<DOC>
[107th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:71496.wais]

PRIVACY IN THE COMMERCIAL WORLD

HEARING
before the
SUBCOMMITTEE ON COMMERCE, TRADE AND CONSUMER PROTECTION
of the
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
FIRST SESSION

MARCH 1, 2001

Serial No. 107-16

Printed for the use of the Committee on Energy and Commerce

Available via the World Wide Web: http://www.access.gpo.gov/congress/house

U.S. GOVERNMENT PRINTING OFFICE
71-496 WASHINGTON : 2001

For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: (202) 512-1800 Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON ENERGY AND COMMERCE

W.J. ``BILLY'' TAUZIN, Louisiana, Chairman

MICHAEL BILIRAKIS, Florida
JOE BARTON, Texas
FRED UPTON, Michigan
CLIFF STEARNS, Florida
PAUL E. GILLMOR, Ohio
JAMES C. GREENWOOD, Pennsylvania
CHRISTOPHER COX, California
NATHAN DEAL, Georgia
STEVE LARGENT, Oklahoma
RICHARD BURR, North Carolina
ED WHITFIELD, Kentucky
GREG GANSKE, Iowa
CHARLIE NORWOOD, Georgia
BARBARA CUBIN, Wyoming
JOHN SHIMKUS, Illinois
HEATHER WILSON, New Mexico
JOHN B. SHADEGG, Arizona
CHARLES ``CHIP'' PICKERING, Mississippi
VITO FOSSELLA, New York
ROY BLUNT, Missouri
TOM DAVIS, Virginia
ED BRYANT, Tennessee
ROBERT L. EHRLICH, Jr., Maryland
STEVE BUYER, Indiana
GEORGE RADANOVICH, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska

JOHN D. DINGELL, Michigan
HENRY A. WAXMAN, California
EDWARD J. MARKEY, Massachusetts
RALPH M. HALL, Texas
RICK BOUCHER, Virginia
EDOLPHUS TOWNS, New York
FRANK PALLONE, Jr., New Jersey
SHERROD BROWN, Ohio
BART GORDON, Tennessee
PETER DEUTSCH, Florida
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
BART STUPAK, Michigan
ELIOT L. ENGEL, New York
TOM SAWYER, Ohio
ALBERT R. WYNN, Maryland
GENE GREEN, Texas
KAREN McCARTHY, Missouri
TED STRICKLAND, Ohio
DIANA DeGETTE, Colorado
THOMAS M. BARRETT, Wisconsin
BILL LUTHER, Minnesota
LOIS CAPPS, California
MICHAEL F. DOYLE, Pennsylvania
CHRISTOPHER JOHN, Louisiana
JANE HARMAN, California

David V. Marventano, Staff Director
James D. Barnette, General Counsel
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel

Subcommittee on Commerce, Trade, and Consumer Protection

CLIFF STEARNS, Florida, Chairman

NATHAN DEAL, Georgia, Vice Chairman
ED WHITFIELD, Kentucky
BARBARA CUBIN, Wyoming
JOHN SHIMKUS, Illinois
JOHN B. SHADEGG, Arizona
ED BRYANT, Tennessee
STEVE BUYER, Indiana
GEORGE RADANOVICH, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
GREG WALDEN, Oregon
LEE TERRY, Nebraska
W.J. ``BILLY'' TAUZIN, Louisiana (Ex Officio)

EDOLPHUS TOWNS, New York
DIANA DeGETTE, Colorado
LOIS CAPPS, California
MICHAEL F. DOYLE, Pennsylvania
CHRISTOPHER JOHN, Louisiana
JANE HARMAN, California
HENRY A. WAXMAN, California
EDWARD J. MARKEY, Massachusetts
BART GORDON, Tennessee
PETER DEUTSCH, Florida
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
JOHN D. DINGELL, Michigan, (Ex Officio)

C O N T E N T S

Testimony of:
    Cate, Fred H., Professor of Law, Indiana University School of Law
    Feldblum, Chai R., Professor of Law, Georgetown University Law Center
    Rotenberg, Marc, Executive Director, Electronic Privacy Information Center
    Rubin, Paul, Professor of Law and Economics, Emory University School of Law
    Singleton, Solveig, Senior Policy Analyst, Competitive Enterprise Institute
    Volokh, Eugene, Professor of Law, UCLA Law Center
Material submitted for the record by:
    Cate, Fred H., Professor of Law, Indiana University School of Law, letter dated March 8, 2001, enclosing material for the record
    Singleton, Solveig, Senior Policy Analyst, Competitive Enterprise Institute, response for the record

PRIVACY IN THE COMMERCIAL WORLD

THURSDAY, MARCH 1, 2001

House of Representatives, Committee on Energy and Commerce, Subcommittee on Commerce, Trade, and Consumer Protection, Washington, DC.

The subcommittee met, pursuant to notice, at 10:04 a.m. in room 2322, Rayburn House Office Building, Hon. Cliff Stearns (chairman) presiding.

Members present: Representatives Stearns, Upton, Shimkus, Bryant, Buyer, Terry, Tauzin (ex officio), DeGette, Doyle, John, Harman, Markey, Gordon, Rush, Eshoo, and Dingell (ex officio).

Staff present: Ramsen Betfarhad, majority counsel; Yong Choe, majority clerk; Bruce Gwinn, minority professional staff; and Courtney Johnson, minority clerk.

Mr. Stearns. The subcommittee will come to order. I want to thank all of you for attending this morning the first hearing of the Subcommittee on Commerce, Trade, and Consumer Protection. In particular, I would like to thank Diana DeGette from Colorado, who is substituting for Eddie Towns, who had to go back to New York City. And I want to thank, of course, all of the members of the subcommittee. I want to thank, of course, our distinguished witnesses for appearing before this panel, and I look forward to their testimony and hearing their answers to our questions. I plan on and expect that this subcommittee, all of us working together, will create a productive and distinguished record for the 107th Session. I look forward to working with each and every subcommittee member.
The subcommittee's jurisdiction is broad and encompasses areas which pose some difficult and complicated questions. Privacy is just one such question. I'd like to take a moment to briefly outline my priorities for this subcommittee. They are, one, privacy and other e-commerce issues; two, international trade, specifically as it relates to e-commerce; and three, discrete consumer protection issues, such as continued work on tire safety, car safety; and, four, these mega-mergers that we see today. The subcommittee is the front-line subcommittee on the topical issue of privacy. We, I believe, must create a forum for open and honest discussion on the subject. Moreover, I think the subcommittee must also advance the cause of e-commerce by examining and, if need be, addressing some of the more significant issues confronting e-commerce, both at home and abroad. The international dimensions of e-commerce will be another focal point of our subcommittee's actions. Developments beyond our shores, in particular in the European Community, relating to e-commerce necessitate our careful examination and heightened vigilance on the matter. Finally, there are a myriad of consumer protection issues that we will pursue. Today, we begin to address what may be one of the most difficult and important issues confronting Congress this session. That issue is information privacy in the commercial world. Today's hearing is the first in a series addressing the issue of information privacy. I believe it is incumbent upon us to create a forum for open and honest discussion. Precisely for these reasons, we must ask today's witnesses, a distinguished group of scholars and thinkers on the matter, to place the issue in its proper historical context. It is rare that you have a hearing without legislation in place. And so, today, I seek to establish this forum to have the proper historical, intellectual and jurisprudential contexts before we even begin.
We must raise the fundamental issues that are implicated in this discussion. It would not be an understatement to suggest that information privacy in the commercial context is a complex and indeed a vexing issue. The testimony today will attest to its complexity, scope and breadth. For example, the issue of privacy transverses such varied areas of common law as contracts, torts and property, and information privacy as it relates to commercial activities carries with it an implication well beyond the world of commerce. Today, we will hear testimony advising us to be vigilant and careful when contemplating information privacy fixes for the commercial world, for we may risk triggering serious Constitutional questions and violations. In addressing the issue of information privacy, we must be mindful of the First Amendment, a cornerstone of the American democracy. The testimony also informs us of the tremendous benefits that have accrued to our economy and the American consumer from the tradition of a free flow of information within the commercial context, and we are warned of the negative repercussions that attach to a restrictive information regime in the commercial world. On the other hand, we must also be advised that information privacy rights have enabled the development of new commercial services. I have highlighted just a few interesting observations extrapolated from today's testimony. There are many more, my colleagues. But today's testimonies are a testimony to the richness and complexity of the debate we as a subcommittee are embarking upon this morning. So I encourage all members to take the time to carefully examine the issues before us, and I hope you will find, as I am sure you will, this hearing helpful as we move this process forward. In closing, I would like to reiterate my commitment to having a close working relationship with all subcommittee members. I look forward to bipartisanship and a willingness to put together legislation that is meaningful. 
With that, I will call upon Ms. DeGette for her opening statement.

Ms. DeGette. Thank you, Mr. Chairman. Mr. Chairman, I was privileged to work with Mr. Towns on the previous Financial Services Subcommittee and know I can speak for both of us in saying that all of the members of the minority, particularly myself and Mr. Towns, look forward to working with you on these important issues of privacy. I want to commend you for quickly holding this first hearing on the topic. I know it is a very complex topic, and those pesky little Constitutional issues do creep up. I am glad that you recognize that, too. We all know that it is an important subject and one that needs to be addressed. I also want to welcome the witnesses here today. I know I speak for all of the members in saying we look forward to hearing your testimony. Over the past few years, my constituents have become more and more interested and concerned about personal privacy protections. I personally believe that the diversity of views among different industries and consumer groups, coupled with the complexity of the issue, will make it a very challenging task for policymakers. However, I think that there is a consensus that we need to address both the perceived and real fears that people have with respect to their privacy, particularly in this electronic age. As I mentioned, I was on the Financial Services Subcommittee and was privileged to be a conferee on the Gramm-Leach-Bliley legislation that overhauled the financial services industry. Privacy was a big issue during those negotiations. Some think that the final language was a good compromise; some think it went too far; and many think it didn't go far enough. One thing everyone has an agreement on: it was no easy feat to try to strike a balance between preserving the competitiveness of business and protecting the privacy of consumers. I think that that is an issue that the Federal legislators will struggle with for many years to come.
I do think, though, that there are two dirty little secrets in the context of this issue. The first is privacy can actually be good for business. The second is information sharing can actually be good for consumers. Certainly, the issue of privacy can be a new opportunity for increased consumer confidence and trust in business. I know there are many companies that are already busily working customers with their own privacy policies. Every consumer who participates in the new economy has privacy concerns on one level or another, and I know that everyone will work together who has a stake in privacy issues to ensure that the rights and responsibilities of consumers are balanced with that of business. Privacy should and needs to be at the top of every company's priority list. It should be noted that more than one expert on this topic has called privacy not just a social or moral issue but the single most important business decision a company can make today. And I want to talk just a moment about medical privacy. Congress acted in a bipartisan fashion in 1996 when it mandated that a sweeping medical records privacy bill be passed by 1999. The goal was not met, and as everyone here knows, the Clinton administration wrote the new HIPAA regulations at the end of last year. I have heard from many constituents back home who are in the health care industry that these new regulations are too burdensome, and the bar has been set too high. I am sympathetic with those concerns, but I do believe that the administration needs to work with this subcommittee and the rest of Congress to modify the regulations rather than simply withdrawing them, because I do believe that medical records privacy is a critical issue. Mr. Chairman, again, I look forward to hearing from the witnesses today, and I particularly look forward to working with you and the rest of these members on these complex issues over the next 2 years.

Mr. Stearns. Thank you.
And now, we have our distinguished chairman of the committee here for his opening statement. Mr. Chairman?

Mr. Tauzin. Thank you, Mr. Chairman. Good morning. I want to welcome everyone here today, especially the panel of witnesses. I remember when I first entered the Louisiana legislature, Cliff, and I had my first chance to examine my own law professors---- What a wonderful experience that was to be able to ask them a few tough questions for a change. I want to also acknowledge to all of you: this is the first official action of the Subcommittee on Commerce, Trade, and Consumer Protection, and I particularly want to welcome Chairman Stearns to this endeavor. This committee is going to be an extremely busy committee this year, and information privacy is obviously one of many big concerns of this committee, but it is a huge one, and I want to congratulate you, Cliff, for making it the first inquiry of this session. I also want to welcome two members who are not here now, but your ranking member, Mr. Towns, who has been a dear friend for a long time, and he and the vice-chairman of the committee, Deal, are going to be great assets to you as you move forward with this and other hearings, and I want to wish you all well, particularly the new members of the subcommittee, as they are new members of the committee. This issue is particularly intriguing, and I am glad you are starting with an examination of the legal foundations, philosophical basis. We need to think through what privacy has meant in this country and how it has been applied in the context of the various jurisdictions and the U.S. Constitution. Hearing from professors who have thought about, written about and understand many of the complex issues is a good start. I want to thank you for that. But I also want to point out, as did Ms. DeGette, that this is not a new issue for us.
I think if you looked at the books, you would see about 17 statutes on privacy that have been enacted by the Congress over the years: consumer credit--not just the financial services bill and medical privacy but quite a host of smaller but nevertheless important privacy bills that were written in the brick and mortar world to protect people's privacy and, at the same time, protect free speech and the free flow of information. It is a delicate balance. The other thing I want to point out to you is that while the last administration certainly had a great interest in this subject matter, that we asked the GAO to look at Federal online sites and discovered that the Federal Government was not doing a very good job of protecting people's privacy, in fact, ironically on sites that people don't necessarily visit voluntarily. For example, the IRS site, which is sort of a site you have got to go to if you don't want to file on paper, and we discovered they even had a cookie on that site. So we discovered some bad features of our own Federal protection of privacy on Federal Websites, and we need to pay attention, and I know you will look at that, Cliff, as you go forward with these hearings. I also wanted to point out that every time we have hearings on this, people's positions start shifting. I was just in Silicon Valley the last week or so, and I have seen a different tone. There was a don't do anything attitude for a long time now, and at the conference we had at Landsdowne and meetings I am having lately with folks in the Valley, there is a different attitude. The attitude is you better do something, because we will have 50 states acting and 1,000 other jurisdictions acting, and we will have so many policies and conflict that interstate commerce will get bogged down. And maybe we need to have a common policy that we all understand.
Second, I know you will focus on the great advances made in the private sector, the new self-policing organizations; the new seal of approval organizations, the things that private industry is doing to better inform and give consumers a better chance to protect their own information when they want to. Particularly, I hope you will examine the technological advances that give consumers more security in the information age in regards to information they want to keep private. And finally, punting might be good in football, but this committee is finished punting. As we meet in this room, downstairs, we are meeting on the Patients First project, a project to deeply involve this committee in the health care issues of this country again. Here on this level, this amazingly complex set of issues that face you, I am excited that you are not punting either. The last thing we ought to do is turn this one over to regulators. We ought to make the policy here. We ought to make it carefully; we ought to make it targeted; we ought to make sure it helps, not impedes, e-commerce. We ought to make sure that when we get through, consumers feel like they are getting a good deal out there, and they have got better control of the information that is pertinent but nevertheless important and sometimes very personal to them. Mr. Stearns and members of the committee, I want to wish you well. I am delighted, frankly, that you are engaged like this, and Cliff, you know you will have my full support and the support of the entire staff, as I know Mr. Towns will offer his support and his staff to you as well. Good luck and bon voyage.

Mr. Stearns. Mr. Chairman, thank you for your confidence, and, of course, we look forward to your continued support and your input in this very awe-inspiring attempt to try to come up with a fair, balanced approach that weighs the risk for consumers but also providing the opportunity for technology advancement. So I appreciate your support. Mr. Dingell, the ranking member of the full committee.

Mr. Dingell. Thank you, Mr. Chairman. This is an important hearing, and I commend you for having it. Privacy is not only important to those who don't have it, but it is an essential need of electronic commerce and communication if they are to fulfill their promise. It is not a new issue to this committee. For more than 20 years, we have had privacy provisions for sensitive business information in virtually every major bill that has gone through the committee. For example, in the Safe Drinking Water Act in 1975, the committee gave business strong privacy protections not unlike those advocated today by consumers, Internet users and most of us in our relationships with our health care providers, our financial institutions and our employers. The act limited information that EPA could collect from business. It also required that EPA give business the ability effectively to opt out or to prevent the agency from publicly releasing sensitive business information. We had a choice to make, and the committee chose to satisfy industry's concerns about sensitive information, so that EPA could get reliable access to the information it needs but not to intrude excessively into the privacy of business or to impair the needs of business to protect business and trade secrets or other matters of concern to business. Today, individuals need the same kind of assurances that business has gotten and demanded so that the commercial potential of the Internet and the benefits of electronic communication can be fully realized. Without public trust as to the protection of privacy, there will be no ability of business to utilize electronic communications the way they can and should be. There are a lot of stories about harm that individuals can suffer when privacy is abused today.
I would commend to the committee a recent article entitled ``Gene Gap Creates New Frontier for Discrimination.'' This article makes the point that there are strong possibilities that women, for example, who are being examined for breast cancer will refuse to get genetic testing. This has already happened. And their reason, of course, is fear of genetic discrimination. There are privacy problems in the financial area, and these are extreme. They are exacerbated by the unfortunate action which the Congress took during the prior session with regard to the financial deregulation legislation that passed last year. Already, we are hearing that there are major problems in banking. Plaintiffs' attorneys now say that fewer than one quarter of the people involved in one case against the Bank of America, the Nation's third-largest bank, have ever been Bank of America customers. But nonetheless, the bank is being sued for having obtained thousands of credit reports and then selling them to entities that were not affiliated with the bank. So if you want your financial privacy, you better be starting to be concerned about this matter and about the defects and failures, because it appears that the Congress has permitted Pandora to open the box, and the devils which attack privacy are now moving widely through our society. Individuals must have power to control how and when and with whom their personal information is shared. To accomplish this task, the efforts and cooperation of many are going to be needed, and active supervision of this subcommittee and of this committee will be required. Business is going to have to establish strong self-policing practices and procedures to ensure compliance with privacy guidelines. The Government is going to have to see that honest men are kept honest by a good statutory framework that will punish wrongdoing, which hurts ordinary citizens, and failing that, we can look forward to nothing but trouble in this area. Mr. Chairman, I look forward to working with you and other members of the subcommittee on this important issue. Thank you.

Mr. Stearns. I thank you, Mr. Dingell. Mr. Shimkus, opening statement?

Mr. Shimkus. Thank you, Mr. Chairman. I just want to echo what my good friend and colleague Diana DeGette said, and I'm going to use it from now on, Diana. Privacy will be very good for business, and information sharing is and will be found to be very good for the consumer. Marrying those two so that they don't bleed into each other, and we have legal and the Constitutional debate, that is the challenge. That is why you are there to help us, really educate us, on these difficulties. I look forward to hearing your testimony and welcome, and I yield back my time, Mr. Chairman.

Mr. Stearns. Mr. Doyle?

Mr. Doyle. Thank you, Mr. Chairman. I want to thank you for convening this hearing to examine individual and consumer privacy protection issues in our growing high-tech economy. This hearing should provide a forum to address privacy concerns in cyberspace as our Internet and electronic commerce sectors continue to expand and evolve. In recent years, we've witnessed more and more traditional old economy industries and businesses offer their goods and services online, speaking to the fact that e-commerce provides a never-before-seen ease of accessibility and convenience to an increasing volume of consumers. Newly minted companies immediately turn to the Internet as an effective resource to reach potentially unlimited numbers of customers worldwide. The sudden surge in e-commerce popularity demonstrated a public confidence and willingness to indulge in this innovative medium. Although the recent slowdown in the high-tech and e-commerce industries have created some financial headaches for businesses and investors alike, utilizing the capabilities of the Internet for commerce will remain high on the priority list for competitive industries in the Twenty-First Century.
As more households in America turn to online entities for goods and services, protecting the privacy of users has exploded to the forefront of discussions. In my view, one of the fundamental issues governing the evolution of a thriving high-tech and e-commerce sector in the American economy will be the level of consumer trust in online institutions and communication. Without trust in digital systems and networks, the benefits of this growing economy will be severely limited, and the American public will miss a golden opportunity. Information privacy concerns are a double-edged sword for e-commerce. Routine information about users and their usage might be used to assist online service providers in government, business and medical areas to provide efficient, informed and highly personalized customer service. Lacking the trust and assurance that their information is truly protected online, consumers will turn away from online resources. Ensuring consumer trust in online transactions means enhancing online security measures and information sharing practices, thus creating a need for highly trained software and system engineers and companies, spawning more economic growth. I believe that we in Congress must continue to examine the best means possible to foster and promote sustained economic growth in the high-tech sectors of our economy. Realizing that a critical component of any sustainable growth is high consumer confidence and trust in the available services, we must look at the role the Federal Government must assume to achieve effective results. I am aware that in the past, far-reaching Federal regulations have created unnecessary burdens on business, to the point where some industries found it economically unfeasible to continue without significant restructuring or downsizing. 
That is not to say that Federal agencies design to choke firms out of business by promulgating excessive regulations; rather, the Government responded to a definite need to ameliorate certain abusive practices and situations by those industries. But at times, we simply reacted too harshly. It would be unfortunate if a similar situation was to occur with our budding high-tech economy. In closing, Mr. Chairman, it is my sincere hope that we may find a happy medium from today's discussions in which the privacy and trust of concerned citizens is protected and upheld, while industry practices responsible utilization of consumer information sources as a means to enhance and develop online e-commerce assets. Thank you, Mr. Chairman.

Mr. Stearns. I thank my colleague, and I want to welcome one of the newest members to our full committee at Commerce, and I enjoy having him on my subcommittee, Mr. Buyer.

Mr. Buyer. No, I pass.

Mr. Stearns. Okay.

Mr. Buyer. I want to hear the witnesses.

Mr. Stearns. Mr. Markey, for an opening statement?

Mr. Markey. Thank you, Mr. Chairman very much, and thank you for having this very important hearing today. We have come a long way in 1 year. A year ago, the industry generally was saying don't tax us; don't force us to give privacy protections; don't pass laws that protect us engaging in fraud, or else, you will ruin the industry. And thank God we didn't do anything on anything, because the industry did it to itself obviously. I will also add another thing: don't expect us to make money or have any revenues, you know. And the stock market has reflected their view of that. Although it was belated, it obviously has now taken at least half of the air out of that bubble, and so, at least, now, we can discuss these issues without fear that anything we might do in the privacy front would be then responsible for knocking half of the value off of the Nasdaq. Because obviously, privacy had nothing to do with it.
It had to do with the irrational exuberance of those who were investing in the Nasdaq. So without question, privacy is a looming legislative issue in this Congress. At today's hearing, we can get a brief glimpse of the simmering policy issues that are of increasing concern to Americans throughout many segments of our society, including financial privacy; Internet privacy; medical privacy and genetic discrimination. Let me briefly just touch on a few of these issues. With respect to financial privacy, this committee approved legislation which would have given consumers the ability to say no to having their banking, their brokerage or their insurance records shared with affiliates of a huge financial holding company or with third parties. Unfortunately, the House Republican leadership gutted this provision, replacing it with a loophole-ridden privacy provision. We need to close those loopholes so that consumers have control over how their most sensitive financial secrets are disseminated. With respect to medical privacy, what we have right now is the story of medical privacy on hold. The red light is blinking, but nobody seems to be picking up on the fact that the American people want medical privacy standards. And by law, these protections should have been established a whole year ago. In 1996, Congress promised Americans that specific health privacy protections would be in place by February of 2000. We are over a year late with our promise. I think we have put medical privacy on hold for long enough. For this reason, I am particularly concerned that the Department of Health and Human Services has recently announced a recent decision to open up the Health Insurance Portability and Accountability Act privacy regulation for a 30-day comment period. I am drafting a letter to be sent to the Secretary, and I hope to get bipartisan support urging the rule's timely implementation. 
While this rule isn't perfect, it is a carefully crafted first step toward a comprehensive privacy standard, and once implemented, I plan to introduce legislation to improve it. With respect to online privacy, it is no secret that I have long been advocating action to put common sense privacy rules on the books to protect privacy in cyberspace. I believe that such action will be good for business, and it will increase consumer confidence in the medium. It is clear that industry self-regulation alone is a failure and is insufficient. Our current policy makes absolutely no sense. It is anti-consumer because it doesn't afford anything remotely resembling comprehensive protections consumers deserve. Beyond undermining consumer confidence, however, the lack of legal privacy requirements also creates an inverse system of rewards and risks for the industry. If a company posts a privacy policy and then subsequently violates it, the FTC can take action under its authority to police unfair and deceptive practices. Conversely, if a company posts no policy at all and then engages in personal information hijacking, it is legally able to continue on its merry way. The company is shielded by the privacy paradox: as long as it never promises to protect privacy, it can never be accused of deceiving its customers. Again, I have argued that what we must have is a national privacy policy that continues and urges self-regulatory efforts but complements such efforts with the promotion of technological tools and enhanced privacy as well as a set of meaningful, enforceable privacy guidelines that protect all Americans in the online environment. I think at this point, everyone is familiar with the essential ingredients of fair information practices.
What we need to do now is proceed with a more detailed, rigorous examination of how these principles can be fleshed out legislatively so that beyond our discussion of privacy principles, we can better explain to consumers and industry how these key privacy rights will work operationally in the online environment. I encourage both the industry and privacy advocates to articulate in a more detailed fashion what they would like to see in any legislation that this committee considers. I want to commend you, Mr. Chairman. I think we are at the beginning of a very, very important process that I hope will produce, by the end of this year, an online privacy bill of rights that will give every American the protection which they need for their family's secrets. Thank you, Mr. Chairman.

Mr. Stearns. I thank my colleague. Mr. Terry?

Mr. Terry. I am going to pass, but I want to hear what a privacy bill of rights entails. But I want to flesh out my philosophy on privacy through questions to the panel. Thank you.

Mr. Stearns. Ms. Harman for an opening statement?

Ms. Harman. Thank you, Mr. Chairman. One of the primary reasons I sought to join the Energy and Commerce Committee was to serve on this subcommittee, and I am very pleased to see that this subject is first up. I represent a district which 10 years ago was heavily dependent on defense and aerospace. In the last 5 or 10 years, it has transformed itself into the heart of Southern California's digital coast. The new industrial base is e-commerce, multimedia, Web design, telecommunications and other high-tech businesses, and all of them have significant presence in Venice, El Segundo and the South Bay of California. The success and future of those businesses depends to a large degree on consumer confidence in the Internet, and confidence requires control, giving consumers control over the information that consumers reveal when they are online.
How to achieve real consumer control or real consumer choice is tricky, and numbers of our members have just commented on that. I believe that industry self-regulation and code-based solutions like the P3P protocol have a role, but they are probably not the entire answer. The Federal Government also has a role, and one component of that role needs to be, in my opinion, to preempt some State regulations so that interstate commerce is not impeded. The proliferation of multiple State standards has prompted industry to seek Federal Government help; to seek partnerships. That, in my view, is good, and so is drawing bright lines around personal health and financial records.

Numbers of members this morning have talked about potential abuses. I would just like to mention one real abuse that I learned of last fall while holding hearings on this subject in my district. One woman told me that her husband had been diagnosed with cancer and in this regard was also tested for HIV/AIDS. While he was in the hospital, she happened to sneak a look at his medical chart which, instead of saying HIV pending, because he had been tested, said HIV positive. Of course, the test turned out to be negative. She insisted that the chart be changed. But imagine if that information was routinely used by insurance companies, employers or credit card companies. That man's future would have been seriously affected by an inaccurate statement on his medical chart. And so, it is absolutely critical that we find the right ways to protect medical privacy and the related issue of financial privacy.

I am looking forward to this hearing, Mr. Chairman, and to future hearings and to playing as important a role as I can on fashioning a balanced and bipartisan piece of legislation that deals with this critical issue. Thank you very much.

Mr. Stearns. I thank my colleague. Mr. John, opening statement if you have one?

Mr. John. Thank you, Mr. Chairman.
I have a copy of my statement that I would like to submit for the record, and in the interest of time, I would just like to say thank you for this hearing. I think this is very important. And my comments reference, among other things, an article that was in the Wall Street Journal on February 20 that talks about and compares Europe's Web privacy with the United States and how, over the last 5 years, the European Commission has put a wealth of regulations on the books, and they commissioned a study that basically said that there is a balance between what happens in the United States; that self-regulation is not that bad; that some of these regulations have been overburdening, and actually, in the United States, according to the study, there are a lot more privacy protections for consumers without the regulations. Although I don't think it is absolute, I think it is an interesting read to start us off and to see where we are going and learn from a case study that was actually funded by the EU to learn about privacy and government and private industry's involvement in how you get to that ultimate goal of which I don't think any of us really know or have our finger on, which is consumer protection and also not stifling economic growth. So I would urge each member of the committee to take a look at this article. It is very interesting. With that, I yield back my time and look forward to the witnesses.

[The prepared statement of Hon. Christopher John and the Wall Street Journal article follow:]

PREPARED STATEMENT OF HON. CHRIS JOHN, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF LOUISIANA

Mr. Chairman, thank you for assembling today's panel of experts on privacy matters. I believe that this Subcommittee's focus on privacy will be one of the most important issues that this Congress faces, and I look forward to their testimony.

Mr. Chairman, recent analysis has shown that as goes the NASDAQ, so goes consumer confidence in this country.
Granted, these movements have not been rigorously tested statistically, but the point that is relevant to this Subcommittee and this hearing remains: consumer trust and confidence are fundamental to the success of the increasingly global Internet economy and privacy is a critical component of the ``trust and confidence'' measure that consumers hold. It applies to both e-commerce in general and the practices of specific companies in particular. We have an opportunity during the 107th Congress to ensure that we provide the best environment for future economic growth while ensuring adequate consumer protections in this regard. I do not believe that these are mutually exclusive goals.

Having said that, I do not have the equation that solves the vexing problem we are dealt here today--resolving Americans' desire for one-stop shopping on the Internet without making themselves more vulnerable to tracking by criminals, businesses and even the government. However, I would like to submit for the record a recent Wall Street Journal article entitled, ``Europe Lags Behind U.S. on Web Privacy.'' It suggests, via a European consumer's organization study, that Internet users' privacy is better protected in the U.S. than in Europe, despite the privacy directive that exists there. In all fairness, it does not endorse the private sector solution that we have allowed in the U.S. and it is critical of our lack of provisions regarding right to redress. However, I think the lessons and challenges that the article outlines should be paramount on all of our minds as we move forward in discussing privacy matters in this Subcommittee and in this Congress.

Thank you, again, Mr. Chairman for holding this hearing. These matters are of extreme importance to my constituents in the 7th Congressional District of Louisiana. I look forward to the hearing today.

______

[Tuesday, February 20, 2001--The Wall Street Journal]

Europe Lags Behind U.S.
on Web Privacy

MORE AMERICAN FIRMS LET CUSTOMERS GUARD DATA, STUDY FINDS

By Ben Vickers

Internet users' privacy is better protected in the U.S. than in Europe, despite the raft of privacy regulations that have been approved by the European Commission over the past five years, according to European consumers organizations.

The U.S. model of voluntary self-regulation of the use of private data collected online appears to work better, according to a commission-funded study by United Kingdom-based Consumers International, a federation of more than 250 consumer organizations in 110 countries.

The study reveals, for example, that 80% of European Web sites don't comply with current EU law that requires the sites to give online customers the chance to opt out of allowing their personal data to be stored and reused. In the U.S., however, almost 60% of most-popular sites offer their users the chance of opting out of having their data stored and reused.

Fewer sites in Europe collect data on users, compared with the U.S. overall. But of those that do, the study says, only about a third comply with the EU rule on offering public privacy policies. More than 63% of European Web sites collect information on users, but only 32% point them to their privacy policy, which explains that company's use of private data. In the U.S. a massive 90% of sites collect information on users, but 62% of these point users to their privacy policy, according to the study.

``Despite tight EU legislation . . . U.S.-based sites tend to set the standard for decent privacy policies,'' the survey of 751 Web sites concludes.

There are five separate EU Directives that regulate online privacy, plus sections of the European Treaties and Charters, such as the recently finalized European Charter of Fundamental Rights.

Privacy Directive

Two-thirds of the 15 EU-member states have passed the Privacy Directive into their national law.
Those who haven't done so yet have until January next year to complete the process. Most of the other directives are already being applied, and some will soon be due for revision.

Each EU member state now has a data-privacy commissioner and a national enforcement agency that monitors compliance with the new laws. But many countries are still adapting their existing agencies to enable them to carry out the work of monitoring the Internet. And Europe is taking a long time to get around to applying its privacy regulations.

``The evidence is that enforcement [of the regulations] is simply not happening,'' says Anna Fielder, director of Consumers International in London. ``When you talk to the national regulators who are supposed to make sure the rules are applied, they always complain of a lack of funding and a lack of staff for an enormous amount of work,'' she says.

Although references to the Fundamental Rights and the threat represented by privacy abuses pop up in any parliamentary debate on the privacy issue, the resources for enforcement of privacy rules are not adequate, Consumers International says.

But consumers' organizations, which lobbied hard for the privacy regulations, consider the EU on the right track, despite the lack of enforcement now and the lead the U.S. appears to have in self-regulation.

`A Right to Redress'

``Consumers in the EU have a right to redress. There is a law, there is an enforcement agency in each state . . . Redress in the case of abuse is not available in the U.S. with the voluntary systems they have,'' says Ms. Fielder. In Europe, consumers have someone who will represent them in the case of a dispute and laws to back up their claims, she says.

At a debate on the need for updating EU privacy regulations last January, Gregory Rohde, the U.S. assistant secretary of commerce for communications and information, told members of the European Parliament that there was a need for ``clear, consistent, and enforceable rules.'' Mr.
Rohde pointed out that while the U.S. has taken very limited action in regulating privacy protection, it has only regulated for financial services, health-care information and for the protection of child privacy online.

``But we are starting to see a shift towards stronger governmental action in the U.S.,'' Mr. Rohde told members of the European Parliament. ``Up to this point, the U.S. has chosen to allow the emerging Internet and new communications systems to develop without broad-scale government regulation,'' he said.

Online Trading

A focus of the commission's electronic commerce strategy this year is to increase consumer confidence in online trading, according to EU Health and Consumer Protection Commissioner David Byrne.

``E-commerce in Europe is being held back by several key worries,'' Mr. Byrne told European Parliament members. ``These are related to the risk of online fraud and data protection.''

One solution being encouraged in Europe is a code of conduct and trustmarks--a certification offered by third parties that guarantees minimum standards in areas such as respect of privacy and protection of personal data.

Similar initiatives exist in the U.S., where the private sector has produced third-party verification of privacy policies like Truste (www.truste.org) or Better Business Bureau Online (www.bbb.org). Almost all sites using third-party certification are based in the U.S., according to the commission survey.

The commission says it hopes to encourage their development in Europe. Meanwhile, it has posted a first version of e-commerce ``best practices'' that resulted from consultations with industry players on its ``e-confidence'' forum on the Internet, (http://econfidence.jrc.it).

Online consumer-confidence building is also one of the objectives of the recently approved ``Brussels Regulation,'' which allows online consumers to settle disputes in the courts of their country of residence, as is the case for online consumers who are resident in the U.S.
The commission has also recognized the need for introducing credit-card charge-back systems in Europe. Online consumers using credit cards in Europe aren't able to call on card companies to mediate in the case of a dispute with an online supplier, as in the U.S.

The charge-back system has given a major boost to the credit-card sector in the U.S., according to Mr. Byrne, who has had contacts with credit-card issuers to look at promoting the system in Europe.

But privacy remains a major concern to online consumers. A survey by American Express Co., covering 10 countries, found 79% of the financial-services company's clients considered privacy and security as major issues in online shopping.

Unwanted E-Mail

The scale of the problem is indicated by the volume of unwanted e-mail dispatched over the Internet. The abuse of private data feeds the turnover of unsolicited e-mail messages, and is expected to cost Internet users 10 billion euros ($9.2 billion) world-wide this year, according to figures just released by the commission, which is also preparing regulations for this area. America Online estimates that one third of the e-mail messages arriving on its servers are unwanted.

The balance between consumer protection and marketplace freedoms that both the EU and the U.S. say they are seeking--though with different approaches--is exemplified in the Safe Harbor certification scheme for U.S. companies willing to comply with EU privacy laws in their dealings with EU clients. Companies that don't adhere to the Department of Commerce Plan could find themselves facing court cases in Europe over private-data abuse.

Mr. Stearns. I thank my colleague, and just for members' information, we have a copy of that study. If anybody on the committee would like it, we would be glad to provide that to them. Ms. Eshoo?

Ms. Eshoo. Thank you, Mr.
Chairman, and as you are talking about copies of things, it might be well for the committee staffs on the majority and minority sides of the aisle to provide for the new members a copy of or summaries of the copies of the testimony of the Federal Trade Commission when they gave testimony in 1999 and then last year before our subcommittee, because it is highly instructive about what they found and how they changed their minds, and I think new members, wherever you land on this, would really benefit for it. So I would ask for unanimous consent that that be provided for our members.

Mr. Stearns. I was advised by counsel: this whole thing is on the FTC Website. So, I mean, we are welcome to put this in by unanimous consent, but I think any member, if he or she would like, they can just go on the Website and read it, and they can go back to 1999 and get that testimony.

Ms. Eshoo. What? The testimony that they gave?

Mr. Stearns. The testimony.

Ms. Eshoo. Good; well, I just wanted to make that suggestion.

Thank you for holding this hearing and for promptly initiating our discussion and a debate on the issue of privacy. The right to privacy is really so highly valued by all Americans. I always say to my staff that I think privacy runs through the veins of the American people. We have a healthy suspicion of government and Big Brother. We don't want anyone and are resentful of anyone ever looking over our shoulders into anything that we believe just belongs to us, to ourselves.

I speak as an American whose privacy I really think was highly violated when, 2 years ago, I found that someone had not only gotten my Social Security number but had filed a fraudulent tax return in my name. So if you don't think that you're vulnerable to something out there, there are stories that can go on and on. And it really brings home very, very quickly what can be done today because of so many of our successes and our breakthroughs relative to technology.
But, boy, when it hits the human being, it still has the same effect. So I think that the Congress is poised today or should be poised today not only in the examination of this issue but also to take the right kind of action. This right that Americans have has evolved through the years of judicial examination and, indeed, civic demand, because again, this is an all-American idea and right. Now, we are in the midst of the information revolution, and the parameters have certainly changed. We are faced with complex issues, such as finding the correct balance between the protection of our personal information and the level of freedom necessary for the Internet--because the Internet is different-- to continue to flourish so that we can continue enjoying its benefits. As both a personal communication tool and as an electronic marketplace for consumers and businesses, the Internet has become a significant part of the lives of Americans, and it will continue to in a much larger and profound way. So the privacy of the information that is exchanged is really very, very important to the continued expansion of the Internet. So obviously, we have to find a balance. Members have said that. Balance is a funny word in public policy, because what some people consider to be skewed, other people see it as just right. In January, January 20, when we had just a very small window of opportunity to introduce legislation, the day the new President was inaugurated, Representative Chris Cannon and myself introduced the Consumer Internet Privacy Enhancement Act. We obviously think that this is a prudent way to go. It establishes a floor, not a ceiling. It mirrors the Kerry-McCain legislation that was introduced in the Senate last year, and I believe the Senators will introduce that mirror legislation again. Our laws, I believe, need to catch up with and reflect where we are today. 
They should, in my view, require Website operators to provide clear and conspicuous notice of how they will use personal information. Moreover, consumers should then have the opportunity to make a choice as to whether they want to comply with the operator's stated use of their information. Websites that violate any of these protections should face rigorous penalties, and our bill addresses each of these needs.

