STATEMENT OF

THE HONORABLE ANDREW J. PINCUS

GENERAL COUNSEL

DEPARTMENT OF COMMERCE

SUBMITTED TO

THE SUBCOMMITTEE ON COURTS AND INTELLECTUAL PROPERTY

COMMITTEE ON THE JUDICIARY

UNITED STATES HOUSE OF REPRESENTATIVES



MAY 18, 2000



Thank you for the opportunity to testify here today. The rapid growth in the use of the Internet, for both personal and commercial purposes, has led to increased public concern about personal privacy. In fact, privacy is one of the most important concerns of Internet users. The promise of information technologies--their ability to facilitate the collection, re-use and instantaneous transmission of information--can, if not managed carefully, pose risks to personal privacy. This Administration has worked hard to protect the privacy of personal information that is communicated online and is proud of its record. During my testimony, I will summarize some of the Administration's efforts in this area. I will also mention a number of private sector initiatives that are designed to address privacy concerns.

A Framework for Global Electronic Commerce, issued by the Administration on July 1, 1997, recognizes that it is essential to assure personal privacy in the networked environment if people are to feel comfortable doing business online. In the Framework, President Clinton and Vice President Gore set forth three privacy priorities for their administration: encouraging private sector development and adoption of effective codes of conduct, rules and technological solutions to protect privacy on the Internet; developing recommendations on the appropriate role of government in privacy protection; and ensuring that means are developed to protect the privacy of children.

With regard to children's, financial, and medical information--the most sensitive categories of information--this Administration has supported technologically neutral legislative solutions to protect privacy online. In other areas, we have worked with the business community, privacy advocates, and academics to create effective self-regulatory regimes. We have also acted with the knowledge that the Federal Trade Commission ("FTC") has enforcement powers that allow it to protect consumers from unfair and deceptive trade practices that affect privacy interests. In addition, there are a number of statutory or regulatory regimes that apply to an equal degree both online and off-line. The Fair Credit Reporting Act is an example of one such regime.

Fair information practices form the basis for the Privacy Act of 1974, the legislation that protects personal information collected and maintained by the United States government. In 1980, these principles were adopted by the international community in the Organization for Economic Cooperation and Development's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Principles of fair information practices include awareness, choice, appropriate levels of security, data integrity, consumer access to their personally identifiable data, and accountability.

In 1997, the President directed the Department of Commerce ("DOC") and the Office of Management and Budget ("OMB") to work with the private sector to develop and implement effective, consumer-friendly, self-regulatory privacy regimes. In response to that directive, the DOC has engaged in significant consultations with industry, members of the academic community, public interest groups and the international community to consider what characteristics of a self-regulatory program would be necessary to protect privacy effectively. Throughout these consultations, we have pointed to the principles of Fair Information Practices as a necessary basis of private sector self-regulation. In addition to the Fair Information Practices that I will describe below, a self-regulatory privacy regime should include mechanisms to ensure compliance with the rules and appropriate recourse to an injured party when rules are not followed. When companies make assertions that they are abiding by certain privacy practices and then fail to do so, they may be liable for deceptive practices and subject to action by the FTC or other appropriate regulatory authorities.

Awareness, a first fair information principle, requires notice to the consumer of the identity of the collector of their personal information, the intended uses of the information, and the means by which they may limit its disclosure. Companies are responsible for raising consumer awareness and can do so through privacy policies that articulate the manner in which a company collects, uses, and protects data, and the choices they offer consumers with regard to their personal information. Companies should display their privacy policies prominently, so that they are available before consumers are asked to provide personal information to the company. Privacy policies must be written in clear and easily understood language. Finally, consumer education that teaches individuals to ask for relevant knowledge about why personal information is being collected, what the information will be used for, how it will be protected, the consequences of providing or withholding information, and any recourse they may have, helps consumers to understand privacy policies.

Choice, a second fair information principle, requires that consumers be given the opportunity to exercise choice with respect to whether and how their personal information is used, either by businesses with whom they have direct contact or by third parties. Consumers must be provided with simple, readily visible, available, and affordable mechanisms--whether through technological means or otherwise--to exercise this option. For certain kinds of information, e.g., medical and financial information or information related to children, more rigorous mechanisms for choice are sometimes appropriate. A number of factors determine the type of choice that is appropriate in a particular setting. For example, the Administration has taken the view in proposed medical privacy rules that individuals must affirmatively consent (i.e., opt in) to the disclosure of their health records for non-health related purposes.

A third fair information principle, security, holds that companies creating, maintaining, using or disseminating records of identifiable personal information must take reasonable measures to assure its reliability for its intended use and must take reasonable precautions to protect it from loss, misuse, alteration or destruction. Companies should also strive to assure that the level of protection extended by third parties to whom they transfer personal information is at a level comparable to their own.

A fourth principle, data integrity, requires that companies keep only personal data relevant for the purposes for which it has been gathered, consistent with the principles of awareness and choice. To the extent necessary for those purposes, the data should be accurate, complete, and current.

A fifth fair information principle, access, means that consumers should have the opportunity for reasonable, appropriate access to information about them that a company holds, and be able to correct or amend that information when necessary. The extent of access may vary from industry to industry depending on the nature of the information collected, the number of locations in which it is stored, the nature of the enterprise, and the ways in which the information is to be used.

A sixth principle, accountability, holds companies accountable for complying with their privacy policies. A self-regulatory privacy regime should include mechanisms to ensure compliance with the rules and appropriate recourse to an injured party when rules are not followed. Such mechanisms are essential tools to enable consumers to exercise their privacy rights, and should, therefore, be readily available and affordable to consumers. Companies that collect and use personally identifiable information should offer consumers mechanisms by which their complaints and disputes can be resolved. One such mechanism is verification to attest that the assertions businesses make about their privacy practices are true and that privacy practices have been implemented as represented. The nature and the extent of verification depend upon the kind of information with which a company deals; companies using highly sensitive information may be held to a higher standard of verification. The failure to comply with fair information practices should have consequences. Ultimately, sanctions should be stiff enough to be meaningful and swift enough to assure consumers that their concerns are addressed in a timely fashion. When companies make assertions that they are abiding by certain privacy practices and then fail to do so, they may be liable for deceptive practices and subject to action by the FTC or other appropriate regulatory authorities.

Based on these principles, I would like to describe some of the specific actions we have taken to protect the privacy of American consumers. I will also address some of the initiatives that the private sector has pursued to enhance privacy protections online.



Online Privacy: Administration Initiatives on Self-Regulation and Industry Improvement

In June of 1998, the FTC reported to Congress on the state of privacy practices online. The FTC found that the practices of Web sites demonstrated a real need for implementing basic fair information practices. The FTC report encouraged industry progress in addressing consumer concerns regarding online privacy through self-regulation. It pointed to effective self-regulation as a desirable means to protect privacy online because it allows firms to respond quickly to technological changes and employ new technologies to protect consumer privacy. The report did conclude, however, that an effective self-regulatory system had yet to emerge. Finally, the FTC recommended that Congress develop legislation placing parents in control of the online collection and use of personal information from their children. As I will discuss later, that legislation is in place, with the full support of this Administration.

Also in June of 1998, the DOC requested comments from the public on various aspects of Internet privacy, including the effectiveness of self-regulation for privacy. It also asked for responses to specific questions concerning online privacy protection and input on the specific instances in which government action may be necessary to protect privacy on the Internet. A review of these comments has aided the DOC in its initiatives to improve the handling of consumers' private information.

In that same month, Secretary Daley opened the DOC's two-day online privacy summit by challenging the private sector to implement enforceable privacy protections to ensure that consumers can feel confident that their personal information is safe online. The Secretary called on industry to move swiftly to enact a self-regulatory regime to protect privacy in business transactions on the Internet and warned that without meaningful progress, the government may have to explore regulatory solutions.



There has been significant progress in private sector self-regulation since the FTC's June 1998 report and the DOC's privacy summit. The DOC conducted extensive outreach to the business community, privacy advocates, and academics to address privacy concerns. An important example of the private sector's response to calls for increased privacy protections was the creation of third-party seal organizations that certify a Web site's compliance with its privacy policy. More than 2,000 Web sites belong to these organizations, nearly double the number that participated last year. BBBOnLine and TRUSTe are among the most prominent. TRUSTe reports that it currently has 1,582 licensees, with almost 1,000 applicants in various stages of the approval process. The percentage of small- to medium-sized businesses participating in this seal program is encouraging: 85 percent of TRUSTe's licensees report annual gross revenue of $10 million or less. Furthermore, more businesses are applying for TRUSTe seals. This year, TRUSTe reports that 150 to 200 companies apply for its seal per month, up from 100 to 150 companies last year. The private sector has also displayed awareness of the need to remain in compliance with TRUSTe's seal requirements as business models change: one-third of TRUSTe's current licensees have asked TRUSTe for a new approval after changing their online privacy practices. BBBOnLine has 482 licensees and 1,028 applicants, and approximately 60 new companies apply for the BBBOnLine privacy seal every month.

The creation of the Online Privacy Alliance ("OPA") in June of 1998 represents another meaningful response by industry to the need to strengthen privacy protections online. The OPA brings together more than 80 of the largest companies doing business on the Internet and 23 business organizations that represent thousands of other companies in an alliance to promote privacy online. The OPA participated in the DOC's Privacy Summit and adopted guidelines implementing the fair information practices described in the Framework involving notice, choice, access, and security. The OPA developed its cross-sector guidelines to accommodate a broad range of industry sectors, including marketers, individual reference services companies, brick and mortar establishments and even small Web startups. All these industry sectors can use the OPA guidelines to establish privacy practices and post privacy policies that best suit their business models and customer expectations.

For instance, after the formation of the OPA, BBBOnLine and TRUSTe modified their own licensee requirements to be consistent with the OPA guidelines. Other seal programs have incorporated the OPA guidelines to meet the needs of their respective industry sectors. The Entertainment Software Rating Board (ESRB) has established a seal for software-related industries, and the accounting profession's WebTrust program leverages the CPA brand to instill confidence in its seal program. Further, new technologies such as the Platform for Privacy Preferences ("P3P") and palm-sized Internet interfaces can easily be incorporated into this self-regulatory model.

The May 1999 release of the Georgetown Internet Privacy Policy Survey and the OPA Top 100 survey demonstrated that the private sector initiatives that I have just described represent significant improvement in online self-regulation in one year. The Georgetown Survey looked at 364 ".com" Web sites, a random sample selected from the 7,500 most visited Web sites. The Georgetown Survey found that 65.7 percent had posted at least one type of privacy disclosure (a privacy policy notice or an information practice statement). The OPA survey showed that 94 percent of the top 100 Web sites had posted at least one type of privacy disclosure, up from 71 percent the year before.

In March of 1999, IBM announced that it would strengthen consumer privacy online by choosing to restrict its advertising to sites that post privacy policies. Secretary of Commerce William H. Daley then wrote letters to top Web advertisers, urging them to follow IBM's lead. In the last year, companies including Microsoft, Disney, Intel, Compaq, Novell, American Express, and Procter & Gamble have heeded the Secretary's call and implemented advertising policies that mirror IBM's. These market leaders, which account for more than one-third of America's top 20 Web advertisers, use their resources to bring real privacy protection to Internet users by creating incentives for more Web sites to provide privacy protection.

NetCoalition.com, a group of leaders in the information technology industry, is campaigning to educate web users on privacy issues -- teaching them how they can protect their privacy. Recently, NetCoalition.com sent a letter from ten of the information technology industry's top executives to 400 Internet companies asking them to develop comprehensive privacy policies, inform Web users about their information collection practices, give consumers access to the information that companies have collected, and allow users some control of how such information is used.

In July of 1999, the FTC released "Self-Regulation and Privacy Online: A Report to Congress." The 1999 report presented the results of the FTC's examination of developments in the growth of the Internet as a commercial marketplace and of consumers' and industry's responses to the privacy issues posed by the online collection of personal information. The FTC noted that industry had made significant progress in providing consumers with notice of its practices and concluded that legislation to regulate online privacy was not necessary at that time. The report cited the Georgetown Internet Privacy Policy Survey and the OPA Top 100 survey as evidence of private sector progress, and the OPA guidelines and the seal programs as evidence of industry leaders' substantial effort and commitment to fair information practices. The 1999 report also concluded, however, that only a small minority of commercial Web sites had joined these programs and that implementation of fair information practices was not widespread among commercial Web sites. The FTC found that the challenge for industry was to educate those companies that do not understand the importance of consumer privacy and to create incentives for further progress toward effective, widespread implementation.

In July of 1998, Vice President Gore also called on the DOC to work with the FTC to encourage companies that build profiles about individuals to implement effective self-regulatory mechanisms. The FTC's 1999 report likewise recommended a public workshop on profiling, which the DOC and the FTC held in November of 1999. The workshop focused on "online profiling," the practice of aggregating information about consumers' preferences and interests, gathered primarily by tracking their movements online, and using the resulting consumer profiles to create targeted advertising on Web sites. Profiling typically employs "cookies," text files placed on users' computers to store information about their computers and their online activities.

At this workshop, Secretary Daley called for industry leadership in protecting consumer privacy in online profiling. During the workshop, the companies in this industry announced the formation of a new self-regulatory group, the Network Advertising Initiative ("NAI"). The NAI committed to develop a Web site to provide consumers an opportunity to opt out from the services of these companies. The group also is working on a set of principles to provide effective privacy protection in the area of profiling. Also, as a result of the workshop and the NAI announcement, the Direct Marketing Association ("DMA") added a new component to its privacy policy generator that requires members of the DMA to announce on their sites whether they are using a third-party profiler. The DOC and the FTC also sought public comment addressing various issues related to the practice of online profiling. The comment period closed on November 30, 1999.

Another initiative that the 1999 FTC report called for was the creation of a task force charged with defining the parameters of the principles of consumer access to data and adequate security. This task force is the Advisory Committee on Online Access and Security ("ACOAS"). ACOAS has provided advice and recommendations to the Commission regarding implementation of certain fair information practices by domestic commercial Web sites. Public comments for consideration by ACOAS were due by April 28, 2000. In particular, ACOAS addressed providing online consumers reasonable access to personal information collected from and about them and maintaining adequate security for that information.



International Use of Self-Regulatory Model:

Turning briefly to the importance of the self-regulatory model to the U.S. in the international arena, the safe harbor arrangement that the DOC and the European Commission have tentatively reached clearly demonstrates that self-regulation is seen as an effective means of protecting personal privacy. The European Directive on Data Protection permits transfers of personal data to countries outside the European Union only where those countries provide "adequate" privacy protection. When the Directive became effective in 1998, it was not clear how this "adequacy" requirement would apply to the U.S., since the U.S. does not have omnibus privacy legislation like the EU.

Given the billions of dollars in transatlantic trade in services, both the U.S. and the EU recognized the Directive presented a very serious issue. In response, the DOC, working with the European Commission, developed the concept of "safe harbor" to bridge the gap between our different approaches to data protection. In essence, the safe harbor is a self-regulatory framework that provides "adequate" protection for data from Europe. Enforcement of the commitment to abide by the safe harbor rules is assured in several ways, including through self-regulatory seal programs and similar mechanisms. It is also backed by the authority of the FTC and other government agencies to take action against unfair and deceptive trade practices. As Secretary Daley indicated recently, the safe harbor "demonstrates that both the EU and the U.S. recognize that a carefully constructed and well-implemented system of self-regulation, as advocated by the President and the Vice President, can protect privacy rights." Both sides are now in the process of consulting with their respective domestic authorities and constituencies on this "safe harbor" arrangement.

The DOC consulted extensively with the Congress, the private sector, consumer groups and others during the course of the safe harbor discussions. This consultation occurred in many briefings and meetings on the issue, as well as more informally through other exchanges. Indeed, it would not have been possible to conduct the discussions without the thoughtful advice and consultation from the Congress, the private sector, consumer groups, and the American public.



Technical Solutions to Protect Privacy Online:

The Administration has also worked with the private sector to develop technical solutions to protect privacy online. The Internet technical community has completed work on the specifications for a number of technologies to empower consumers to protect privacy online. These technologies allow consumers to determine their privacy preferences and have them automatically communicated to web site operators. It will take additional time to bring applications based on these specifications to the market, but they will assist individuals, companies, and self-regulatory organizations in the protection of privacy.

For example, the Platform for Privacy Preferences ("P3P"), a specification being developed by the World Wide Web Consortium, will enable Web sites to express their privacy practices to users in a standard format that can be retrieved and interpreted automatically. P3P will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. In essence, P3P provides a technical mechanism for ensuring that users can be informed about privacy policies before they release personal information. Another example of private sector technical innovation designed to protect online privacy is Microsoft's Kids Passport service. Kids Passport is a turnkey solution that will be available to Web sites for managing parental consent and helping sites comply with the Children's Online Privacy Protection Act ("COPPA").
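The mechanism just described, shown here as an added example that is not part of this statement and is not the W3C's or any vendor's own software: a small P3P-style user agent that reads a site's machine-readable policy, renders it as a human-readable notice, and decides automatically whether the user's stored preferences allow the data release. The vocabulary and namespace follow the W3C P3P 1.0 Recommendation of 2002, which postdates this testimony; the policy document, the site and seal-program addresses in it, and the two preference sets are constructed for illustration.

```python
# Added example, not part of the testimony: a minimal P3P-style user agent. The
# vocabulary and namespace follow the W3C P3P 1.0 Recommendation (2002); the policy,
# the addresses in it and the preference sets below are constructed for illustration.
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"

SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="shop" discuri="http://shop.example/privacy.html">
  <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Shop</DATA></DATA-GROUP></ENTITY>
  <ACCESS><contact-and-other/></ACCESS>
  <DISPUTES-GROUP><DISPUTES resolution-type="independent" service="http://seal.example/"/></DISPUTES-GROUP>
  <STATEMENT>
   <PURPOSE><current/><admin/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <DATA-GROUP><DATA ref="#user.name"/><DATA ref="#user.home-info.postal"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
   <PURPOSE><telemarketing required="opt-in"/><contact required="opt-out"/></PURPOSE>
   <RECIPIENT><other-recipient/></RECIPIENT>
   <DATA-GROUP><DATA ref="#user.home-info.telecom.telephone"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>"""

# Constructed preference sets: what this user will and will not accept.
STRICT_PREFS = {"blocked_purposes": {"telemarketing", "contact", "other-purpose"},
                "allowed_recipients": {"ours", "delivery", "same"},
                "require_disputes": True}   # accountability: recourse must be declared
LENIENT_PREFS = {"blocked_purposes": {"telemarketing", "contact"},
                 "allowed_recipients": {"ours", "delivery", "same", "other-recipient"},
                 "require_disputes": True}

def _q(name):
    return "{%s}%s" % (P3P_NS, name)   # namespace-qualify for ElementTree

def _local(tag):
    return tag.rsplit("}", 1)[-1]      # '{ns}PURPOSE' -> 'PURPOSE'

def parse_policy(xml_text):
    """Machine-readable view of the first POLICY element in a P3P document."""
    policy = ET.fromstring(xml_text).find(_q("POLICY"))
    if policy is None:
        raise ValueError("no POLICY element")
    collector = None
    for data in policy.iter(_q("DATA")):
        if data.get("ref") == "#business.name":   # ENTITY: identity of the collector
            collector = (data.text or "").strip()
    access = policy.find(_q("ACCESS"))
    statements = []
    for st in policy.findall(_q("STATEMENT")):
        def terms(section):
            # one child element per vocabulary term; 'required' defaults to "always"
            node = st.find(_q(section))
            return [] if node is None else [(_local(c.tag), c.get("required", "always")) for c in node]
        statements.append({"purposes": terms("PURPOSE"), "recipients": terms("RECIPIENT"),
                           "data": [d.get("ref") for d in st.iter(_q("DATA"))]})
    return {"name": policy.get("name"), "discuri": policy.get("discuri"), "collector": collector,
            "access": _local(access[0].tag) if access is not None and len(access) else "none",
            "has_disputes": policy.find(_q("DISPUTES-GROUP")) is not None,
            "statements": statements}

def notice_lines(policy):
    """Human-readable notice (the awareness principle) rendered from the parsed policy."""
    lines = ["Collector: %s (full policy: %s)" % (policy["collector"], policy["discuri"]),
             "Access: %s; dispute resolution declared: %s"
             % (policy["access"], "yes" if policy["has_disputes"] else "no")]
    for st in policy["statements"]:
        lines.append("%s -> purposes %s; recipients %s" % (
            ", ".join(st["data"]), ", ".join("%s[%s]" % p for p in st["purposes"]),
            ", ".join("%s[%s]" % r for r in st["recipients"])))
    return lines

def _classify(required, what, hard, choice):
    if required == "always":      # applied unconditionally: no choice offered
        hard.append(what + " (no choice offered)")
    elif required == "opt-out":   # applied unless the user acts: worth a prompt
        choice.append(what + " (opt-out required)")
    # "opt-in": nothing happens unless the user affirmatively agrees, so it is acceptable

def evaluate(policy, prefs):
    """Automated decision (the choice principle): ('allow'|'prompt'|'block', reasons)."""
    hard, choice = [], []
    if prefs.get("require_disputes") and not policy["has_disputes"]:
        hard.append("no dispute-resolution mechanism declared")
    for st in policy["statements"]:
        data = ", ".join(st["data"])
        for purpose, required in st["purposes"]:
            if purpose in prefs.get("blocked_purposes", ()):
                _classify(required, "purpose %s on %s" % (purpose, data), hard, choice)
        for recipient, required in st["recipients"]:
            if recipient not in prefs.get("allowed_recipients", ()):
                _classify(required, "recipient %s for %s" % (recipient, data), hard, choice)
    return ("block", hard) if hard else ("prompt", choice) if choice else ("allow", [])

if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    print("\n".join(notice_lines(pol)))
    print(evaluate(pol, STRICT_PREFS), evaluate(pol, LENIENT_PREFS))
```

The same parsed policy feeds both the notice a person reads and the decision the agent makes, which is the point of a machine-readable format. The `required` attribute on each purpose and recipient is what carries the choice principle into code: a term marked `always` leaves the user no choice and is grounds to block, `opt-out` means the default is use and the user must act (so the agent prompts), and `opt-in` means nothing happens without affirmative consent, so it needs no action. The sample site's phone-number statement is blocked under the strict preferences because it names an unconditional outside recipient, and only prompts under the lenient ones because the remaining objection is an opt-out purpose.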



Privacy in the Federal Government:

The Framework also focused on addressing the appropriate role of government in privacy protection. In March of 1999, the President created the position of Chief Counselor for Privacy to coordinate federal agencies' wide range of efforts related to privacy issues. The Chief Counselor for Privacy serves in OMB's Office of Information and Regulatory Affairs, which oversees implementation of the Privacy Act of 1974. This office handles a wide range of privacy-related issues from the public and private sectors.

For example, OMB oversees federal agencies' implementation of the Privacy Act of 1974, 5 U.S.C. Section 552a (1988), which protects individuals from most non-consensual government disclosure of private information. In May 1998, President Clinton issued a Memorandum for Heads of Executive Departments and Agencies directing all agency heads to take specific action to assure that the use of new information technologies sustains the privacy protections provided by applicable statutes and that information is handled in full compliance with the Privacy Act.

In June of 1999, the OMB directed all federal agencies to post privacy policies on government Web sites by September 1, 1999. As of September 1, 1999, 100 percent of federal agencies had posted privacy policies. By December 1, 1999, federal Web sites went a step further and posted these policies at points of entry to the Web site and at other areas where substantial personal information is collected.



Administration Support for Privacy Legislation Covering Sensitive Information:

The Framework also called on the Administration to ensure that means are developed to protect the privacy of children. Since 1997, the Administration has acted to protect information relating to children and other sensitive information dealing with medical and financial records. We have also supported legislation to prevent the online theft of personal information. In these areas, the Administration recognized that self-regulation was not an appropriate mechanism to safeguard the privacy interests at stake. We chose to pursue legislative solutions because, in these sensitive areas, a stronger response was required.

On October 30, 1998, the President signed into law the "Identity Theft and Assumption Deterrence Act of 1998." This legislation makes identity theft a federal crime, with penalties generally of up to three years imprisonment and a maximum fine of $250,000. Specifically, the legislation penalizes the unlawful use or transfer of personal information with the intent to commit an unlawful act, such as obtaining fraudulent loans or credit cards, drug trafficking, or other illegal purposes. It also directs the FTC to help victims deal with the consequences of this crime.

Looking to the protection of children's information, the President supported and signed COPPA. COPPA requires sites aimed at children under the age of 13 to obtain verifiable parental consent before they gather and use personal information received from the children. In the fall of 1999, the FTC issued the final regulations implementing COPPA. The rules went into effect on April 21, 2000. Under the rules, sites must get parental permission via mail, fax, credit card, or digital signature before disclosing a child's personal information to a third party. If a site plans to use the information internally, the company can rely on consent via e-mail from a parent, at least for the first two years. After that, the FTC will require sites to get more "reliable" parental consent (fax, mail, credit card) for all information collected. In addition, the new rules also require children's sites to post privacy notices and give parents the option of prohibiting the sale of information that has been collected for internal use.

Congress discussed financial privacy intensively in the course of its financial modernization debate last year. As the President pointed out when signing the law, the modernization law took significant steps to protect the privacy of financial transactions, but did not go far enough. The President asked OMB, the Department of Treasury, and the National Economic Council to craft a legislative proposal to close loopholes under existing law. On April 30, he announced his plan to protect consumers' financial privacy. This plan would include: