-upon national standards to protect children's privacy. We provide further thoughts on this aspect below.



B. Enforcement



The three aspects of enforcement addressed by NTIA include consumer recourse, verification and consequences. Existing mechanisms under CARU offer an effective enforcement mechanism that responds to the most essential elements identified by NTIA.



Consumer Recourse



Notice provides the first avenue of consumer recourse. The consumer who does not see a posted privacy policy, or who objects to the content of a posted privacy protection policy, can choose not to visit the site. Parents can and should monitor sites with their children in this regard, and discuss with them the importance of privacy. Where children are concerned, a parent who does not see a reference to the CARU Guidelines can simply exit the site. A parent who questions whether the site is in fact adhering to a stated policy of compliance with the CARU Guidelines can initiate a complaint in accordance with established procedures.



Verification



NTIA suggests that some sort of "verification" to provide "attestation that the assertion businesses make about their privacy practices are true and that privacy practices have been implemented as represented" is needed. While a verification process may be useful in inspiring consumer confidence where companies deal with highly sensitive medical or financial information, for companies that collect data for the purpose of selling it, or for companies that may not have a national reputation, we question the value - and expense - of a blanket rule requiring "verification." An unwanted layer of confusion and bureaucracy should not be interjected into what, at least with respect to children, should be a relatively simple process. For many companies, like Mars, a statement of adherence to CARU Guidelines can be taken as a statement that the company has adopted reasonable methods to comply with its stated policy at that site.



A "verification" component may in fact create new privacy concerns. From this standpoint, "audits" necessarily involve access by some entity or individual to personal data collected online. This fact would presumably have to be disclosed in a stated privacy notice. Of course, to assure credibility with the business community, access by consultants or employees of competitors to company databases must be strictly prohibited as part of any "verification" process. Third-party audits are expensive, and the task of assuring that confidential information is maintained free from disclosure to competitors will increase the costs of any "verification" process. Indeed, one can quickly see yet another cottage industry growing up around verification - an "audit the auditors" program. Again, this will increase costs without providing parallel benefits.



This is a direct corollary to the point made above: a "one-size-fits-all" privacy policy will not serve consumers or industry well. The extent to which certain types of internal or external verification procedures may be desirable or necessary to enhance consumer confidence in this emerging medium may well change depending on the type of information collected and the reputation of the company involved. We do not view verification as an essential element of a sound self-regulatory program to protect personal privacy online, and the CARU program is proof of that. Nevertheless, Mars is willing to further explore a possible CARU-based "seal" program geared to the CARU Guidelines.



Consequences



As we have noted repeatedly throughout these comments, failure to adhere to stated privacy policies, like adherence to the CARU Guidelines, results in the offending company facing a rather powerful and unpleasant series of potential consequences. First is the embarrassment a company faces if a consumer accuses it of failing to adhere to stated privacy policies. Second is the complaint process established by the self-regulatory body to resolve consumer complaints. Third is the potential that if the complaint cannot be resolved, the matter will be referred to the FTC. Indeed, to the extent that a notice reflects a type of contract with the user, or an express representation about treatment of information, other legal remedies may be available to the consumer.



Responsible companies do not lightly post privacy policies without taking steps to ensure that their internal practices allow for compliance. This no doubt accounts for the failure of some companies to proceed with posting privacy notices at this time. The likelihood of adverse legal action by the FTC or a counterpart state agency, on top of action via the existing CARU process, or even private action, acts as a powerful incentive for companies to comply. For that reason, Mars is concerned that the focus by NTIA and others on a certifying seal or logo, on "bad actor" lists, or on disqualification from association membership really misses the point, as do those who suggest that statutory damages and an elaborate system of citizens suits will truly protect personal privacy.



Education is key. An educational program urging consumers to look for privacy notices, and urging businesses to post these notices, will result in more requests for information on privacy by consumers. The market acts as a powerful tool. Consumers who do not find a stated privacy policy, or believe the stated policy is not adequately protective, and who simply exit the site, will quickly signal to the company their disappointment in its failure to specify privacy practices. They can also provide input to the web provider regarding privacy expectations. As more and more companies in various business sectors post privacy notices, their competitors will follow suit, fearing that failure to do so will lead to a drop-off in web site traffic and potentially, particularly for those sites which sell merchandise online, a loss in sales. While seal or trust mark programs may be very helpful for certain organizations, the potential for FTC enforcement or other legal action against those who fail to adhere to their stated representations about compliance with CARU or other express representations about the handling of personal data already exists.



Privacy is a complex issue. Whether privacy concerns revolve around information collected from children, or financial, health or other data in a sensitive category, the bottom line is that the marketplace is robust enough to allow for different types of self-regulatory systems, geared to the particular audience or data at issue. Some may rely on seals or logos. Some may not. Given the FTC's expression of support for the CARU Guidelines, however, it seems logical that consumers are likely to respond positively to notices stating a policy of following the CARU Guidelines for children's online privacy. This is especially true if government and industry work together to promote CARU. The kind of "take the pledge" program which we envision in the children's arena offers the benefit of appropriate, substantive rules of the game developed under an existing, proven self-regulatory regime. It is backed by the potential for a government enforcement mechanism or other legal redress avenues for those rare instances where the industry-sponsored complaint process does not result in satisfactory resolution of the problem.



Conclusion



Responsible action by responsible companies will continue, and there is every reason to believe that the successful track record of self-regulation in the children's area will continue to expand. Consumers and industry alike will benefit from promoting self-regulatory programs like CARU. The fact that there is a relatively high rate of compliance now with CARU Guidelines for online privacy protection of children is encouraging. We disagree that some sort of third-party "verification" process is an essential element of a self-regulatory program to protect the personal privacy of children, as existing self-regulatory mechanisms, coupled with the potential for legal action by the FTC and other remedies, are in place. Mars would, however, participate in an industry initiative to promote awareness of and adherence to the CARU Guidelines through use of a "seal" or through other means.



The Internet environment is still evolving. Industry, government and consumer groups must work together to enhance the potential of the medium, to achieve consumer trust, and to do so without imposing artificial constraints on an emerging medium which deserves the ultimate in First Amendment protection on free speech. We happen to believe that the best and most cost-effective way to do so is for market forces and self-regulatory programs on privacy to continue to mature. This will result in more companies developing privacy policies geared to their activities and site, and pledging adherence to their stated privacy principles. Failure to actually comply will engender an adverse consumer response and potential legal action by appropriate government authorities.



Respectfully submitted,







John D. Murray

Staff Officer - Franchise



Of Counsel:

Sheila A. Millar

Keller and Heckman LLP

1001 G Street, N.W.

Suite 500 West

Washington, D.C. 20001

(202) 434-4143