Today, for all of the new members, you know this of the committee, it is strictly a voluntary situation. So if someone wants to, fine. Now, the industry, I think, has moved, but the FTC found that there was a need for the Congress to step in. Still, as we protect consumer security, we have to also be sure that we don't legislate an impediment to the free flow of information across the Internet. That is what the Internet is all about. The Consumer Internet Privacy Enhancement Act addresses this factor as well.

I want to just summarize and say, Mr. Chairman, that I look forward to being key in this debate and the shaping of legislation. I don't think there is Republican privacy and Democratic privacy. And I think if there is an area that this Congress can certainly--this subcommittee and our full committee--can come up with is something that consumers will hail and say they got it; they understood it; we now have protections that have some teeth in them. If, in fact, it is necessary to have the teeth to sink in; we also have fully recognized what the Internet represents: the free flow of information without damaging an individual and their privacy.

So with these considerations in mind, I thank you once again, and if I have any time left, I yield it back. And thank you to the witnesses. We have a wealth of information in front of us. So thank you for being here to enlighten us.

Mr. Stearns. I thank my colleague. Mr. Gordon?

Mr. Gordon. Thank you, Mr. Chairman. This is an important issue.
I am glad that you have targeted it as a high priority for this subcommittee, and I am confident that if we will work hard and listen to the advice of a lot of folks and try to put that through our system here that we are going to have a good bill that will find Anna's balance. Thank you for this hearing.

[Additional statements submitted for the record follow:]

PREPARED STATEMENT OF HON. EDOLPHUS TOWNS, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF NEW YORK

Thank you Mr. Chairman for holding this hearing on one of the most important issues under the Subcommittee's jurisdiction--the issue of PRIVACY. I also want to join my good friend from Florida in welcoming the witnesses on the panel today, and I look forward to hearing their testimony.

Over the past several years, my constituents have become more and more interested and concerned about personal privacy protections. While I personally believe that the diversity of views and the complexity of this issue could make it difficult for us to pass a ``one size fits all'' policy, I do believe that we need to address the perceived or real fears people have with respect to privacy.

Mr. Chairman, I also believe we need to act this Congress in the most deliberate and responsible way possible. Recently, I read an account in the press where an industry leader said that we in society have no privacy anyway and that we should just ``GET OVER IT.'' That is an unacceptable view in my mind and one that does not sit well with my constituents. Privacy protection is not only very important but very necessary as well.

I would like to encourage my friends who see privacy as a burdensome issue to look at this process as a new opportunity for increased consumer confidence and trust in your businesses. Every consumer who participates in the new economy has privacy concerns on one level or another.
I look forward to working with the involved parties to ensure that the rights and responsibilities of consumers are balanced with those of business. Privacy should and needs to be at the top of every company's priority list. It should be noted that more than one expert on this topic has called privacy not a social or moral issue, but the single most important business decision a company can make today.

We in Congress acted in a bipartisan fashion in 1996 when we mandated that Congress pass a sweeping medical records privacy bill by 1999. This goal was not met and so the Clinton Administration had the responsibility to write the HIPAA regulations at the end of last year. Some in the Healthcare industry have been critical of the new regulations, stating that the bar has been set too high and have lobbied the new administration to re-open the regulation writing process. I believe that this would be a grave mistake in judgment by the administration. People need to be given complete control over their personal medical records and now is not the time to turn back the clock.

In closing, it is critical that we act in moderation as we delve into this issue. I do not want to see premature, knee-jerk legislation pass just so that we can all go home and say we did something that may turn out to be the wrong decision a week, a month or a year from now. If we are going to pass legislation on this issue, let's be sure to get it right--THE FIRST TIME.

Again, I look forward to hearing from all of our witnesses today, and I yield back the balance of my time.

______

PREPARED STATEMENT OF HON. BOBBY L. RUSH, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS

Mr. Chairman, thank you for holding this important hearing on privacy in the commercial world. This subject is extremely far-reaching and complex and I am glad to see that we have such an esteemed panel of experts here before us.
However, before turning it over to the panel, I would like to express my concern over one area which seems to be attracting greater and greater attention lately: medical privacy. As we are all aware, the previous administration issued final regulations last December which would protect the privacy of an individual's medical records from undue intrusion. Those regulations have been re-opened for comment for 30 days by the current administration.

While we may disagree on how to protect the privacy of medical records, I think we can all agree on the over-arching need for medical privacy. With recent advances in medical technology, such as the mapping of the human genome, it has become increasingly evident that the privacy of one's medical records is the best defense against genetic discrimination.

Since we all can agree on the need for medical privacy, I think it is important to discuss how we can obtain that goal without overburdening the health care community responsible for providing care or establishing a system without adequate enforcement mechanisms such as a private right of action.

I look forward to working with my colleagues to ensure that whatever action is taken on the medical privacy regulations, it strikes a balance between operational feasibility for providers and health care facilities and protection of our most sensitive information.

Mr. Stearns. I thank my colleagues. We are ready for our panel, the first panel we have and only panel. We have Professor Fred Cate, professor of law, Indiana University School of Law; we have Professor Eugene Volokh, professor of law, UCLA School of Law; Professor Paul Rubin, professor of law and economics, Emory University School of Law; Ms. Solveig Singleton, senior policy analyst at the Competitive Enterprise Institute; Mr. Marc Rotenberg, executive director, Electronic Privacy Information Center; and Professor Chai Feldblum, professor of law at Georgetown University Law School.
I welcome all of you here, and we look forward to your opening statements, which, as you understand, are generally 5 minutes. Professor Cate?

STATEMENTS OF FRED H. CATE, PROFESSOR OF LAW, INDIANA UNIVERSITY SCHOOL OF LAW; EUGENE VOLOKH, PROFESSOR OF LAW, UCLA LAW CENTER; PAUL RUBIN, PROFESSOR OF LAW AND ECONOMICS, EMORY UNIVERSITY SCHOOL OF LAW; SOLVEIG SINGLETON, SENIOR POLICY ANALYST, COMPETITIVE ENTERPRISE INSTITUTE; MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER; AND CHAI R. FELDBLUM, PROFESSOR OF LAW, GEORGETOWN UNIVERSITY LAW CENTER

Mr. Cate. Thank you very much, Mr. Chairman, members of the committee. First, let me thank you both for the opportunity to be here but especially for holding a hearing such as this. It is really quite remarkable to have the chance to be part of the hearing where there isn't a particular bill on the table and in an area as complex as privacy in which the ramifications of regulating too much or too little are so great. The opportunity to look at the issue in its entirety, without breaking it into some small subset, some particular area, is particularly appropriate. So I am very grateful for that.

Let me also acknowledge your courage in organizing a panel of primarily law professors, people who, for our very livelihood, never answer a question. This will be an interesting change for us today. In fact, we, of course, normally ask them.

I would like to make just three points today in order to stay within the time limit; first, to talk about the critical roles that information plays in our economy and our society; second, the extent to which privacy laws inevitably are in tension with those roles. Many of you and many other people have noted that they would like privacy laws that did not interfere with the flow of information, and those just don't exist. The question is how you draw that balance, how you balance that tension between the two.
And finally, I would like to speak just briefly about some of the limits of consent; that consent is not a way out of this dilemma; consent often, instead, exacerbates this dilemma. So to start first with what I have called the information infrastructure, it merely recognizes what I believe the Federal Reserve Board and many others have testified before this committee and others repeatedly: that the accessibility of personal information has created a profound transformation of commerce and the economy in this country. Commerce now depends increasingly on complete, objective and reliable information, and the accessibility, the availability of that information makes it possible to treat consumers as individuals, not as groups. It makes it possible to target services to their specific needs, and it makes it possible to evaluate them for service based on their own records, not on their race or gender or who they know or what they have access to but rather their own demonstrated record in the market. Now, although I have included in my written testimony numerous examples of this, let me suggest just two now. One is, of course, the whole market for consumer credit, where we see in this country, unlike in Europe, which does have restrictive privacy laws, much wider availability of credit; much faster granting of credit; and much cheaper credit, credit available at much lower costs. This is, of course, because information about consumers is routinely collected, subject to Federal law. It is available so that when a decision needs to be made, it does not have to be put together from scratch; and it is available in a reliable form, so that lenders do not have to insure themselves against bad information or missing information as they do in Europe and therefore charge higher interest rates, fees or other charges. 
Now, maybe a second example of this use of information is, of course, the ability to target interested consumers, and you may wonder why anyone in their right mind would ever speak to Congress about what you are certainly going to interpret as junk mail. But the irony is that the argument that information should not be available for targeting marketing opportunities to consumers means not less junk mail but, of course, more and not less satisfying--not more satisfying communications but less, because they will not have been targeted; they will not reflect that consumer's likely interest. I dare say not one of you here or many people elsewhere in the Congress or in State legislatures have ever run a campaign without contacting people based on knowing what party they belong to; what their likely interest, their likely past donating record has been. This is precisely the type of information that makes it possible to communicate efficiently and effectively with individuals. Now, against these and many other benefits, we have the privacy tension, the tension that if information is not available or it cannot be used, then it is inevitably going to, as one State attorney general put it, interfere with information flows and cause consumers to pay the price in terms of either higher prices or a restricted set of choices offered to them in the market. This is the inevitable effect of this tension. There is no way around it. This leads, then, to the third and final point on the limit of consent, because we have heard the argument many times in the privacy debate that all we are seeking in privacy law is that consumers be given a chance to consent. 
But there are many reasons why consent does not alleviate these concerns; for example, the difficulty of obtaining consent; the difficulty, in many instances, of even reaching consumers, particularly when the information flow, as in the credit example, is largely among parties whom the consumer may not directly see; the cost of reaching consumers; and also the fact--and one that is often overlooked--that many uses of information are interrelated. So if we want information available for, say, fraud detection and crime detection, the way the cost of that is often borne is by other users who use that information for other purposes. If you eliminate those other purposes, you inevitably affect the availability of that information for those purposes.

I see my time is up, so I will stop.

[The prepared statement of Fred H. Cate follows:]

PREPARED STATEMENT OF FRED H. CATE, DIRECTOR, INFORMATION LAW AND COMMERCE INSTITUTE, INDIANA UNIVERSITY SCHOOL OF LAW

Mr. Chairman: My name is Fred Cate, and I am a professor of law and director of the Information Law and Commerce Institute at the Indiana University School of Law in Bloomington. For the past 12 years, I have researched, written, and taught about information law issues generally, and privacy law issues specifically. I directed the Electronic Information Privacy and Commerce Study for the Brookings Institution, served as a member of the Federal Trade Commission's Advisory Committee on Online Access and Security, and currently am a visiting fellow, addressing privacy issues, at the American Enterprise Institute.
I appreciate the opportunity to testify today and, more importantly, I want to acknowledge you and the Members of the Subcommittee for holding such a broad hearing on the subject of ``Privacy in the Consumer World.'' It is a rare pleasure to participate in a hearing that is not restricted to a particular bill or event, but rather inquires widely about the uses of personal information, the need for further legislation, and the potential impact of adopting new privacy laws. Such an open-minded approach in an area as complex and important as privacy is desperately needed, and I applaud your leadership in providing it.

I would like to take advantage of the presence of the other distinguished members on this panel, who I believe will address a number of the issues posed by privacy laws, and limit my testimony to three points: the critical roles that information plays in our economy and society; the extent to which privacy laws inevitably interfere with the benefits that consumers enjoy as a result of accessible personal information; and the ways in which requiring consumer ``consent'' exacerbates, rather than ameliorates, the harmful impact of many privacy laws on consumers.

1. THE INFORMATION INFRASTRUCTURE

Information is the lifeblood of our 21st century economy. In the words of the Federal Reserve Board: ``[I]t is the freedom to speak, supported by the availability of information and the free-flow of data, that is the cornerstone of a democratic society and market economy.'' \1\ These simple words reflect a profound transformation: Consumers are increasingly evaluated today according to more complete, objective, and reliable information about them than was ever before possible. As a result, consumers can now expect--and the law can meaningfully require--that they be treated as individuals and judged on their own records, not by their race, gender, who they know, or other subjective prejudices.
This is the result of the information revolution: Routine, comprehensive information collection has contributed to unprecedented prosperity, and allows more Americans than ever before to share in that prosperity, and to do so on a more equitable basis. Consider the following examples of benefits that this ``information infrastructure'' makes possible.
---------------------------------------------------------------------------
\1\ Board of Governors of the Federal Reserve System, Report to the Congress Concerning the Availability of Consumer Identifying Information and Financial Fraud 2 (1997).
---------------------------------------------------------------------------

a. Expanding the Availability, Enhancing the Speed, and Lowering the Cost of Consumer Credit

The routine sharing of reliable, standardized personal information has greatly expanded the availability, increased the speed, and reduced the cost of consumer credit. So, for example, when a consumer applies for a mortgage, car loan, or instant credit, the lender makes its decisions about whether, how much, and on what terms to lend based on information collected from a wide variety of sources over time. The lender can have confidence in that information because it has been assembled routinely--not just for the purpose of one loan application--and presents a complete picture of the borrower's financial situation--not just one moment in time or information from just a selective sample of the businesses with which the borrower deals.

Because of that confidence, lenders provide more loans to a wider range of people than ever before. Between 1956 and 1998, the number of U.S. households with mortgage loans more than trebled. The same trend is true for credit card products; today, the average American adult carries 13 credit cards. Consumers benefit by obtaining the funds they need to buy homes and cars and finance educations.
The ``almost universal reporting'' of personal credit histories, in the words of economist Walter Kitchenman, is the ``foundation'' of consumer credit in the United States and a ``secret ingredient of the U.S. economy's resilience.'' \2\

In addition, because the necessary information does not have to be collected from scratch, loan applications are reviewed and approved faster than ever before. In 1997, 82% of automobile loan applicants received a decision within an hour; 48% of applicants received a decision within 30 minutes.\3\ Many retailers open new charge accounts for customers at the point of sale in less than two minutes. This is unheard of in countries where restrictive laws prevent credit bureaus and other businesses from routinely collecting the information on consumer activities required to maintain the accurate, up-to-date files necessary to support rapid and accurate decision making.
---------------------------------------------------------------------------
\2\ Walter F. Kitchenman, U.S. Credit Reporting: Perceived Benefits Outweigh Privacy Concerns 1 (The Tower Group 1999).
\3\ Consumer Bankers Association, 1998 Automobile Finance Study at 19.
---------------------------------------------------------------------------

The greater accuracy, speed, and efficiency of the credit system, and the greater confidence of lenders also drives down the cost of credit. Lenders don't have to charge higher interest rates and fees to guard against bad or missing information. And it is easier for lenders to pool loans according to risk and sell them in the secondary market--a process known as ``securitization.'' This makes more capital available for new loans and further reduces the cost of credit in the United States by an estimated $80 billion per year for mortgages alone.\4\

Most importantly, consumers benefit from the knowledge that loan decisions will now be based on their own financial situation, not on local biases or prejudices.
Readily available, standardized personal information not only makes this possible, it also facilitates easy analysis of lender compliance with fair lending laws.
---------------------------------------------------------------------------
\4\ Kitchenman, supra, at 7.
---------------------------------------------------------------------------

b. Identifying and Meeting Consumer Needs

Businesses use personal information to identify and meet customer needs. According to Federal Reserve Board Governor Edward Gramlich: ``Information about individuals' needs and preferences is the cornerstone of any system that allocates goods and services within an economy.'' The more such information is available, he continued, ``the more accurately and efficiently will the economy meet those needs and preferences.'' \5\ In short, information-sharing allows businesses to ascertain customer needs accurately and meet those needs rapidly and efficiently. Detailed consumer information is at the heart of new individualized offerings that provide each customer with the recognition and personalized service that she desires.
---------------------------------------------------------------------------
\5\ Financial Privacy, Hearings before the Subcomm. on Financial Institutions and Consumer Credit of the House Comm. on Banking and Financial Services, July 21, 1999 (statement of Edward M. Gramlich).
---------------------------------------------------------------------------

c. Enhancing Customer Convenience and Service

Information-sharing also enhances customer convenience and service. For example, many services are provided through a myriad of companies. A customer may have a checking account, a savings account, a credit card, and an investment account all with the same bank, but the four services will likely be provided by four completely separate affiliates. The customer's checks will be printed by a separate company altogether.
Billing for the credit card may be handled by still another company. Because of information-sharing, the customer can deal with all six entities as if they were one. Her high savings balance may be used to qualify her for free checking. Overdrafts on her checking account can be covered automatically with her credit card. She can call one customer service number with questions, and if her credit card or checks are stolen, a single call is all that is needed to protect all of her accounts.

Many retailers provide specialty services and products, such as fine jewelry, photographic studios, vision services, hair care, and product repair or installation through independent companies that license the retailer's name, but are not the retailer's affiliates. This approach is required because of the nature of the service, efficiencies that come with specialization, insurance factors, and federal and state tax and licensure laws. Due to routine information-sharing, these independent companies provide services to customers under the retailer's name, accept the retailer's credit card, include information and coupons in the retailer's mailings and advertisements, participate in the retailer's loyalty programs, and, from a customer perspective, are simply another department of the retailer's operations.

d. Targeting Interested Consumers

Information-sharing also allows consumers to be informed rapidly and at low cost of those opportunities in which they are most likely to be interested. As a result, information on second mortgages and home improvement services can be targeted only to home owners. Information on automotive products and services is targeted only to car owners. The American Association of Retired People can target its offers only to older Americans, veterans' organizations can appeal only to people who have served in the armed forces, and political campaigns can target their solicitations to registered members of their party.
In the absence of information-sharing, these organizations either (1) could not afford to communicate with potential customers or members, or (2) they must contact even more households--meaning more unsolicited mail, e-mail, and telephone calls--to find people interested in their offer. The first alternative would mean the death of many organizations. In fact, the cost of alerting consumers about a new product or opportunity can be a major obstacle to the launch of new businesses and prevent innovative products from ever reaching the marketplace. The second alternative means that the public is peppered with more mail, e-mail, and telephone calls, a higher percentage of which will be of no interest to the recipient. This would truly be ``junk mail,'' because it would have been generated without regard for the recipient's demonstrated interests. Targeting marketing to consumer interests lowers the volume, cost, and environmental impact of that marketing while increasing consumer satisfaction.

e. Promoting Competition and Innovation

Information-sharing is especially critical for new and smaller businesses, which lack extensive customer lists of their own or the resources to engage in mass marketing to reach consumers likely to be interested in their products or services. This may help explain why some large European national banks and industrial concerns supported new privacy laws there: By restricting the availability of information about their customers, privacy laws help to protect established businesses from competition from other countries or start-ups. Open access to third-party information and the responsible use of that information for targeted marketing is essential to level the playing field for new market entrants.

Similarly, businesses offering specialized products and services rely on accessible information to help them identify and reach those customers most likely to be interested in their offerings, wherever those customers are located.
Many businesses in today's markets never see their customers because transactions are conducted exclusively by telephone, Internet, or mail. These businesses are able to serve the needs of potential customers they have never met because of the free flowing information that allows them to identify who those likely customers are. In a global market, information-sharing is key to connecting far-flung customers and businesses.

f. Preventing and Detecting Fraud

Another key use of personal information is to prevent and detect fraud. More than 1.2 million worthless checks are cashed at retailers, banks, and other U.S. businesses every day, accounting for more than $12 billion in annual losses.\6\ Treasury Department officials estimated that credit card fraud losses would be between $2 billion and $3 billion in 2000.\7\ The insurance industry paid $24 billion--10% of all claims--in 1999 for fraudulent property and casualty claims.\8\ The GAO found that Medicare made improper payments of $13.5 billion in fiscal year 1999 alone, and has estimated that health care fraud accounts for up to 10% of national health care spending each year.\9\ Across the economy, business losses due to all forms of document fraud and counterfeiting exceed $400 billion--6% of annual revenue of American businesses--per year.\10\ Although businesses paid for virtually all of these losses, they ultimately affect consumers through higher prices, inconvenience, and lost time and productivity.
---------------------------------------------------------------------------
\6\ Barry Flynn, ``In Search of Security, Some Banks Are Giving the Thumbs up to Fingerprinting New Customers,'' Orlando Sentinel, March 2000, at B1; Steven Marjanovic, ``Banks Tap ATM Systems To Banish 18B Checks,'' American Banker, June 14, 2000, at 1.
\7\ Gary Fields, ``Victims of Identity Theft Often Unaware They've Been Stung,'' USA Today, March 15, 2000, at 6A (quoting Undersecretary James Johnson of the U.S. Treasury Department).
\8\ ``Insurance Fraud,'' III Insurance Issues Update, Oct. 2000.
\9\ General Accounting Office, Medicare Improper Payments: While Enhancements Hold Promise for Measuring Potential Fraud and Abuse, Challenges Remain (GAO/AIMD/OSI-00-281) at 4 (2000).
\10\ Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud and Abuse <http://www.cfenet.com/newsandfacts/fraudfacts/reporttothenation/reportsection4.shtml>.
---------------------------------------------------------------------------

Personal information is one of the most effective tools for stemming these losses. Such information is used every day to identify consumers cashing checks and seeking access to accounts. Close monitoring of account activity also allows credit providers, insurance companies, and other businesses to recognize unusual behavior that may indicate that someone is using a credit card or debit card without authorization or making improper claims. Moreover, because of information-sharing, companies share alerts about lost or stolen credit or debit cards and information about fraud schemes so that they can prevent further losses and improve the odds of apprehending the thief.

g. Informing the Electorate and Protecting the Public

Personal information is also used for a wide variety of purposes central to democratic self-governance and protecting public health and safety. For example, information is used to elect and monitor public officials and to facilitate public oversight of government employees and contractors. The Supreme Court has found that these uses are so critical that it has virtually eliminated any recourse by public officials or public figures for the publication of true information, even if defamatory or highly personal.\11\
---------------------------------------------------------------------------
\11\ Monitor Patriot Co. v. Roy, 401 U.S. 265 (1971).
---------------------------------------------------------------------------

Law enforcement officials rely on collected personal information to prevent, detect, and solve crimes. Journalists and other researchers use accessible information to inform the public about matters of public importance. Personal information is also used for product safety warnings and recall notices, such as when Firestone and Ford Motor Company used databases to identify and obtain current addresses for people who own recalled Firestone tires.

Medical researchers rely heavily on personal information to conduct ``chart reviews'' and perform other research that is critical to evaluating medical treatments, detecting harmful drug interactions, uncovering dangerous side effects of medical treatments and products, and developing new therapies. Such research cannot be undertaken with wholly anonymous information, because the detailed data that researchers require will always include information that could be used to identify a specific person, and when that information indicates that a given therapy or drug poses a real health risk, researchers must notify the affected individuals.

Even information as mundane as citizen addresses is used to locate missing family members, owners of lost or stolen property, organ and tissue donors, and members of associations and religious groups and graduates of schools and colleges; and to identify and locate suspects, witnesses in criminal and civil matters, tax evaders, and parents who are delinquent in child support payments. (This same information is used to help verify the identity of consumers who apply for instant credit, begin new utility service, or seek other valuable products and services.)
These examples are not exhaustive; they are mere illustrations of the extent to which personal information constitutes part of this nation's essential infrastructure, the benefits of which are so numerous and diverse that they impact virtually every facet of American life.

2. THE PRIVACY TENSION

All of the benefits outlined above flow from readily accessible information about consumers. To provide those and other benefits, access to data is essential. Laws and regulations designed to protect privacy interfere with that access and therefore with the benefits that result from open information flows. As a result, those laws--although motivated by the best of intentions--inevitably harm consumers. In the words of one state Attorney General, because privacy laws interfere with information flows, consumers ultimately pay the price for those laws ``in terms of either higher prices for what they buy, or in terms of a restricted set of choices offered them in the marketplace.'' \12\ But the harm to consumers is also experienced through reduced convenience and service, an increased number of less well-targeted commercial solicitations, limited competition and innovation, and even diminished public health and safety.
---------------------------------------------------------------------------
\12\ Bill Pryor (R-Ala.), Protecting Privacy: Some First Principles, Remarks at the American Council of Life Insurers Privacy Symposium, July 11, 2000, Washington, DC, at 4.
---------------------------------------------------------------------------

3. THE LIMITS OF CONSENT

Proponents of new privacy laws often argue that these costs can be avoided because most privacy laws do not block information flows outright, but rather condition them on consumer consent.
This reflects the recent dominant trend in privacy legislation--to invest consumers with near absolute control over information, what Alan Westin, in his path-breaking study Privacy and Freedom, described as ``the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.'' \13\ The National Association of Attorneys General's December 2000 draft statement on Privacy Principles and Background sets forth as its core principle: ``Put simply, consumers should have the right to know and control what data is being collected about them and how it is being used, whether it is offline or online.'' \14\ And virtually all of the privacy bills pending before Congress reflect this goal: ``To strengthen control by consumers'' and ``to provide greater individual control.'' \15\
---------------------------------------------------------------------------
\13\ Alan F. Westin, Privacy and Freedom 7 (1967).
\14\ National Association of Attorneys General, Draft Statement on Privacy Principles and Background at 7 (Dec. 11, 2000) (emphasis added).
\15\ S. 30, 107th Cong. Sec. 2 (2001); H.R. 89, 107th Cong. Sec. 2(b)(1) (2001); H.R. 347, 107th Cong. Sec. 2(b)(1)(A) (2001) (emphasis added).
---------------------------------------------------------------------------

As a result, proponents of privacy laws argue that the costs of these laws can be avoided, because if consumers are persuaded that they benefit from information flows, they will consent to the collection and use of information about them. The simple, straightforward nature of this argument has made it very powerful.
However, in addition to conflicting with Supreme Court precedent on the ownership of information \16\ and the protection of expression, \17\ this approach ignores the practical difficulty and burden to consumers of attempting to exercise control over the vast amount of data that they generate and disclose about themselves in an increasingly networked economy, and ignores the many powerful reasons why society permits access to information about others.
---------------------------------------------------------------------------
\16\ See, e.g., United States v. Miller, 425 U.S. 435 (1976).
\17\ See, e.g., Martin v. Struthers, 319 U.S. 141 (1943); Lamont v. Postmaster General, 381 U.S. 301 (1965); Denver Area Educational Telecommunications Consortium, Inc. v. Federal Communications Comm'n, 518 U.S. 727 (1996).
---------------------------------------------------------------------------

a. Unanticipated Benefits

The benefits of personal information are often unanticipated. For example, many retailers collect information about consumer purchases and then access that information so that consumers can return merchandise without a receipt, order supplies and replacement parts without knowing the exact model number or specific product information, obtain information about past purchases for insurance claims when fire or other disasters destroy or damage those goods, and receive immediate notification about product recalls and other safety issues. These are tangible benefits that many consumers take advantage of every day, but few consumers would anticipate in advance that they were going to need information about a past transaction for insurance purposes or to order replacement parts. The benefit is exceptionally valuable when it is needed, but often illusory before that time.

b. Lack of Consumer Contact

Many benefits result from uses of personal information that do not involve the consumer directly.
For example, credit bureaus update consumer credit files--the files that are used to obtain rapid, low cost access to credit of all forms--without ever dealing directly with the consumer. In fact, few Americans will ever deal directly with a credit bureau. To require the credit bureau to establish contact with the consumer every time it needed to collect or use information about him or her would be expensive and burdensome to the consumer. Similarly, most mailing lists are obtained from third parties, not the people whose names are on the list. For a secondary user to have to contact every person individually to obtain consent to use the information would cause delay, require additional contacts with consumers, and increase costs.

c. Value of Standardized and Third-Party Information

There are many beneficial uses of personal information where the benefit, frankly, is derived from the fact that the consumer has not had control over the information. This is certainly true of credit information: Much of its value derives from the fact that the information is obtained routinely, over time, from sources other than the consumer. Allowing the consumer to block use of unfavorable information would make not only that credit report useless, but all others, because lenders, merchants, employers, and others who rely on credit reports would not know which ones contained only selective information.

Even when information is not particularly ``positive'' or ``negative,'' its value may depend on it being complete. Many businesses monitor accounts for suspicious activity that may indicate fraudulent activity. Often credit card companies will call a card holder whose account has experienced unusual charges to verify that the card has not been stolen. Identifying the unusual requires knowing what is usual and that, in turn, requires access to a complete set of data.

d. Consumer Preferences

Most consumers do not want to be deluged with repeated requests for consent.
The ultimate result is that consumers will either not consent, and thereby diminish the benefits that flow from information-sharing both for themselves and others, or they will consent to everything, just to avoid further calls, letters, and e-mails.

The Los Angeles Times reported in December 1999 that banking customers are understandably ``irritated if the bank fails to inform them that they could save money by switching to a different type of checking account.'' As the newspaper noted, however, ``to reach such a conclusion, the bank must analyze the customer's transactions.'' \18\ One major U.S. bank reported that its customers who participated in a test of various privacy policies were annoyed at the very idea of being contacted by the bank to obtain permission to contact them again in the future to offer selected opportunities. Customers expected that the bank would use their information to offer them appropriate offers. The last thing they wanted was another phone call or letter asking permission to do what they perceived to be the very foundation of their relationship with the institution.
---------------------------------------------------------------------------
\18\ Edmund Sanders, ``Your Bank Wants to Know You,'' Los Angeles Times, Dec. 23, 1999, at A1.
---------------------------------------------------------------------------

e. The Practical Obstacles to Consumer Contact

Conditioning use of personal information on specific consent may also harm consumers because of the practical difficulties of reaching them. Consider the experience of U.S. West, one of the few U.S. companies to test an ``opt-in'' system. To obtain permission to utilize information about its customers' calling patterns (e.g., volume of calls, time and duration of calls, etc.), the company found that it required an average of 4.8 calls to each customer household before they reached an adult who could grant consent. In one-third of households called, U.S.
West never reached the customer, despite repeated attempts. Consequently, many U.S. West customers received more calls, and one-third of their customers were denied opportunities to receive information about valuable new products and services.\19\
---------------------------------------------------------------------------
\19\ Brief for Petitioner and Interveners at 15-16, U.S. West, Inc. v. Federal Communications Comm'n, 182 F.3d 1224 (10th Cir. 1999) (No. 98-9518).
---------------------------------------------------------------------------

f. The Cost of Obtaining Consent

There is always a price to obtaining consent and recent experience has shown that those costs are often quite significant. For example, the privacy provisions of the Gramm-Leach-Bliley Financial Services Modernization Act require financial institutions to ``clearly and conspicuously'' provide customers with a notice about its policies and practices for disclosing personal information and informing customers about their right to ``opt-out'' of certain sharing of that information.\20\ That disclosure must be made ``[a]t the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship.'' \21\ By July 1, 2001, approximately 40,000 financial institutions will be sending as many as 2-5 billion notices to their various customers. Households will receive an average of 20 or more notices each. Printing and mailing costs alone will run into the billions of dollars. Internal compliance costs are certain to be much higher.
---------------------------------------------------------------------------
\20\ Gramm-Leach-Bliley Financial Services Modernization Act tit. V, 106 Pub. L. No. 102, 113 Stat. 1338 (1999) (codified at various sections of 15 U.S.C.).
\21\ 15 U.S.C. Sec. 503(a).
---------------------------------------------------------------------------

``Opt-in'' systems cost even more.
The Department of Health and Human Services calculates that compliance with its recently released Health Insurance Portability and Accountability Act privacy rules will cost $3.2 billion for the first year, and $17.6 billion for the first ten years.\22\ Based on the prior, less complicated draft of the rules, health care consulting companies have calculated that the cost will be much higher--between $25 and $43 billion (or three to five times more than the industry spent on Y2K) for the first five years for compliance alone, not including impact on medical research and care or liability payments.
---------------------------------------------------------------------------
\22\ Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462 (2000) (HHS, final rule) (to be codified at 45 C.F.R. pt. 160, Sec. Sec. 164.502, 164.506).
---------------------------------------------------------------------------

These costs are inevitably passed on to consumers. If the market will not bear the added cost, then these costs mean that the service or product will not be offered.

g. The Interconnectedness of Consent

Many of the beneficial uses of information that consumers now enjoy depend on spreading the cost of collecting and maintaining the information for a variety of uses. For example, commercial intermediaries collect, organize, and make accessible to the public government records. Those records are used for countless socially valuable purposes: monitoring government operations, locating missing children, preventing and detecting crime, apprehending wanted criminals, securing payments from ``deadbeat'' parents and spouses, and many others.
In fact, in 1998 the FBI alone made more than 53,000 inquiries to commercial online databases for ``public record information'' that led to the arrest of 393 fugitives wanted by the FBI, the identification of more than $37 million in seizable assets, the locating of 1,966 individuals wanted by law enforcement, and the locating of 3,209 witnesses wanted for questioning.\23\ The Association for Children for Enforcement of Support uses information from public records, provided through commercial vendors, to locate over 75% of the parents they sought.\24\

Access to these records is possible, as well as convenient and inexpensive, precisely because commercial intermediaries assemble the information for such a wide variety of other uses. If the law restricted the other valuable uses of public records, or made those uses prohibitively expensive, then the data and systems to access them would not be in place for any use. In as much as the beneficial uses of information outlined above are interconnected, and often depend on common systems and spreading the cost of acquiring and managing data over many uses, consent-based laws may only create the illusion of consent, because they will lead to consumers having fewer opportunities made available to them to which they can consent.
---------------------------------------------------------------------------
\23\ Hearings before the Subcomm. for the Departments of Commerce, Justice, and State, the Judiciary and Related Agencies of the Senate Comm. on Appropriations, March 24, 1999 (statement of Louis J. Freeh).
\24\ Hearings before the House Committee on Banking and Financial Services, July 28, 1998 (statement of Robert Glass, Vice President and General Manager of the Nexis Business Information Group of Lexis-Nexis).
---------------------------------------------------------------------------

h. Required Consent

The opportunity for consent may also be illusory because many services or products cannot or will not be provided without personal information. HIPAA, for example, requires that physicians provide extensive disclosures and obtain explicit consent concerning information collection and use prior to treating a patient. If a patient wishes to be treated, she must consent. The law is effectively irrelevant, because the physician cannot treat the patient without information about his or her condition. Moreover, as a practical matter, signing the consent form is likely to become just another procedural hurdle, like signing an insurance authorization form, to getting in to see a doctor. Experience suggests that few people will shop for physicians based on information policies; rather, their decisions about from whom to seek service will be driven by price, location, insurance coverage, specialty, and other considerations. So the expense of crafting, providing, and storing consent forms will likely achieve little in terms of enhancing consumer choice or privacy.

i. Consumer Ignorance and Lethargy

Finally, even if the request gets through to the intended adult recipient, the typical response to requests for consent to use personal information, to judge by the extensive experience of businesses and not-for-profit organizations, is that the customers will simply ignore them. Most unsolicited mail in this country is discarded without ever being read and most unsolicited commercial or fund-raising telephone calls are terminated by the consumer without the offer ever being made. It will not matter how great the potential benefit resulting from the information use, if the request is not read or heard, it cannot be acted on. Even where mail is actually read and the offer appeals to the consumer, lethargy and the competing demands of busy lives usually conspire to ensure that no action is taken.
It is difficult to imagine that promises of potential future benefits from information use will command greater attention or activity.

These considerations suggest that simply conditioning the use of personal information on specific consent is tantamount to prohibiting outright many beneficial uses of information, because of the cost of obtaining consent, the extent to which consent may undermine information's usefulness, the degree to which uses of information are interconnected, and the many impediments to consumers receiving and acting on the request, even when it is in their best interest to do so.

CONCLUSION

The fact that information flows constitute a central part of our economic and social infrastructure, and that privacy laws--by interfering with those information flows--inevitably harm consumers and businesses, does not suggest that there is no role for the government or for law in protecting privacy. Far from it. The government plays many critical roles in helping to protect individual privacy.

One of the most important responsibilities of the government is assuring that its own house is in order. Only the government has the power to compel disclosure of personal information and only the government operates free from market competition and consumer preferences. As a result, the government has special obligations to ensure that it complies with the laws applicable to it; collects no more information than necessary from and about its citizens; employs consistent, prominent information policies through public agencies; and protects against unauthorized access to citizens' personal information by government employees and contractors.
Similarly, there are many steps that only the government can take to protect citizens against privacy-related harms, such as identity theft: Make government-issued forms for identification harder to obtain; make the promise of centralized reporting of identity thefts a reality; make it easier to correct judicial and criminal records and to remove permanently from one individual's record references to acts committed by an identity thief. The government alone has this power.

Regulators and law enforcement officials should enforce existing privacy laws vigorously, and legislators should ensure that they have the resources to do so.

The government should also help educate the public about privacy and the tools available to every citizen to protect her own privacy. Many privacy protections can only be used by individuals--no one else can protect their privacy for them. Yet few individuals will recognize the importance of their responsibility or have the knowledge to fulfill it without education.

Finally, should you conclude that new laws or regulations are necessary, it is critical to identify and articulate clearly the purpose of the proposed privacy law or regulation, and whether it will in fact serve that purpose: In sum, what public benefit justifies the government's action? Only after having answered this question can the benefits of the proposed law or regulation be balanced against both the beneficial uses of information with which it interferes and the other costs of implementing and complying with the law. Armed with this information, you can then ask whether the law is worth its cost or whether there are other less intrusive, less expensive, or more effective tools for achieving the same purpose.

I address these and related issues in greater detail in a report that will be forthcoming soon from the American Enterprise Institute.
Because that document is so directly responsive to the subject of this hearing, with your permission, I append the complete draft report to my testimony.

Thank you again for the opportunity to testify.

Mr. Stearns. Thank you. Professor Volokh?

STATEMENT OF EUGENE VOLOKH

Mr. Volokh. Thank you. Mr. Chairman, members of the subcommittee, it is a great pleasure and honor to be invited to testify here. I will limit my remarks to the First Amendment questions posed by certain kinds of privacy rules and will not speak to whether they are a good policy or bad policy but solely to the Constitutional questions.

