DEPARTMENT OF COMMERCE
[Docket No. 980422102-8102-01]
RIN 0660-AA13
Elements of Effective Self Regulation for the Protection of Privacy and Questions Related to Online Privacy
AGENCY: National Telecommunications and Information Administration, Department of Commerce.
ACTION: Notice and request for public comment.
SUMMARY: The Department of Commerce, along with the Office of Management and Budget has been asked to report to the President on industry efforts to establish self-regulatory regimes to ensure privacy online and to develop technological solutions to protect privacy. The President also directed the Commerce Department and the Office of Management and Budget to ensure that means are developed to protect children's privacy online. The Department of Commerce requests comments on various aspects of Internet Privacy including the effectiveness of self regulation for privacy. Specifically, the Department of Commerce seeks comment on the staff discussion paper "Elements of Effective Self Regulation for Protection of Privacy." It also asks for responses to specific questions concerning online privacy protection. In addition, the Department seeks input on the specific instances in which government action may be necessary to protect privacy on the Internet.
DATES: Comments must be received by July 5, 1998.
ADDRESSES: Mail written comments to Jane Coffin, Office of International Affairs, National Telecommunications and Information Administration (NTIA), Room 4898, 14th St. and Constitution Ave., NW, Washington, DC. 20230, or email comments to privacy@ntia.doc.gov. Messages to that address will receive a reply in acknowledgment. Comments submitted in electronic form should be in ASCII, WordPerfect (please specify version), or Microsoft Word (please specify version) format. Comments will be posted on the NTIA website at http://www.ntia.doc.gov. Detailed information about electronic filing is available on the NTIA website, http://www.ntia.doc.gov. Paper submissions should include three paper copies and a version on diskette in a format specified above.
FOR FURTHER INFORMATION CONTACT: Jane Coffin, NTIA, (202) 482-1890.
SUPPLEMENTARY INFORMATION
Background
The rapid growth in the use of the Internet, for both personal and commercial purposes, has led to increased public concern about personal privacy. The promise of information technologies--their ability to facilitate the collection, re-use and instantaneous transmission of information--can, if not managed carefully, diminish personal privacy. A Framework for Global Electronic Commerce, issued by the Administration on July 1, 1997, recognizes that it is essential to assure personal privacy in the networked environment if people are to feel comfortable doing business online.
There are a number of statutory or regulatory regimes that continue to apply in an online environment (e.g., the Fair Credit Reporting Act). For Internet industries and commercial activities not covered by statute or regulation, however, the Administration has called on the private sector to develop self-regulatory mechanisms to protect privacy online. The President directed the Department of Commerce and the Office of Management and Budget to work with the private sector to develop and implement effective, consumer-friendly, self-regulatory privacy regimes. These regimes should enable consumers to choose how their personal information will be used, ensure adoption of and adherence to fair information practices, and provide for prompt, efficient dispute resolution.
The Administration supports private sector efforts to implement effective self-regulatory privacy regimes for the Internet. These include mechanisms for facilitating consumer awareness of privacy principles and the exercise of choice about whether and under what circumstances to disclose personal information online, evaluating private sector adoption of and adherence to fair information practices, and dispute resolution. The Administration also anticipates that technology tools will empower consumers to exercise choices about their privacy. If, upon evaluation, this approach proves not to be effective, other government action may be needed.
The Department of Commerce has talked with industry, members of the
academic community, public interest groups and the international community
to consider what characteristics of a self regulatory program would be
necessary to protect privacy effectively. The Department seeks the views
of the public regarding the draft discussion paper, "Elements of Effective
Self Regulation for Protection of Privacy" ("the draft discussion paper"
published below), which proposes the elements that should be present in
a self regulation regime that effectively protects privacy online, while
encouraging industry to craft methods of implementing those elements that
best serve its needs and the needs of its consumers. The Department also
seeks comment on issues surrounding self regulation and online privacy.
Specifically, the Department seeks information on the following:
1. The discussion paper sets out nine specific characteristics of effective
self regulation for privacy: awareness, choice, data security, data integrity,
consumer access, accountability, consumer recourse, verification and consequences.
Which of the individual elements set out in the draft discussion paper
do you believe are necessary for self regulation to protect privacy? To
what extent is each element necessary for effective self regulation? What
are the impediments and costs involved in fulfilling each element of a
self regulatory scheme? What are the competing interests in providing each
element? How would the inclusion of each element affect larger, medium
sized, and smaller companies? What advantages or disadvantages does each
element hold for consumers? What are the challenges faced by companies
in providing each element? How do these challenges depend upon the size
and nature of the business?