Why are there First Amendment problems involved here? I mean, isn't privacy sort of one of those wonderful, warm, fuzzy things that sort of everybody should be in favor of? Well, the right to control information about ourselves sounds very appealing until you realize that what it means, literally what it means is the right to stop others from speaking about us, the right to stop others from communicating about us.

So let's look at what would happen if the right were taken to its logical conclusion, just read by its terms. If people had the right to control information about themselves, that means they could perhaps sue us if we gossip about them to our friends. They could sue newspapers, as some people have tried to do, if they publish information that for whatever reason the subject of the information doesn't like--accurate information, but still, it's information about them. If the subject has the right to control information about himself, he should be able to stop newspapers from reporting it or stop his business partners, people who have done business with him, discussing the outcome and the terms of that transaction.

The right to control information about ourselves is the right to stop others from communicating this information, and whenever you start talking about rights to stop others from communicating, you run up against the First Amendment.
In fact, people have talked about codes of fair information practices, and I would like to suggest that at least as to many kinds of practices, the First Amendment is our code of fair information practices, just as if you wanted to talk about a code of fair journalism practices or a code of fair political debate practices. You know, we're all in favor of fair journalism, of fair political debate, of fair information management. But in the case of fair journalism practices, of fair political debate practices, I would take it we would say it is not up to the Government to set up this code; this code already exists, and it is the First Amendment. It seems to me that the same is, in large measure, true about other kinds of communication of information.

Just to give a couple of very brief examples of where this tension comes up, there is a case from California where California courts recognized the so-called disclosure tort, which really does give people control of information about themselves. There is a Reader's Digest article that was published about somebody who was an armed robber. Ten years before, he had engaged in armed robbery involving a gun battle with the police, but the courts allowed him to sue when Reader's Digest reported this fact in kind of a story saying, you know, here is a story from the past about this formerly notorious crime. The theory was, well, he has a right to privacy. And the court said, well, right-thinking people shouldn't want to know this information, and it used the term right-thinking people.

And I submit that under the First Amendment, it is up to each of us to decide, using our own thinking, whether we want to know certain information and whether we want to communicate certain information that we have acquired, whether as a result of reading public records; a result of doing business with somebody; or as a result of talking to people about this person.
Now, it seems to me, as I said, that similar things arise in the context of many--not all--some of the proposals that I think might be quite sound, but many cyberspace information privacy speech restrictions are, indeed, speech restrictions.

Let me briefly make, I think, one distinction that I think is very important in this context, and that is between restrictions that merely enforce contracts, either expressed or implied contracts, and distinctions that go beyond that; that we do not have and should not have a right to control people from speaking about us, but we should have a right to insist that they keep their promises to us. So if somebody on their Website says I promise to keep your information private, it is certainly quite legitimate for the government, either through a normal contract lawsuit or through, perhaps, FTC action and such, to enforce that. It seems to me, again, there might be policy questions as to what the best way of doing it is, but it would be quite Constitutional.

In certain situations, I think it is also legitimate for the government to say that we will infer a term, a privacy term, into the contract. I think that is how we can best understand things like attorney-client privilege and a variety of other such things; that when you go to an attorney, implicitly, the attorney is promising to keep certain information secret. And I think the government can establish these defaults in certain situations so long as the defaults are waivable; so long as the person can say or the Website can say I stand on my rights as a speaker to communicate this information. And I warn you up front: you know about it. If you deal with me, you have to understand that I am going to feel free to communicate information about you.

So if it is a truly contractual thing, including default terms, including more aggressive enforcement, then, it seems to me that would be a Constitutional thing.
But if it goes beyond it, if it says we will impose this speech restriction, even in the noble name of privacy, we will impose this speech restriction on you even without any contractual understanding, that, it seems to me, poses very serious First Amendment problems.

My time is up, but I would be happy to discuss some of the doctrinal issues having to do with things like intellectual property arguments, which I think are unsound; commercial speech arguments, which I think don't apply here; and other First Amendment doctrines that I think ultimately support rather than contradict my conclusions.

[The prepared statement of Eugene Volokh follows:]

PREPARED STATEMENT OF EUGENE VOLOKH,\1\ PROFESSOR OF LAW, UCLA LAW SCHOOL
---------------------------------------------------------------------------
\1\ Professor of Law, UCLA Law School (volokh@law.ucla.edu). This testimony is largely based on an article with the same title in 52 Stanford Law Review 1049 (2000), Copyright 2000 by Eugene Volokh and the Board of Trustees of the Leland Stanford Junior University.
---------------------------------------------------------------------------

INTRODUCTION

Privacy is a popular word, and government attempts to ``protect our privacy'' are easy to endorse. Government attempts to let us ``control . . . information about ourselves''\2\ sound equally good: Who wouldn't want extra control? And what fair-minded person could oppose requirements of ``fair information practices''?\3\
---------------------------------------------------------------------------
\2\ See, e.g., Charles Fried, Privacy, 77 Yale L.J. 475 (1968); Susan E. Gindin, Lost and Found in Cyberspace: Informational Privacy in the Age of the Internet, 34 San Diego L. Rev. 1153, 1155 (1997).
\3\ See, e.g., Joel R. Reidenberg, Setting Standards for Fair Information Practice in the U.S. Private Sector, 80 Iowa L. Rev. 497 (1995); Paul M.
Schwartz, Privacy and Participation: Personal Information and Public Sector Regulation in the United States, 80 Iowa L. Rev. 553 (1995).
---------------------------------------------------------------------------
The difficulty is that the right to information privacy--my right to control your communication of personally identifiable information about me--is a right to have the government stop you from speaking about me. We already have a code of ``fair information practices,'' and it is the First Amendment, which generally bars the government from controlling the communication of information (either by direct regulation or through the authorization of private lawsuits\4\), whether the communication is ``fair'' or not.\5\ While privacy protection secured by contract is constitutionally sound, broader information privacy rules are not easily defensible under existing free speech law.
---------------------------------------------------------------------------
\4\ Cf., e.g., New York Times v. Sullivan, 376 U.S. 254, 265 (1964) (holding that the First Amendment applies to ``civil lawsuit[s] between private parties,'' because such lawsuits involve ``[state] courts . . . appl[ying] a state rule of law'').
\5\ If ``fair information practices'' applied only to the government's control of its own speech, I would have had no objection to them. But governmental restriction of supposedly ``unfair'' speech by nongovernmental entities raises serious First Amendment problems.
---------------------------------------------------------------------------
Consider, for instance, the ``disclosure of private facts'' tort, which bars the media from reporting supposedly ``nonnewsworthy'' personal information that most people would find highly private.\6\ On the one hand, it sounds appealing; by definition, if the information is ``nonnewsworthy'' and ``private,'' why should anyone print it?
---------------------------------------------------------------------------
\6\ See Restatement (Second) of Torts Sec. 652D (1977).
---------------------------------------------------------------------------
But under our free speech regime, should a government agency (such as a court) really be able to decide what is ``newsworthy'' or ``of legitimate public concern''? Should, for instance, courts be able to hold--as California courts did--that the media may be punished for reporting that a college student politician is a transsexual, or that a person had committed armed robbery and engaged in a shootout with police ten years before?

True, some citizens might think that such reporting, in the words of one court, has no ``public purpose'' and was not ``of legitimate public interest,'' that there was no ``reason whatsoever'' for it, and that ``we, as right-thinking members of society, should permit [a person] to continue in the path of rectitude rather than throw him back into a life of shame or crime'' by revealing his past.\7\ Others, though, may disagree. And under the First Amendment, it should be up to each of us, as readers and publishers, to decide what we think is ``of legitimate public interest,'' and not to have the government make the decision for us, even in the name of ``privacy.'' The Supreme Court has never fully considered the constitutionality of the disclosure tort, but many courts have recognized the serious First Amendment problems that the tort poses.
---------------------------------------------------------------------------
\7\ Briscoe v. Reader's Digest Ass'n, 483 P.2d 34, 36, 41 (Cal. 1971).
---------------------------------------------------------------------------
Consider also Bartnicki v. Vopper, a currently pending Supreme Court case. In Bartnicki, an unknown person tape-recorded a cellular phone conversation in which two union officials were discussing the possibility of ``blow[ing] off the[] front porches'' of management.
The tape eventually made its way to a radio station, which played it on the air. The station was then sued under a federal statute banning the media from publishing or even paraphrasing intercepted cellular phone conversations, even when the media entity was entirely innocent of the actual interception.\8\
---------------------------------------------------------------------------
\8\ Bartnicki v. Vopper, 200 F.3d 109 (3rd Cir. 1999).
---------------------------------------------------------------------------
Again, the law serves noble purposes: it seeks to protect people's privacy, and to deter illegal interception of cellular conversations (and everyone agrees that the interception itself should be illegal). But it does this by restricting the press's freedom to publish--the right to control information, we again see, is a right to stop others from speaking. And the logic of the law of course doesn't stop at the rather unusual context of intercepted cell phone conversation: The same sort of law could easily be enacted to ban the publication of any material that's illegally leaked (for instance, in violation of an employer's nondisclosure agreement or a fiduciary duty of loyalty) as well as to the publication of material that's illegally gathered. The understandable desire to protect people's privacy can thus dramatically interfere with the media's freedom to report the news, and to the public's access to the news.

The same First Amendment objections apply, I will argue, to many recent proposals for laws securing information privacy on the Internet. Some people have argued that these proposals are different from the examples I give above, because they fall into some exceptions to First Amendment protection. And I agree that some such proposals, if they are framed as default contractual rules (such as true ``opt-in'' or ``opt-out'' provisions), or as disclosure requirements, are constitutional.
But other proposals are not constitutional, and the defenses which are most often given for them--the intellectual property argument, the commercial speech argument, the private concern argument, and the compelling government interest argument--are not sound under current First Amendment doctrine.

And while one can urge courts to narrow current First Amendment law to accommodate these new proposals, I think that would be a serious mistake. If free speech principles are diluted in the attractive case of information privacy speech restrictions, such a decision will be a powerful precedent for still more restraints that might be proposed in the future.

Such slippery slope concerns are still quite sensible, because accepting a proposed speech restriction entails accepting a principle that is broader than the particular proposal and that can logically cover many other kinds of restraints.\9\ Our legal system is based on precedent. Our political life is in large measure influenced by arguments by analogy. And many people's normative views of free speech are affected by what courts say: If the legal system accepts the propriety of laws mandating ``fair information practices,'' people may become more sympathetic to legal mandates of, for instance, fair news reporting practices or fair political debate practices.\10\
---------------------------------------------------------------------------
\9\ One of the most eloquent American expressions of this concern with uncabinable principles is also among the earliest:

[I]t is proper to take alarm at the first experiment on our liberties. We hold this prudent jealousy to be the first duty of citizens, and one of [the] noblest characteristics of the late Revolution. The freemen of America did not wait till usurped power had strengthened itself by exercise, and entangled the question in precedents. They saw all the consequences in the principle, and they avoided the consequences by denying the principle.
We revere this lesson too much, soon to forget it. Who does not see that the same authority which can establish Christianity, in exclusion of all other Religions, may establish with the same ease any particular sect of Christians, in exclusion of all other Sects? That the same authority which can force a citizen to contribute three pence only of his property for the support of any one establishment, may force him to conform to any other establishment in all cases whatsoever?

James Madison, Remonstrance Against Religious Assessments (1786). I likewise fear that the same authority which can force a citizen to stop speaking on one matter by, for instance, defining it out of the zone of ``legitimate public concern'' may in time do the same as to speech on other matters.
\10\ For some examples of past attempts to restrict such ``unfair'' speech, see, e.g., Hustler Magazine v. Falwell, 485 U.S. 46 (1988) (rejecting attempt to impose liability for a publisher's vicious parody of a political enemy); Miami Herald v. Tornillo, 418 U.S. 241 (1974) (rejecting attempt to require a newspaper to publish rebuttals of attacks on a candidate); Keefe v. Organization for a Better Austin, 402 U.S. 415 (1971) (rejecting attempt to enjoin leafletting aimed at pressuring a local resident to change his business practices); Mills v. Alabama, 384 U.S. 214 (1966) (rejecting attempt to ban election-day political editorials in the interests of preventing unrebuttable attacks).
The European Personal Data Directive, which is often praised by privacy advocates, does require countries to create a code of fair news reporting practices: It on its face applies to journalism that reveals personal data such as ``racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life,'' and mandates that governments create exemptions for journalism, art, or literature ``only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.'' Directive 95/46/EC, 1995 O.J. (L 281) 31, arts. 8(1), 9. What this provision will ultimately mean is so far unclear. Cf. James R. Maxeiner, Freedom of Information and the EU Data Protection Directive, 48 Fed. Comm. L.J. 93, 102 (1995) (stating that the ``only if they are necessary'' language was added to prevent ``the balance [from] fall[ing] too much in favor of the media,'' and concluding that the scope of the journalism exception is uncertain); Paul Eastham, I Would Have Gagged the Press Over Cook, London Daily Mail, Feb. 5, 1998, at 2 (quoting the senior English Law Lord as taking the view that the privacy directive would have barred certain news stories about a cabinet minister's alleged affair). The disclosure tort, of course, has always been an attempt to mandate fair news reporting practices.
---------------------------------------------------------------------------
I ultimately conclude that these risks of watering down important free speech protections are troubling enough that I must reluctantly oppose such information privacy rules. But I hope my views will also be useful to those who are committed to supporting information privacy speech restrictions, but would like to design their arguments in a way that will minimize the risks that I identify.
Thinking ahead about the possible unintended implications of a proposal--even, and perhaps especially, if it seems viscerally appealing--is always worthwhile.

I. INFORMATION PRIVACY SPEECH RESTRICTIONS

My analysis focuses on the government acting as sovereign, restricting what information nongovernmental speakers may communicate about people. I thus exclude restrictions that the government imposes on its own agencies, such as Freedom of Information Act provisions that prevent government revelation of certain data, or IRS or census rules that prohibit the communication of some tax or census data to other government agencies or to the public. By focusing on communication by nongovernmental speakers--reporters, businesspeople, private detectives, neighbors--I limit the inquiry to people and organizations that indubitably have free speech rights.

I also exclude restrictions that the government imposes as an employer (e.g., telling its employees that they may not reveal confidential information learned in the course of employment), or as a contractor putting conditions on the communication of information that it has no constitutional duty to reveal (e.g., telling people who want certain lists from the Federal Election Commission that they may only get them if they promise not to use those lists for certain purposes, or telling litigants that they will get discovery materials only if they promise not to reveal them). The government has long been held to have much broader powers when it's acting as employer or contractor, imposing constraints on those who assume them in exchange for government benefits or for access to government records, than when it's acting as sovereign, controlling the speech of private citizens.

I also focus only on restrictions on communication.
Other things that are often called privacy rules--the right to be free from unreasonable governmental searches and seizures, the right to make certain decisions about one's life without government interference, the right not to have people listen to you or watch you by going onto your property, the right not to have people electronically eavesdrop on your conversations, the requirement that credit bureaus notify consumers when credit reports about them are prepared, and the like--are outside the scope of my discussion. Some of these laws, for instance restraints on government snooping or control, pose no First Amendment problems. For other laws, such as restrictions on nongovernmental gathering of information through nonspeech means, the First Amendment rules are unclear; but it is clear that the analysis of restrictions on information gathering is different from the analysis of restrictions on speech. It is the latter doctrine that is most fully developed, and that provides the most protection against government restrictions.

These three exclusions merely reflect the fact that the strongest protection of free speech has long been seen as arising when the government is acting as sovereign, restricting the speech of private parties. And within this zone lie a variety of current and proposed speech restrictions, including both older rules such as the disclosure tort, and newer ones such as some proposed restrictions on businesses revealing information about their customers.

II. CONTRACT

A. Permissible Scope

To begin with, one sort of limited information privacy law--contract law applied to promises not to reveal information--is eminently defensible under existing free speech doctrine. The Supreme Court explicitly held in Cohen v.
Cowles Media that contracts not to speak are enforceable with no First Amendment problems.\11\ Enforcing people's own bargains, the Court concluded (I think correctly), doesn't violate those people's rights, even if they change their minds after the bargain is struck. Insisting that people honor their bargains is a constitutionally permissible ``code of fair practices,'' whether information practices or otherwise.
---------------------------------------------------------------------------
\11\ 501 U.S. 663 (1991).
---------------------------------------------------------------------------
And such protection ought not be limited to express contracts, but should also cover implied contracts (though, as will be discussed below, there are limits to this theory). In many contexts, people reasonably expect--because of custom, course of dealing with the other party, or all the other factors that are relevant to finding an implied contract--that part of what their contracting partner is promising is confidentiality.

Furthermore, though Cohen v. Cowles Media involved traditional enforcement of a promise through a civil suit, there should be no constitutional problem with the government enforcing such promises through administrative actions, or using special laws imposing presumed or even punitive damages for breaches of such promises. I suspect that even with purely contractual remedies, the threat of class action suits could be a powerful deterrent to breaches of information privacy contracts by e-commerce sites, especially since the suits would create a scandal: In the highly competitive Internet world, a company could lose millions in business if people hear that it's breaking its confidentiality promises. But I think it would be constitutional for the government to try to increase contractual compliance either by providing an extra incentive for aggrieved parties to sue or by bringing a complaint itself.
The great free speech advantage of the contract model is that it does not endorse any right to ``stop people from speaking about me.'' Rather, it endorses a right to ``stop people from violating their promises to me.'' One such promise may be a promise not to say things, and perhaps there may even be special defaults related to such promises or special remedies for breaches of such promises. The government may enforce obligations that the would-be speaker has himself assumed. And such enforcement, in my view, poses little risk of setting a broad precedent for many further restrictions, precisely because it is founded only on the consent of the would-be speaker, and thus cannot justify the other speech restraints to which the speaker has not consented.

B. Limitations

Contract law protection, though, is distinctly limited, in two ways.

First, it only lets people restrict speech by parties with whom they have a speech-restricting contract, express or implied. If I make a deal with a newspaper reporter under which he promises not to identify me as a source, I can enforce the deal against the reporter and the reporter's employer, whom the reporter can bind as an agent. But if a reporter at another news outlet learns this information, then that outlet can publish it without fear of a breach of contract lawsuit.

Second, Cohen v. Cowles Media cannot validate speech-restrictive terms that the government compels a party to include in a contract; the case at most validates government-specified defaults that apply unless the offeror makes clear that these terms aren't part of the offered deal.
Thus, while the government may say ``Cyberspace sales contracts shall carry an implied warranty that the seller promises not to reveal the buyer's personal information,'' it may not add ``and this implicit warranty may not be waived, even by a prominent statement that is explicitly agreed to by a customer clicking on an `I understand, and agree to the contract in spite of this' button.''

This flows directly from the rationale on which Cohen v. Cowles Media rests: ``The parties themselves . . . determine the scope of their legal obligations, and any restrictions which may be placed on the publication of truthful information are self-imposed.'' A merchant's express promise of confidentiality is ``self-imposed''; so, one can say, is an implicit promise, when the merchant had the opportunity to say ``by the way, I am not waiving my rights to speak about this transaction and am thus not promising confidentiality'' but didn't do so. But when someone is legally barred from communicating, even if he explicitly told his contracting partner that he was making no such promise, then such an obligation is hardly ``self-imposed'' or determined by mutual agreement.

Thus, I certainly do not claim that a contractual approach to information privacy, even with a large dollop of implied contract, is a panacea for information privacy advocates. There is much that information privacy advocates may want but that contract will not provide. I claim only that contractual solutions are a constitutional alternative and may be the only constitutional alternative, not that they are always a particularly satisfactory alternative.

C. Contracts with Children

Finally, this discussion of contracts presupposes that both parties are legally capable of entering into the contract and of accepting a disclaimer of any implied warranty of confidentiality. If a cyber-consumer is a child, then such an acceptance might not be valid.
This is also a difficult issue, but one that is outside the scope of this Article.<SUP>12</SUP> --------------------------------------------------------------------------- \12\ Cf. Children's Online Privacy Protection Act of 1998, 15 U.S.C. Sec. Sec. 6501 et seq.; Justin Matlick, Governing Internet Privacy: A Free-Market Primer (Pacific Research Institute, July 1999), (visited March 3, 2000) <http://www.pacificresearch.org>; Solveig Singleton, Privacy as Censorship: A Skeptical View of Proposals to Regulate Privacy in the Private Sector, Cato Policy Analysis No. 295 (Jan. 22, 1998) <http://www.cato.org/pubs/pas/pa-295.html>, text accompanying nn.76-79. --------------------------------------------------------------------------- III. PROPERTY A. Intellectual Property Rules as Speech Restrictions Partly because of the limitations of the contract theory, many information privacy advocates argue that people should be assigned a property right in personal information about themselves.<SUP>13</SUP> Such a property approach would bind everyone, and not just those who are in contractual privity with the person being talked about. --------------------------------------------------------------------------- \13\ See, e.g., Lawrence Lessig, The Architecture of Privacy, Vand. J. Ent. L. & Prac., April 1999, at 56, 63. --------------------------------------------------------------------------- Database operators would have to stop communicating information about people unless people give permission, even though the database operators have never promised, expressly or implicitly, to keep silent. Likewise, people could stop newspapers from publishing stories about them, even if the information was gleaned through interviews with third parties or was taken (with no contractual constraints) from public records.<SUP>14</SUP> --------------------------------------------------------------------------- \14\ See Edward J. 
Bloustein, Privacy Is Dear at Any Price: A Response to Professor Posner's Economic Theory, 12 Ga. L. Rev. 429, 439-40 (1978). --------------------------------------------------------------------------- Calling a speech restriction a ``property right,'' though, doesn't make it any less a speech restriction, and it doesn't make it constitutionally permissible. Broad, pre-New York Times v. Sullivan libel laws can be characterized as protecting a property right in reputation; in fact, some states consider reputation a property interest.<SUP>15</SUP> The right to be free from interference with business relations, including interference by speech urging a boycott as in NAACP v. Claiborne Hardware,<SUP>16</SUP> is often seen as a property right.<SUP>17</SUP> --------------------------------------------------------------------------- \15\ Reputation is generally not a property interest for purposes of the federal Due Process Clause, Paul v. Davis, 424 U.S. 693 (1976), but it can be a property right for other purposes. E.g., Marrero v. City of Hialeah, 625 F.2d 499, 514 (5th Cir. 1980). \16\ 458 U.S. 886 (1982). \17\ E.g., Leonard Duckworth, Inc. v. Michael L. Field & Co., 516 F.2d 952, 955 (5th Cir. 1975). --------------------------------------------------------------------------- Restrictions on speech that uses cultural symbols in ways that the cultures find offensive might likewise be reframed as property rights in those symbols.<SUP>18</SUP> A ban on all unauthorized biographies, whether of former child prodigies, movie stars, or politicians, can be seen as securing a property interest in the details of those people's lives. Similarly, an early right of publicity case took the view that people who aren't public figures have the exclusive right to block all photos and portraits of themselves, with no exceptions for news stories.<SUP>19</SUP> --------------------------------------------------------------------------- \18\ Cf. Hornell Brewing Co. v. 
Rosebud Sioux Tribal Court, 133 F.3d 1087 (8th Cir. 1998) (involving the descendants of the Sioux leader Crazy Horse, then 115 years dead, trying to use right of publicity law to stop the marketing of Crazy Horse Malt Liquor; the malt liquor company won on procedural grounds). \19\ Corliss v. E.W. Walker Co., 64 F. 280, 282 (C.C.D. Mass. 1894). --------------------------------------------------------------------------- Each of these ``property rights,'' though, would remain a speech restriction. A property right is, among other things, the right to exclude others; <SUP>20</SUP> an intellectual property right in information is the right to exclude others from communicating the information--a right to stop others from speaking. Like libel law, intellectual property law is enforced almost entirely through private litigation, but like libel law, it's still a government-imposed restriction on speech.<SUP>21</SUP> Some such restrictions may be permissible because there's some substantive reason why it's proper for the government to restrict such speech, but not because they are intellectual property rights. --------------------------------------------------------------------------- \20\ See, e.g., Kaiser Aetna v. United States, 444 U.S. 164, 179-80 (1979) (``the `right to exclude' [is] universally held to be a fundamental element of the property right''). \21\ See, e.g., New York Times Co. v. Sullivan, 376 U.S. 254, 265 (1964); see also Hustler Magazine v. Falwell, 485 U.S. 46 (1988) (same as to intentional infliction of emotional distress); NAACP v. Claiborne Hardware, 458 U.S. 886 (1982) (same as to intentional interference with business relations). 
--------------------------------------------------------------------------- The question isn't (as some suggest) ``who should own the property right to personal information?'' <SUP>22</SUP> Rather, it's whether personal information should be treated as property at all--whether some ``owner'' should be able to block others from communicating this information, or whether everyone should be free to speak about it. --------------------------------------------------------------------------- \22\ See, e.g., Richard S. Murphy, Property Rights in Personal Information: An Economic Defense of Privacy, 84 Geo. L.J. 2381, 2393 (1996). --------------------------------------------------------------------------- B. Existing Restrictions as Supposed Precedents The Court has, of course, upheld some intellectual property rights against First Amendment challenge, acknowledging that they are speech restrictions but holding that those restrictions were constitutional. In all these precedents, though, the Court has stressed a key point: The restrictions did not give the intellectual property owners the power to suppress facts. And this power to suppress facts is exactly the power that information privacy speech restrictions would grant.<SUP>23</SUP> --------------------------------------------------------------------------- \23\ See generally, e.g., Rochelle Cooper Dreyfuss, Warren and Brandeis Redux: Finding (More) Privacy Protection in Intellectual Property Lore, 1999 Stan. Tech. L. Rev. VS 8, available at <http://stlr.stanford.edu/STLR/Symposia/Privacy/99__VS__8/> (concluding that traditional intellectual property law provides little support for informational privacy speech restrictions); Pamela Samuelson, Privacy as Intellectual Property?, 52 Stan. L. Rev. 1125, 1136-46 (2000) (same). --------------------------------------------------------------------------- Harper & Row v. 
Nation Enterprises, which held that copyright law is constitutional, <SUP>24</SUP> is the best example of this. Under copyright law, I may not publish a book that includes more than a modicum of creative expression from your book, even though my book is neither obscene nor libelous nor commercial advertising; such a restriction, Harper & Row held, is indeed a speech restriction, but a permissible one. --------------------------------------------------------------------------- \24\ 471 U.S. 539 (1985). --------------------------------------------------------------------------- But the main reason Harper & Row gave for this conclusion is that copyright law does not give anyone a right to restrict others from communicating facts or ideas. ``[C]opyright's idea/expression dichotomy strike[s] a definitional balance between the First Amendment and the Copyright Act by permitting free communication of facts while still protecting an author's expression.'' ``No author may copyright his ideas or the facts he narrates.'' Copiers ``possess[] an unfettered right to use any factual information revealed in [the original],'' though they may not copy creative expression. There ought not be ``abuse of the copyright owner's monopoly as an instrument to suppress facts.'' ``In view of the First Amendment protections already embodied in the Copyright Act's distinction between copyrightable expression and uncopyrightable facts and ideas,'' copyright law is constitutional. Under the copyright exception to free speech protection, then, speech that borrows creative expression is restrictable, but speech that borrows only facts remains free. The same goes for other intellectual property rights in speech, such as trademark law, right of publicity law, and trade secret law. For space reasons, I will not discuss them in detail here; a thorough discussion is available in Parts III.B.2-4 of http://www.law.ucla.edu/faculty/volokh/privacy.htm. 
But the bottom line is that all these restrictions create a fairly narrow right that may affect the form of people's speech but ought not prevent people from communicating facts. Any putative property right in one's personal information can thus be adopted by analogy only if one is willing to relax this limitation, a limitation that is critical to protecting free speech. C. Functional Arguments for Upholding Information Privacy Speech Restrictions Under a Property Theory 1. Avoiding ``free-riding'' and unjust enrichment. Some argue for property rights in personal information on functional grounds: Those who communicate personal information about others are engaging in a sort of free riding, enriching themselves without compensating the people whose existence makes their enrichment possible; and property rights, the argument goes, are the way to avoid this free riding. As one article argued, in 1988 three leading credit bureaus made almost $1 billion put together from selling credit information, but ``[h]ow much did these credit bureaus pay consumers for the information about them that they sold? Zero.'' <SUP>25</SUP> --------------------------------------------------------------------------- \25\ Scott Shorr, Personal Information Contracts: How to Protect Privacy Without Violating the First Amendment, 80 Cornell L. Rev. 1756, 1793 (1995). --------------------------------------------------------------------------- This, though, cannot be the justification for restricting speech, unless we are willing to dramatically redefine free speech law. Newspapers and radio and TV news programs, after all, make billions from stories that are made possible only by the existence of their subjects. The essence of news is precisely the reporting of things done or discovered by others; the essence of the news business is profiting from reporting on things done or discovered by others. 
But news organizations generally don't pay a penny to the subjects of their stories--in fact, it is seen as unethical for news organs, though not entertainment organs, to pay subjects. Likewise, unauthorized biographers and historians make money from publishing information about others, information that only exists because those people exist. Comedians who tell jokes about people make a living from those they mock.<SUP>26</SUP> --------------------------------------------------------------------------- \26\ In some of these examples, some subjects of the speech do profit from the speech, albeit indirectly. The subject of a story may be pleased by his newfound fame; the manufacturer of a product that's covered favorably in the newspaper may make money as a result of the coverage. But of course other subjects of news stories are hurt, either financially or emotionally, by those stories; in such cases, the news organ may be making a profit at the same time that the subjects of the stories, without whom the stories would never have existed, are suffering a loss. Free speech law's response to these subjects is ``tough luck,'' at least unless the stories say something false. And in this respect, distribution of personal information databases is no different from the publishing of news. Many, perhaps most, of the subjects of these databases derive indirect benefits just like the subjects of news stories do. If I have a good credit history, I am benefited by the credit history databases--if the databases didn't exist and would-be creditors had no way of knowing my record, I'd have to pay a higher interest rate. Likewise, while many people are annoyed by having their personal information available to marketers, some people apparently find the targeted marketing useful, or else they wouldn't buy as a result of this marketing and the marketing would become unprofitable and stop. 
Thus, some (but not all) people indirectly benefit as a result of information about them being stored in databases--just as some (but not all) people indirectly benefit as a result of news stories about them or their businesses. --------------------------------------------------------------------------- All these speakers are free-riding: They are taking advantage of something that relates to someone else and that exists only because of that other person's existence, and they aren't paying that person for it (though they are usually investing a good deal of time, money, and effort in the project--this free-riding is certainly not mere literal copying). But our legal system correctly allows a great deal of free-riding. It has never been a principle of tort law that all free-riding is illegal, or that all such enrichment is unjust. Intellectual property law has generally tried to prevent not free-riding as such, but free-riding of a particular kind: the use not just of something that relates to another, but the use of the product of another's substantial labor, and even that only in limited cases. Such a use runs the risk of dramatically diminishing the incentive to engage in such labor, which is what makes the defendant's enrichment socially harmful rather than merely unjust in some abstract moral sense. This concern is at the heart of copyright law, <SUP>27</SUP> of the right to prevent the unauthorized transmission of an entire act, <SUP>28</SUP> and to a large extent of trade secret law. But this concern does not apply to personal information about people, where the incentive arguments don't really apply. --------------------------------------------------------------------------- \27\ See Feist Publications, Inc. v. Rural Tel. Serv. Co., 499 U.S. 340, 349 (1991). \28\ Zacchini v. Scripps-Howard Broad. Co., 433 U.S. 562, 576 (1977). --------------------------------------------------------------------------- 2. 
Internalizing costs and maximizing aggregate utility. Another functional argument often made on behalf of a property rights theory of information privacy speech restrictions is that the property rights model is the best way to require speakers to ``internalize th[e] cost'' of their speech ``by paying those whose data is used.'' <SUP>29</SUP> Such internalizing, the theory goes, would maximize aggregate social utility: By ``recogniz[ing the] diversity'' of people's desires for information privacy, the property rule could make sure that information about each person is communicated only if the benefit to the speaker exceeds the felt cost to the subject.<SUP>30</SUP> --------------------------------------------------------------------------- \29\ Lessig, supra note 12, at 63. \30\ See, e.g., id.; Bloustein, supra note 12, at 439-40; Murphy, supra note 12, at 2395-96. --------------------------------------------------------------------------- The principle of free speech law, though, is that speakers do not have to internalize all the felt costs that flow from the communicative impact of their speech. The NAACP didn't have to internalize the tangible economic (not just emotional) cost that its boycott imposed on the Claiborne County merchants.<SUP>31</SUP> Movie producers don't have to internalize the tangible cost that their movies impose on victims of viewers who commit copycat crimes.<SUP>32</SUP> Cohen, Johnson, and Hustler didn't have to internalize the emotional distress cost that their speech inflicted on passersby or on its subject.<SUP>33</SUP> --------------------------------------------------------------------------- \31\ NAACP v. Claiborne Hardware Co., 458 U.S. 886 (1982). \32\ E.g., Olivia N. v. NBC, Inc., 178 Cal. Rptr. 888 (Ct. App. 1981) (barring recovery where child was sexually abused by minors who allegedly copied a similar crime shown on television). \33\ Cohen v. California, 403 U.S. 
15 (1971) (public profanity constitutionally protected); Texas v. Johnson, 491 U.S. 397 (1989) (public flag burning constitutionally protected); Hustler Magazine v. Falwell, 485 U.S. 46 (1988) (vicious personal attack constitutionally protected). --------------------------------------------------------------------------- D. The Potential Consequences Of course, despite the arguments given above, the Court is always free to broaden the intellectual property exception to allow people to restrict facts; but this, I think, would be a bad idea. Speech that reveals private information is not the only speech that some want to restrict under the property rights model. As many leading commentators have recently argued, we are now in the midst of a broad movement that uses intellectual property rhetoric to broaden people's rights to restrict others' speech.<SUP>34</SUP> The proposed database protection legislation would give database owners a form of property right in collections of information.<SUP>35</SUP> --------------------------------------------------------------------------- \34\ See, e.g., Yochai Benkler, Free as the Air to Common Use: First Amendment Constraints on Enclosure of the Public Domain, 74 N.Y.U. L. Rev. 354, 354 (1999) (``We are in the midst of an enclosure movement in our informational environment.''). \35\ See id. at 358, 440, 445-46. 
--------------------------------------------------------------------------- Some recent cases have revived the misappropriation tort, recognizing a property right in news.<SUP>36</SUP> Many recent cases have broadened trademark owners' rights to restrict parodies and other transformative uses (though fortunately some courts seem to be resisting this trend).<SUP>37</SUP> The right of publicity is growing to include any advertising, merchandising, and even interior decor that reminds people of a celebrity, even if it doesn't use the celebrity's name or likeness.<SUP>38</SUP> --------------------------------------------------------------------------- \36\ See, e.g., NBA v. Motorola, Inc., 105 F.3d 841, 853 (2nd Cir. 1997) (fortunately limiting the tort to only a narrow range of hot news). \37\ See generally Mark A. Lemley, The Modern Lanham Act and the Death of Common Sense, 108 Yale L.J. 1687 (1999). \38\ See, e.g., White v. Samsung Elecs. Am., Inc., 989 F.2d 1512, 1520 (9th Cir.) (Kozinski, J., dissenting from denial of rehearing en banc); Wendt v. Host Int'l, 125 F.3d 806 (9th Cir. 1997). --------------------------------------------------------------------------- Many have criticized this creeping propertization of speech, often on First Amendment grounds.<SUP>39</SUP> But if the arguments that ``it's not a speech restriction, it's an intellectual property rule'' or ``the Supreme Court has upheld property rights in information, so property rights in information are constitutional'' are accepted for information privacy speech restrictions, they will be considerably strengthened as to the other restrictions, too. --------------------------------------------------------------------------- \39\ See, e.g., Lemley, supra note 36, at 1710-12 (``The expansive power that is increasingly being granted to trademark owners has frequently come at the expense of freedom of expression. 
As trademarks are transformed from rights against unfair competition to rights to control language, our ability to discuss, portray, comment, criticize, and make fun of companies and their products is diminishing.''). --------------------------------------------------------------------------- Now perhaps my parade of horribles isn't so horrible; maybe we should have more property rights in facts, which is to say restrictions on speech that communicates facts. Nonetheless, people who are worried about the general trend towards propertization of information should look very carefully at even those proposals that might at first seem benign and even just; such proposals could have effects far beyond the context in which they are first suggested. IV. COMMERCIAL SPEECH A. What ``Commercial Speech'' Means Some argue that sale of information about customers is restrictable because it fits within the ``commercial speech'' doctrine.<SUP>40</SUP> The Court's definition of ``commercial speech,'' though, isn't (and can't be) simply speech that is sold as an article of commerce: Most newspapers, movies, and books are articles of commerce, too, but they remain fully protected.<SUP>41</SUP> Likewise, speech can't be commercial just because it relates to commerce, or else the Wall Street Journal, union leaflets and newsletters, <SUP>42</SUP> newspaper reviews of commercial products, <SUP>43</SUP> and speech by disgruntled consumers criticizing what they consider poor service by producers would be deprived of full constitutional protection. --------------------------------------------------------------------------- \40\ See, e.g., United Reporting Publ'g Corp. v. California Highway Patrol, 146 F.3d 1133, 1137 (9th Cir. 1999), rev'd on other grounds sub nom. Los Angeles Police Dep't v. United Reporting Publ'g Corp., 120 S. Ct. 483 (1999). \41\ See, e.g., Smith v. California, 361 U.S. 
147, 150 (1959) (``It is of course no matter that the dissemination [of speech by the claimant] takes place under commercial auspices''). \42\ See, e.g., Debartolo Corp. v. Florida Gulf Coast Trades Council, 485 U.S. 568 (1988). \43\ See, e.g., Bose Corp. v. Consumers Union, 466 U.S. 485 (1984). --------------------------------------------------------------------------- Rather, the Court's now-standard definition of commercial speech is speech that explicitly or implicitly ``propose[s] a commercial transaction.'' <SUP>44</SUP> Commercial advertisements for products or services are classic examples. So are stock prospectuses, which propose the purchase of stock; this is why fairly heavy SEC regulation of speech in such prospectuses is largely permissible, while similar SEC regulation of newsletters or newspapers that discuss stocks is not.<SUP>45</SUP> --------------------------------------------------------------------------- \44\ Virginia State Bd. of Pharmacy v. Virginia Citizens Consumer Council, Inc., 425 U.S. 748, 761 (1976). \45\ See Lowe v. SEC, 472 U.S. 181, 211 (1985) (White, J., concurring in the judgment). --------------------------------------------------------------------------- Under the ``speech that proposes a commercial transaction'' analysis, communication of information about customers by one business to another is not commercial speech. It doesn't advertise anything, or ask the receiving business to buy anything from the communicating business.<SUP>46</SUP> It poses no special risk of the speaker misleading or defrauding the listener, beyond those risks present with fully protected speech generally. The recipient business does intend to use the information to more intelligently engage in commercial transactions, but that's equally true of businesspeople reading Forbes. 
--------------------------------------------------------------------------- \46\ Sometimes, of course, a business will use customer information that it has bought from another business to send out commercial advertisements to prospective clients. These advertisements would indeed be commercial speech, though the original communication of the customer information is not. See U.S. West, Inc. v. FCC, 182 F.3d 1224 (10th Cir. 1999). --------------------------------------------------------------------------- Of course, even if speech that communicates personal information is seen as ``commercial speech,'' restrictions on such speech will still have to face considerable scrutiny. Whether they will pass such scrutiny is hard to tell, since commercial speech scrutiny is so notoriously vague. But this question is actually somewhat tangential to my main point. To me, the main problem with treating speech that communicates personal information as ``commercial speech'' is not that this will put such speech at more risk of restriction. Rather, it is that stretching the definition of ``commercial speech'' will put a wide range of other speech at risk, too. B. The Risks to Other Speech Consider a recent example of the government trying to regulate cyberspace speech about economic matters on the grounds that it's ``commercial speech.'' In Taucher v. Born, several operators of commodities-themed Web sites successfully sued to set aside a prior restraint system which bars people from distributing for profit any unlicensed speech that relates ``to the value of or the advisability of commodity trading'' or that contains ``analyses or reports'' about commodities.<SUP>47</SUP> --------------------------------------------------------------------------- \47\ 7 U.S.C. Sec. 6m(1). 
--------------------------------------------------------------------------- And the license that speakers must get to be allowed to speak isn't just a modest tax; the Commodities Futures Trading Commission can refuse a license if it finds ``good cause'' to do so, and speaking without a license is illegal. Nor is this speech restriction limited to individualized, person-to-person professional advice: The regulation is broad enough to cover people who ``never engage in individual consultations with their customers'' and who ``under no circumstances make trades for their customers.'' <SUP>48</SUP> --------------------------------------------------------------------------- \48\ Taucher v. Born, 53 F. Supp. 464, 478 (D.D.C. 1999). --------------------------------------------------------------------------- The law essentially restricts the Web equivalent of books and newspapers about commodity trading--it's as if the government claimed the right to refuse the Wall Street Journal a license to publish articles about the market. As it happens, the law specifically excludes publishers who publish such data ``incidental[ly]'' as part of a broader news enterprise of ``general and regular dissemination,'' <SUP>49</SUP> so the Journal can sleep easy. But under the logic of the law, newspapers and book publishers could also be subject to a prior restraint system, just as the small commodities-focused electronic publishers were subject to it until the court's ruling. --------------------------------------------------------------------------- \49\ 7 U.S.C. Sec. Sec. 1a(5)(B)(iv), 1a(5)(C). 
--------------------------------------------------------------------------- The CFTC argued that speech about commodities is mere ``commercial speech,'' but the court correctly rejected this: <SUP>50</SUP> ``The plaintiffs' publications in this case do not propose any commercial transaction between the plaintiffs and their customers.'' <SUP>51</SUP> If, however, the commercial speech doctrine had been extended to cover the sale of speech about a business's clients, the court's decision might well have been different. --------------------------------------------------------------------------- \50\ The CFTC's other argument was that the government may regulate speech in the context of a professional-client relationship, but the court adopted the response to a similar argument given by Justice White in his SEC v. Lowe, 472 U.S. 181 (1985), concurrence: Whatever extra power the government may have to regulate the professional-client relationship, this power arises only when the professional exercises individualized judgment on behalf of a particular client. Personal advice may to some extent be restricted, but books, newsletters, and the like may not be. \51\ Taucher v. Born, 53 F. Supp. at 480. --------------------------------------------------------------------------- After all, the Web business journalist who writes about commodities is likewise selling information that's primarily of economic concern, and that has little to do with broad political debates. If that's enough to deny free speech protection to communications about customers, it may be enough to deny such protection to communications about commodities. Consider another example: disgruntled homebuyers putting up signs criticizing the developer that sold them their homes, or consumers leafleting outside a business that they claim sold them defective goods, often hoping that the business will give them a refund or at least will do a better job in the future. 
In cyberspace, the analogy would be consumers putting up a http://www.[businessname]sucks.com site or circulating messages to a long list of acquaintances or to a Usenet newsgroup. In my view, the First Amendment fully protects such speech that is aimed at creating public pressure on someone to do what you think is right, even in economic contexts--that, after all, is what much advocacy is about.<SUP>52</SUP> The fact that the speech exposes alleged problems with a product and aims at redressing an economic harm should not strip it of protection. For many people problems with their homes and redress for shoddy wares are more important than problems with politicians and redress for shoddy policies, and far more important than art, entertainment, or many other kinds of fully protected speech. --------------------------------------------------------------------------- \52\ See, e.g., Debartolo Corp. v. Florida Gulf Coast Trades Council, 485 U.S. 568 (1988); NAACP v. Claiborne Hardware, 458 U.S. 886 (1982); Keefe v. Organization for a Better Austin, 402 U.S. 415 (1971). --------------------------------------------------------------------------- If the consumer's speech is an intentional lie (or perhaps in some circumstances if it's merely negligently false), the business can sue for libel; false statements of fact, whether on economic matters or not, lack constitutional protection. But the law shouldn't impose extra restrictions on the speech just because the speech deals with economic issues. Again, though, a broadening of the commercial speech doctrine would jeopardize speech of this sort. If communicating information about a person's bad credit record is mere ``commercial speech,'' then communicating information about a business's bad service record should be, too. Both, after all, involve speech on economic matters. Both involve speech that's primarily of economic interest to listeners. 
Both are motivated by the speaker's economic interest--either a desire to get money from the buyer of the information, or a desire to get redress from the business. Either both are commercial speech or neither is. In a free and competitive economy, people naturally want to talk about economic matters. Giving the government an ill-defined but potentially very broad power to restrict such speech--not just speech that proposes a commercial transaction between speaker and listener and thus directly implicates the risk of fraud--risks exposing a great deal of speech to government policing. V. SPEECH ON MATTERS OF PRIVATE CONCERN A. The Argument One feature of virtually all information privacy proposals (except those built on a contract model) is their distinction between speech on matters of public concern and speech on matters of private concern.<SUP>53</SUP> Even people who argue that newspapers should be forbidden from publishing a private person's long-ago criminal history or a politician's sexual orientation would probably agree that they have a right to publish the politician's criminal history, no matter how old. ``Political speech'' or ``speech on matters of public concern'' or ``newsworthy'' material, they would argue, is constitutionally protected, while speech that is merely of private concern is not protected, at least against information privacy speech restrictions. --------------------------------------------------------------------------- \53\ See, e.g., among many others, Peter B. Edelman, Free Press v. Privacy: Haunted by the Ghost of Justice Black, 68 Tex. L. Rev. 1195, 1229-30 (1990); Julie Cohen, Examined Lives: Informational Privacy and the Subject as Object, 52 Stan. L. Rev. 1373, 1414, 1417 (2000). 
--------------------------------------------------------------------------- But this approach, I will argue, is theoretically unsound; it is precedentially largely unsupported; in the few circumstances in which it has been endorsed, it has proven unworkable; and, if adopted, it would strengthen the arguments for many other (in my view improper) speech restrictions. B. The Dangers of the Argument Under the First Amendment, it's generally not the government's job to decide what subjects speakers and listeners should concern themselves with.<SUP>54</SUP> A private concern exception essentially says ``you have no right to speak about topics that courts think are not of legitimate concern to you and your listeners,'' a view that's inconsistent with this understanding. --------------------------------------------------------------------------- \54\ See, e.g., Police Dep't v. Mosley, 408 U.S. 92, 95 (1972) (``[A]bove all else, the First Amendment means that government has no power to restrict expression because of its message, its ideas, its subject matter, or its content.''). The Court has recognized some exceptions to this principle, but this presumption is still the basis for the Court's analysis of speech restrictions imposed by the government as sovereign. --------------------------------------------------------------------------- A clear example of the danger of such government power comes in a disclosure tort case, Diaz v. Oakland Tribune.<SUP>55</SUP> Diaz, the first woman student body president at a community college, was a transsexual, and the Oakland Tribune published this fact. Diaz sued, and the court of appeals held that her lawsuit could go forward; if a jury found that Diaz's transsexuality wasn't newsworthy, she could prevail.<SUP>56</SUP> --------------------------------------------------------------------------- \55\ 188 Cal. Rptr. 762 (Ct. App. 1983). 
\56\ The court set aside the verdict for Diaz because of a jury instruction error, but remanded for a new trial. --------------------------------------------------------------------------- As usually happens in these cases, the court didn't define newsworthiness but left it to the jury, subject only to the instruction that ``[i]n determining whether the subject article is newsworthy you may consider [the] social value of the fact published, the depth of the article, [its] intrusion into ostensibly private affairs, and the extent to which the plaintiff voluntarily acceded to a position of public notoriety.'' But the court did stress that a jury could find that the speech wasn't newsworthy: ``[W]e find little if any connection between the information disclosed and Diaz's fitness for office. The fact that she is a transsexual does not adversely reflect on her honesty or judgment.'' Now I agree with the court's factual conclusion; people's gender identity strikes me as irrelevant to their fitness for office. But other voters take a different view. Transsexuality, in their opinion, may say various things about politicians: It may say that they lack attachment to traditional values, that they are morally corrupt, or even just that they have undergone an unnatural procedure and therefore are somehow tainted by it. These views may be wrong, but surely it is not for government agents--whether judges or jurors--to dictate the relevant criteria for people's political choices, and to use the coercive force of law to keep others from informing them of things that they may consider relevant to those choices. I may disagree with what you base your vote on, but I must defend your right to base your vote on it, and the right of others to tell you about it. This is the clearest example of a court using the public concern test to usurp what should be a listener's and speaker's choice, but other public disclosure cases raise similar problems. 
Consider, for instance, the criminal history cases, in which some courts held that it was illegal for newspapers to print information about ``long past'' criminal activity by people who are now supposedly rehabilitated and are leading allegedly blameless lives. The leading such case is Briscoe v. Reader's Digest Association, in which Reader's Digest was held liable for revealing that Briscoe had eleven years earlier been convicted of armed robbery (a robbery that involved his fighting ``a gun battle with the local police'').<SUP>57</SUP> --------------------------------------------------------------------------- \57\ 483 P.2d 34, 36 (Cal. 1971). --------------------------------------------------------------------------- The court acknowledged that the speech, while not related to any particular political controversy, was newsworthy; the public is properly concerned with crime, how it happens, how it's fought, and how it can be avoided. Moreover, revealing the identity of someone ``currently charged with the commission of a crime'' is itself newsworthy, because ``it may legitimately put others on notice that the named individual is suspected of having committed a crime,'' thus presumably warning them that they may want to be cautious in their dealings with him. But revealing Briscoe's identity eleven years after his crime, the court said, served no ``public purpose'' and was not ``of legitimate public interest''; there was no ``reason whatsoever'' for it. The plaintiff was ``rehabilitated'' and had ``paid his debt to society.'' ``[W]e, as right-thinking members of society, should permit him to continue in the path of rectitude rather than throw him back into a life of shame or crime'' by revealing his past. ``Ideally, [Briscoe's] neighbors should recognize his present worth and forget his past life of shame. 
But men are not so divine as to forgive the past trespasses of others, and plaintiff therefore endeavored to reveal as little as possible of his past life.'' And to assist Briscoe in what the court apparently thought was a worthy effort at concealment, the law may bar people from saying things that would interfere with Briscoe's plans. Judges are of course entitled to have their own views about which things ``right-thinking members of society'' should ``recognize'' and which they should forget; but under the First Amendment, members of society have a constitutional right to think things through in their own ways. And some people do take a view that differs from that of the Briscoe judges: While criminals can change their character, this view asserts, they often don't. Someone who was willing to fight a gun battle with the police eleven years ago may be more willing than the average person to do something bad today, even if he has led a blameless life since then (something that no court can assure us of, since it may be that he has continued acting violently on occasion, but just hasn't yet been caught). Under this ideology, it's perfectly proper to keep this possibility in mind in one's dealings with the supposedly ``reformed'' felon. While the government may want to give him a second chance by releasing him from prison, restoring his right to vote and possess firearms, and even erasing its publicly accessible records related to the conviction, his friends, acquaintances, and business associates are entitled to adopt a different attitude. 
Most presumably wouldn't treat him as a total pariah, but they might use extra caution in dealing with him, especially when it comes to trusting their business welfare or even their physical safety (or that of their children) to his care.<SUP>58</SUP> And they might use extra caution in dealing with him precisely because he has for the last eleven years hidden this history and denied them the chance to judge him for themselves based on the whole truth about his past.<SUP>59</SUP> Those who think such concealment is wrong will see it as direct evidence of present bad character (since the concealment was continuing) and not just of past bad character. --------------------------------------------------------------------------- \58\ If you were deciding whether to leave your children for the day in a neighbor's care, would you consider his eleven-year-old conviction for a violent crime involving a gun battle with police relevant (not necessarily dispositive, but relevant) to your decision? Would you advise your daughter to consider a prospective date's armed robbery conviction when deciding whether and under what conditions to go out with him? \59\ Richard A. Epstein, Privacy, Property Rights, and Misrepresentations, 12 Ga. L. Rev. 455, 472-73 (1978). --------------------------------------------------------------------------- Revealing Briscoe's name, under this view, may have little to do with broad political debates, but it is still of intense and eminently legitimate public concern to one piece of the public: people who know Briscoe, the very same group whose ignorance Briscoe seemed most concerned about preserving. These members of the public would use this information to make the decision, which is probably more important to them than whom they would vote for next November, about whether they could trust Briscoe in their daily dealings. 
This isn't speech on political matters, but rather on what I might call ``daily life matters.'' Under the First Amendment, which protects movies, art, jokes, and reviews of stereo systems, <SUP>60</SUP> such speech on daily life matters is at least equally worthy. --------------------------------------------------------------------------- \60\ See, e.g., Winters v. New York, 333 U.S. 507 (1948) (entertainment); Bose Corp. v. Consumers Union, 466 U.S. 485 (1984) (product review of stereo equipment); Abood v. Detroit Bd. of Educ., 431 U.S. 209, 231 (1977) (``[O]ur cases have never suggested that expression about philosophical, social, artistic, economic, literary, or ethical matters--to take a nonexhaustive list of labels--is not entitled to full First Amendment protection.''). --------------------------------------------------------------------------- At least as much as those kinds of protected speech, daily life matter speech--communication related to ``the real, everyday experience of ordinary people'' <SUP>61</SUP>--indirectly but deeply affects the way we view the world, deal with others, evaluate their moral claims on us, and even vote; and its effect is probably greater than that of most of the paintings we see or the editorials we read. Consider how much our view of crime and punishment, secrecy and publicity, and many other topics would be indirectly influenced--towards greater liberalism, conservatism, or something else--by the knowledge that some of our seemingly law-abiding neighbors have been concealing a criminal past. --------------------------------------------------------------------------- \61\ Cynthia L. Estlund, Speech on Matters of Public Concern: The Perils of an Emerging First Amendment Category, 59 Geo. Wash. L. Rev. 1, 37 (1990). 
--------------------------------------------------------------------------- In any event, which viewpoint about our neighbors' past crimes is ``right-thinking'' and which is ``wrong-thinking'' is the subject of a longstanding moral debate. Surely it is not up to the government to conclude that the latter view is so wrong, that Briscoe's conviction was so ``[il]legitimate'' a subject for consideration, that the government can suppress speech that undermines its highly controversial policy of forgive-and-forget. This also goes for databases of personal information as much as for news stories about such information. Many such databases--for instance, credit history databases or criminal record databases--are used by people to help them decide whom it is safe to deal with and who is likely to cheat them. Other databases, which contain less incriminating information, such as a person's shopping patterns, may be less necessary for self-protection; but of course for the same reason the data stored in them will also generally be much less embarrassing to their subjects, which makes the supposed harm to the subjects of the communication of such data much smaller. And in any event, even this data is of direct daily life interest to its recipients, since it helps them find out with whom they should do business. In some instances, it may be quite unlikely that certain speech would be useful to the listeners either for political purposes or for daily life purposes; this largely has to do with information that shows people in ridiculous, embarrassing, or demeaning contexts without revealing any useful new information about them. Everybody knows that I go to the bathroom; printing a picture of me on the toilet would embarrass me not because it reveals something new about me, but because it shows me in a pose that by cultural convention is seen as ridiculous or undignified.
But while there may be a narrow zone of fairly uncontroversially non-public-concern topics, the danger is that the vague, subjective ``public concern,'' ``newsworthiness,'' or ``legitimate public interest'' test will flow far beyond this zone; and as Briscoe and Diaz, among others, show, this danger has materialized. This risk may be enough to abandon the test altogether, and it is certainly enough to demand that the test be rephrased as something much clearer and narrower before it is accepted. We can all think of examples of entertainment that has no connection to public issues, but Winters v. New York was right to conclude that entertainment should be protected despite this, because ``[t]he line between the informing and the entertaining is too elusive for the protection of [the] basic right [of free speech].'' <SUP>62</SUP> If vitriolic, relatively nonsubstantive parodies such as the one in Hustler v. Falwell were banned, ``public discourse would probably suffer little or no harm,'' but the Court correctly refused to uphold such a ban, since it could find no ``principled standard to separate'' them from speech that had to be protected.<SUP>63</SUP> --------------------------------------------------------------------------- \62\ 333 U.S. 507, 510 (1948). \63\ 485 U.S. 46, 55 (1988). --------------------------------------------------------------------------- Likewise, the notion that speech should generally be restrictable when it doesn't relate to matters of public concern strikes me as so potentially broad and so vague that it deserves to be abandoned, even if it would yield the right results in a narrow subset of the cases in which it would be applied. C. Doctrine That, then, is why I think the public concern test is theoretically unsound.
The doctrinal discussion is easier: Though the Court has often said in dictum that political speech or public-issue speech is on the ``highest rung'' of constitutional protection, <SUP>64</SUP> it has never created any general exception for speech on matters of ``private concern.'' Political speech, scientific speech, art, entertainment, consumer product reviews, and speech on matters of private concern are thus all doctrinally entitled to the same level of high constitutional protection, restrictable only through laws that pass strict scrutiny. --------------------------------------------------------------------------- \64\ Carey v. Brown, 447 U.S. 455, 467 (1980). --------------------------------------------------------------------------- The two situations where the Court has adopted a public concern / private concern distinction are narrow exceptions to this general principle. The first such exception, established in Connick v. Myers, is that the government acting as employer may freely restrict speech on matters of private concern by its employees.<SUP>65</SUP> --------------------------------------------------------------------------- \65\ 461 U.S. 138 (1983). --------------------------------------------------------------------------- The government's power as employer to fire its employees for what they say has always been far greater than its power to fine or imprison private citizens for what they say, and the Connick Court explicitly stressed that private-concern speech remains protected against the government acting as sovereign.<SUP>66</SUP> The restriction on such speech by government employees was justified only by the special role of the government acting as employer, in which the government's interest in efficient day-to-day operation would make it infeasible to let people sue the government over every discharge that was based on any sort of speech. 
--------------------------------------------------------------------------- \66\ ``We in no sense suggest that speech on private matters falls into one of the narrow and well-defined classes of expression which carries so little social value, such as obscenity, that the State can prohibit and punish such expression by all persons in its jurisdiction [and not just its own employees].'' Id. at 147. --------------------------------------------------------------------------- The second exception, established in Dun & Bradstreet v. Greenmoss Builders, is that plaintiffs in libel cases involving false statements on matters of purely private concern may be awarded punitive and presumed damages without a showing of actual malice.<SUP>67</SUP> This, though, also came in a context where the government has special power to restrain speech: restrictions on false statements of fact. --------------------------------------------------------------------------- \67\ 472 U.S. 749 (1985). --------------------------------------------------------------------------- Such statements, the Court has held, have ``no constitutional value''; any protection they get stems from the need to prevent the undue chilling of true statements, which are indeed constitutionally protected.<SUP>68</SUP> The economic interests of the speaker and its audience, the Court argued, warrant no special protection when ``the speech is wholly false.'' <SUP>69</SUP> Dun & Bradstreet thus says little about the propriety of applying the ``private concern'' test to speech that, unlike false statements of fact, is presumptively constitutionally valuable.<SUP>70</SUP> --------------------------------------------------------------------------- \68\ Id. at 767 (White, J., concurring in the judgment). See Gertz v. Robert Welch, Inc., 418 U.S. 323, 340-41 (1974). \69\ Dun & Bradstreet, 472 U.S. at 762 (emphasis added). \70\ Cf., e.g., U.D. Registry, Inc. v. California, 40 Cal. Rptr. 2d 228, 232 (Ct. App. 
1995) (``While the distinction [between private and public concern speech] may be significant in the area of defamation, it does not define the parameters of permissible regulation for truthful reporting.''). --------------------------------------------------------------------------- D. The Experience Under the Two ``Public Concern'' Doctrines In practice, neither of these doctrines has been a success story for the public concern test. As many critics have pointed out, the government employee private concern doctrine has proven both vague to the point of indeterminacy and extremely broad.<SUP>71</SUP> Much speech that would clearly fit within a normal reading of the words ``public concern'' has been found to be of purely private concern and therefore unprotected, with seemingly little justification other than the desire to make life easier for government employers confronted with troublemaking employees. --------------------------------------------------------------------------- \71\ See, e.g., Stephen Allred, From Connick to Confusion: The Struggle to Define Speech on Matters of Public Concern, 64 Ind. L.J. 43 (1988); Estlund, Speech on Matters of Public Concern, supra note 60, at 7 n.40, 34, 45. 
--------------------------------------------------------------------------- Connick itself found that speech among District Attorney's office employees about ``the confidence and trust that [employees] possess in various supervisors, the level of office morale, and the need for a grievance committee'' was ``not of public concern,'' hardly a commonsense reading of the term ``public concern.'' Later cases have likewise found, for instance, that speech criticizing the way a dean runs a public university department, <SUP>72</SUP> alleging race discrimination by a public employer, <SUP>73</SUP> and criticizing the way the FBI decides whom to lay off <SUP>74</SUP> was not ``of public concern,'' though other cases reached opposite results on seemingly similar facts.<SUP>75</SUP> Whether or not the government should have the power to dismiss employees for such speech, surely the government ought not have the power to censor such speech by citizens at large on the grounds that it's supposedly of insufficient ``public concern.'' --------------------------------------------------------------------------- \72\ Landrum v. Eastern Ky. Univ., 578 F. Supp. 241 (E.D. Ky. 1984). \73\ Lipsey v. Chicago Cook County Criminal Justice Comm'n, 638 F. Supp. 837 (N.D. Ill. 1986). \74\ Murray v. Gardner, 741 F.2d 434 (D.C. Cir. 1984). \75\ See generally Allred, supra note 70, at 65-73. 
--------------------------------------------------------------------------- Under Dun & Bradstreet, the concept of ``speech of purely private concern'' has ended up similarly vague, and has sometimes covered speech that clearly seems to be of public concern under any normal definition of the term: for instance, speech discussing the competence of psychologists to whom children are sent by government-run schools, the business practices of car dealers, and alleged misconduct by the owner of a gymnastics school.<SUP>76</SUP> Again, perhaps it's permissible to allow presumed and punitive damages for false statements on such topics, but surely it would be unconstitutional to restrict true statements on these matters on the grounds that they aren't of ``public concern.'' --------------------------------------------------------------------------- \76\ See Robert E. Drechsel, Defining ``Public Concern'' in Defamation Cases Since Dun & Bradstreet v. Greenmoss Builders, 43 Fed. Comm. L.J. 1, 17-18 (1990); Saunders v. Van Pelt, 497 A.2d 1121 (Me. 1985); Vern Sims Ford, Inc. v. Hagel, 713 P.2d 736 (Wash. Ct. App. 1986); Ramirez v. Rogers, 540 A.2d 475 (Me. 1988). --------------------------------------------------------------------------- The experience of the public concern test in these two areas thus suggests that the theoretical criticisms of the public concern / private concern distinction are sound: There's a substantial practical risk of the courts finding too much speech to be of ``private concern,'' and while some facially vague and broad tests have the merit of being tied to an existing body of clarifying and narrowing caselaw, that's hardly the case here. Maybe for lack of anything better, the public / private concern distinction may remain sensible as to the genuinely hard and necessarily vague government employee speech cases, but its track record hardly seems to encourage expanding it elsewhere. E. 
Potential Consequences All this discussion is not just academic or just applicable to information privacy speech restrictions. The argument that certain speech should be more restrictable because it's not ``political speech,'' not ``high-value speech,'' or not of ``legitimate public interest'' is routinely marshaled in favor of a broad range of speech restraints. Businesses criticized by disgruntled consumers have already argued that such consumer criticism doesn't relate to speech on matters of genuinely ``public concern,'' and should therefore be restrictable even if it's true or if it's mere opinion.<SUP>77</SUP> Likewise, supporters of campus speech codes have argued that this speech, too, is of low value.<SUP>78</SUP> Allowing tort liability under the disclosure tort for speech on supposedly ``private matters'' (such as a person's criminal history or failure to pay his debts <SUP>79</SUP>) would provide strong support for allowing tort liability under the intentional interference tort for speech on ``private matters'' (such as a business's unfair practices or breaches of warranty), or for allowing universities to suppress speech that they find supposedly valueless. --------------------------------------------------------------------------- \77\ See, e.g., Paradise Hills Assocs. v. Procel, 1 Cal. Rptr. 2d 514, 521 (Ct. App. 1991). \78\ See, e.g., Richard Delgado, Campus Antiracism Rules: Constitutional Narratives in Collision, 85 Nw. U. L. Rev. 343 (1991). \79\ See, e.g., Mason v. Williams Discount Ctr., Inc., 639 S.W.2d 836 (Mo. Ct. App. 1982). --------------------------------------------------------------------------- VI. COMPELLING INTEREST The last argument for many proposed information privacy speech restrictions is that the government interest behind the restriction is just so great.
Speech that reveals personal information about others, the argument goes, violates their basic human rights, strips them of their dignity, causes serious emotional distress, interferes with their relations with family, friends, acquaintances, and business associates, and puts them at risk of crime. Moreover, such speech itself undermines other rights of constitutional stature, such as the right to privacy or free speech itself. The government must be able to step in and prevent this, even at the cost of creating a new free speech exception. A. Countervailing Constitutional Rights Let me begin by discussing the ``constitutional tension'' argument, which comes in two flavors: (1) Because the Constitution has been interpreted as protecting privacy (possibly including information privacy <SUP>80</SUP>), attempts to restrict speech in the name of protecting information privacy involve a ``tension'' between two constitutional values.<SUP>81</SUP> (2) Information privacy speech restrictions ``promote[] some of the same values protected by the First Amendment,'' because ``[g]ranting people privacy, recognizing that despite their entering into the public debate on an issue . . . they remain a private person to some degree, encourages people to come forward and engage in the debate.'' <SUP>82</SUP> --------------------------------------------------------------------------- \80\ See Whalen v. Roe, 429 U.S. 589, 605 (1977). \81\ See also Melvin v. Reid, 112 Cal. App. 285, 291 (1931). \82\ Sean M. Scott, The Hidden First Amendment Values of Privacy, 71 Wash. L. Rev. 683, 687, 710 (1996). See also Paul M. Schwartz, Privacy and Democracy in Cyberspace, 52 Vand. L. Rev. 1609, 1701-02, 1651 (1999). --------------------------------------------------------------------------- I have elsewhere argued at length against this sort of analysis, <SUP>83</SUP> but for now let me make two observations about it. First, the speech vs. privacy and speech vs. 
speech tensions are not tensions between constitutional rights on both sides. The Constitution presumptively prohibits government restrictions on speech and perhaps some government revelation of personal information, but it says nothing about interference with speech or revelation of personal information by nongovernmental speakers. --------------------------------------------------------------------------- \83\ Eugene Volokh, Freedom of Speech and the Constitutional Tension Method, 3 U. Chi. L. Sch. Roundtable 223 (1996). --------------------------------------------------------------------------- If, for instance, a private group organizes a boycott of a newspaper to pressure it into dropping a columnist whose work the group finds offensive, <SUP>84</SUP> the group is not thereby violating the columnist's First Amendment rights; he has a constitutional right to speak free from government restraint, but not free from private censure or private pressure. --------------------------------------------------------------------------- \84\ See, e.g., Jill Stewart, Free This Man; Can Black Conservatives Speak Their Minds in America? Ask KABC Talk-Show Host Larry Elder, the Target of a Black Nationalist Group in L.A., New Times (L.A.), July 3, 1997 (describing boycott of sponsors of black conservative talk show host Larry Elder's radio show, aimed at getting the radio station to take him off the air); James Warren, Andy Rooney Suspended, But Denies Racist Comment, Chi. Trib., Feb. 9, 1990, Sec. 1, at 3 (describing public pressure that caused CBS to suspend 60 Minutes commentator Andy Rooney for allegedly making a racist comment); Jerry Berger, Kennedy Decries Reagan Civil Rights Policies, United Press Int'l, Jan. 18, 1988, available in LEXIS, News Library, UPI File (describing public pressure that caused CBS to fire Jimmy ``The Greek'' Snyder on similar grounds). 
--------------------------------------------------------------------------- Likewise, information privacy speech restrictions involve a tension between a constitutionally secured right to speak free of government restriction and a proposed statutory or common-law right to speak free of private revelation of private information. The fact that the proposed statutory or common-law right is in one way analogous to a constitutional right does not give it constitutional stature. Second, as the boycott example shows, changing First Amendment doctrine to let free speech rights be trumped by other ``constitutional values'' derived by analogy from constitutional rights would permit a broad range of speech restrictions. Lots of speech has the effect, and often the purpose, of discouraging people from exercising their speech rights in certain ways. Political bullies try to silence their opponents not only by revealing embarrassing private information about them, but also by calling them nasty (but nonlibelous) names, citing their interracial marriages as evidence that they are traitors to their race, <SUP>85</SUP> attacking them with bitter and unfair parodies, or saying things aimed at undermining their business affairs. --------------------------------------------------------------------------- \85\ See, e.g., Amy Wallace, He's Either Mr. Right or Mr. Wrong, L.A. Times, Mar. 31, 1996, at 12. --------------------------------------------------------------------------- Depending on the era, the risk of having your arguments called ``Communist,'' ``un-American,'' ``racist,'' or ``sexist'' (even if your arguments really don't fall into those categories) has discouraged many people from expressing viewpoints that might draw such rhetoric--and I suspect that the rhetoric was often used precisely to deter people from expressing certain viewpoints. Who among us hasn't at times decided to stay quiet in order to avoid having to deal with our opponents' vituperation? 
The logic of the argument I quoted, if accepted, would thus justify restriction on all these kinds of speech. And yet our right to use speech to pressure others into not speaking is a fundamental aspect of the First Amendment; recall that a recurring (and correct) argument of those who fight against advocacy of evil ideas--even advocacy that is concededly constitutionally protected against government suppression--is that such speech should be deterred by social ostracism and condemnation. Likewise, accepting the other constitutional tension argument, which urges that speech be restricted when it undermines the unwritten constitutional ``value'' of privacy, would provide strong support for restrictions on speech that vehemently criticizes a religion and thereby discourages people from publicly adhering to it (and thus supposedly undermines the explicitly constitutionally described values of religious freedom), <SUP>86</SUP> speech that urges people to treat others unequally (and thus undermines equality), speech that tries to pressure people into not exercising their property or contractual rights (and thus undermines private property rights or the obligation of contracts), and so on.<SUP>87</SUP> A rule that constitutional rights to protection from the government may be turned into justification for government restrictions on speech by private actors would have a broad effect indeed. --------------------------------------------------------------------------- \86\ Cf., e.g., Kunz v. New York, 340 U.S. 290, 295, 302 (1951) (Jackson, J., dissenting). \87\ See generally Volokh, supra note 82, at 231-34, 237-38. --------------------------------------------------------------------------- B. Dignity, Emotional Distress, and Civil Rights Other arguments for information privacy speech restrictions claim that the speech injures people's dignity or emotionally distresses them.
This injury is sometimes also characterized as an interference with people's basic ``civil right'' not to have others know or say certain things about them.\88\

---------------------------------------------------------------------------
    \88\ See, e.g., Directive 95/46/EC, art. 1(1) 1995 O.J. (L.281) 31 (describing protection of informational privacy as a matter of ``the fundamental rights and freedoms'' ``of natural persons''); Talk of the Nation: Online Privacy (NPR radio broadcast, June 30, 1998) (quoting Todd Lappin, senior associate editor of Wired magazine) (``[I]t's really the job of all of us to get a consensus in Congress that'll give us basic legal rights so we have some control over our names and over our personal information. This is a civil rights and a human rights struggle . . .'').
---------------------------------------------------------------------------

But is it constitutional for the government to suppress certain kinds of speech in order to protect dignity, prevent disrespectful behavior, prevent emotional distress, or to protect a supposed civil right not to be talked about? Under current constitutional doctrine, the answer is generally no: Even offensive, outrageous, disrespectful, and dignity-assaulting speech is constitutionally protected.\89\

---------------------------------------------------------------------------
    \89\ See, e.g., Cohen v. California, 403 U.S. 15 (1971) (public profanity); Texas v. Johnson, 491 U.S. 397 (1989) (flag burning); Hustler Magazine v. Falwell, 485 U.S. 46 (1988) (scurrilous, personal attack in print); Brandenburg v. Ohio, 395 U.S. 444 (1969) (racist advocacy); Collin v. Smith, 578 F.2d 1197 (7th Cir. 1978) (Nazi parade in a part of town where many Holocaust survivors lived); Kunz v. New York, 340 U.S. 290 (1951) (vitriolic attacks on Catholicism and Judaism); Cantwell v. Connecticut, 310 U.S. 296 (1940) (vitriolic attack on Catholicism).
---------------------------------------------------------------------------

And there is good reason for this approach. If the government can declare it to be my ``civil right'' to prohibit others from saying the truth about me behind my back, then the arguments for many speech restrictions would be considerably strengthened. The government could similarly declare it a civil right to have others not say insulting things about me (and my kind) in print or in broadcasts, where I may directly see or hear such speech; other countries have indeed done this.

Similarly, say that true statements--statements about past crimes, current sexual orientation, credit history, and the like--can be restricted because of the danger that they will change people's attitudes about their subject. Why wouldn't sociological or political claims that the government considers false or misleading (group libel or seditious libel)\90\ or statements of opinion (general bigoted or antigovernment advocacy) be likewise restrictable, on the grounds that they may change people's attitudes about a group, and that there's a ``compelling governmental interest'' in preventing such changed attitudes?

---------------------------------------------------------------------------
    \90\ Cf., e.g., United States v. Cooper, 25 F. Cas. 631, 639 (C.C.D. Pa. 1800).
---------------------------------------------------------------------------

It's conceivable that as to some kinds of speech, for instance the revelation of the names of rape victims or the unauthorized distribution of pictures of a person naked or having sex, courts will find that the speech is so valueless and so distressing that there is indeed a compelling interest in restricting it.
Though I empathize with the reasons for such restrictions, I reluctantly oppose them, precisely because of the dangers discussed in Part V and earlier in this section--``lack of legitimate public concern'' and ``severe emotional distress,'' while intuitively appealing standards, are so vague and potentially so broad that accepting them may jeopardize a good deal of speech that ought to be protected.

But while these narrow restrictions would merely increase the risk that more speech might be restricted in the future, other proposed restrictions cheerfully embrace this possibility. Broad readings of the disclosure tort would restrict speech about elected officials that many voters would (rightly or wrongly) find quite relevant, or restrict speech about people's past crimes, which many of the people's neighbors may find important. Likewise, many of the proposals to restrict communication of consumer transactional data would apply far beyond a narrow core of highly private information, and would cover all transactional information, such as the car, house, food, or clothes one buys. I don't deny that many people may find such speech vaguely ominous and would rather that it not take place, and I acknowledge that some people get extremely upset about it. But knowing that some business somewhere knows what car you drive\91\ is just not in the same league as, say, knowing that all your neighbors (and thousands of strangers) have heard that you were raped.

---------------------------------------------------------------------------
    \91\ Cf., e.g., Gindin, supra note 1, at 1157.
---------------------------------------------------------------------------

If such fairly modest offense or annoyance is enough to justify speech restrictions, then the compelling interest bar has fallen quite low. And watering down the threshold for when an interest becomes ``compelling'' will of course have an impact far beyond information privacy speech restrictions.

C.
Keeping the Internet Attractive to Consumers

Some have argued that privacy restrictions are needed to keep Internet access attractive to consumers: Consumers are so concerned that online sites will collect and reveal information about them, the argument goes, that they are being deterred from engaging in e-commerce, and thus e-commerce in particular and the economy in general is suffering.\92\

---------------------------------------------------------------------------
    \92\ Cf. generally Joel R. Reidenberg & Francoise Gamet-Pol, The Fundamental Role of Privacy and Confidence in the Network, 30 Wake Forest L. Rev. 105 (1995).
---------------------------------------------------------------------------

But fostering economic growth and increasing Internet use, while laudable goals, can hardly be ``compelling government interests'' justifying content-based bans on certain kinds of speech, at least if the ``compelling'' threshold is to have any meaning. And the potential consequences of accepting this sort of justification for restricting speech are both clear and dire: The same rationale, after all, would easily justify bans on TV broadcasts that warn of cyberspace privacy risks, since such speech even more directly frightens consumers away from e-commerce and other Internet use.

Furthermore, if this is really such a great concern (which is far from clear, given the explosive growth of e-commerce even in the absence of noncontractual information privacy speech restrictions), it stands to reason that many Internet businesses would invest a lot of effort into preventing such consumer alienation: They'll promise not to communicate consumer information, set up enforcement mechanisms aimed at giving consumers confidence that such promises will be kept, distribute software that helps protect people's privacy through technological means, and so on.
The availability of these alternatives further undercuts the case for restricting First Amendment rights in order to protect e-commerce.\93\

---------------------------------------------------------------------------
    \93\ Cf. Reno v. ACLU, 521 U.S. 844, 885 (1997) (rejecting on similar though slightly different grounds a similar argument in support of restrictions on sexually themed speech).
---------------------------------------------------------------------------

D. Preventing Misconduct and Crime

1. Discrimination. Speech that reveals some kinds of information about people may make it easier for the listeners to act illegally or supposedly unfairly towards those people. One commonly given example is the risk that certain health-related information might fall into the hands of your health insurance company. ``Say that the insurance company learns that you eat a lot of pizza and steak, and therefore concludes that you'll probably have higher cholesterol and a higher risk of heart disease,'' the argument goes; ``it might then raise your rates.'' Another example is the risk that information about people's past crimes, alcoholism, or drug abuse will become known to employers, who will then refuse to hire these people.\94\

---------------------------------------------------------------------------
    \94\ See, e.g., James Rachels, Why Privacy Is Important, 4 Phil. & Pub. Aff. 323, 324 (1975) (``Revealing a pattern of alcoholism or drug abuse can result in a man's losing his job or make it impossible for him to obtain insurance protection . . .'').
---------------------------------------------------------------------------

I can certainly see why people might be offended by their insurance company ``snooping'' on them this way.
I can also see why it might be in the unhealthy eaters' financial interest (and I should mention that I love meat and cheese) not to be identified as such, so they can be subsidized by the healthy eaters with whom they pool their risk. Similarly, closet smokers would prefer, if possible, that life insurance companies not be able to identify them as smokers. But the question is not just whether the communication of this information is offensive or financially costly to its subjects, but rather whether the government may suppress such communication.