2. The draft discussion paper notes that individual industry sectors
will need to develop their own methods of providing the necessary requirements
of self regulation. How might companies and/or industry sectors implement
each of the elements for self regulation?
3. Please submit examples of existing privacy policies. In what ways
do they effectively address concerns about privacy in the information to
which they apply? In what ways do they fail?
4. Are elements or enforcement mechanisms other than those identified
in the draft discussion paper necessary for effective self regulation for
privacy protection? If so, what are they? How might they be implemented?
In addition to the fair information practices and enforcement mechanisms
stated in the discussion draft, are there other privacy protections or
rights essential to privacy protection?
5. Should consumer limitations on how a company uses data be imposed
on any other company to which the consumer's information is transferred
or sold? How should such limitations be imposed and enforced?
6. Please comment specifically on the elements set out in the draft discussion paper that deal with enforcement (verification, recourse, and consequences) and suggest ways in which companies and industry sectors might implement these. What existing systems and/or organizations might serve as models for consumer recourse mechanisms, and explain why they might or might not be effective? Would a combination of elements from existing systems and/or organizations be effective? How might verification be accomplished? What would constitute adequate verification, i.e., in what instances would third-party verification or auditing be necessary, and in what cases would something such as self certification or assertions that one is "audit-ready" suffice? What criteria should be considered to determine the kind of verification that would be appropriate for a company or sector? What constitutes "reasonable access?" What are the costs/impediments involved in providing access? What criteria should be considered to determine "reasonable access" to information for a company or sector?
7. In the section on consequences, the draft discussion paper states
that "sanctions should be stiff enough to be meaningful and swift enough
to assure consumers that their concerns are addressed in a timely fashion."
Identify appropriate consequences for companies that do not comply with
fair information practices that meet this goal, and explain why they would
be effective.
8. What is required to make privacy self regulation effective? Self-regulatory systems usually entail specific requirements, e.g., professional/business registries, consumer help resources, seals of accreditation from professional societies, auditing requirements. What other elements/enforcement mechanisms might be useful to make privacy self regulation effective? How have these enhanced or failed to enhance a self-regulation regime?
9. Self regulation has been used by the business community in other contexts. Please provide examples and comment on instances in which self regulation is used in an industry, profession or business activity that you believe would be relevant to enhance privacy protection. In what ways does self regulation work in these instances? In what ways does it fail? How could existing self-regulatory regimes be adapted or improved to better protect privacy?
10. Please comment on the extent to which you believe self regulation can successfully protect privacy online. Are there certain areas of online activity in which self regulation may be more appropriate than in others? Why?
11. Please comment on the costs business would incur in implementing
a self-regulatory regime to protect privacy. How do these costs compare
to the costs incurred to comply with legislation or regulation?
12. What issues does the online environment raise for self regulation
that are not raised in traditional business environments? What characteristics
of a self-regulatory system in a traditional business environment may be
difficult to duplicate online? Does the online environment present special
requirements for self regulation that are not present in a traditional
business environment? Does the traditional business environment have special
requirements that are not presented in the online environment? What are
these requirements?
13. What experiences have you encountered online in which privacy has
been at issue? In what instances has privacy appeared to be at risk? In
what instances is it well protected? In what ways have businesses or organizations
been responsive to privacy concerns? How difficult have you found it to
protect your privacy online? What circumstances give rise to good privacy
protection in a traditional business setting or online?
14. The Administration's A Framework for Global Electronic Commerce
cites the need to strike a balance between freedom of information values
and individual privacy concerns. Please comment on the appropriate point
at which that balance might be struck. What is the responsibility of businesses,
organizations or webpages to protect individual privacy? To what extent
do these parties have a right to collect and use information to further
their commercial interests? To what extent is it the individual's responsibility
to protect his or her privacy?
As set forth in A Framework for Global Electronic Commerce, the
Clinton Administration supports private sector efforts to implement meaningful,
consumer-friendly, self-regulatory regimes to protect privacy. To be meaningful,
self-regulation must do more than articulate broad policies or guidelines.
Effective self-regulation involves substantive rules, as well as the means
to ensure that consumers know the rules, that companies comply with them,
and that consumers have appropriate recourse when injuries result from
noncompliance. This paper discusses the elements of effective self-regulatory
regimes--one that incorporates principles of fair information practices
with enforcement mechanisms that assure compliance with those practices.
A. Principles of Fair Information Practices
Fair information practices form the basis for the Privacy Act of 1974, the legislation that protects personal information collected and maintained by the United States government. In 1980, these principles were adopted by the international community in the Organization for Economic Cooperation and Development's Guidelines for the Protection of Personal Data and Transborder Data Flows.