If discrimination in insurance based on the insureds' eating habits is legal, as it is with respect to smoking habits, then it's hard to see how the risk of such lawful discrimination can justify restricting speech. True, one's buying habits are not a perfect proxy for one's eating habits (maybe the buyer is a healthy eater who is buying the pizza entirely for his roommate), but insurance is all about using imperfect but lawful predictors. Being above twenty-five and being a good student don't perfectly predict whether someone will drive safely; smoking and being older don't perfectly predict whether someone will die soon; but virtually nothing perfectly predicts anything else. Likewise, many employers might consider a person's criminal record, alcoholism, or drug abuse relevant to whether they should entrust their property, their clients' well-being,\95\ or a $100 million oil tanker to that person.

---------------------------------------------------------------------------
    \95\ Employers not only have moral and business reasons to make sure that they don't hire people who might abuse their customers, but legal reasons, too: A negligent failure to discover that an employee has a criminal record may lead to liability for negligent hiring if the employee later attacks a customer. See, e.g., Carlsen v. Wackenhut Corp., 868 P.2d 882, 888 (Wash. App. 1994).
---------------------------------------------------------------------------

But even if the government outlaws discrimination based on insureds' eating habits, or discrimination based on a person's alcoholism, drug use, or criminal past,\96\ the basic First Amendment rule is that while the government may restrict conduct, it generally can't restrict speech simply because some people may at some time be moved by the speech to act illegally.\97\ The law has plenty of tools to fight such discrimination directly. They are not perfect tools, but under the First Amendment the government may not try to compensate for their imperfection by suppressing speech.

---------------------------------------------------------------------------
    \96\ See N.Y. Corr. Law Sec. Sec. 752, 753 (generally barring employment discrimination based on criminal record); Wisc. Stat. Ann. Sec. Sec. 111.31, 111.32 (same).
    \97\ See, e.g., Brandenburg v. Ohio, 395 U.S. 444 (1969).
---------------------------------------------------------------------------

The government may not suppress advocacy of discrimination based on race, criminal history, alcoholism, drug use, or pizza consumption, even though such advocacy may lead some people to actually engage in such discrimination. Likewise, the government may not suppress speech about particular people's criminal history, alcoholism, drug use, or pizza consumption, even though such speech may lead some people to engage in the discrimination.

2. Fraud and violent crime. In a few cases, revealing certain information about people may make it easier for others to defraud or otherwise victimize them.
Under what circumstances the government may restrict speech that facilitates the commission of crime is a difficult and so far largely uninvestigated question.\98\ It arises in many cases which have nothing to do with revelation of personal information, because personal information is just one of many kinds of information that can make it easier for people to commit crimes. For instance, the most prominent recent case that upheld a restriction on crime-facilitating speech involved a lawsuit against the publisher of a murder-for-hire manual.\99\

---------------------------------------------------------------------------
    \98\ See U.S. Department of Justice, 1997 Report on the Availability of Bombmaking Information, available at <http://www.usdoj.gov/criminal/cybercrime/bombmakinginfo.html>; Kent Greenawalt, Speech, Crime, and the Uses of Language (1989); Eugene Volokh, Crime-Facilitating Speech (in progress).
    \99\ See Rice v. Paladin Press, 128 F.3d 233 (4th Cir. 1997).
---------------------------------------------------------------------------

Moreover, even crime-facilitating speech that's focused on particular targets may involve information that few would consider especially private: For example, if we're concerned about speech that facilitates fraud or theft, publishing information about a business's security vulnerabilities or a list of the business's computer passwords may create as much risk of fraud as publishing a person's social security number would.

I won't try to resolve this question here, but only want to offer three observations.

First, the fact that speech facilitates crime doesn't always justify restricting the speech (even if it sometimes might): Consider, for instance, normal chemistry books, which may be used by criminals to learn how to make explosives,\100\ or detective stories that describe particularly effective ways to commit a crime.
---------------------------------------------------------------------------
    \100\ See, e.g., U.S. Department of Justice, supra note 97 (listing a chemistry book from the respected Telford Press and books on explosives from the U.S. Bureau of Mines and the Association of Australian State Road Authorities among sources ``useful to individuals bent upon constructing bombs and other dangerous weapons'').
---------------------------------------------------------------------------

Second, the strongest argument for restricting speech that reveals crime-facilitating personal information is that the speech facilitates crime, not that it reveals personal information. It is therefore probably most useful to analyze such speech as a kind of crime-facilitating speech, rather than as a specimen of revelation of personal data.

Third, the crime facilitation concern at most supports narrow restrictions on the particular kinds of speech that materially risk facilitating crime.\101\ Whatever support there may be for a general right to suppress either speech that reveals embarrassing personal information or speech that reveals information about a person's purchases, the fact that a few kinds of such speech may facilitate crime can't justify these broad restrictions.

---------------------------------------------------------------------------
    \101\ Cf. Florida Star v. B.J.F., 491 U.S. 524, 537, 539 (1989); id. at 542 (Scalia, J., concurring in part and concurring in the judgment).
---------------------------------------------------------------------------

CONCLUSION

I have made three arguments:

1. Despite their intuitive appeal, restrictions on speech that reveals personal information are constitutional under current doctrine only if they are imposed by contract, express or implied.
There might possibly be room for restrictions on revelations that are both extremely embarrassing and seem to have virtually no redeeming value, such as unauthorized distribution of nude pictures or possibly the publication of the names of rape victims, and perhaps for speech that makes it substantially easier for people to commit crimes against its subjects. Even these, though, pose significant doctrinal problems.

2. Asking courts to expand the doctrine to create a new exception may give supporters of information privacy speech restrictions much more than they bargained for. All the proposals for such expansion--whether based on an intellectual property theory, a commercial speech theory, a private concern speech theory, or a compelling government interest theory--would, if accepted, become strong precedent for other speech restrictions, including ones that have already been proposed. The analogies between the arguments used to support information privacy speech restrictions and the arguments used to support the other restrictions are direct and powerful. And accepting the principles that the government should enforce a right to stop others from speaking about us and that it's the government's job to create ``codes of fair information practices'' controlling private parties' speech may shift courts and the public to an attitude that is more accepting of government policing of speech generally. The risk of unintended consequences thus seems to me quite high.

3. People who generally oppose any broad diminution of free speech protections but who think information privacy speech restrictions must be upheld, can try to set forth their proposed new exception and its supporting arguments as carefully and narrowly as possible.
I hope their attempt to craft such a well-cabined, narrow rationale for any such new exception will be helped by this Article, which highlights some of the analogies that generally pro-speech-restriction forces might use to expand any exception that is created. Maybe with a very carefully drawn exception, my fears about the unintended consequences of recognizing such exceptions won't come to pass.

But some people may reluctantly conclude that the risk is just too great. We protect a good deal of speech we hate because we fear that restricting it will jeopardize the speech we value. Some people may likewise conclude that it's better to protect information privacy in ways other than speech restriction--through contract, technological self-protection, market pressures, restraints on government collection and revelation of information, and social norms--than to create a new exception that may eventually justify many more restrictions than the one for which it is created.

Mr. Stearns. Professor Rubin?

STATEMENT OF PAUL RUBIN

Mr. Rubin. Thank you, Mr. Chairman and members of the subcommittee. I thank you for letting me testify.

Mr. Stearns. Could you just pull one of the microphones up to you?

Mr. Rubin. Oh, I am sorry.

Mr. Stearns. That is fine.

Mr. Rubin. Thank you for inviting me to testify today.

Mr. Stearns. Maybe just a shade closer. Good.

Mr. Rubin. I am currently in the process of completing a major study of the issue of privacy for the Progress and Freedom Foundation. My testimony and the forthcoming study is concerned with the commercial market for personal information that is used for advertising and marketing purposes, so I want to confine my remarks to that segment of the issue.

In my written testimony, I make five basic points. First, consumers receive large benefits from the commercial use of information. Advertising revenues support many valuable services that are provided free over the Internet, and we all know what some of these are.
Information makes it possible to target advertising messages to consumers' interests, and the result is, as Professor Cate indicated, better information; reduces the amount of spam and other undesired messages, because advertisers are better able to target us if they have this information.

Second, the way information is used on the Internet is highly impersonal. Humans do not see or handle the information. It is generated and manipulated by computers. So we have this intuition that somebody knows something, but in many cases, the knowledge is embedded on a computer somewhere; no person has access to the information. The typical unit of commerce in online advertising is an ad based on 1,000 browsers. So it is a large block of potential viewers rather than an individual.

Third point: despite consumer concerns, there does not appear to be actual evidence of harm to consumers from the legal use of information for marketing and advertising purposes. I want to stress that it is the legal information, so there are illegal uses, of course, but the legal use does not seem to have led to any harm. We have heard some stories from members of the committee this morning on, for example, medical records and so forth, but these are not commercial use of information. From the commercial use, there seems to be no evidence.

In a year-end summary dealing with privacy issues, C-NET, a leading new economy news source, said despite the fears and concerns, there were no publicized horror stories that resulted from a privacy invasion. As I said, illegal use of information such as credit card fraud and identity theft do cause real harms. These are already, of course, against the law and do not appear to be closely related to online activities. James Huse, the Inspector General of the U.S.
said with respect to identity theft this is not an Internet crime and never was, and the FTC is on record--officials of the FTC are on record also indicating that there is no higher level, no evidence of a higher level of fraud or identity theft based on the Internet than based on other sources of information.

The fourth point: we have heard people say that privacy is good business, and I think it is good business, and what you expect if something is good business, you expect business to respond, and we have a lot of evidence that business is, in fact, responding to privacy concerns.

I have some charts here. The first chart indicates that in several cases, firms have undertaken some action which has later turned out to bother consumers; consumers protested, and the firms have canceled the action solely based on consumer response. Probably the best-known is DoubleClick's purchase of Abacus, which was canceled because of consumer concerns about the use of information. So there is a mechanism there.

Second, there are voluntary standards organizations, numerous voluntary standards organizations; TRUSTe; BBB Online; the Direct Marketing Association has principles of privacy; and accounting firms provide privacy audits; again, a market response to privacy issues. There is also something about to come online, P3P, which has been mentioned and may go a long way toward alleviating privacy concerns.

And then, we see firms beginning to advertise privacy as well. Part of this morning's Post has an article: Earthlink resorts to restroom ads, but the restroom ads referred to in the Post deal with privacy. So firms are perceiving that privacy is something consumers want, and not only are they posting privacy policies on their Websites, but they are actually advertising that they offer better privacy.
Fourth, there are lots of technologies that consumers can use: cookie rejection technologies, anonymous browsers, so there are alternatives out there for consumers particularly concerned with privacy.

The fifth point: regulation of the market for personal information is potentially very costly. Congress should proceed cautiously based on a careful evaluation of the benefits and costs. Based on the evidence thus far available, the case for new regulation is weak. The market seems to be rapidly evolving to meet privacy concerns. Regulation of the market would entail cost in terms of fewer consumer choices. It would also have an adverse effect on innovation and competition. These costs are likely to outweigh potential benefits which appear small, because there is little evidence that consumers are now being harmed by misuse of this information.

Thank you.

[The prepared statement of Paul Rubin follows:]

Prepared Statement of Paul H. Rubin,\1\ Professor of Economics and Law, Emory University

---------------------------------------------------------------------------
    \1\ Paul Rubin is Professor of Economics and Law at Emory University and Senior Fellow at The Progress & Freedom Foundation. The views expressed here are his own.
---------------------------------------------------------------------------

Mr. Chairman and Members of the Subcommittee: I appreciate the opportunity to testify on ``Privacy in the Commercial World.'' I am currently in the process of completing a major study of this issue for The Progress & Freedom Foundation.

Recent advances in information technologies have reduced the costs of collecting, storing, retrieving and transmitting information of all kinds. While the economic and social impacts of these advances have been overwhelmingly positive, they have also raised concerns on the part of individuals about who has access to their personal information and how it is being used.
These concerns, in turn, have led to calls for new government regulation.

In order to decide whether regulation is in order, and, if so, what form it should take, basic public policy questions need to be answered:

  * Are there market failures in the market for personal information?
  * If market failures exist, how do they adversely affect consumers?
  * Can such failures be remedied by government regulation?
  * Would the benefits of government regulation exceed the costs?
  * Are specific legislative and/or regulatory proposals cost-effective in achieving their goals?

The purpose of the PFF study is to make a start toward answering these questions.

My testimony--and the forthcoming PFF study--is concerned with the commercial market for personal information that is used for advertising and marketing purposes. Thus, it does not specifically address a number of other issues that are sometimes discussed under the overall umbrella of ``privacy,'' but raise different concerns.

My work does not address particularly sensitive types of information, such as health information, personal financial information or information about children. These types of information are already subject to regulatory programs specifically tailored for them.

I also do not address illegal uses of information, such as credit card fraud and identity theft. These are serious crimes, and impose significant costs on consumers and businesses. However, they are already against the law. Identity theft is a Federal crime, and a crime in 22 states,\2\ and the use of someone else's credit card is illegal in all 50 states.

---------------------------------------------------------------------------
    \2\ CALPIRG, ``Nowhere to Turn: Victims Speak Out On Identity Theft,'' available on the CALPIRG Website, http://www.pirg.org/calpirg/consumer/privacy/idtheft2000/toppage1.htm visited January 12, 2001.
---------------------------------------------------------------------------

Moreover, the incidence of these crimes does not appear to be related to online activities. In a recent article, for example, Betsy Broder, Assistant Director for Planning and Information at the FTC is quoted as saying: ``The Internet is probably not as large a part of the problem [of identity theft] as people suspect.''\3\ Ms. Broder also said ``None of the statistics show a greater vulnerability of consumers who are shopping online.''\4\ This is consistent with the findings of a study of 66 victims of identity theft, which found that only two of the 66 (about three percent) ``had reason to believe that the thief had obtained their information via the Internet.''\5\ The Inspector General of the United States, James Huse, has said, with respect to identity theft, ``This is not an Internet crime and never was.''\6\

---------------------------------------------------------------------------
    \3\ Quoted in Danielle Sessa, ``The Best Way to . . . Keep Safe,'' The Wall Street Journal, Nov. 27, 2000, R25.
    \4\ Quoted in Susan Stellin, ``Using Credit Cards Online Remains Safe Despite High-Profile Security Lapses,'' New York Times October 16, 2000.
    \5\ CALPIRG, ``Nowhere to Turn: Victims Speak Out On Identity Theft,'' available on the CALPIRG Website, http://www.pirg.org/calpirg/consumer/privacy/idtheft2000/toppage1.htm visited January 12, 2001, p. 6.
    \6\ Scott Bernard Nelson, ``Identity Crisis,'' The Boston Globe, August 27, 2000. He does add: ``But technology has created new ways of storing and selling personal information and it's likely to create more and more headaches in the future.''
---------------------------------------------------------------------------

Finally, my testimony does not concern government collection and use of information.
Because, as a nation, we are concerned about the misuse of government power, government is constitutionally constrained in its ability to obtain information about individuals, as when it uses software such as ``Carnivore'' to search emails. It is also justifiable to hold government to a stricter standard with respect to the information it controls, because government has mandatory access to much of that information.

THE COMMERCIAL USE OF PERSONAL INFORMATION

Data on individuals has been used by marketers and advertisers long before the advent of the Internet. But, the Internet has increased the flow of personal information and, in the process, raised the level of individuals' concerns about privacy.

On the Internet, targeted advertising is accomplished by examining individuals' online activities, developing an understanding of their interests, and then matching and delivering relevant advertisements. This is accomplished by compiling individuals' web-browsing activities and applying database technologies and statistical models that yield demographic and interest profiles, commonly referred to as consumer profiles. Advertisements relevant to consumers' profiles are then inserted in the Web pages they visit.

Advertising firms, such as DoubleClick and 24/7, deliver targeted advertisements to Internet users that visit popular Websites. Website operators receive advertising revenues based on pages viewed and advertisements delivered. Advertising is a major source of revenue for Websites such as search engines, directories and portals, and is growing rapidly. U.S. companies spent $3.5 billion on Web advertising in 1999. Revenue in the second quarter of 2000 was $2.1 billion. Advertising spending on the Web is predicted to increase to $16.5 billion by 2005, making online spending eight percent of the total amount spent on advertising.\7\ This advertising in turn fuels billions of dollars in online purchases.
---------------------------------------------------------------------------
    \7\ The Standard, ``Net Ads Keep on Ticking,'' by Stacey Lawrence, September 4, 2000. Available on-line at: http://www.thestandard.com/research/metrics/display/0,2799,18155,00.html. Visited September 20, 2000.
---------------------------------------------------------------------------

Advertisers use personal data to identify individuals who are more interested than the average in purchasing some product or service. The search begins with the product, and seeks out individuals who might have an interest in the product. A seller does not ask ``What can I sell to Paul Rubin?'' Rather, a seller asks an advertiser such as DoubleClick or 24/7 to ``Put my ad on 1,000,000 pages viewed on computers of persons more likely than average to want a new car'' and perhaps Paul Rubin's computer turns out to be one of those selected. But, no human makes this determination; rather, it is made by various computers connecting with each other. Moreover, the unit of commerce in the online advertising market is typically 1000 persons, not any individual.\8\

---------------------------------------------------------------------------
    \8\ ``All rates are expressed in cost per thousand (CPM) ad banner impressions.'' From DoubleClick's Rate Card, http://www.doubleclick.net:80/us/advertisers/media/network/info/rate-card.asp?asp__object__1=& , visited February 22, 2001.
---------------------------------------------------------------------------

CONSUMER BENEFITS

Consumers benefit from this advertising in numerous ways. First, advertising revenues support many valuable services that are provided to consumers at no charge. These services include free email and pages from firms like Yahoo!
customized to contain information of direct interest to the particular individual.\9\ The amount of free information available on the Internet is truly remarkable, and this information is paid for through advertising. Internet advertising firms such as DoubleClick provide customized advertising to smaller Websites that use the revenues from this advertising to support themselves. Larger firms, such as AOL and Yahoo!, can internally provide the same services that DoubleClick and its competitors provide for the smaller sites.
---------------------------------------------------------------------------
\9\ I use a free customized page from Yahoo! as my own homepage. This contains information in many categories that I have selected: headlines on selected topics from Reuters and AP; information about chosen stocks and stock indices; weather in selected cities; and movies in my neighborhood. Many other categories are also available. For all of this information, much more detail is available from a mouseclick.
---------------------------------------------------------------------------

Second, consumers benefit from receiving information that is targeted to their interests. Consumers value learning about products they are likely to buy. Even if some advertising does not lead directly to a purchase, the information may still enable a consumer to compare prices among products, or to determine what products are available. Targeted advertising reduces the likelihood that consumers will be bothered with information that is of no interest to them, and marketers have an incentive to avoid sending messages to consumers who aren't interested. Consumers are likely to avoid Websites that routinely display useless information, or to ignore, delete or screen out messages from marketers who send the irrelevant emails commonly described as ``spam.'' Thus, both consumers and advertisers have an interest in better targeting of advertising messages.
Generally, markets work better with better information. As the cost of information goes down, market participants will obtain more of it and will consequently make better decisions. For example, if merchants can better estimate demand, they are less likely to purchase excess inventories, reducing costs and even lessening swings in overall economic activity. Similarly, geographic computer-based information can enable bricks-and-mortar merchants to put their new stores in the places that best serve consumers, and to stock the most useful merchandise for nearby consumers in those stores. Such examples can be multiplied without limit--all agents in the economy will benefit from better information. Electronic information has led to a major reduction in the cost of information and therefore a major increase in the amount of information available to the economy, and any policy that reduces the amount of such information below the efficient amount will have detrimental effects on the economy. Finally, an important characteristic of information is that--in contrast to many other goods--it can be used many times without being used up. If I know something and tell you, then we both know it. This ``public good'' characteristic is an important reason for the productivity of information. For the type of commercial information discussed here, advertisers, credit institutions, and insurance companies use the same information, and it is useful to all of them. Indeed, the various information users cooperate in generating this information because they all find it valuable. Thus, if there are externalities associated with the commercial use of information, they are more likely to be positive than negative. This means that it is more likely that not enough information is available than that too much information is available. 
Regulation that would reduce the use and availability of information would exacerbate this problem.\10\
---------------------------------------------------------------------------
\10\ It is sometimes argued that information should be used only for the purpose for which it was collected. In fact, this is part of the European Union Directive on the Protection of Personal Data. However, this restriction on information use imposes a real cost on the economy, in that many productive uses would be denied.
---------------------------------------------------------------------------

IS THERE MARKET FAILURE?

From an economic point of view, regulation of the market for information should only be undertaken if the market is not functioning correctly. Market failure in this context would mean that consumers' preferences concerning the amount and use of their information are not being accurately transmitted and responded to in the marketplace. If the market is working well, there is no need for government intervention.

Consumer Harm

Given widespread consumer concerns about privacy and perceptions that personal information may be subject to misuse, it is noteworthy that there does not appear to be actual evidence of harm to consumers from the legal use of information for marketing and advertising purposes. In an economy with 281 million individuals, there does not even appear to be much in the way of anecdotal evidence of harms resulting from violations of privacy in connection with such marketing activities.
For example, in a year-end summary for 2000 dealing with privacy issues, CNET, a leading ``New Economy'' news source, indicated that there were no mishaps involving commercial use of personal information in 2000: ``Despite the fears and concerns, there were no publicized horror stories that resulted from a privacy invasion.''\11\
---------------------------------------------------------------------------
\11\ Patricia Jacobus, ``Privacy heats up but doesn't boil over,'' CNET News, December 22, 2000, available online at http://news.cnet.com/news/0-1005-200-4238135.html?tag=st.cn.sr.ne.1, visited December 25, 2000.
---------------------------------------------------------------------------

Much of the anecdotal evidence of ``harm'' that does exist concerns activities that have nothing to do with the use of information for marketing purposes. For example, a New York Times magazine article by Jeffrey Rosen\12\ provides anecdotes about individuals who have been harmed by invasions of their privacy, but none concern misuse of advertising data. He discusses, for example, Monica Lewinsky's emails and various archives kept by chat rooms, and employer monitoring of email and surfing. None of his evidence or examples of harm apply to marketing or advertising information.
---------------------------------------------------------------------------
\12\ Jeffrey Rosen (2000), ``The Eroded Self,'' New York Times Magazine, April 30, p. 46.
---------------------------------------------------------------------------

It might be argued that, even though there has been no harm thus far, there might be in the future. But, given the absence of harm thus far, the risk would seem to be small.

Consumer Interaction with Websites

Perhaps part of the reason we see no evidence of consumer harm is that there are a variety of market mechanisms now available to consumers to make known their preferences with respect to the use of their personal information.

Reputation Effects.
Consumers are not without recourse if firms use their information in ways they don't like. Consumers can simply stop doing business with the offending firm, and the evidence shows they are quite willing to do so. In fact, reputation effects are powerful, and the evidence shows that when a firm does something that is perceived as harming its reputation with consumers, the firm suffers a substantial loss in value.\13\
---------------------------------------------------------------------------
\13\ For a summary of the literature, see Kari Jones and Paul H. Rubin, ``Effects of Harmful Environmental Events on the Reputations of Firms,'' Advances in Financial Economics (forthcoming), 2001, edited by Mark Hirschey, Kose John and Anil K Makhija, available online at http://papers.ssrn.com/paper.taf?ABSTRACT__ID=158849.
---------------------------------------------------------------------------

Reputation effects can be expected to be particularly strong among firms operating on the Internet, where communication between consumers is easy and inexpensive. Consumers quickly learn about what they perceive as misdeeds by a firm:

- When Amazon appeared to have engaged in ``dynamic pricing'' (what economists call price discrimination) consumers learned about it quickly and many became irate.\14\ Such pricing is probably efficient,\15\ but nonetheless the firm has promised not to engage in this practice.
---------------------------------------------------------------------------
\14\ David Streitfeld, ``On the Web, Price Tags Blur,'' Washington Post, September 27, 2000. Amazon denies that it was engaged in dynamic pricing or price discrimination.
\15\ Paul Krugman (2000), ``What Price Fairness?'', New York Times October 4.
---------------------------------------------------------------------------

- In 1997, America Online had plans to sell telephone numbers of its subscribers to telemarketers, but cancelled those plans in response to angry reactions from subscribers.\16\
---------------------------------------------------------------------------
\16\ This and the following two examples are from Jessica Litman, ``Information Privacy/Information Property,'' 52 Stanford Law Review, 1283-1313, May, 2000, at 1305-6.
---------------------------------------------------------------------------

- In 1998, CVS pharmacy arranged for another company to contact consumers who failed to refill prescriptions. Again, consumer dissatisfaction led to the plans being called off.

- In 1999, RealNetworks was forced to change its software when it was learned that its product, RealJukebox, collected information on users' habits.

- Yahoo! eliminated the reverse telephone number search from its search site in response to consumer unhappiness.\17\
---------------------------------------------------------------------------
\17\ This and the following two examples are from Daniel J. Solove, ``Privacy and Power: Computer Databases and Metaphors for Information Privacy,'' p. 27, available online through SSRN.Com, 56-57.
---------------------------------------------------------------------------

- Lotus cancelled plans to sell data about 120 million citizens.

- Lexis-Nexis also cancelled plans to sell information about millions of persons.

- More recently, a firm called N2H2, which makes filtering software, has stopped selling information about Websites visited by students, because many felt that such sales were improper.\18\
---------------------------------------------------------------------------
\18\ Associated Press, ``Internet Co. Drops Data Selling Plan,'' Feb. 22, 2001.
Note that the plan did not sell personally identifiable information.
---------------------------------------------------------------------------

- Finally, there is the well-known story of DoubleClick's cancelled plan to link online and personally identifiable information through its acquisition of Abacus Direct.\19\
---------------------------------------------------------------------------
\19\ Discussed at numerous places. See for example Diane Anderson and Keith Perine, ``Marketing the Double Click Way,'' The Standard, March 13, 2000.
---------------------------------------------------------------------------

The critical point is that when businesses use information in ways that consumers do not like, they quickly learn about it, and the firms are forced to stop. Such reputational penalties may be among the strongest protections available to consumers. The main asset that on-line marketers own is their reputation with consumers. Any use of information in a way that reduces the value of that reputation would be counterproductive for the firm. Moreover, the very nature of information on the Internet means that consumers are likely to learn about such uses.

This suggests that arguments about asymmetric information, such as have been advanced by Peter Swire, are incorrect.\20\ Such arguments claim that consumers will not have adequate incentives to learn about the policies of any Website with respect to privacy, and therefore Websites will not have adequate incentives to provide appropriate privacy protections. This may be true for many consumers. However, as discussed above, if they find privacy policies unsatisfactory, when they do learn about them, the market reaction will be strongly adverse. This provides a sufficient incentive to Websites to provide their customers with satisfactory privacy policies.
---------------------------------------------------------------------------
\20\ See Peter Swire, ``Markets, Self-Regulation, and Government Enforcement in the Protection of Personal Information,'' in Privacy and Self-Regulation in the Information Age, U. S. Department of Commerce, Washington, DC, 1997, http://www.ntia.doc.gov/reports/privacy/selfreg1.htm.
---------------------------------------------------------------------------

We also see firms taking many positive steps to protect their reputations. IBM, Microsoft, Disney, Intel, Compaq, Novell, Procter & Gamble, and American Express do not advertise on Websites that do not have privacy policies.\21\ Presumably, this is to protect their reputations. As a method of protecting reputations, firms are increasingly hiring ``chief privacy officers'' (CPOs) and giving them substantial power and discretion in setting company policies. Alan Westin, a well-known privacy expert, offers a training course for this position.\22\ There are now about 100 CPOs, and it is estimated that there will be 500 by the end of next year.\23\
---------------------------------------------------------------------------
\21\ ``It's Time for Rules in Wonderland,'' Business Week, March 20, 2000; ``Towards Digital eQuality--The Second Annual Report of the US Government's Work Group On Electronic Commerce'', December, 1999.
\22\ http://www.pandab.org/, visited November 13, 2000.
\23\ Kemba J. Dunham, ``The Jungle: Focus on Recruitment, Pay and Getting Ahead: A New Playing Field,'' The Wall Street Journal March 20, 2001.
---------------------------------------------------------------------------

Technologies of Choice. There are numerous technologies now available that allow consumers to address their privacy concerns:

- Basic browsers now allow some customization with little effort. For example, Netscape allows a user four options with respect to cookies. Microsoft also offers some control.
- Other options allow control of cookies. From one site, approximately forty programs that allow control of cookies can be downloaded.\24\ These programs allow one to refuse certain cookies, or to easily delete cookies after they are received.
---------------------------------------------------------------------------
\24\ Downloaded on October 25, 2000 from ZDNet Downloads (http://www.zdnet.com/downloads/), a popular source for software, using a search for ``cookie''.
---------------------------------------------------------------------------

- There are also several services that allow anonymous surfing, including Anonymizer.com, IDZap.Com, iPrivacy.com, SafeWeb, SilentSurf.com, and others as well. These services offer different levels of control over information, depending on the consumer's preferences and willingness to bear the inconvenience costs of protecting information.

- In addition, American Express now offers a ``one-time'' credit card number, good only for one purchase, designed for Internet use. Since Websites selling products to consumers using this card never have access to information about the consumer, privacy is protected.

Consumers concerned about privacy are able to use any of these services, some free, to protect their information online.\25\
---------------------------------------------------------------------------
\25\ Some of these are discussed in Don Clark, ``Privacy: You Have No Secrets,'' The Wall Street Journal, October 23, 2000 and Lorrie Faith Cranor, ``Agents of Choice: Tools That Facilitate Notice and Choice about Web Site Data Practices'', available online from http://www.research.att.com/~lorrie/#publications.
---------------------------------------------------------------------------

Importantly, the World Wide Web Consortium (W3C), a consortium of 488 members (as of December 22, 2000), including the largest players on the Internet, such as Microsoft, America Online and Cisco,\26\ is in the process of drafting a major private privacy protocol, the Privacy Preferences Project, P3P.\27\ If P3P is successful, it will provide standardized information in machine-readable form about each Website's privacy policy. Individuals will then be able to configure their own browsers to deal with the Website. Major players in the Internet world are participants in this endeavor. Moreover, Microsoft will begin incorporating P3P standards in its software.\28\ It will also be available as a downloadable plug-in.\29\ This will solve one side of the ``chicken-and-egg'' problem. Since the software will be available to consumers, Websites will have a ready-made audience if they install the other side of the package. Lessig\30\ also discusses the possibility of P3P leading to increased negotiation and customization of privacy policies, as do several others.
---------------------------------------------------------------------------
\26\ For the W3C homepage, see http://www.w3.org. For the list of members, see http://www.w3.org/Consortium/Member/List, visited December 22, 2000.
\27\ http://www.w3.org/P3P/.
\28\ ``New Tools to Help Web Surfers Protect Privacy,'' Associated Press, June 22, 2000.
\29\ Elizabeth Weise, ``Privacy plug-in will ask: `Do you want to go there?' '' USA Today, July 11, 2000.
\30\ Lawrence Lessig, ``The Architecture of Privacy,'' 1998, Online, http://cyber.law.harvard.edu/works/lessig/architecture__priv.pdf.
---------------------------------------------------------------------------

There are other technologies on the horizon that may provide other solutions.
One is the evolution of ``trusted systems.'' These are envisioned as computer protections that limit the way in which data can be copied. While they are being developed to protect intellectual property, such as music, movies and books, it may be possible for these technologies to be adapted to protect consumer information as well.\31\
---------------------------------------------------------------------------
\31\ Jonathan Zittrain, ``What the Publisher Can Teach the Patient: Intellectual Property and Privacy in an Era of Trusted Privication,'' 52 Stanford Law Review 1201-1250, May 2000.
---------------------------------------------------------------------------

Voluntary Standards. Voluntary standards, defined and enforced by third parties or by consortia of Web operators, are an important mechanism to inform consumers that a Website meets certain minimum standards. Such standards improve the functioning of the market and are not merely an attempt by industry to ward off government regulation. There are already several voluntary programs in existence that certify that a Website meets certain privacy standards:

- A Website can voluntarily join TRUSTe, for example.\32\ If it does, a link is put on the website and by clicking on this link, a visitor can view the site's privacy policy. TRUSTe audits Websites to ensure compliance with stated privacy policies. As of December 22, 2000, 1,570 firms were members of TRUSTe.\33\
---------------------------------------------------------------------------
\32\ Website: http://www.truste.org.
\33\ Found at http://www.truste.org/users/users__lookup.html visited December 22, 2000.
---------------------------------------------------------------------------

- The Better Business Bureau also has a certifying program, BBBOnLine, that performs similar functions.\34\
---------------------------------------------------------------------------
\34\ http://www.bbbonline.org/
---------------------------------------------------------------------------

- The Direct Marketing Association has various voluntary standards in place, including a method consumers can use to have their names removed from email lists, and members of the association must meet certain requirements regarding privacy on the Web.\35\
---------------------------------------------------------------------------
\35\ http://www.the-dma.org.
---------------------------------------------------------------------------

- Finally, auditing firms, such as PriceWaterhouseCoopers, perform privacy audits and put a box on a website indicating that the site conforms with its stated privacy policy.\36\
---------------------------------------------------------------------------
\36\ Bob Tedeschi ``Sellers Hire Auditors to Verify Privacy Policies and Increase Trust,'' New York Times, September 18, 2000.
---------------------------------------------------------------------------

There is evidence that voluntary standards in the U.S. actually work better than mandatory standards imposed by the European Commission.\37\ For example, although ``opt-out'' is required in Europe, only 20 percent of Websites actually offer this option to consumers; in the U.S., 60 percent of sites offer this choice. About twice as many U.S. sites (62 percent) as European sites (32 percent) have posted privacy policies. Although all members of the EU now have data-privacy commissioners and agencies, these agencies seem unable to enforce privacy regulations.
Thus, it appears that voluntary self-regulation provides more privacy protection than does mandatory government-imposed regulation.
---------------------------------------------------------------------------
\37\ Ben Vickers, ``Europe Lags Behind U.S. on Web Privacy: More American Firms Let Customers Guard Data, Study Finds,'' The Wall Street Journal, February 20, 2001.
---------------------------------------------------------------------------

THE BENEFITS AND COSTS OF REGULATION

The discussion above suggests that the market is responding well to consumers' privacy concerns. Firms have incentives to provide consumers the desired levels of privacy protection and consumers have tools available to inform themselves about, and control the use of, their data. In addition, there seems to be little if any evidence that consumers are suffering harm from the commercial use (or misuse) of their personal information.

While every regulatory proposal should be subjected to a detailed benefit-cost analysis, the absence of serious market failure or consumer harm suggests that the potential benefits of new regulation will be very small. The costs, on the other hand, can be significant, because regulation is a cumbersome, inflexible tool and because we do not now have the knowledge base to regulate intelligently in this area. As I discuss below, regulation can have adverse effects on both innovation and competition and slow the development of the Internet economy.

It is a cliche to say that the Internet is dynamic. But, it is true. Any regulation at this time would freeze some aspects of the Internet in their current state. Even if the regulators were able to devise perfect regulations for today's environment, these regulations would quickly become obsolete as the Internet changes. The P3P release is P3P 1.0, indicating that, like software in general, the drafters expect that the privacy policies embedded in the document will change over time.
Indeed, at several places in the document itself there are indications of directions for change in future versions. Change is the normal state of affairs for the Internet and for software and other products that interact with the Internet. Once an inefficient regulatory scheme is in place, however, it becomes very difficult to change. This suggests moving with great caution in this area.

The FTC has recommended that Congress pass a law regulating four aspects of privacy: Notice, Choice, Access and Security.\38\ These may be the correct elements for a privacy policy to address. But they also may not be, and the FTC has not done the analysis necessary to show that they are. If it should turn out that other policies are better, the Internet would nonetheless be locked into the FTC's choices. The FTC's desire that all Websites structure their privacy policy in the terms dictated by the FTC would have the effect of freezing in place a particular policy. This policy may not be the best policy now, and almost certainly will not be the best policy for the future.
---------------------------------------------------------------------------
\38\ Federal Trade Commission (2000), Privacy Online: Fair Information Practices in the Electronic Marketplace, May 2000. For comments on the FTC's proposal, see Orson Swindle, ``Privacy in a Digital World: Industry Must Lead, or Government Will Follow,'' The Progress & Freedom Foundation, March 2001 (attached).
---------------------------------------------------------------------------

Effect on Choice

Regulation of this sort is of necessity the ``one size fits all'' variety. This might be justified if all consumers had similar or identical preferences. But, it is difficult to justify what are in essence mandatory product design regulations if preferences differ substantially, as is the case with respect to privacy.
Some consumers view privacy protection as a good thing, but others welcome the advertising information they receive when they give out information about themselves. As an industry source puts it, ``What's an invasion of privacy to one consumer is a great deal to another.''\39\ When preferences do differ in such significant ways, then some consumers must be harmed by regulation.
---------------------------------------------------------------------------
\39\ Margaret Barnett, The Profilers: Invisible Friends, The Industry Standard, March 13, 2000, p. 221.
---------------------------------------------------------------------------

With respect to Internet privacy, the FTC itself acknowledges that consumers differ in their privacy preferences: ``According to one panelist, survey research consistently indicates that roughly one-quarter of the American public is ``intensely'' concerned about privacy and that another quarter has little or no concern; the remaining fifty percent view this issue pragmatically.''\40\ These differences are documented carefully in a survey on Internet privacy by AT&T.\41\ For example, those most concerned about Internet privacy--those the AT&T report calls ``privacy fundamentalists''--can already protect themselves using a variety of techniques discussed above. On the other hand, some consumers are so little concerned with privacy issues that they are willing to have all of their Web surfing monitored. AllAdvantage.com pays consumers to monitor their browsing, and some consumers (presumably those less concerned with privacy issues) are apparently willing to join this program.\42\ Dash.com provides discounts to consumers who allow monitoring. Many other companies provide discounts and benefits of various kinds to consumers who are willing to share their information. Thus, consumers have radically different preferences regarding Internet privacy, and markets are now satisfying all types of preferences.
Privacy regulations could have the effect of making some business plans infeasible and thereby depriving consumers of goods and services that are now available.
---------------------------------------------------------------------------
\40\ In its 1998 Report, Part II, at 2.
\41\ Lorrie Faith Cranor, Joseph Reagle, and Mark S. Ackerman, ``Beyond Concern: Understanding Net Users' Attitudes About Online Privacy,'' AT&T Labs-Research Technical Report TR 99.4.3, 1999, http://www.research.att.com/library/trs/TRs/99/99.4/
\42\ http://www.alladvantage.com/home.asp?refid=
---------------------------------------------------------------------------

The AT&T Report also finds that consumers have very different privacy preferences regarding different types of information. For example, consumers are less willing to provide Social Security and credit card numbers than other types of information. Similarly, 78 percent would accept cookies to provide a customized service; 60 percent would accept a cookie for customized advertising; and 44 percent would accept cookies that convey information to many Web sites. This means that any standardized privacy notice would have to be exceedingly complex--so complex that few people would be willing to read it. Moreover, different pages within the same site might require different policies, so virtually each mouse click would require reading a new notice. On the other hand, a protocol such as P3P could provide customized settings for each type of information and each potential use, based on consumers filling out a one-time form when configuring their browsers. Of course, some consumers would choose not to do so and would merely accept the defaults.

Effect on Innovation

Regulation will affect potential new uses of the Internet. Uses that might otherwise develop will be hindered by excessive regulation.
The costs in terms of lost innovation are difficult, if not impossible, to quantify, because we are not likely to know about potential new uses that do not come into being because of regulation. Nonetheless, these costs are real, and probably larger than the measurable, direct costs of regulation.

For example, the Internet is becoming more available on handheld units, also called Personal Digital Assistants (PDAs), and on Web-enabled cell phones. Technologies for such uses are becoming increasingly easy to use. Some are wireless: Websites are broadcast to users. Additionally, it is possible to download Websites to handhelds in the process of synchronizing the PDA with a desktop computer. There are even new technologies that may make Web information available through audio means. But the interaction of these new technologies with privacy policies is problematic. One difficulty is provision of notification policies on a PDA or mobile telephone screen; these screens are too small and too slow to display meaningful notice information. Having notice policies read aloud by an audio-enabled Website would be even more impractical.

Moreover, it is commonly agreed that a major innovation in the use of the Internet is the increasing extent to which it will be possible to track the geographic location of individual consumers, using mobile phones or PDAs with GPS chips.\43\ One advantage of the technology (and one of its sources) is a desire by the government to better deliver emergency services to injured persons. Chips in mobile telephones and other devices and PDAs will have tracking abilities. The chips will enable individuals to obtain personalized information relevant to their location, such as driving directions or the location of restaurants or movies. General Motors is planning to use this technology to send information to users of its OnStar vehicle-based navigation system.\44\ Privacy issues are important with these devices.
Palm is developing an opt-in program for location chips. DoubleClick will not begin delivering ads until privacy issues are worked out. TRUSTe is developing standards for privacy policies. Of course, the difficulties with presenting privacy policies on small screens apply to these uses as well.
---------------------------------------------------------------------------
\43\ Discussed, for example, in Anick Jesdanun, ``Wireless Tracking Device Coming Soon,'' AP, October 29, 2000 and Pui-Wing Tam, ``. . . Know Where We Are,'' Wall Street Journal, November 13, 2000.
\44\ Rachel Konrad, ``General Motors to `push' ads to drivers,'' CNET News.com, January 8, 2001.
---------------------------------------------------------------------------

There are at least two lessons from the story of this technology. First, industry is already responding to privacy concerns in developing this technology, because it is responding to consumer preferences. Second, if a government-mandated privacy policy were in place, it could retard or even entirely stop the development of these technologies. For example, if there were a law mandating notice and standards for notice, the requirements could be inconsistent with the size of screen available, and certainly with audible websites. If this were so, then consumers could lose the benefits of a valuable technology. This potential loss, should it occur, would not even be recognized; people do not miss technologies that do not exist.

Effect on Competition

Regulation of privacy has competitive implications as well. More stringent regulatory requirements would have the effect of reducing advertising, which typically benefits new entrants and small firms relative to large, established firms.\45\ This would be particularly true for Internet advertising, where established firms have lists of their own customers and visitors to their Websites, but new firms must purchase such lists.
The existence of a market for customer lists and other such information makes it easier for entrants to begin competing. If regulation should reduce the scope of this market or increase the cost of information, then competition from new entrants would be reduced. --------------------------------------------------------------------------- \45\ John E. Calfee, Fear of Persuasion: A New Perspective on Advertising and Regulation, American Enterprise Institute, Washington, 1997. --------------------------------------------------------------------------- New privacy standards would also make entry more difficult by increasing the fixed costs of doing business. Every online marketer would be required to hire an attorney at least to write a ``notice'' about privacy policies; full-time CPOs earn between $120,000 and $175,000 per year.<SUP>46</SUP> Allowing access and enforcing security would also be costly. All of these costs are ``fixed'' costs, and so are higher per unit of output for small than for large firms. Thus, any such regulations would serve at least in part as a barrier to entry against small firms, and as a source of protection for large established firms. These policies would lead to increased prices and reduced service and, thus, harm consumers. --------------------------------------------------------------------------- \46\ Kemba J. Dunham, ``The Jungle: Focus on Recruitment, Pay and Getting Ahead: A New Playing Field,'' The Wall Street Journal March 20, 2001. --------------------------------------------------------------------------- In the Internet economy, small startup companies with new ideas and new business models have been a particularly important source of innovation. Regulations mandating privacy policies or other regulations are particularly likely to be harmful in this environment.<SUP>47</SUP> --------------------------------------------------------------------------- \47\ Discussed in Peter P. Swire and Robert E. 
Litan (1998), None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive, Washington: Brookings Institution Press, at 78-79.
---------------------------------------------------------------------------

CONCLUSION

To summarize, regulation of the market for personal information should proceed cautiously, based on a careful evaluation of the benefits and costs of any specific regulatory proposal. Based on the evidence thus far available, the case for new regulation is weak. The market seems to be rapidly evolving to meet consumers' privacy concerns. Innovative new ways to address these concerns are rapidly becoming available. Regulation of the market for personal information would entail costs in terms of fewer consumer choices. It would also have an adverse effect on innovation and competition. These costs are likely to outweigh the potential benefits, which appear to be small, because there is little evidence that consumers are now being harmed by misuse of marketing and advertising information.

Mr. Stearns. Ms. Singleton?

STATEMENT OF SOLVEIG SINGLETON

Ms. Singleton. Thank you, Mr. Chairman, for this opportunity to offer a historical perspective on the law of privacy. I will try to do this in 5 minutes, which should be interesting. My remarks mainly pertain to broad privacy laws that are not targeted at sectors where there are special contractual and sort of professional issues like medicine or to specific real harms like identity theft. My remarks are, rather, relevant to sort of broad privacy legislation affecting businesses across the board. Let me begin by summing up what we can learn from privacy in the Nineteenth Century. There's essentially two aspects to Nineteenth Century privacy cases. There's some limited case law involving the private sector, and there's also, of course, Constitutional cases involving the Fourth Amendment. Let me start with the private sector.
There was a sort of nascent common law of privacy in the private sector at that time. For example, privacy was often recognized as an element in disputes over physical property rights such as easements and nuisances and that sort of thing. There was a lot of building going on in America during that time, and so, frequently, privacy questions would come up when two buildings were built very close together. Now, the bit here that is relevant to today's debate about privacy is that when you see these privacy cases that essentially identify privacy with physical property rights, there is no First Amendment problem. And that is because the property often helps us find boundaries of free speech, too. For example, you have a right to read books, obviously, but you can't go and steal books out of your neighbor's house or any other kind of information. So in that respect, privacy and First Amendment are quite consistent with one another. Now, I am going to change tracks a little bit and talk about some of the privacy cases in the Constitution from the Nineteenth Century. Sometimes, in the debate about privacy and business today, one hears the assertion that privacy rights in the Constitution show that government has a strong interest in regulating privacy in the commercial sector. But actually, Constitutional privacy cases are rarely very relevant to the debate about privacy in business. In the Nineteenth Century, and this continues today, courts do not apply the Fourth Amendment to the private sector, and essentially, the Fourth Amendment should not be a basis for asserting privacy rights against either journalists or commercial businesses where there is no State action, and the private sector enjoys Constitutional rights of free speech. Obviously, the police don't have a kind of Constitutional right to free speech to come into your home and search your things without a warrant. 
So again, on that traditional understanding of the Fourth Amendment, there is no conflict with free speech. Now, I will jump ahead to privacy in the early Twentieth Century, which is where you first begin to see a tension between privacy and the First Amendment. Beginning in the early Twentieth Century, courts began to accept a concept of privacy that was detached from physical property rights a little bit akin to defamation or intellectual property but more expansive. Now, over the years, many of those privacy torts were applied against journalists, and so, for the first time, we see serious free speech and privacy issues. And over the years, some of the privacy torts have been construed very narrowly by the courts. Some of them are referred to today as dying torts, although some of them still seem to be going strong. Now, the concept of privacy based on the mere fact that information was spread asserted a new kind of property right in information, and Gene has already talked a little bit about this. This assertion is too broad, though, to make sense. Unlike copyright, the new right to own information about yourself or to control it amounts to a claim of ownership of facts and opinions and ideas about one's own actions, and unlike defamation, which lets you sue when someone disseminates false information, a right to own or control information about yourself gives you a veto power over truthful information. Now, to jump ahead to today's debate, what has not been widely recognized and which makes this history of privacy and journalism relevant to the debate today is it hasn't been widely recognized the extent to which businesses, like journalists, rely on the freedom of information to produce goods and services. Also, consumers rely on information produced by businesses to learn about products. 
Economic studies have shown that advertising and marketing alert consumers to flaws in existing products; to the existence of new competitors and choices in the marketplace and help bring down prices. But many proposed privacy laws would be even much more extreme than the privacy rule attack that was initially made upon journalism. The journalists were attacked only for disseminating information to a broad public, whereas, in the case of the laws proposed today for commercial business, rather, the target is just the mere having the information or just the act of possessing it, although it may be disseminated only to legitimate businesses for their special purposes. So in the historical context, then----

Mr. Stearns. Ms. Singleton, can we have you wrap up?

Ms. Singleton. Yes, I will.

Mr. Stearns. And then, we are going to take a break and just go vote.

Ms. Singleton. I will just summarize my main points. The Fourth Amendment should not be a basis for asserting privacy rights against commercial businesses, because no State action in the private sector enjoys Constitutional rights of free speech. And the second is the idea that people own or have a right to control the information about themselves is a radical departure from the free flow of information that has made the U.S. the world's leading economy. Thank you.

[The prepared statement of Solveig Singleton follows:]

Prepared Statement of Solveig Singleton, Senior Policy Analyst, Competitive Enterprise Institute

Mr. Chairman, my name is Solveig Singleton and I am a lawyer and senior analyst at the Competitive Enterprise Institute. Thank you for this chance to comment on the history of privacy law and commercial enterprises. Based on my research,<SUP>1</SUP> I offer the following observations:

\1\ Most of this research is documented in Solveig Singleton, ``Privacy Versus the First Amendment: A Skeptical Approach,'' XI Fordham Intellectual Property, Media & Entertainment L. J. 97 (Autumn 2000).
---------------------------------------------------------------------------

* The Fourth Amendment should not be a basis for asserting privacy rights against journalists or commercial businesses, for there is no ``state action'' and the private sector enjoys constitutional rights of free speech.
* The idea that people own or have a right to control information about themselves has no historical justification; it is a radical and extreme departure from the free flow of information that has made the U.S. the world's leading economy.
* Today, we take shocking uses of ``private'' information by journalists in stride; less sensibly, we fret about electronic databases and learning tools--although these represent a natural and beneficial evolution away from reliance on gossip and guesses about people's preferences.

U.S. Privacy Law in the Nineteenth Century. In the nineteenth century, as today, the law of privacy consists of two different sets of rules. First, there is the Fourth Amendment of the U.S. Constitution, which protects our rights against brutal searches from the government. Obviously, in the nineteenth century and today, it was not applied to the private sector.<SUP>2</SUP> The private sector has no power to seize and search one's property without consent under color of law. This remains true today. Note that there was and is no conflict between the Fourth Amendment and the First Amendment's rights of free speech. One might say that the Fourth Amendment is an example of a modified free speech right; <SUP>3</SUP> just as the Supreme Court recognized that Jehovah's Witnesses cannot be compelled to pledge allegiance to the flag, we cannot compel people to show the content of their papers and homes without a showing of probable cause. This makes the Fourth Amendment a very inappropriate basis for asserting expansive privacy rights against journalists or businesses today, who are not the government and who do enjoy free speech rights.
---------------------------------------------------------------------------
\2\ Ibid. at 99.
\3\ Ibid. at 104.
---------------------------------------------------------------------------

Second, there was a common law of privacy in the private sector. For example, privacy was recognized as an element in disputes over physical property boundaries and easements or nuisances, for example, when two buildings were built close together.<SUP>4</SUP> Because these private sector cases identify privacy with physical property rights, there is no conflict between the First Amendment and privacy; property rights mark the boundaries of free speech rights, too.<SUP>5</SUP> One's right to read books does not give one a right to steal books--or letters--from a neighbor's house or out of his pocket.

---------------------------------------------------------------------------
\4\ Ibid. at 107-114.
\5\ John O. McGinnis, ``The Once and Future Property-Based Vision of the First Amendment,'' 63 The U. of Chicago L. Rev. 49 (1996).
---------------------------------------------------------------------------

Privacy in the Early Twentieth Century. The concept of a right to privacy detached from physical property rights was not unknown during the early part of the nineteenth century,<SUP>6</SUP> but it was not recognized in the courts until the early part of the twentieth century. A famous law review article by Brandeis & Warren calling for creation of a privacy tort for use against the press was cited in some of these cases.<SUP>7</SUP> Over the years, many of the four privacy torts that sprang up were often directed against journalists. It became obvious in these cases when no violation of physical property or a contract has occurred, privacy is in conflict with free speech rights.
Over the years, privacy torts have been constrained narrowly by the courts; some are referred to as ``dying torts.'' <SUP>8</SUP> --------------------------------------------------------------------------- \6\ For example, a sort of privacy right closely akin to intellectual property was protected by cases involving the reprinting of letters. Blackstone speaks of defamation by pictures, a tort closely akin to the modern privacy of placing someone in a ``false light.'' Singleton at 110. \7\ Ibid. at 105-106. \8\ Ibid. at 111, 114. --------------------------------------------------------------------------- The concept of privacy suit based on the mere fact that information was spread asserted a sort of new property right in information. This expanded right has not prospered in the legal system, for it is a troubling one. Taken literally, it would obliterate the practice of journalism and much ordinary conversation. Unlike intellectual property, the new right amounts to a claim of ownership of facts and ideas. Unlike defamation, which lets you sue when someone disseminates false information, a right to own or control information about oneself gives you a veto power over truthful information.<SUP>9</SUP> And, unlike intellectual property law, an expanded view of privacy is not sanctioned by the Constitution. --------------------------------------------------------------------------- \9\ Ibid. at 114. --------------------------------------------------------------------------- Within U.S. legal history, there is little support for the concept that people own information about themselves and much support for the idea that facts and ideas and opinions are and should remain free to be communicated. This observation holds even as the focus of privacy has shifted from journalism to business. Journalist too is a commercial enterprise. 
And what has not been well-recognized by policymakers is the extent to which businesses, like journalists, rely on the freedom of information to produce goods and services, and the extent to which consumers rely on information produced by commercial enterprises to learn about those products. Economic studies have produced substantial evidence that advertising and marketing alert consumers to flaws in existing products, to the existence of new competitors and choices in the market, and help bring down prices.<SUP>10</SUP>

---------------------------------------------------------------------------
\10\ See generally John E. Calfee, Fear of Persuasion: Advertising and Regulation (Agora Association, 1997).
---------------------------------------------------------------------------

Broad privacy principles are represented as a moderate step towards giving consumers ``choice.'' In fact, these broad principles are a radical and extreme departure from the American tradition of the free flow of information. Writing broad privacy principles into a law for the commercial sector would amount to a sudden massive expansion of copyright or defamation law, a step that Congress would not dream of. Even supposedly moderate ``opt-out'' measures are far more radical than they seem. The evolution of formal information networks such as consumer credit reporting has important benefits for the public as a whole. Even the poor or those who are not well known in a given community may buy on credit, a relatively recent and beneficial development. The existence of credit reports gives consumers an incentive to make payments on time, which means that businesses can lower the losses they suffer from default. Note, however, that had a statute imposing an opt-out rule been in place in the late nineteenth century when all this began, credit reporting could never have evolved! All of the bad debtors would have opted out!
Similarly, on the Internet today, Amazon.com and other e-commerce distributors rely on commercial services to confirm that the addresses and names of their customers are valid, to weed out fraud. But this would be impossible if the database were full of holes and gaps left by opt-outs, well-meaning or sinister.

The Evolution of Databases from The Late Nineteenth Century to Today. Within the U.S. legal tradition that commercial enterprises are generally free to learn about and communicate with their customers, the way in which they have done so has evolved over time. Economists have documented how formal networks for checking credit and assessing the reliability of goods have grown out of informal networks. Dun & Bradstreet, which reports on the creditworthiness of businesses, originated with Lewis Tappan, who managed credit accounts in his brother's silk business and who exchanged letters with 180 correspondents throughout the country about the creditworthiness of businesses in their communities.<SUP>11</SUP> Forty years ago community-based nonprofit organizations handled consumer credit reporting, now handled by three nationwide for-profit firms.<SUP>12</SUP>

---------------------------------------------------------------------------
\11\ Daniel B. Klein, ``Knowledge, Reputation, and Trust by Voluntary Means,'' in Reputation: Studies in the Voluntary Elicitation of Good Conduct, ed. Daniel B. Klein (Ann Arbor: University of Michigan Press, 1997): 7.
\12\ Ibid.
---------------------------------------------------------------------------

The formalization of the collection of information about consumers portends nothing sinister. Databases are a natural entrepreneurial adaptation to a more urban world, freed of small-town gossip. This holds true of Internet web sites, who are at a tremendous disadvantage compared to real-space businesses. For decades, the ordinary shopkeeper with a little store on the street can stand at the counter and watch people come in.
He can see if they are regulars or strangers, if they are locals or tourists, German or Spanish, young or old, male or female. Do they look longingly at the stuffed monkeys, but comment that the price is just a little too high? Are they missing the display in the back? The operator of a web site has none of this information. It is as if he is deaf, dumb, and blind. And thus he has little chance of improving his service to customers, unless he hits upon their needs by sheer dumb luck. Thus, cookies were born. They are more properly viewed as the eyes and ears of the Internet than as some kind of sinister surveillance device. Many of the same arguments that were deployed against the journalist are today deployed against business uses of information. But they have no more merit than in their original context. For example, it is alleged that the transmission of information in itself represents a threat to human autonomy and dignity. But writing a story about Madonna is not the same thing as seizing and torturing her. Receiving an unwanted advertisement in the mail is not akin to stealing someone's identity. The fact that we tolerate the rights of journalists to promulgate stories that once would have been considered shocking and indecent is a good sign that human beings are as always tough, adaptable creatures. We are not going to wither away because Safeway knows we bought lettuce. Some may be a little wary of the Internet--but if that has any basis in reality it is the fear of real crimes like identity theft, which are already illegal and which have little to do with legitimate businesses' use of information. The fact of the matter is, human beings, whether they are consumers, voters, or businesses, rarely make better decisions with less information. Laws that view the spread of information itself as the enemy will not target any real problems, and will do considerable harm.

Mr. Stearns. Thank you, and the committee will take a 15-minute break and resume.
[Brief recess.]

Mr. Stearns. If I can have the attendees sit down, the committee will come to order. We will continue with our panel, and we will start with Mr. Rotenberg, if you would be so kind as to give us your opening statement.

STATEMENT OF MARC ROTENBERG

Mr. Rotenberg. Thank you very much, Mr. Chairman. I appreciate the opportunity to be here today. I am director of the Electronic Privacy Information Center. I have also been on the faculty at Georgetown Law Center, where I have taught privacy law for more than 10 years, and I have edited two books on privacy that are in use in U.S. law schools today which I would be happy to make available to the committee and the staff if that would be useful. What I do in my testimony is to outline what I think are the broad themes of the development of privacy law in the United States. And this really is based on my work and research and my teaching over the years to try to give you a framework to understand what it is when we talk about privacy law. The first point that I make in my testimony is that the concept of the protection of privacy in law is very much an American tradition. It is not only in our Fourth Amendment that establishes the warrant process before the government may conduct a search but even in the Brandeis-Warren tort, which was described a moment ago. When that was first announced and reviewed by legal scholars in the early part of this century, people described it as the American tort, something unique to the U.S. legal system, to provide people a right of action against others for private acts, and the fair information practices which have also been discussed and provide the framework for many of the modern-day privacy laws both in the United States and around the world.
Those principles were first articulated in the United States in the early 1970's, and they provided the underpinnings for our Privacy Act, which safeguards the information that is held by Federal agencies and is, in many ways, the most robust privacy law in the United States. So it is critical to understand in this discussion that our starting point I don't think is really do we regulate? Don't we regulate? You know, what is the appropriate role of government? It is with the understanding that privacy, as a right in law, is very much a part of the American tradition. The second point I would like to make is that what privacy laws typically do is to allocate rights and responsibilities. They are not simply, as Gene Volokh has suggested, a restriction on the right to talk about others. There are, in privacy laws, elements sometimes that place limitations on disclosure, and they may, in certain circumstances, I agree, raise First Amendment issues. But if you look at the whole structure of a privacy law, whether it is the Fair Credit Reporting Act of 1970 or the cable subscriber privacy provisions in the Cable Act of 1984, you will see a number of different elements. One of the most interesting elements in a privacy law, somewhat paradoxically, is the requirement of transparency, of openness, to give individuals the right, for example, to obtain a copy of their credit report to see if the information that is being kept about them is accurate and complete, so that when they go to obtain a home mortgage or a car loan, that decision is being made based on accurate information. And so, for example, when Fred Cate is describing the importance of access to accurate information in commercial markets, part of that accuracy comes about because individuals, by virtue of privacy laws, have the right to get access to information about them that is being used for decisions that affect their economic and employment opportunities. 
The third point I would like to make, and this may surprise you a little bit, but it is very much my view that in the modern era of privacy law in the United States, as new technology has evolved, it is not the case that Congress has generally stood back and allowed the technology to go forward and then wrestled with the privacy issue. It is rather the case that Congress has typically established privacy safeguards at the beginning, before new commercial services were widely adopted. This was true, for example, in 1984, when you did the Cable Act and included the subscriber privacy provisions. It was true in 1986 with electronic mail. The video rental industry, which began the late 1980's; you remember the Judge Bork bill to protect the privacy of video rental records? You did the Telecommunications Act in 1996; included new provisions to protect the privacy of customer billing information. What is remarkable about the discussion concerning privacy on the Internet is that this is really the first instance with a new technology that Congress has decided not to legislate at the front end to protect consumer privacy and to rely instead on a mixture of self-regulatory and industry-directed initiatives. Now, I think it is an important question to explore how successful those initiatives have been, but I would like to suggest to you that one of the reasons that you may be seeing such high levels of public concern today that you see, you know, the consumer protests, literally, public protests of new consumer products is resulting in part because we have not yet established in law clear privacy standards to protect these new types of commercial transactions, and I think that is a real risk. I make several other points in my statement, but one key point which I would like to draw your attention to concerns the use of technology. And it is my view that technology plays a very important role in protecting privacy. 
In fact, the first book we did was titled Technology and Privacy: the New Landscape. And there is a chapter in there that talks about the role of privacy-enhancing techniques. My own organization has been a big advocate of strong encryption; techniques to protect your identity. But I have come to believe that it is vitally important that if you are going to talk about technical solutions to the privacy issue that you understand very clearly what the technology does and, in particular, what the impact is on the collection and use of personal information. P3P, which is an industry-backed effort, in my view, is not a privacy technology. It does not limit the collection of personal information. It facilitates the collection of personal information. And this is an important issue for you to consider as you look at new proposals and new legislation. I think there are other technical methods that could do a better job of protecting online privacy. As I said, Mr. Chairman, there are a few other points in my statement. I suggest also that you should look closely at the issue of whether Federal preemption is appropriate. In fact, it has not generally been done by tradition in the privacy field. It was not done recently with the financial regs or with the medical regs. I understand the interstate commerce concern, but I think you should look at some of the history here. And finally, on the First Amendment issue, I agree with Professor Volokh. There is a real question there. But even Professor Volokh, in his article for the Stanford Law Review, I think acknowledges that some of these privacy terms, viewed as part of an implied contract, an understanding that information provided for a purpose won't be disclosed for another purpose, are probably acceptable. 
And that is really all we are arguing on this point: in the context of a particular business relationship, if you provide information for a particular purpose, you would reasonably expect it would not be used for other purposes. So thank you very much, and I will be pleased to answer your questions.

[The prepared statement of Marc Rotenberg follows:]

PREPARED STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER

I appreciate the opportunity to appear before the Committee today to discuss privacy issues. My name is Marc Rotenberg. I am Executive Director of the Electronic Privacy Information Center in Washington, and I have taught the Law of Information Privacy at Georgetown since 1990. As both an advocate and academic, I have participated in many of the leading privacy debates in this country. In the spirit of this hearing, I will focus my comments on several general observations about privacy law. I'd like to emphasize at the start that this is an enormously interesting and important topic and I appreciate the decision of the Committee to begin with a discussion at a high level.

1. The Protection of Privacy in Law is Central to the American Legal Tradition

The protection of privacy in law is one of the great contributions of the American legal system. When the framers of the Bill of Rights set out in the Fourth Amendment a legal procedure that placed a judge between the authority of the state and the rights of the citizen, they established a structure that today distinguishes democratic governments from dictatorships. It is without question a burden to the police that they may not freely seize evidence, intercept phone calls, or detain individuals without probable cause, but this is a burden that every Constitutional democracy accepts as a fundamental requirement to safeguard the rights of its citizens.
But it is not just with respect to government that our country has established rights of privacy in law; we have done so also with respect to actions among private individuals, the practices of business, the use of new technology, and the collection and use of personal information for commercial purposes. When Brandeis and Warren first set out the right of privacy in the famous 1890 law review article it came to be known as the ``American tort.'' The privacy tort became the basis for privacy claims that were recognized in state courts, state legislatures, and eventually Congress. Our tradition of protecting privacy rights in law has carried forward with each new technology. From the telephone, to computers, cable television, electronic mail, video tape rentals. Our privacy laws, like all laws, are imperfect. But they reflect at their core a belief that we have the ability, through our government and our legal institutions, to control the technologies that we create, to ensure that we can obtain the benefits of new technology and preserve important political values. So, when privacy and consumer advocates testify in support of restrictions on government surveillance, safeguards for financial records, and protections for consumers in electronic commerce, it is with full regard and understanding of the American legal tradition. The burden of justifying the self-regulatory approach falls squarely on its supporters. The first lesson of US law is that the presumption favors legal safeguards. I make this point at the outset because there is a tendency in the policy debates about privacy to ask the question whether to ``regulate'' or what is the ``appropriate role'' of government. The better starting point is with the recognition that in the United States we have long understood that privacy is a right protected in law.

2.
Privacy Law Allocates Rights and Responsibilities and Ensures Fairness and Transparency in the Collection and Use of Personal Information

Next we should consider what we mean when we discuss privacy laws. Some believe that privacy laws are simply a restriction on the right to speak freely. There is an aspect of privacy protection that may, in some circumstances, limit the disclosure of certain types of personal information obtained in the context of certain relations. But to view privacy law as only a restriction on publication is to misunderstand the structure, history and purpose of privacy laws in the United States. Typically, privacy laws set out a range of rights and responsibilities for the collection and use of personal information. The Fair Credit Reporting Act, for example, does not simply limit the disclosure of information contained in a credit report, it also places on the credit reporting agency an obligation to ensure that the information is correct and timely, and it provides the subject of the credit report the opportunity to inspect the record and correct it if necessary. These responsibilities help ensure that information collected is used for its intended purposes and that determinations, such as whether a person qualifies for a car loan or can obtain a home mortgage, are based on accurate information. The rights and responsibilities that provide the basis of privacy laws have come to be known as ``Fair Information Practices.'' Although the specific elements that make up Fair Information Practices may vary somewhat, what is significant is the high degree of commonality of these principles, across subject matter, technologies, and jurisdictions. In many respects this is not surprising. The goal is simply to fairly allocate the responsibilities to safeguard personal information.
Not only have Fair Information Practices played a significant role in framing privacy laws in the United States, these basic principles have also contributed to the development of privacy laws around the world and even to the development of important international guidelines for privacy protection. The most well known of these international guidelines are the Organization for Economic Co-operation and Development's Recommendations Concerning and Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (``OECD Guidelines''). Fair Information Practices also provided the basis for the recently concluded Safe Harbor arrangement between the United States and Europe.

3. Privacy Laws Respond to New Technologies

It is critical to understand that the recent history of privacy law in the United States is largely a story of efforts by Congress to pass laws to safeguard privacy as new technologies emerge. There is for example, the Federal Wiretap Act of 1968, the Act that limits the monitoring of private communications. There is also the Privacy Act of 1974 that established a legal framework for the records collected by the federal government and addressed the specific concern of Big Brother monitoring by means of automated databases. There are the privacy subscriber provisions of the Cable Act of 1984 (cable television), the Video Privacy Protection Act (video rental records), the Electronic Communications Privacy Act of 1998 (electronic mail), the Polygraph Protection Act of 1988 (lie detectors), and the Telephone Consumer Protection Act of 1991 (auto-dialers and junk faxes), the Children's Online Privacy Protection of 1999 (Children's data obtained by companies operating on the Internet). In addition, many laws at the state level are designed to further limit the monitoring of private activities in the United States. Privacy laws have come about in response to challenges posed by new technologies.
But the aim is rarely to limit the technology or to stifle a new business; it is instead to ensure that the data collection is fair, transparent, and subject to law. This approach builds consumer confidence, establishes a stable business environment, and allows for the benefits of new technology while safeguarding key interests.

4. Privacy Protection by Self-regulation is a Recent Development

Until about 1996, if one were asked to describe the US approach to privacy protection for personal information, you would likely have said there is ``omnibus'' protection with respect to records held by the federal government and ``sectoral'' protection concerning the private sector. The point is that the Privacy Act of 1974 covered all federal agencies, while regulation in the private sector had been done on a more piecemeal basis. The contrast with the European approach was also understood: Europe had adopted an ``omnibus'' approach for private sector records, based in part on the need to harmonize national law as part of the establishment of the European Union. In the United States there was little discussion of privacy protection through ``self-regulation.'' There were a few efforts by trade groups to establish privacy practices, most notably the Mail Preference Service of the Direct Marketing Association, but these efforts typically came about as means to hold off legislation. Beginning in 1996 an effort began to develop a more comprehensive self-regulatory approach to privacy protection. Companies posted policies, privacy seals were announced, new organizations were established to review privacy practices, and the FTC said it would take action against firms that failed to follow their privacy policies.
This was done for several reasons, including growing public concern about the loss of privacy, fear that legislation restricting certain business practices might be adopted, and recognition that the European Union might limit the transfer of personal information about European consumers to American firms unless steps were taken to establish stronger privacy safeguards. It may be too soon to say whether this new ``self-regulatory'' approach will over time effectively protect the privacy of American consumers. The FTC last year concluded that while progress had been made, legislation was nonetheless required. But there are several recent developments that deserve further consideration by the Committee if there is going to be a meaningful evaluation of self-regulation. Here are five issues that I believe call into question the effectiveness of self-regulation:

• The redefinition of privacy. There has been a sharp departure from the bundle of rights associated with Fair Information Practices to a narrow characterization of privacy as simply ``notice and choice'' that is at odds with the tradition of privacy law in the US. Privacy notices appear to operate more like disclaimers or warning labels than any actual assurance of protection.

• The development of intrusive new marketing practices. Profiling, tracking, and monitoring of American consumers have become far more widespread as a result of the self-regulatory approach to privacy. It is not clear yet what the impact will be on educational or employment opportunities, but there is always that risk, in the absence of legislation, that once permanent dossiers on Americans are created they will be used for purposes completely unrelated to the original collection.

• The ability of the FTC to operate as an effective privacy agency. The FTC appears to lack the statutory authority, the resources, and the reporting requirements that are required to operate effectively on privacy issues.
There are too many complaints, too little adjudication, and too little oversight.

• The ability to respond to new technologies. In the next few years we are going to see the development of new technologies that both hold great promise for innovation and technical achievement as well as significant risk to personal privacy. The use of genetic information, for example, poses new challenges that may be addressed more effectively through privacy legislation than the ``notice and choice'' approach.

• Growing public concern about the loss of privacy. At least one measure of success for a policy approach must be public support. There is little evidence to indicate that the public favors the self-regulatory approach to privacy protection.

While I remain very skeptical about self-regulation to protect privacy, I want to emphasize that establishing a right of privacy in law does not necessarily require extensive regulation. There are many privacy laws of only a few pages that are extraordinarily effective. The Subscriber privacy provision in the Cable Act of 1984, for example, is one of the most effective privacy laws in the US. It provides a very good model going forward for emerging privacy issues in the commercial world.

5. Genuine Privacy Enhancing Technologies (PETs) Limit or Eliminate the Collection of Personally Identifiable Information

My fifth point is that technology does have a role to play in privacy protection, but it is critical to think carefully about the collection and use of personal information in evaluating various technical methods. To say simply ``there must be technological solutions to technological problems'' really does not tell us anything. Some technologies clearly exacerbate the loss of privacy, others may help restore privacy. Over the last several years I have become particularly interested in the development of Privacy Enhancing Technologies (PETs).
I have presented papers at international conferences and worked closely with several of the leading technical innovators in the world. I believe that there are methods that enable commerce and communication and that respect privacy. In my view, the goal is to promote genuine Privacy Enhancing Technologies that limit or eliminate the collection of personally identifiable information. Anonymity, for example, is critical to the future of privacy. Of all the various approaches to online privacy, P3P may be the most problematic. It is the one privacy standard that provides no inherent privacy protection. It can as easily be used to extract data from consumers as it could be used to limit the collection of data. And I think this is fairly well understood by the industry groups that favor P3P. They do not believe that this standard will pose any significant obstacles to their plans for collecting and using personal information. A better approach would seek to both enable commerce and to limit the collection of personal information. We have many examples of this in the physical world, from the metro card to movie tickets to the cash in our wallets. Privacy technologies should not hinder commerce but they should also not force consumers to trade privacy to participate in commerce.

6. Free Expression and Privacy Protection are Complementary Values

On the question of the privacy and freedom of expression, this is clearly not a zero-sum relationship. This can be shown by the fact that there are many countries today with little regard for personal privacy or freedom of expression. The success of the US legal system is to preserve both interests, to safeguard free expression and to protect individual privacy. There are also a series of cases that make clear that privacy and the First Amendment are complementary interests. In McIntyre v.
Ohio, for example, the Supreme Court struck down an ordinance that required the publisher of a handbill to place her actual name on the pamphlet. In so doing, the Court recognized that the freedom to express one's views includes also the right to withhold one's identity. There are many other examples in American law where we safeguard privacy to promote free expression and freedom of association. It's worth noting, for example, that the freedom to vote as one wishes in a democratic society is safeguarded by the privacy of the voting booth. There are tough cases where the First Amendment and privacy interests collide. The Supreme Court, for example, must determine this term whether the press may publish the contents of a private telephone call obtained by means of an unlawful wiretap. EPIC, my own organization, dedicated to both the protection of privacy and the promotion of free speech, struggled with the question on which side we would file an amicus. In the end, we decided it was too difficult a case. But recognizing that there are, in some instances, difficult cases does not mean as a general matter that it is not possible to protect privacy and to promote free expression.

7. Federal Privacy Legislation Typically Does Not Preempt State Law

The issue of federal preemption is arising increasingly in discussions about privacy protection. It is important to understand that as a general matter, federal privacy law operates as a baseline and does not preempt stronger state statutes. This is clear from laws such as the Video Privacy Protection Act of 1988 and the subscriber privacy provision in the Cable Act of 1984. This approach was reaffirmed recently in the privacy provisions of the Financial Modernization Act of 2000 and the HIPAA regulations.
There are important reasons in our form of government to continue to allow the states to operate as ``laboratories of democracy.'' Congress may fail to act or it may act in such a way that reduces or limits the protections that a state might otherwise choose to provide for its citizens. States may also innovate and explore different approaches to common problems. California, for example, has recently passed legislation to address emerging privacy concerns and Maryland is now looking at new legislation that would provide important new protections.

8. Public Support for Privacy Protection is a Significant Consideration in the Legislative Process

In understanding the protection of privacy in America it is critical to keep in mind the central role that the Congress and the state legislatures have played in safeguarding privacy. In some instances, it has been the courts that have established rights of privacy, but more often it has been the legislature that has set out by means of statute the rights and responsibilities associated with the use of personal information in the commercial realm. My belief is that there is today widespread public support to establish Fair Information Practices for the collection and use of personal information in the commercial sector. There is a strong American tradition to protect privacy in law, many legislative precedents and broad based public support. The question is whether Congress will accept the challenge and act to safeguard this right, described by Justice Brandeis ``as the most comprehensive of all rights and the one most cherished by a free people.'' I appreciate the opportunity to appear before the Committee today and will be pleased to answer your questions.

Mr. Stearns. Professor Feldblum?