Principles of fair information practices include consumer awareness,
choice, appropriate levels of security, data integrity, and consumer access
to their personally identifiable data. While the discussion that follows
suggests ways in which these principles can be implemented, the private
sector is encouraged to develop its own ways of accomplishing this goal.
1. Awareness. At a minimum, consumers need to know the identity of the collector of their personal information, the intended uses of the information, and the means by which they may limit its disclosure. Companies are responsible for raising consumer awareness and can do so through the following avenues:
•Privacy policies. Privacy policies articulate the manner in which a company collects, uses, and protects data, and the choices they offer consumers to exercise rights in their personal information. On the basis of this policy, consumers can determine whether and to what extent they wish to make information available to companies.
•Notification. A company's privacy policy should be made known to consumers. Notification should be written in language that is clear and easily understood, should be displayed prominently, and should be made available before consumers are asked to provide personal information to the company.
•Consumer education. Companies should teach individuals to ask for relevant knowledge about why personal information is being collected, what the information will be used for, how it will be protected, the consequences of providing or withholding information, and any recourse they may have. Consumer education enables consumers to make informed decisions about how they allow their personal data to be used as they participate in the information economy. Consumer education may be carried out by individual companies, trade associations, or industry public service campaigns.
2. Choice. Consumers should be given the opportunity to exercise
choice with respect to whether and how their personal information is used,
either by businesses with whom they have direct contact or by third parties.
Consumers must be provided with simple, readily visible, available, and
affordable mechanisms--whether through technological means or otherwise--to
exercise this option. For certain kinds of information, e.g., medical information
or information related to children, affirmative choice by consumers may
be appropriate. In these cases companies should not use personal information
unless its use is explicitly consented to by the individual or, in the
case of children, his or her parent or guardian.
3. Data Security. Companies creating, maintaining, using or disseminating
records of identifiable personal information must take reasonable measures
to assure its reliability for its intended use and must take reasonable
precautions to protect it from loss, misuse, alteration or destruction.
Companies should also strive to assure that the level of protection extended
by third parties to whom they transfer personal information is at a level
comparable to its own.
4. Data Integrity. Companies should keep only personal data relevant
for the purposes for which it has been gathered, consistent with the principles
of awareness and choice. To the extent necessary for those purposes, the
data should be accurate, complete, and current.
5. Consumer Access. Consumers should have the opportunity for
reasonable, appropriate access to information about them that a company
holds, and be able to correct or amend that information when necessary.
The extent of access may vary from industry to industry. Providing access
to consumer information can be costly to companies, and thus decisions
about the level of appropriate access should take into account the nature
of the information collected, the number of locations in which it is stored,
the nature of the enterprise, and the ways in which the information is
to be used.
6. Accountability. Companies should be held accountable for complying
with their privacy policies.
B. Enforcement.
To be effective, a self-regulatory privacy regime should include mechanisms
to assure compliance with the rules and appropriate recourse to an injured
party when rules are not followed. Such mechanisms are essential tools
to enable consumers to exercise their privacy rights, and should, therefore,
be readily available and affordable to consumers. They may take a variety
of forms and businesses may need to use more than one depending upon the
nature of the enterprise and the kind and sensitivity of information the
company collects and uses. The discussion of enforcement tools below is
in no way intended to be limiting. The private sector may design the means
to provide enforcement that best suit its needs and the needs of consumers.
1. Consumer recourse. Companies that collect and use personally
identifiable information should offer consumers mechanisms by which their
complaints and disputes can be resolved. Such mechanisms should be readily
available and affordable.
2. Verification. Verification provides attestation that the assertions
businesses make about their privacy practices are true and that privacy
practices have been implemented as represented. The nature and the extent
of verification depends upon the kind of information with which a company
deals--companies using highly sensitive information may be held to a higher
standard of verification. Because verification may be costly for business,
work needs to be done to arrive at appropriate, cost-effective ways to
provide companies with the means to provide verification.
3. Consequences. For self-regulation to be effective, failure
to comply with fair information practices should have consequences. Examples
of such consequences include cancellation of the right to use a certifying
seal or logo, posting the name of the non-complier on a "bad-actor" list,
or disqualification from membership in an industry trade association. Non-compliers
could be required to pay the costs of determining their non-compliance.
Ultimately, sanctions should be stiff enough to be meaningful and swift
enough to assure consumers that their concerns are addressed in a timely
fashion. When companies make assertions that they are abiding by certain
privacy practices and then fail to do so, they may be liable for deceptive
practices and subject to action by the Federal Trade Commission or appropriate
bank or financial regulatory authority.
Shirl Kinney
Deputy Assistant Secretary and Administrator