STATEMENT OF CHAI R. FELDBLUM

Ms. Feldblum. Thank you, Mr. Chairman, and members of the subcommittee. My name is Chai Feldblum.
I am a law professor at Georgetown University Law Center and director of the Federal Legislation Clinic, where we have worked on the issue of medical privacy for a number of years for various organizations. But I am testifying here today in my personal capacity as a law professor--although I am used to answering questions and being grilled by students. I don't know; I guess the new generation of students is quite different--to talk about my experiences in employment discrimination and medical privacy. And instead of talking about the minute details of those areas, of which there are many, instead of getting bogged down in that to sort of step back and talk about conceptually why it makes sense for government to regulate in these areas. Now, my written testimony gives you a description of the privacy requirements of the ADA, and I am not going to repeat those here. Basically, employers cannot ask questions of employees about their medical conditions at certain stages of the application process. They can collect a whole range of medical information before actually hiring somebody. That medical information has to be kept confidential, and employees with medical conditions are forced to disclose those conditions to their employers if they want reasonable accommodations. So what I want to focus on is why is government regulation of privacy in this way appropriate? I think that when government regulates conduct that it is otherwise permitted to regulate, such as employment discrimination, it can also regulate speech that would lead directly to such discrimination. So, for example, government can say you can't refuse to hire someone because she is pregnant. You also can't refuse to ask someone if she is going to become pregnant. 
Similarly, you can't ask applicants about their medical conditions if that means they won't get a fair chance to be considered for a job, but you can certainly find out about their medical information if that means they are not going to be qualified. None of us want to have 911 operators unable to hear. I mean, that is not the point. Now, in the area of medical privacy, the context that we are dealing with is that patients believe that they have a confidential relationship with their medical professional, and yet, that expectation is compromised every day by the interconnected research, medical, treatment, payment, quality system that we live in. The California Health Care Foundation has done a fascinating presentation of where our medical information actually goes, and I would absolutely recommend that presentation to everybody. Now, of course, a certain amount of individually identifiable health care information has to flow through our medical system. As someone who has represented disability organizations, I can tell you that people with disabilities have a very pragmatic view of this issue. Bottom line: they want a health care system that is effective and efficient. But precisely because the interaction in the medical system starts with a contractual relationship between the patient and the provider, the individual must feel assured of certain ground rules that their information will, in fact, be used appropriately. Now, let me end by saying that Congress, in 1996, did tell the Department of Health and Human Services to implement nine standards, and these were standards about transaction codes and identifiers and data security, et cetera. I think it made sense for Congress to interact in this way with the private parties because the only way to have consistent, uniform standards in the health care system is if, in fact, government intervenes and says everyone has to abide by these standards. That is what eight of those standards were about. 
But at the same time, government has to make sure that privacy protections are built in as well. That is the ninth standard. Well, I very much appreciate that you are looking at this issue, and I look forward to answering any of your questions.

Mr. Stearns. You roughly have 2 minutes left.

Ms. Feldblum. Oh, I do. My thing over here says stop.

Mr. Stearns. I just checked.

Ms. Feldblum. Well, then, I am going to give you my last two paragraphs.

Mr. Stearns. There you go.

Ms. Feldblum. And I know that if you had gone home without them, it just would not have been the same. I know that there is controversy about the regulations that have been put out, but for purposes of this big picture hearing, I want to stress the need to analyze privacy within the specific context of which the perceived need to regulate arises, and if there is anything that you get from this hearing and to me anything about doing--thank you; I know you agree, a big picture hearing as opposed to a hearing on a particular bill, it is to focus on the context in which that privacy concern arises. In the health care arena, that context is a longstanding belief between patient and doctor that medical information should be kept confidential juxtaposed with the reality of a complex health care treatment, payment, research, quality and marketing system that uses a significant amount of individually identifiable information without patients' explicit consent although with some patients' dimly sensed fear. The role of government, I believe, is to bring clarity and confidence to this area. Thus, the goal of any system of privacy regulation should be to enhance the treatment, payment, research and quality aspects of our health care system through creating a workable privacy system that gives patients trust and ensure that health care entities can engage in the marketing necessary to their financial health consistent with consumer consent.
Now, I can assure you as someone who has worked in this area for 6 years that there is a lot of debate and a lot of detail within that sentence. What is a workable system? But I think there is a common principle that there is a role for government to ensure that there are uniform, consistent standards and confidence and trust in the system. That is what you should do in the medical privacy area, and consistent with the context of these other areas, that is what you should do in other areas as well. Thank you.

[The prepared statement of Chai R. Feldblum follows:]

PREPARED STATEMENT OF CHAI R. FELDBLUM, PROFESSOR OF LAW, GEORGETOWN UNIVERSITY LAW CENTER

Mr. Chairman and Members of the House Subcommittee on Commerce, Trade, and Consumer Protection: Thank you for inviting me to testify today regarding ``Privacy in the Commercial World.'' My name is Chai Feldblum. I am a Professor of Law at Georgetown University Law Center, and Director of the Law Center's Federal Legislation Clinic. I created the Clinic in 1993 with the goal of training law students to be ``legislative lawyers'': that is, lawyers who are equally at ease with law and with politics. My goal is to train lawyers who are steeped in law and who like reading legal text, and at the same time, who are sophisticated about politics, know how to speak and write in ``English'' rather than in ``law,'' and who like the particular world of political negotiation. The goal is to produce lawyers who will actually be helpful to you and your staff as you create legislation to address the needs of our country.\1\
---------------------------------------------------------------------------
    \1\ For an explication of ``legislative lawyering,'' see ``Five Circles of an Effective Coalition'' and ``What is Legislative Lawyering?'' available at http://www.law.georgetown.edu/clinics/flc.
---------------------------------------------------------------------------
I also wear the traditional hat of an academic professor.
My academic legal writings have been primarily in the area of civil rights, with a focus on disability law and sexual orientation and the law. I appear before you today as an amalgam of those roles. In my life before teaching, I was the principal lawyer representing the disability community in the drafting and negotiating of the Americans with Disabilities Act--including those provisions impacting on privacy and confidentiality. As Director of the Federal Legislation Clinic, I have represented the National Association of People with AIDS (NAPWA), in its capacity as co-chair of the Privacy Working Group of the Consortium of Citizens with Disabilities.\2\ For six years, we have worked on behalf of the disability community toward passage of comprehensive federal medical privacy legislation. More recently, the Clinic has represented the Family Violence Prevention Fund, which is also concerned with enhancing medical privacy in this country.\3\
---------------------------------------------------------------------------
    \2\ The Consortium for Citizens with Disabilities (CCD) is a Washington-based coalition of approximately 100 national disability, consumer, advocacy, provider and professional organizations that advocate on behalf of 54 million children and adults with disabilities and their families. As advocates for persons with disabilities, CCD supports strong privacy protections that give health consumers confidence that their information will be used appropriately and that permit the continued viability of medical research and delivery of quality health care.
    \3\ The Family Violence Prevention Fund is a leading national organization that advocates on behalf of the millions of women and children who are the victims of domestic violence each year. The Fund runs several major programs that deal specifically with health care and domestic violence.
As advocates for people affected by domestic violence, the Fund supports privacy protections that will give victims confidence that their personal information will be used appropriately.
---------------------------------------------------------------------------
Today, however, I wish to draw on those experiences to share with you some general observations about protecting the privacy of our nation's citizens.\4\ I am less familiar with the academic and advocacy debate regarding proposals to regulate consumer information databanks developed by businesses (the subject of some of the writing of my co-panelists), and more familiar with the debate regarding privacy as it relates to employment discrimination and medical information. What I hope to do, therefore, is share with you some observations on the latter forms of privacy, and perhaps extrapolate from that some observations on privacy in general.\5\
---------------------------------------------------------------------------
    \4\ Thus, I appear before you today in my personal capacity.
    \5\ My observations with regard to employment discrimination and medical privacy should not be taken to mean that I do not believe there are also serious policy considerations for applying privacy regulation to consumer databases of non-medical information. Indeed, while I consider the work of my colleague, Eugene Volokh, see below, to be of superb quality, I believe Congress must be cautious in chilling in its own action in anticipation of some speculative long-term constitutional concern. While I have touted the advantages of Congress drafting a narrowly circumscribed bill to address a real, documented public policy evil to be remedied, so as to avoid creating an inviting target for the Supreme Court to further narrow Congressional power, see testimony of Chai R.
Feldblum before the Senate Judiciary Committee on the Religious Liberty Protection Act, September 9, 1999, I have never believed that Congress should fail to act when there is a clearly defined public policy problem and the recommended legislative response is not clearly unconstitutional. Of course, as Congress acts, it is useful to have the background analysis of scholars such as my co-panelists who may entertain some doubts about such actions.
---------------------------------------------------------------------------
A useful place to start is a sentence from my co-panelist Eugene Volokh's May 2000 article on freedom of speech and information privacy: `` `[P]rivacy' is a word with many meanings, and with such words both judges and laypeople often shift from one meaning to the other even in cases where the meanings have little in common.'' \6\ I completely agree with that observation. While I do not necessarily agree with my co-panelist's subsequent conclusion that harmful analogies are more likely to be drawn if the privacy of consumer information databases are regulated,\7\ I believe he has helped enhance the practical debate about privacy by illuminating its various meanings and components.\8\ What I would like to do is focus on two areas where the concerns are somewhat different, I believe, than those that arise in the context of consumer information databases. The best way for Members of Congress to carry out the hard work of figuring out what legislation to pass (and how to craft such legislation) depends, I believe, on developing a sensitive understanding of the context in which various privacy concerns arise.
---------------------------------------------------------------------------
    \6\ Eugene Volokh, Freedom of Speech and Information Privacy: The Troubling Implications of a Right to Stop People from Speaking About You, 52 Stan. L. Rev. 1049, 1102 (2000) (hereinafter Freedom of Speech).
    \7\ Volokh argues that ``once restrictions on people's speech are accepted in the name of `privacy,' people will likely use them to argue for other restrictions on `privacy' grounds, even when the matter involves a very different sort of `privacy.' '' Id. at 1102. By contrast, my colleague at Georgetown University Law Center, Julie Cohen, has written some interesting pieces presenting a different point of view. See Julie E. Cohen, Examined Lives: Informational Privacy and the Subject as Object, 52 Stan. L. Rev. 1373 (2000); Julie E. Cohen, Privacy, Ideology, and Technology: A Response to Jeffrey Rosen, 89 Geo. L. J. xx (2001)(forthcoming). See also Janlori Goldman, Privacy & Individual Empowerment in the Interactive Age, Visions of Privacy: Policy Choices for the Digital Age (C. Bennett & R. Grant eds. 1999).
    \8\ The work of my other co-panelists has also been of significant use in this regard. See, e.g., Solveig Singleton, Privacy Versus the First Amendment: A Skeptical Approach, 11 Fordham Intell. Prop. Media & Ent. L. J. 97 (2000) (hereinafter Privacy); Fred H. Cate, The Changing Face of Privacy Protection in the European Union and the United States, 33 Ind. L. Rev. 173 (1999); Wayne Madsen, David L. Sobel, Marc Rotenberg, David Banisar of The Electronic Privacy Information Center, Cryptography and Liberty: An International Survey Of Encryption Policy, 16 J. Marshall J. Computer & Info. L. 475 (1998).
---------------------------------------------------------------------------
The two areas on which I would like to focus are employment discrimination and medical privacy. Again, I do not plan to focus on the minute details of these areas (and there are a number of very minute details in each of these areas, I assure you), but rather, on the broad conceptual reasons for the enactment of legislation in these areas.
Indeed, in both employment discrimination and medical privacy, Congress has already acted to some extent--and there are lessons to be drawn from those enactments. During passage of the Americans with Disabilities Act (ADA), Congress chose to draw on Section 504 of the Rehabilitation Act of 1973, a law that prohibits programs that receive federal funds from discriminating on the basis of disability. That law, and the regulations issued pursuant to the law, provided Congress with a 17-year track record of substantive non-discrimination principles on the basis of disability. Section 504 was not focused on privacy, and yet the law included some important privacy components that were carried over to the ADA. Congress recognized that people with hidden disabilities (such as breast cancer or HIV infection or diabetes) often do not get the chance to be fairly considered for a job because the employer finds out--through questioning at an interview or through a medical examination or questionnaire--that the applicant has a particular medical condition. In such cases, the employer may choose not to hire the person because of unsubstantiated fears regarding the person's possible absentee rate or the response of co-workers, or because of possibly substantiated fears of higher health care costs that might be associated with that individual. In either case, in such circumstances the individual is judged not on the merits of his or her ability to do the job, but rather on ramifications that (justly or unjustly) flow from the individual's medical condition. In some cases, of course, an individual's medical condition will impact directly on the person's ability to perform the job. For example, we all want our airline pilots to be able to see, our truck drivers to be able to drive, and our ``911 operators'' to be able to hear.
The ADA thus creates privacy rules that ensure applicants are provided a fair chance to be considered for a job, but also ensures that employers are permitted to hire only qualified employees. Under this framework, employers may not ask job applicants to disclose their medical conditions during the initial stages of an application process. Rather, after a conditional job offer is extended, employers may ask applicants to respond to questions about their medical conditions (or to take a physical examination)--and based on that information, employers may refuse to hire employees who are not qualified for the relevant jobs.\9\
---------------------------------------------------------------------------
    \9\ 42 U.S.C. Sec. 12112(a)-(c). The ADA had originally incorporated a stricter rule which permitted employers to request from applicants only that medical information which was directly related to the job. After negotiations with the business community and the Bush Administration, however, that provision was modified to allow employers to request any medical information. Chai Feldblum, Medical Examinations and Inquiries Under the Americans with Disabilities Act: A View from the Inside, 64 Temple Law Review 521, 535-537 (1991) (hereinafter Medical Examinations). The key protection for people with disabilities, however, is that the medical information must demonstrate they are not qualified for the job. Whether a person is qualified for a job will depend on whether there are reasonable accommodations that will enable the person to perform the job functions. 42 U.S.C. Sec. 12112(b)(5)(a); see generally, Chai Feldblum, Antidiscrimination Requirements of the ADA, Implementing the Americans with Disabilities Act: Rights and Responsibilities of All Americans (L. Gostin & H. Beyer eds. 1992).
---------------------------------------------------------------------------
Once employers have collected medical information about applicants through such questioning or examinations, that information must be kept confidential.<SUP>10</SUP> In addition, if an employer seeks medical information from an employee on the job, <SUP>11</SUP> that information similarly must be kept confidential. What that means is the following. If medical information indicates that an applicant is not qualified to perform a job, or that an employee is no longer qualified to perform the job, the medical information may be used to refuse to hire or to fire that applicant or employee. This includes, obviously, disclosing the medical information to the relevant person with employment authority. However, if the medical information does not indicate that an applicant or employee is unqualified for a job, then that information cannot be circulated within the employment setting.<SUP>12</SUP>
---------------------------------------------------------------------------
\10\ 42 U.S.C. Sec. 12112(c)(3)(B).
\11\ After an employee is on-the-job, medical inquiries may only be made if they are job-related. 42 U.S.C. Sec. 12112(c)(4)(A); Feldblum, Medical Examinations, at 538-540.
\12\ The only individuals who may gain access to these records are: supervisors who may be informed regarding necessary restrictions or reasonable accommodations; first aid and safety personnel, when appropriate, and government officials investigating compliance. 42 U.S.C. Sec. 12112(c)(3)(B). According to regulations issued by the Equal Employment Opportunity Commission, employers may also provide such information to worker's compensation offices upon the filing of a claim by an employee. See EEOC Interpretive Guidance to 29 C.F.R. Sec. 1630.14(b).
---------------------------------------------------------------------------
There is a flip side to the confidentiality requirements of the ADA.
Many people with medical conditions wish to keep their conditions private, and do not wish either their employer or their co-workers to know of their conditions. Often, this does not pose a problem. However, in certain circumstances, an employee is required by law to divulge his or her condition, even if such disclosure is personally difficult for the individual. These circumstances arise when an employee seeks a modification of an employment practice or procedure (a ``reasonable accommodation'') because of his or her medical condition. Thus, for example, if an employee has a health condition that requires her to receive a two-hour treatment once a week, and she seeks time off to receive that treatment--she must disclose the existence and nature of her health condition in order to receive the benefit of the reasonable accommodation requirement under the ADA.<SUP>13</SUP>
---------------------------------------------------------------------------
\13\ EEOC Interpretive Guidance to 29 C.F.R. Sec. 1630.9.
---------------------------------------------------------------------------
What can we extrapolate from these employment requirements? As I noted, it is important to view privacy issues in the context in which they arise. When government regulates conduct that it is otherwise permitted to regulate (for example, prohibiting discrimination in employment contracts based on race, sex, or disability), I believe it is also permitted to regulate speech that would directly contribute to such discrimination.
Thus, the government may not only prohibit an employer from discriminating on the basis of pregnancy, but may also prohibit an employer from asking a prospective job applicant if she is planning to become pregnant.<SUP>14</SUP> Similarly, employers may be restricted in the questions they ask of applicants regarding their medical conditions during the application process.<SUP>15</SUP> These restrictions should be narrowly tailored, however, to the harm sought to be prevented by the government. For example, such tailoring is evident in the structure of the ADA, which permits employers to seek medical information prior to actually hiring an individual.
---------------------------------------------------------------------------
\14\ See EEOC Sex Discrimination Guidelines, 29 C.F.R. Sec. 1604.7 (1983); King v. TWA, 738 F.2d 255 (8th Cir. 1984).
\15\ I do not believe there is much disagreement that speech which effectively constitutes an act of discrimination is within government's legitimate power. For example, government may not only prohibit employment discrimination based on race, but may also prohibit an employer from running an ad that seeks ``whites only'' for a job. The more complicated question is whether, consistent with the First Amendment, government may also prohibit employers from engaging in speech that might lead directly to such discrimination. As noted, I believe government may legitimately do so. In some cases, however, the context in which this speech arises may well be determinative. For example, in U.D. Registry, Inc. v. California, 40 Cal.Rptr. 2d 228 (Ct. App. 1995), a state court held that the government could not prohibit only credit reporting agencies from disclosing information regarding certain housing actions, which were otherwise a matter of public record. While I have some questions regarding the outcome of this case, the fact that the relevant information already existed in the public domain was critical to the court's decision.
---------------------------------------------------------------------------
The context of the employment relationship also justifies the fact that government compels certain speech on the part of some employees with disabilities. As a general matter, of course, government may not compel speech on the part of its citizens.<SUP>16</SUP> But if an individual enters a contractual relationship with an employer, in which certain facets of that relationship are regulated by the government, then that individual can be expected to conform to expectations in the relationship that have been established through the government regulation. Thus, for example, although an individual must forgo some privacy rights if she wishes to take advantage of the reasonable accommodation requirement of the ADA, that trade seems both appropriate and within the government's power.
---------------------------------------------------------------------------
\16\ See Wooley v. Maynard, 430 U.S. 705 (1977); West Virginia State Board of Education v. Barnette, 319 U.S. 624 (1943).
---------------------------------------------------------------------------
A contractual relationship also exists in the area of medical privacy more generally. That relationship has led some commentators, who are otherwise leery of governmental regulation of privacy, to view medical privacy in a different light. Let me take two of my co-panelists as an example. Eugene Volokh has observed that ``one sort of limited information privacy law--contract law applied to promises not to reveal information--is eminently defensible under free speech doctrine.'' <SUP>17</SUP> Volokh notes that this protection should also cover implied contracts and explains the relevance of this for the medical context:
---------------------------------------------------------------------------
\17\ Volokh, Freedom of Speech, at 1057.
---------------------------------------------------------------------------
This explains much of why it's proper for the government to impose confidentiality requirements on lawyers, doctors, psychotherapists, and others: When these professionals say ``I'll be your advisor,'' they are implicitly promising that they'll be confidential advisors, at least so long as they do not explicitly disclaim any such implicit promise.<SUP>18</SUP>
---------------------------------------------------------------------------
\18\ Id. at 1058.
---------------------------------------------------------------------------
A similar observation is made by Singleton in her critique of analyzing privacy primarily as a ``right to `control' information about oneself.'' <SUP>19</SUP> As Singleton observes:
---------------------------------------------------------------------------
\19\ Singleton, Privacy, at 122.
---------------------------------------------------------------------------
This idea is familiar in medical and legal ethics and perhaps in other special professional relationships. In these relationships the expectations makes sense. The legal and medical professions understand that clients and patients will not confide in them without the right of confidentiality. Even if this right did not exist by statute, it is implicit in the agreements under which a doctor treats his patients or the lawyer counsels his clients. This understanding is informed by decades or even centuries of custom.<SUP>20</SUP>
---------------------------------------------------------------------------
\20\ Id. at 122-123.
---------------------------------------------------------------------------
The reality, of course, is that the confidential relationship patients believe they have with their medical professionals is compromised every day by the reality of the interconnected medical, research, payment, and marketing system that we live in.
The California HealthCare Foundation has developed a fascinating presentation that graphically displays the flow of our medical information in our existing interconnected systems.<SUP>21</SUP> Thus, for example, during and following one visit to a hospital, a patient's individually-identifiable health information may be sent to a lab, a pharmacy, a pharmacy wholesaler, a drug company, a marketer, an imaging center, a primary care group administrator, a third party administrator, an insurance company, a research institution, a public health department, a medical information bureau, a life insurer, a state insurance board, an oversight or accreditation board, and an employer.
---------------------------------------------------------------------------
\21\ I watched this presentation at a conference sponsored by the California HealthCare Foundation in December 2000. It is one I would whole-heartedly recommend to Members of Congress and their staff. A useful summary graphic of ``sample data flow'' was developed by the Georgetown University Health Privacy project, based on the presentation of the California HealthCare Foundation, and is attached to this testimony.
---------------------------------------------------------------------------
Of course, a certain amount of individually-identifiable health information must flow freely in our health care system in order for the system to work efficiently, effectively, and at a high level of quality. As someone who has represented disability organizations over the years, I can assure you that people with disabilities have a very pragmatic view of this issue. People with medical conditions tend to interact a significant amount with the medical system. Hence, they want an effective, efficient, and high quality health care system, together with the best that increased research and disease management can offer.
But disability rights advocates do not experience their desire for medical privacy to be in conflict with their desire for an effective health care system, and thus they do not view these interests as needing to be ``balanced'' against each other. Rather, precisely because the interaction with the medical system is, at first onset, a contractual relationship--the interaction works best if patients feel assured of certain ground-rules: that their individual medical information will not be disclosed to entities that may use that information to harm them; that their information will be used, within the health care system, in an ``appropriate manner;'' <SUP>22</SUP> that they will be provided information about what those ``appropriate'' uses will be, and that they will have the opportunity to review their own medical records. Thus, establishing an effective system of privacy regulation can enhance the operation of the health care system by increasing individuals' trust and confidence in the initial medical contractual relationship.<SUP>23</SUP>
---------------------------------------------------------------------------
\22\ I put ``appropriate'' in quotation marks because the debate over health care privacy regulation sometimes concerns the scope of the activities over which patients should be able to control transfer of their individually identifiable information. There are many activities that patients may not realize, at first blush, are ``appropriate'' uses of their medical information, and yet, such activities may be quite essential for the workings of the health care system. For this reason, the debate often focuses on what providers and plans may legitimately demand--as a pre-condition for treating a patient or paying for such treatment--as they enter the contractual relationship with the patient.
\23\ A national survey released in January 1999 found that one in six Americans engages in some form of ``privacy protective behavior'' because he or she is afraid of confidentiality breaches regarding sensitive medical information. These activities include withholding information from health care providers, providing inaccurate information, doctor-hopping to avoid a consolidated medical record, paying out of pocket for care that is covered by insurance, and avoiding care altogether. California Healthcare Foundation, National Survey: Confidentiality of Medical Records (January 1999). The survey was conducted by Princeton Survey Research Associates. Results are available at http://www.chcf.org/conference/survey.crfm.
---------------------------------------------------------------------------
As in the area of employment discrimination, Congress has already acted to some extent in the area of medical privacy--although there is work that still needs to be done. In 1996, Congress directed the Department of Health and Human Services (HHS) to develop nine administrative simplification standards for use in the health care system. These standards were to address: ``transaction codes and medical data code sets; consistent identifiers for patients, providers, health plans, and employers; claims attachments that support a request for payment; data security; enforcement'' and ``information privacy.'' <SUP>24</SUP> As the General Accounting Office described this Congressional mandate: ``Taken together, the nine standards are intended to streamline the flow of information integral to the operation of the health care system while protecting confidential health information from inappropriate access, disclosure, and use.'' <SUP>25</SUP>
---------------------------------------------------------------------------
\24\ Ms. Leslie G. Aronovitz, Director, Health Care-Program Administration and Integrity Issues, U.S.
General Accounting Office, Testimony before the Senate Committee on Health, Education, Labor, and Pensions, February 8, 2001, at 2. The mandate on HHS to implement an information privacy standard was triggered only if Congress failed to enact comprehensive medical privacy legislation by August 21, 1999. Of the nine standards required to be issued, HHS has issued a regulation governing electronic transactions (on August 17, 2000) and a regulation governing information privacy (on December 28, 2000).
\25\ Id.
---------------------------------------------------------------------------
Congress' action to date in this area reflects, I believe, an appropriate interaction between government and private contractual parties in the health care system. Given the interconnectedness of our health care system, and the increasing use of computer technology, all parties benefit if there are consistent and uniform standards that will be used by all parties to health care transactions. To create such uniformity and consistency--and hence, administrative simplification--government must intervene through the establishment of standards to which all parties must conform. However, as government facilitates the uniform entry of our medical information into this administratively simplified system, it must simultaneously ensure that privacy standards, policies, and protections are built into the system as well. Congress took that initial step in 1996, and the Department of Health and Human Services fulfilled its obligation in 2000. While I, as others, are disconcerted that the process will be reviewed yet again, <SUP>26</SUP> I have no doubt that, as Secretary of HHS Tommy G.
Thompson has stated, after reviewing public comments, he intends to ``put strong and effective health privacy protections into effect as quickly as possible.'' <SUP>27</SUP> I believe the Secretary, as well as the health care industry, clearly recognize that effective privacy protection facilitates and enhances the doctor-patient relationship.
---------------------------------------------------------------------------
\26\ See Robert Pear, ``Health Secretary Delays Medical Records Protections,'' NY Times, February 27, 2001, at A14 (reporting that HHS Secretary Tommy G. Thompson announced he would seek additional public comment on the privacy regulation issued by HHS in December 2000).
\27\ Id.
---------------------------------------------------------------------------
The reality, of course, is that Congress has not yet acted to ensure that medical privacy protection will exist--as a reality--in all contexts in which problems of disclosure may arise. For example, the mandate Congress handed to HHS covered only a select group of entities in the health care system (health care providers, health plans, and health care clearinghouses), and did not cover a range of other entities (such as employers, educational institutions, and financial institutions) that also obtain medical information. While the regulation issued by HHS makes some effort to address subsequent disclosures by such entities, I believe most observers consider there is room for improvement in this area. The actions that Congress has previously taken in the area of medical privacy, together with the work that remains to be accomplished, provide us with some general observations on the role of government in this arena. As I stated at the outset, ``privacy'' must be viewed within a specific context.
In the health care arena, that context is a long-standing belief between patient and doctor that medical information should be kept ``confidential,'' juxtaposed with the reality of a complex health care treatment, payment, research, quality and marketing system that uses a significant amount of individually identifiable health care information without patients' explicit knowledge (albeit presumed by some patients with some dimly sensed fear). The role of government, I believe, is to bring clarity and confidence to this area. The goal of any system of privacy regulation must be to enhance the treatment, payment, research, and quality aspects of our health care system through creating a workable privacy system that provides patients with trust in their health care system, and at the same time, ensures that health care entities can engage in the marketing necessary to their financial health in a manner consistent with consumer consent. Obviously, this is not necessarily an easy project. For example, while I doubt many observers of the current health care privacy debate would quibble with the first part of my previous sentence, I expect there would still be debate regarding what is a ``workable system'' of privacy regulation, what requirements ``enhance'' research or simply make life more ``convenient'' for researchers, and whether one uniform federal standard, with no state variations, is an essential component of such a system. Moreover, I am sure there would be disagreement regarding the extent of marketing that should be permitted without consumer consent. Nevertheless, I believe there is a shared conceptual principle that it is legitimate for government to intervene in this area so as to enhance patient trust in the health care system. The fact that this may be a hard job for government to do has never been a reason not to tackle it. 
Let me conclude with some comments on an area that represents one of those ``hard jobs'' that need to be tackled--and that brings together some of my observations on employment discrimination and medical privacy. We are blessed to be living in a century where amazing medical and scientific advances are made every year.<SUP>28</SUP> The success of the Human Genome Project is one example of such an astonishing scientific breakthrough. But the researchers in that project, and in comparable private sector projects, correctly warn us that ``genetic testing'' and ``genetic markers'' must be treated with caution. The existence of a ``genetic marker'' does not necessarily mean an individual will develop a particular disease.<SUP>29</SUP> Moreover, employers and insurance companies may begin to view genetic information as useful information to compile, and then act upon such information for purposes that the general public, and Congress, may well find objectionable.<SUP>30</SUP> The principles that I articulated above should, I believe, lead Congress to clearly prohibit unjustified discrimination based on genetic markers for health conditions (as well as for the health conditions themselves), and to ensure that any medical privacy regulation clearly encompasses protection for genetic information.
---------------------------------------------------------------------------
\28\ Of course, the existence of such breakthroughs only makes the reality of ``medical mysteries'' that much more heartbreaking. See, e.g., Jerome Groopman, Second Opinion: Stories of Intuition and Choice in the Changing World of Medicine (2000); Jeff Wheelwright, The Irritable Heart: The Medical Mystery of the Gulf War (2001); Hillary Johnson, Osler's Web: Inside the Labyrinth of the Chronic Fatigue Syndrome Epidemic (1996). Nevertheless, medical advances continue to help a large number of individuals.
\29\ For background information on the Human Genome Project and genetic research generally, see the website of the National Human Genome Research Institute at the National Institutes of Health, available at http://www.nhgri.nih.gov.
\30\ Certain evidence seems to indicate that such activities are already taking place. See, e.g., U.S. Equal Employment Opportunity Commission, ``EEOC Petitions Court to Ban Genetic Testing of Railroad Workers in First EEOC Case Challenging Genetic Testing Under Americans with Disabilities Act,'' available at http://www.eeoc.gov/press/2-9-01-c.html.
---------------------------------------------------------------------------
Thank you for your attention. I look forward to responding to your questions.

Mr. Stearns. Thank you. Let me start with my questions. Professor Volokh, this is perhaps a more legal question, but I think our committee should tackle this and get the nuances here. What legal considerations would creating a property right in personal information trigger?

Mr. Volokh. Sure; this is one of the arguments that is sometimes made in support of information privacy speech restrictions, that they just create a property right in personal information. The Supreme Court has said that certain kinds of speech restrictions--specifically, copyright law is the best example--are justifiable on an intellectual property rationale. But in that case, Harper and Row v. Nation Enterprises, where the Court upheld copyright law, it said many times that the reason that copyright law is Constitutional is precisely because it distinguishes facts, which nobody can own under copyright law, from expression of those facts. So if you are a historian, and you uncover some facts about a person or about something else, you have no property right in those facts. You do have a property right in the book that you used to express those facts, so nobody can copy literally or even paraphrase the book, but they can borrow the facts from your book.
That is the fundamental rule of intellectual property law, but it is also a fundamental rule, as I read Harper and Row, of First Amendment law: that to the extent the intellectual property rules do survive First Amendment scrutiny, it is precisely because they do not create a monopoly in facts. And also, if you think about what are the implications of saying that somebody has a property right in personal information? If somebody really does have a property right in personal information, that is like a property right to stop other people--not just in the business context but also, say, in the press context--from writing about this person, from communicating that information.

Mr. Stearns. So I am on a computer. I go to a site----

Mr. Volokh. Yes.

Mr. Stearns. [continuing] they send a cookie, and they start to track me, and they provide--they have a pretty good idea all about me in terms of from a marketing standpoint. At what point do I have a right to ask that they tell me what they are doing with it and to say I want to opt out?

Mr. Volokh. Okay; I think that there are two distinctions here. One is between data gathering of certain kinds.

Mr. Stearns. Okay; which is----

Mr. Volokh. So, for example, if they pop a virus in your computer----

Mr. Stearns. Right.

Mr. Volokh. [continuing] well, that would clearly be something that can be regulated.

Mr. Stearns. Okay.

Mr. Volokh. But the other distinction is between disclosure requirements----

Mr. Stearns. Okay.

Mr. Volokh. [continuing] and actual restrictions on communication. I think it would be quite Constitutional for Congress to say that before somebody----

Mr. Stearns. Starts tracking you.

Mr. Volokh. [continuing] gathers information, they have to explain what they are doing.

Mr. Stearns. So Constitutionally, I would have a right for them to put up a dialog box saying that I have the right to opt out?

Mr. Volokh. It would be Constitutional for Congress to create this as a statutory right.

Mr. Stearns.
Okay; so, it would be Constitutional.

Mr. Volokh. But I should mention the opt-out thing. I mean, it seems to me the site has to have the right to say look: if you want to use our site, you have to understand that we are going to reveal this information. So I think the opt out is the customer's right not to use that site.

Mr. Stearns. Let me follow up. Can you take us through the Constitutional tests that a court would apply regarding a law restricting commercial speech? What would qualify as compelling in your mind?

Mr. Volokh. Sure; if we are talking about commercial speech, which is a legal bit of shorthand that really means commercial advertising, then, there is this four-part so-called Central Hudson test which demands only a substantial government interest to justify restriction on commercial advertising. Most of this data gathering and communication does not involve commercial advertising or commercial speech under the Court's precedents. Just like the Wall Street Journal reports speech about commerce; reports speech about commercial entities, that is not commercial speech. The Wall Street Journal is fully protected as to its data that it contains even though not as to the advertisements. Likewise with this information that is gathered about people. If there is an advertisement that is sent to people, that is commercial speech. That can be restricted under this more lenient test. But if all we are talking about is communication of information about people, that is not commercial speech, and that requires the highest level of Constitutional scrutiny.

Mr. Stearns. So I am on the Website, and after 3 or 4 months, I am starting to get all of this advertising. It is coming into my Website, and, you know, I don't know where it is coming from.

Mr. Volokh. Yes.

Mr. Stearns. It is not only the mundane stuff, but it is starting to get more nuanced into all kinds of things----

Mr. Volokh. Yes.

Mr. Stearns.
[continuing] I don't want to have on my Website, and I don't understand how it got there. So is that commercial speech Constitutionally acceptable, and can I object to that?

Mr. Volokh. Yes; if it is advertisement that is being sent to you, not just communication about you to other people but advertisements, commercial advertisements being sent to you, that is commercial speech. Congress has somewhat more flexibility in restricting that. So, for example, Congress could certainly require that commercial ads have some disclosure requirement, for example, explaining where it is coming from, maybe even where they got the data from you and such.

Mr. Stearns. Because I see all of this come on, and I don't know where it is coming from. And, you know, it is okay and doesn't bother me, but after awhile, it does start to bother me.

Mr. Volokh. Yes; and one thing that Congress could do--and again, it is an interesting question as to whether, as a policy matter, it is a good idea for it to do, but it could give you the right to say stop sending me this stuff.

Mr. Stearns. Right, like spamming.

Mr. Volokh. There is a Supreme Court case--exactly; there is a Supreme Court case 30 years ago called Rowan v. Post Office Department that had to do with paper spam.

Mr. Stearns. Okay; one question, and then, I am done. Professor Cate, and perhaps this is a question for each of you to answer just yes or no to, if I can, pin you down here as law professors. As a member of the FTC's Online Access and Security Advisory Committee, you closely studied the issue of access and security as it relates to online Websites. What problems did the committee see with the access and security as it relates to consumer data? Does that make sense?

Mr. Cate. Yes, it makes perfect sense. I would like to be able to answer yes or no to that. But there were obviously numerous problems.
That is one reason the committee never reached a consensus or a resolution on that issue; beginning with the problem of, first of all, how do you authenticate who you are providing access to? If somebody comes to you and says I want access to my information, how do you know who they are? A second problem of do you have to bring together more information in order to provide them access? So, for example, if you collect information in three different ways or three different sides, you never bring it together for any purpose whatsoever, marketing or others. Would access requirements require that the business profile you in order to respond to your request for access; you know, a third being the related security issues: how do you protect the security of that transaction? A fourth concern, particularly in the online environment, being, as this committee well knows, computers, you know, tend to collect a lot of information, much of which is never used for any purpose. For example, you know, there are backup tapes that record virtually all of the access to any Website. I am sure that is true for the Congress as well. That is not used for any purpose at all. Yet, that is certainly personally identifiable information about you. Would an access request require that the institution, the business, go back and mount all of those tapes and run them in order to find data which is not used for any purpose whatsoever? And, you know, I guess finally the fifth issue raised in that committee's discussion is what information would you have access to? You know, only personally identifiable information? How about calculated information? If I know that you purchase beer, statistically, that means you are likelier to purchase diapers. Don't ask me why. That just happens to be true. So, if I have calculated that you are likely to have children--does that mean I have to disclose that to you? If it is a credit score, do I have to tell you how I arrived at that score? 
If it is publicly available information, you know, I matched some information about you with data from the public record, do I have to give you access to that information even though I am not the custodian of it and can't correct it in any event? And what if it is information that you can't correct in any event, for example, records of past transactions? You want to say you did not make that purchase at my store. You know, you can want to say that all you want. Unfortunately, you know, if I believe you did, and I can support that, I am not going to change it. Should access be provided to that type of information?

Mr. Stearns. Well, my time has expired. Ms. DeGette?

Ms. DeGette. Thank you, Mr. Chairman. I would like to follow up on the Chairman's question a little bit to you, Professor Volokh. I am not so concerned about advertising that comes onto folks' Websites. What I am concerned about is the topic of the discussion today, which is privacy. And from what I heard you say in your opening statement, it sounds like your view is that there is really pretty much an unrestricted First Amendment right to privacy which you can have either an expressed or an implied contract by the providers to restrict that somewhat, but if there is no contract, then, what it sounds to me you are saying is that once someone gives over, say, their medical records or their financial records that there is an unrestricted First Amendment right. Is that not accurate?

Mr. Volokh. My view, being kind of an extremist by temperament, my view is that----

Ms. DeGette. I noticed that.

Mr. Volokh. Exactly; is that in fact, once information is revealed without any contractual obligation to somebody, that person is free to pass it on.

Ms. DeGette. So, for example, if I give my medical records to somebody, and then, they, without my knowledge, transfer them to someone else, that third party, in your view, has an unrestricted First Amendment right to disseminate those records----

Mr. Volokh. Yes.

Ms.
DeGette. [continuing] anywhere they want, and Congress could pass no law to control that action? Mr. Volokh. A very similar question is before the U.S. Supreme Court right now. It has to do with whether the media are entitled to publish information that was illegally gathered, in that case by intercepting cellular conversations but turned over to them. And I think the answer is, for example, if a newspaper gets somebody's record, they are entitled to publish it. Ms. DeGette. So your answer to my question is yes, that is your view. Mr. Volokh. My view is but there is also another possibility. Ms. DeGette. Yes or no. Mr. Volokh. My personal view, yes. Ms. DeGette. What do you think about that, Mr. Rotenberg? And then, I will ask you, Professor Feldblum. Mr. Rotenberg. I think it is generally correct, but there are competing legal principles, and one competing legal principle is the privacy tort, particularly with regard to the disclosure of private facts. Now, that tort creates First Amendment questions, because that is the issue that you have to consider. If I know, for example, that someone is AIDS-positive, and I publish this information, it is a true fact. Assuming it is a true fact, all First Amendment theory says why would we restrict the publication of true fact? There is no defamation. But if you go back to the concept articulated in the Brandeis and Warren article, we might restrict the publication of true facts because of the harm that it does to the individual as a person, whether or not there is identifiable economic damage, that somehow, we value the person's integrity, their autonomy and their dignity. And so we have, in American common law, recognized this privacy tort. We have created a very high standard. The disclosure has to be very highly offensive. And just, you know, by way of counterexample, one of the cases I teach is a case called Legg v. Wal-Mart. Ms. DeGette. Right. Mr. Rotenberg. 
It concerns a woman who went into a Wal-Mart to have her vacation film developed. It included some pictures of her in the shower, of her and a friend taking a shower without any clothing on. She got back from Wal-Mart and a notice which said I am sorry; we can't process this film. She didn't think anything of it until she later learned that pictures from that roll of film were circulating in the community, because the technician who had access to that roll of film had gone ahead, developed the pictures, and circulated them. And she brought an action against Wal-Mart. There was nothing in the agreement with Wal-Mart that said that they were prohibited from disclosing this information. The question that was put to the Minnesota Supreme Court was does she have a right of privacy---- Ms. DeGette. And what was the answer? Mr. Rotenberg. And the answer was yes. Ms. DeGette. Thank you. Professor Feldblum? Ms. Feldblum. Yes; I think you have touched on exactly what I thought was the weakness when I read my colleague's article. I believe that the government does have a right to restrict that information of the newspaper or some other third party because they have a compelling interest in protecting that information, and it is narrowly tailored to that. The contract model gets you only so far in the medical world. It is the reason why we have to be concerned that only gets you so far in terms of binding individuals. I believe Congress can bind not only the physician or the hospital to their express or implied contracts but also other entities that get that information, even though it is a burden on their speech. But you can burden speech when it is narrowly tailored to a compelling government interest, and in my mind, this is one of those. Ms. DeGette. Thank you. Ms. Feldblum, let me follow up. I spoke in my opening statement about these new HIPAA regulations and have been hearing from a lot of businesses that they will be overburdensome and costly. 
I would be interested, and I know you were involved in the development of those regulations, and I am wondering what your thoughts are on that and if you have been thinking of ways we could streamline them to make them more workable. Ms. Feldblum. I think they will cost money. The bottom line is things cost money when you actually change norms. There is a norm right now in the medical community which is that information flows very freely, and it flows that way because people think that they are all doing a good thing. You know, often, they are, but sometimes, it doesn't make sense to have all that information flowing in that way. What the health industry said to Congress in 1996--well, they had been saying it for some time--is we have got so much information going on out there, and we have people putting it in all of these different formats, and that is a problem for us. So we want you, government, to intervene and create standards about what the data codes should look like and what the identifiers---- Ms. DeGette. Well, my time has expired. Ms. Feldblum. Yes, I see. Ms. DeGette. So I would like to get an answer, which would be are you involved or willing to look at ways we can modify those regulations to make them more workable for industry? Ms. Feldblum. I believe that the comments actually took in those concerns already and that they have been modified. I think it is unfortunate that the Secretary is opening it up for comment again. I will be involved in this 30-day comment, and if we get something better, I am all for it. Ms. DeGette. Great; thank you. Mr. Stearns. Thank you. I thank my colleague. Mr. Buyer? Mr. Buyer. Thank you. In my mind, when it comes to issues of privacy, it is easier for me to understand this when there is a contract or physical property. 
I am going to move into a difficult arena for me, and I am going to turn to you, Professor Volokh, only because I remember your testimony to us before the Judiciary Committee, and I appreciated your past witnessing. What are some examples of an implied contract with an inferred privacy where there would be an unjust enrichment? Mr. Volokh. A classic example of an implied contract, I think, would be a situation where---- Mr. Buyer. Well, Wal-Mart immediately comes to my mind. Mr. Volokh. Exactly, exactly. I am not sure unjust enrichment is present there, but I don't think it needs to be present in order for the government to be able to act, either through a standard contract claim. You could have a claim on an implied contract without unjust enrichment; or through special tailored legislation. I'd be happy to talk further to the unjust enrichment question, but I just don't think it is necessary as a doctrinal matter. Mr. Buyer. An example, then. If we are to do absent physical property or a contract, in the arena of a privacy tort, is it possible to have an inferred privacy? Mr. Volokh. I think the term inferred usually arises in the context of a contract; that is, a promise on somebody's part. Mr. Buyer. Right, and I am saying absent that. Mr. Volokh. Right; I oppose---- Mr. Buyer. If the courts are going to be narrowly constrained? Mr. Volokh. Yes. Mr. Buyer. Is it possible to have an inferred privacy absent? Mr. Volokh. I oppose the Warren-Brandeis privacy tort. I think that there have been quite a few cases in which it has been applied in a way that, as people would predict, involved judges telling newspapers what they may and may not publish. I think that is not a good thing for a judge to do. Mr. Buyer. People believe--they have these expectations---- Mr. Volokh. Yes. Mr. Buyer. [continuing] of privacy. Mr. Volokh. Yes. Mr. Buyer. Is it possible to have an inferred privacy, absent--I mean, in a privacy tort, can you have an inferred privacy? Mr. Rotenberg. 
If I may answer, Mr. Buyer, I think the Internet today provides a wealth of very interesting examples to answer the question that you are asking, and the reason for this is that there is a great deal of surreptitious data collection taking place by Websites, by firms that do advertising profiling, the so-called Web bugs that are related to HTML tags that make it possible to track and collect data about individuals without their knowledge. Now, this is a very interesting type of data collection, because I think you could fairly say that there is really no contractual relationship, and what was quite significant about the Double-Click example is that an advertiser really exists apart from the customer. I mean, the client of the advertiser is the company for whom the product is being advertised. But when this type of data collection occurs, it raises privacy issues of the Brandeis-Warren tort variety. And, in fact, claims that were brought in State courts against companies like Double-Click, and I don't mean to single them out because there were others as well, were based on the theory that you are talking about now, that you have this type of collection of information; a use that occurs; arguably, a form of unjust enrichment; I have seen that alleged--without a preexisting relationship. Now, I think, a) this is a serious privacy issue, but b) the better approach, rather than going back and forth with a privacy tort state-by-state, is a general privacy law for this activity based on fair information practices that makes more open, more transparent when that data collection is occurring, makes it fairer. Mr. Buyer. May I ask, Professor Feldblum---- Ms. Feldblum. Yes? Mr. Buyer. [continuing] do you believe it is possible absent, in torts privacy, to have an inferred privacy cause of action? Ms. Feldblum. I think it is very hard to imagine an inferred privacy without some contractual engagement at some point. I think where you are going to find---- Mr. Buyer. 
I am trying to find the boundaries. That is why I asked the question. Ms. Feldblum. I think that where the differences will be is how far we are willing to see that contract extend; that is, somebody might say here is the contract and then that is it, and I think I would be someone who might say yes, that is the initial contract, but actually, there are other ramifications from that contract in terms of other people they interconnect with, and therefore, then, we get a privacy issue. And that is when the context of the area makes a difference. It might be a difference if it is medical privacy, and they are interconnected there versus that I shop at Books a Lot. I mean, and that is a policy question, then, for you guys to decide. Mr. Buyer. Thank you, Mr. Chairman. Mr. Stearns. Thank you. Mr. Doyle? Mr. Doyle. Thank you, Mr. Chairman. Professor Volokh, you seem to get a lot of questions. I am not an attorney, so bear with me. I want to make sure I got this right. My desire to keep certain factual information about myself private violates your First Amendment right to speak about me. Did I get that right? Mr. Volokh. Not quite. Let me offer a friendly amendment. The government stepping in and suppressing people's speech to effectuate your desire, that would violate their speech rights. If the government goes and, as Professor Feldblum suggested, and tells a newspaper you may not publish this story, because it conflicts with the subject's desire to keep the information private, then, indeed, that is the government restraining the freedom of speech and of the press. Mr. Doyle. I have got you. So it is not inquiring minds have a First Amendment right to know; it is inquiring minds want to know. You are not saying that my desire to keep certain things private about myself violates your First Amendment rights. Mr. Volokh. Oh, no, absolutely. 
If you are just doing it through technological self-help or through contract or through not revealing certain information, that is perfectly right. It is when the government steps in and tries to enforce that through coercive sanctions; that raises First Amendment questions. Mr. Doyle. Got you. Professor Cate, you were not serious about that beer and diaper thing, were you? Mr. Cate. Yes, I was. Mr. Doyle. That is incredible. Mr. Rotenberg, that is all I have. Mr. Doyle. Let me ask you a question. We have talked a little bit about, you know, back in 1996 that companies started this self-regulatory approach to privacy, and here we are 5 years later, and FTC has basically come on the side that maybe the self-regulation hasn't progressed as much as it should. In your view, do you think the private sector has made a legitimate effort, a good faith effort to institute standards of behavior, or do you think they could be doing a better job? Mr. Rotenberg. Well, I think both statements are true. In other words, I think they have made a good faith effort. I think there has been progress. But I also think they could be doing a better job. What I tried to do in my testimony, because this is obviously an area that you are going to come back to, I think, how well does self-regulation work, is to suggest a few issues you might want to consider. Now, one thing that concerns me about this process of self-regulation is what I see as a redefinition of privacy. You know, we may sort of disagree about where the privacy rules apply, but I do not think there would be broad disagreement about fair information practices. That basic set of principles that can be found in a lot of places in U.S. law has been shortened, and today, we talk a lot about notice and choice, I mean, as a formulation for self-regulation. I think that is a very significant change in how we talk about privacy protection. Mr. Doyle. Thank you. 
Professor Feldblum, you know, when we talk about commercial matters, I am not near as troubled as when we talk about medical matters, and again, I am trying to understand the legal issues. I mean, there is an implied privacy between a patient and their doctor that when you are sitting down discussing your medical situations with your doctor, you have a right to expect that that is not going to become public information. Yet, I know--I live in Pittsburgh--the University of Pittsburgh Medical Center is undertaking this effort through this new technology project to be able to share information not only with doctors in their system but outside the system, so that when you go to a doctor, instead of waiting for film to be sent over and records that, you know, they can plug right into what standard, a system that can pull up all of that information. But in the medical community, isn't this always done with some sort of waiver release? In other words, can my records actually be accessed by someone without me signing a medical waiver saying I give permission to send my records somewhere? Ms. Feldblum. Oh, absolutely. I mean, that is what happens all the time right now. You will get---- Mr. Doyle. Doesn't that seem---- Ms. Feldblum. Doesn't that seem odd? Well, you do sign waivers for things like payment and sometimes research. But, you see, what the medical community will say to you, and I think there is some value to this. One of the pluses about negotiating is hopefully, you learn and understand the other side is that they need some of that free flow of information. And if it was simply dependent on the consumer, the patient, agreeing, you would have too many people opting out, and then, that would hurt the quality of the system. That would hurt the quality of the information. Mr. Doyle. 
Give me an example of why they need the free-- like, for instance, if I want to apply for a life insurance policy, I give a medical waiver saying, you know, check my medical records to make sure I am not going to die tomorrow. But I am saying give me an example of how stopping the free flow of information between doctors that I have not given any permission to do is a benefit---- Ms. Feldblum. Right. Mr. Doyle. [continuing] to consumers and/or the hospital. Ms. Feldblum. The point, the idea is that the way research and quality and disease management work the best is by bringing in a lot of information. I think it was Congresswoman DeGette's point that sometimes, greater information actually helps the consumer, and the medical industry will say you may not realize that if you allow your medical information to be used, you will be helped with your diabetes as well, and you might not be smart enough now in the moment to realize you should give up that information. So I believe, and my work in this area has made me believe, that we have to make sure that privacy regulation is workable for the industry, but that does include, No. 1, making sure that patients know where that information is going and that they do sign. Now, that is a sort of compelled consent, because if they don't sign, they don't get treated. But at least there is some information being given to them and that in areas where the industry can prove, look, we need this information; we need it under the compelled consent, it has to be under a separate consent where if I don't sign, you can't refuse to treat me. And to be honest, that is what the HIPAA regulations have essentially done. Mr. Doyle. Thank you. Thank you, Mr. Chairman. Mr. Stearns. Thank you. Mr. Shimkus? Mr. Shimkus. Thank you. I think this is a family show, and I don't think I want to be effectuating my desire, as was stated. That was supposed to be funny. I guess it didn't work. I am not a lawyer either, and I don't even pretend to be one. 
And I am going to take this question, but I really enjoyed it. Let me state that. And I think it has caused a lot of questions. My opening statement said how do you balance? There are a lot of benefits to the consumers for trading of information, but there will be benefits to the business to keep the individual's records also. In another subcommittee that Chairman Upton chairs, we are addressing the Webpages, domain names, and my personal interest is a move, if possible, to a .xxx domain name for that type of material, trying to address how do we skip away from the First Amendment debate on the people being able to go to those areas and for people to reap benefits from the publication of that smut, as a lot of us will characterize it, while protecting our children? And with a .xxx domain name, filtering and technology could better support that, but you are not, in essence, infringing, I don't think. So I want to pose that to those who want to respond. I know Professor Volokh is ready to respond to that. What do you think are the First Amendment consequences? And then, it would translate into privacy because of the cookie issue and the tracking and all the other events. Mr. Volokh. Just by sheer accident, it turns out that this is also an area that I have studied. Mr. Shimkus. I knew that. Mr. Volokh. But the Supreme Court, in Reno v. ACLU, said that the Government has very limited power controlling information online, even if it is sexually explicit information. Outside of the narrow zone of obscenity and child pornography, that speech is Constitutionally protected. One of the things that the Supreme Court highlighted is there is filtering technology that parents can use to shield their children at home. I have argued that the Court may have overstated the utility of that technology; that the filtering technology is not perfect, and I think it is very important to realize that it is not perfect and never will be perfect. 
But it is probably the best solution, both from a Constitutional perspective--it may be the only Constitutionally available solution for parents, essentially, to use this technology and perhaps for the government to facilitate its development if necessary. But what is more, as a technical matter, given the amount of offshore sexually explicit material which we might like to control, but we can't really, filtering is a necessary requirement, because filtering is the only--the technological option is the only mechanism for controlling all the access that your child might have, whether domestic or foreign, because, of course, on the Internet, nobody can tell if it is domestic or foreign. So I think filtering, with all its flaws, is the best solution both technically, practically and Constitutionally. Mr. Shimkus. Following up on the actual--the ICANN, which is a pseudo-government entity---- Mr. Volokh. Yes. Mr. Shimkus. [continuing] that assigns domain names---- Mr. Volokh. Yes. Mr. Shimkus. [continuing] what about their requiring--two issues: requiring pushing sexually explicit sites into a specific domain name, and then, there is, again, would be copyright issues as far as forcing them from their name of choice that they have been using and everybody has familiarity with to another domain? Mr. Volokh. You know, I am not an ICANN expert, but while I understand that there is talk, excuse me, of the .xxx suffix---- Mr. Shimkus. Yes, we had a hearing on that. Mr. Volokh. Yes. Mr. Shimkus. And it didn't go as well as I would have liked. Mr. Volokh. I think while ICANN can set up that system, I think it becomes much harder for ICANN, then, to say and, by the way, you can't have sexually explicit material on any other things. So it is one thing for them to create a special domain name. It is another thing for them to start policing what is going to happen on other domain names. 
Even setting aside the legal question that happens if they say oh, we are going to revoke your .com address because we find pornography on your site, there is a whole host of practical questions: how are they going to figure out what is on your site? How are they going to hold a trial on whether it is sexually explicit? What happens if you have links from your site to some other site with links to .xxx? So while I think this might be a channeling mechanism by which the job of filter providers could be made easier, because it would be a win-win-win for everybody, I don't think it would work as a coercive mechanism. Mr. Shimkus. Mr. Rotenberg? Mr. Rotenberg. Yes; well, let me just say we participated in the Communications Decency Act litigation. We have also looked at the filtering issue. In fact, we have a publication called Filters and Freedom that looks at the strengths and weaknesses. But I very much agree with Gene on this. I mean, I think you can set out the domain and try to encourage its voluntary use, which would be beneficial, but at the point that you tried to, in effect, cordon off speech and say that certain speech, by government regulation, can only occur on certain places of the Internet, I think that would be very problematic and probably not permissible. Mr. Shimkus. My time is up. I yield back to you, Mr. Chairman. Mr. Stearns. I thank my colleague. Mr. Terry? Mr. Terry. Thank you, Mr. Chairman. This has really been a---- Mr. Stearns. Mr. Terry, let me go to this side and pick up Mr. Gordon. Mr. Gordon. Thank you, Mr. Chairman. This has been an interesting and a diverse panel, as it should be. To sum up what you have talked a long time about probably isn't completely fair to you, but, you know, anyway, let me just sort of, if I could, lay out what I see as sort of some parameters here. I guess it is Dr. Volokh. 
Basically, it seems to me you are saying that you don't have a right to stop or I don't have a right to stop someone from talking about me once it's out in the public domain, but it would seem that, as an individual, you know, we have the right to pull our blinds at night. We have the right to close the door. Mr. Volokh. Absolutely. Mr. Gordon. We have the right to, under certain circumstances, have our divorce sealed. We have the right to, in contracting with someone in a business deal, saying that if you divulge this information, then the business deal is null and void. And, Ms. Singleton, you say that to think that to own the right to control information about yourself is a radical thought. It would seem to me that it would be radical to think that you can't, but again, that is where you are, it would seem. And then, Dr. Feldblum is more pragmatic in that, you know, let's take things, as you say, in context. We will figure them out as we go along. Now, as legislators, you know, I am trying to find out what our field of play is. We can do nothing, or we can do, obviously, something. Now, getting outside of the realm of what you think ought to be done--that is our decision--what I am interested in knowing is how far we can go. You know, what is our outside limit? We know that our outside limit on doing nothing is doing nothing. Now, our outside limit on doing something is what I would like to find out. Whether we go that far is another matter. So why don't we start with the three individuals I just mentioned, and hopefully, we will have time to talk to others in trying to succinctly tell us if we chose to go forward with legislation, how far could we go, in your opinion, Constitutionally? Mr. Volokh. Sure. One is disclosure requirements. Again, this is what you could do. There may be some practical problems with it, but you could require that sites reveal their privacy policy. 
Another thing that you could do is that you could set up default contractual terms that are waiveable by the site, but they would have to be waived in a very explicit way that is evident to people. So, say, there are certain kinds of transactions where the default assumption that people engage in is no, you are not going to reveal--you are not going to pass along these photographs that I send you. And if that is so, then, if you want to have a different rule, Website operator, you have got to make it absolutely clear that the users know and have an option not to do business with you. A third thing is--and here, I agree with Professor Rotenberg--there are certain kinds of surreptitious data gathering. An extreme example would be them planting a virus on your computer or having them collect data in a situation where there is really absolutely no reason to think that there is any data being collected. Those kinds of data gathering restrictions, I think, would be permissible, because they are not focusing on disclosure. They are more like saying no, you cannot peek into my windows using a telescope. So, requirements that a site disclose its policies; setting up default provisions in the contract that will be enforced unless the provisions are disclaimed; and restrictions on certain kinds of surreptitious data gathering. Mr. Gordon. That's for preventive measures, though. Mr. Volokh. Pardon? Mr. Gordon. Preventive measures up front is what you are---- Mr. Volokh. Yes, yes, exactly. Mr. Gordon. And, Ms. Singleton, it is sort of Katy, bar the door with you. Are there any limits? Is there any action that you think that we could take legally, whether it was good policy or not, but it was legal? Ms. Singleton. I would say generally, from a Constitutional standpoint, the more targeted the legislation is to a specific, identifiable harm, such as identity fraud, the more likely it is to pass Constitutional muster. 
The further you move toward sort of omnibus rules that are applying even in situations where there has not necessarily been any harm to consumers that has been identified, that might be a different story, but a lot of it depends on the details of the legislation, the costs it imposes on industry, and a lot of those, frankly, are unknowns at this point. Mr. Gordon. So is there a Constitutional right not to have costly measures placed on you? Ms. Singleton. The question in the free speech case as it comes up is how much of a burden is it on the dissemination of truthful information? Are you restricting---- Mr. Gordon. So why should cost be a matter? It should be, maybe, a policy matter, and I think it should be, but why should it be a Constitutional matter? Ms. Singleton. I guess because cost is part of the picture in terms of what the impact will be on speech. Will there be, essentially, chunks of speech that for cost reasons no longer are permitted to exist or move around, even though there is no particular harm being done by those bits of speech? Mr. Gordon. Okay. Ms. Singleton. I hope that answers it. Ms. Feldblum. I would say to the three areas that Eugene noted would be Constitutionally allowable, I would add three others. One that I think you can put prohibitions on further redisclosure, even with someone whom you are not in that direct contractual relationship with, and that is part of what we have talked about. Two, I think in some situations, I don't think we should allow that default contractual rule to be waived. And the medical profession, I think, is a classic example, because of the need and power, sort of, situation, and I am not sure what I would think in terms of other commercial settings, but I would not do it as an absolute rule that that can be waived, that default contractual obligation for confidentiality. And three, besides the mandated disclosure, I think in certain areas, an informed consent is, in fact, Constitutionally appropriate as well. 
Again, I think that fits well in the medical arena. Whether that also fits in as a required opt-in in a commercial, I think, is more of a policy question. Mr. Gordon. The benevolence of the Chairman may allow you to talk some more to other candidates, but in case he doesn't, I would like to ask that each of you submit to the committee a written statement as to what you think are the Constitutional furtherest bounds that we could go in legislating. If you want to add to that why you think maybe we shouldn't, then, that is fine. But I would like to find out what the field of play is, and then, hopefully, ultimately, we can maybe find some common denominators. Mr. Stearns. The time of the gentleman has expired. Is that acceptable, doable, feasible for you folks to do that? I think it would be very helpful for the committee. Mr. Terry? Mr. Terry. Thank you, Mr. Chairman. I think all of our questions here are focused on trying to find that boundary or at least the lowest common denominator of what should be done, what could we do Constitutionally, legally, without restraining trade. Let me work some of that. Can I have an hour? Since I am the last to ask questions? Mr. Stearns. Will that do it? Mr. Terry. I will try and do it within the 4 1/2 minutes that are left. Mr. Stearns. I would say to the gentleman we are going to do a second round. Mr. Terry. Okay. Mr. Stearns. I think, with the panel's indulgence, there are not that many members, so we are going to do a quick second round which would be an additional 10 or 15 minutes. Mr. Terry. I think one of the areas I would like to explore, but I am going to try and discourage, is it seems to me that perhaps there should be a sliding scale. Of course, we want higher protections on sensitive material like medical information, but yet, should commercial information about my buying habits of diapers and beer have this same heightened scrutiny and protection? 
And I would probably say right here without exploring it more that no, there should be probably a laxer standard on my purchase of Bud Light and Pampers. And by the way, more young people drink beer, and more young people have small children in diapers: case in point. And so, let's go with that. Mr. Cate, I want to explore some of these boundaries of when there should be some rules protecting commercial information in place, and I am going to kind of give examples of how that information can be, then, redisclosed throughout the system and see if maybe higher standards should be put in place as the information is disseminated. Let's say I go to the grocery store, and I use my credit card. It is issued by my bank. And, Professor, let's say, for example, you in answering this question, and I want your personal opinion, are my bank and the credit card issuer. Is it appropriate for you, then, to have software that would be able to read that when I use my credit card or my debit card to purchase at the grocery store that I buy Pampers and Bud Light? Is that appropriate that you even have that technical ability? And should I, as a consumer, when I sign up for my credit card, know that you may have software where you are going to know that I am specifically buying that brand or diapers generically but that brand specifically? Is that appropriate? Mr. Cate. Yes, it is appropriate. Mr. Terry. Should there be laws in place that I know that that is occurring? Mr. Stearns. Mr. Cate. It is appropriate that it occurs, and it is appropriate that you should know. Mr. Terry. All right; is it appropriate that perhaps Congress adopts some policy and law that mandates it on Professor Cate Bank and Credit Card Company? Mr. Cate. Well, let me say the answer to that is yes but, and if I can just have, you know, 5 seconds to say the but, which is you can send out all the notices in the world to customers, and they will throw them away with enormous glee. 
And so, if the effect of that notice is simply to impose a $1 billion cost--although it does subsidize the Post Office, which is not an unimportant issue--but not to educate the public, then, I think that it is not advisable, although it is clearly legally permissible. Mr. Terry. And I will tell you right now: I want to make sure that when I open up my credit card bill that I don't have a bunch of trashy coupons in there. Give me a Pampers coupon, because I am spending a heck of a lot of money on diapers. So I want you to be able to target it to me. Now, let's say Professor Volokh is actually--you are just the shell. You just issue the darn card to me. You hire a separate business to actually do all of the contracting. Should he have the right, that company that is not you but your contracting agent, have that power, the software, the technology to be able to gather my specific buying needs, although my contract is with you? Mr. Cate. I believe that he should. Mr. Terry. And either two of you, you can now expand on it. Mr. Cate. But he can speak for himself now. Mr. Volokh. Well, it seems to me that if the Cate Bank makes this promise to you that they are, let's say, not going to reveal it further or some such, then, they had better ask me to make the same promise to them, because otherwise, they might be liable to you. Mr. Terry. Should I know that you are part of that process up front? Mr. Volokh. Well, it is an interesting question, because I think for most consumers, the exact financial structure or the exact business structure is not terribly relevant. I think with most consumers, my guess is--and here, you are reaching policy rather than Constitutional law--I think what consumers would like to know is what purposes their information is going to be used for. And it seems to me that---- Mr. Terry. 
And that is the point I am getting to, actually, because if it just keeps coming back to me that since you are the one who is really going to send me out my bill with the coupons in it, because you have hired another company that actually prints and does all of that, which is the real world, if it keeps coming back to me, is there a lower standard than that? Mr. Volokh. A lower standard? Mr. Terry. Of privacy and regulation, maybe just an opt-out type of policy instead of an opt-in type of policy. Mr. Volokh. I would think that---- Mr. Terry. Or just basic disclosure? Mr. Volokh. I think there is a lot, especially given how much consumers are concerned about business, and it is interesting you mention credit cards. It is a very competitive business. A lot of people want your credit card business. Mr. Terry. And this is a lot of---- Mr. Volokh. Exactly. Mr. Terry. [continuing] when we get feedback from the business world on rights of privacy, it is usually in the---- Mr. Volokh. Yes; I would think that there are a lot of banks that would have a lot of incentive to say we are going to give you a high-privacy credit card, and we are going to promise that we are going to give you privacy; we are going to promise that we are going to use the information only for these very limited purposes. We are going to make all of our contractors promise the same thing to us, so that we can hold them to this obligation, too. So it seems to me that the business world may do a good enough job if it is. If it does not, then, I think you could impose requirements that credit card companies facilitate consumer shopping by making it clear to the consumers what their privacy policies are. Mr. Terry. But I am running out of time, but the next phase of that would be selling my name to Anheuser Busch or whoever owns Pampers. Mr. Volokh. I thought you had an hour. Mr. Terry. What is that? Mr. Volokh. Well, I think if we promised---- Mr. Terry. 
And I think that is what a lot of people are worried about. Mr. Volokh. Yes. Mr. Terry. But with the consumer, heck, if I get something at a discount from Pampers---- Mr. Volokh. Yes. Mr. Terry. [continuing] I like that idea. But where do we draw the line in the process? Mr. Volokh. It seems to me that providing disclosure of what is going to happen and thus providing meaningful consumer choice will allow consumers to decide: do they want the high-privacy, no-coupons, I just want to be as sheltered as possible credit card? Or do they want the go ahead; I don't care if people know I am buying the beer, especially if they want to send me more coupons? It seems to me that disclosure does provide consumers with more choice. Mr. Terry. I appreciate that, Mr. Chairman. Mr. Stearns. The gentleman from Massachusetts, Mr. Markey? Mr. Markey. I thank the gentleman very much. See, the point is that most people would not care if anyone found out that you were buying Pampers for your children. But your mother would care if you found out that she was buying Pampers for herself, Okay? That is a much more sensitive issue, very sensitive, incontinence pads for 2 million elderly women. They haven't told their daughters. That is a different issue. So, yes, you don't care maybe necessarily. But on the other hand, your mother is very sensitive about that. Only her husband knows; no one else, her sisters, her children. So what are we going to do for her? What rights does she have? So, I want to give her a lot of rights, to be honest with you, because she built the country. She doesn't want that information disclosed; she has a right to keep it private. So I am very respectful of her; very embarrassed, because it goes right to her dignity, her pride. She can't control herself. So where are those lists, and how do we get names off those lists? How hard is it to get your names off those lists? So, we kind of have this duality, you know. 
On the one hand, you have got the industry coming before this committee saying we need more copyright protection for all of their information. Don't let anyone disclose it. It would be terrible if anyone ever took our information and sold it, you know. Look at Napster. That Napster is going to ruin us, you know. We listen attentively. Then, the individual says, oh, by the way, I want a copyright on my own personality, my own information. You can't do that, says the very same industry. You are not entitled to copyright your information. That is different, Okay? But don't let them take mine. The industry comes in here, and they say you have got to have the top-notch, No. 1 encryption technology available to every consumer, security all the way, all the way from your house to my bank, my Internet company. Security, very important. But once I get the information, you shouldn't have any privacy. Now, from a consumer's perspective, they say, well, I do support state-of-the-art encryption, because I don't want the kid across the street cracking in and finding out what I am doing. But I don't want you to do it either. I am only transacting, you know, for this one little deal. So there is a duality here. The industry says copyright good, security good; privacy bad, privacy bad. But we need the same high standards, because from the consumer's perspective, they see the same issues, okay, that the industry does. And the paradox is quite obvious. So begin, then, Professor Volokh, you begin with the question of your children. Did we make a good decision in passing the Children's Online Privacy Act here, saying that parents have to be consulted whenever any information on a commercial site has been gathered about a child under the age of 13 that could be reused for purposes other than that which the parent intended? Do you think that was a good law, first, to pass, Professor? Mr. Volokh. 
I actually have no opinion specifically on that law, because I think that the situation with children revealing information, because children are incapable of consenting, is actually a much more difficult question. Mr. Markey. No, what I am saying is what is your view then? Is that a good law for us to pass? Mr. Volokh. Believe it or not, actually, I don't have an opinion, and in my article, I actually specifically say it is an interesting question that I haven't examined. Mr. Markey. No, I don't believe you don't have an opinion. I mean, otherwise, you shouldn't have been invited, to be honest with you, Okay? Because that is too simple a question, to be honest with you, okay, for somebody who is holding himself out as an expert. What about children under the age of 13, Professor? Should parents have to give their approval if a commercial Website is going to reuse the information for purposes other than that which the parents intended? Mr. Volokh. I believe I wasn't--I'm sorry. Mr. Stearns. Professor, hold on. Just a comment. Mr. Volokh. Yes. Mr. Stearns. I would say to the gentleman from Massachusetts we asked these people to come here for their legal interpretation and not necessarily for their personal interpretation, for what it is worth. Mr. Markey. I appreciate that, but, Professor, that is hard, because they have rapt audiences in law school that hear both their legal and personal opinions, and so, they are usually packaged almost in a way that is so intertwined that it is impossible to really separate them as a student, okay, but as a Congressman, I am in a position--Father Drinan was my dean in law school. And then, in my second year, he wins for Congress. So I was so intimidated by him. But then, 6 years later, I got to be a Congressman, too. And so, whenever he voted yes, I could vote no, you know, if you know what I mean, okay? And I have to admit: it was gratifying, although in retrospect, he was probably right on everything. 
But at least I was able to question more, you know, intensively any position which he had. So all I am asking, Professor, quite simply is would you personally, as you hear the question, give that child audience more protection? Mr. Volokh. Representative, I was invited here, I thought, to comment on those matters that I thought I was competent to comment on. In my article, I specifically said that this is an issue that is very tough that I have not spent the time necessary to think about it, because whenever children are involved, especially with questions of consent, that raises all sorts of difficult questions. It seems to me the only responsible thing for me to say is to admit that I have not thought about this enough to have formed an opinion. Mr. Markey. Okay; well, let me just say that--okay, you can play that. My view--I will say my view. I think children should be protected, and it came out unanimously out of this committee, and I don't think you are going to get much dissent across this country. You may be the only person in the country without a view on that issue. Really, but that is okay. I mean, I don't mind that you want to take that position, because of course, that immediately begs the question of whether or not 14-year-olds should be protected, okay? You don't have to have a view on that, either, but I would say yes, 14-year-olds should also be protected. We didn't do that. We only did it up to 13. And then, how about 16-year-olds? And I would say 16 years old as well, okay? Looking at it from a societal perspective, you know, that they should be protected. And then, you just keep going. You keep asking the same question over and over again, okay? And that is what we do as a matter of public policy. But you can start from one perspective and say okay, on the one hand, you know, maybe this information should be out there free and, you know, unrestricted. 
But then, if you take it from the other perspective, you are saying no, it should be restricted, because you have got this special category down here, and then, you have to decide how far up you are going to take the special category, which is the much tougher question, because it doesn't fit into a uniform philosophy. And, of course, that is the most valuable information to us: what doesn't fit into a uniform philosophy? Mr. Stearns. I would tell my colleague we are going to do a second round. Mr. Markey. Excellent. I am ready. Excellent. Mr. Stearns. I am going to start and ask Ms. Singleton: emergence and diffusion of certain new technologies, such as the Internet, have triggered today's debate on information privacy. Would you please place the relationship between new technologies and privacy debates in historical perspective? Ms. Singleton. Yes; let me do this very quickly. One of the interesting things that began to happen in the early Twentieth Century is that credit reporting became professionalized. It was originally done sort of as a nonprofit activity to help poor people get access to credit, and today, it has become professionalized and become, you know, a professional thing. Now, this goes to my point that privacy legislation, even relatively minimal opt-out, is not nearly as moderate as it appears on the surface, because if there had been an opt-out rule in place during the period of time in which credit reporting was developed, there simply would not be credit reporting. All of the people with bad debts would simply have opted out. To move up to another example today involving the Internet, just a few years ago, identification and authentication became a very important function that e-commerce companies needed to have. 
Amazon.com, for example, when they get an order from a customer, they check the name and address against a massive commercial data base with pretty much everyone's name and address in it and absolutely as updated and accurate as it possibly can be. And if people were allowed to opt out of this data base, its value as a commercial enterprise, once it was full of holes and gaps and so on, people opting out, whether for well-meaning purposes or because they want to conceal who they are, would essentially make this authentication and identification much less useful. So I think there again, as we think about the evolution of technology, it is important to realize that there are uses of information that are very innovative that haven't been thought of yet, some of which could turn out to be tremendously beneficial to consumers and which even relatively moderate legislation might foreclose. Mr. Stearns. Mr. Rubin, Professor Rubin, in your study, you identified no market failures. Do market failures primarily result from information asymmetry? And if so, how does information sharing relate to market failure? Mr. Rubin. Information asymmetry is one---- Mr. Stearns. You might define a couple of terms. Mr. Rubin. Information asymmetry is when one party knows something, and the other party does not know it, but as it is used in economics, which is my field, by the way; I am the only non-attorney here, I think--as it is used in economics, it means that people are, in those circumstances, less willing to transact. So if I know there is an information asymmetry, I may be unwilling to transact. But the way to solve information asymmetries is to create more information. And so, the free flow of information actually is likely to solve problems of information asymmetry. 
Now, with respect to the Internet, you might argue that in the early days of the Internet, when people did not understand data collection and didn't understand that information was being collected, there may have been more of a problem. But now, all of the surveys show that people are fully aware of the fact that data is collected. This creates an incentive for Websites to post privacy policies, for example, and tell people how the information is being used, which creates an incentive to eliminate the information asymmetry because it makes people more willing to engage in transactions. And so, in a sense, the market is solving that problem by the posting of privacy policies, and the FTC study showed, for example, that 100 percent of the most commonly visited Websites did post privacy policies, not because they have been mandated to but because it is in their own interest to do so. So in a sense, the market has been solving that problem. Mr. Stearns. But the problem is you go to some of these sites, and the privacy request is way down, and you have to scroll all the way down. And then, it is a light gray line. And then, they put another light overtone on the light gray line. And so, you have got to see that, and you have got to double-click on the privacy. Then, up it comes, the dialog box. So, I mean, they are volunteering, but they are volunteering in a rather clever way or a way that is unobtrusive, so that the average person doesn't even know that they have a privacy policy. Mr. Rubin. But if people want privacy policies, a natural reaction when you go to a site where you can't find it is to simply leave that site, to assume that it doesn't have one, or it's not worth my looking for it. If people are concerned about privacy policies, then sites have incentives to make them available and to make them more easily available, because otherwise, they are going to lose consumers. Ms. DeGette. Will the gentleman yield? Mr. Stearns. I will yield. Ms. DeGette. 
But what if they don't see the privacy disclaimer, so they just assume that privacy is included? Isn't that also a possibility? Mr. Rubin. Well, I think it is less of a possibility now, because as I say, the surveys show that people are concerned about privacy. I don't think people have an expectation that the default is they are going to protect privacy. Ms. DeGette. Has there been research done on that? Mr. Rubin. I haven't seen specific research, but there are all of the surveys that do show people concerned about privacy, which means yes, I guess that would indicate that people don't expect information to be kept private without a disclaimer, because they are concerned about the way Websites use information. Mr. Stearns. Let me just indulge myself with one other question for you. Please define the free rider problem and explain its relevance to the information privacy debate. Explain what you mean by free rider problem. Mr. Rubin. Free rider problem is where someone can benefit from something without contributing. So, for example, if information, collecting lots of information, is valuable for the credit reasons and the other reasons that we have talked about, so that creating lots of information can create a marketplace, but I, myself, would prefer to benefit from that marketplace and not contribute that information, then, I would be what is considered a free rider. So I might say it is good if Websites can make these determinations, but I don't want to tell them my information. I am going to benefit from the things that are provided without contributing; then, that would be a free rider, and under certain circumstances, you would have a free rider problem in the provision of such information. Mr. Stearns. Okay; my time has expired. Ms. DeGette? Ms. DeGette. Thank you, Mr. Chairman. 
To follow up, Professor Rubin, I think that to make the studies more pedagogically sound, it might be interesting to research consumer attitudes when they don't see a privacy disclaimer, because I would opine, based on nothing except for common sense, that people going into certain types of sites--financial sites or where they are going to be disclosing personal information--may well still assume that there would be some privacy given, for example, similar to when they went to the doctor, and there is not, on your regular medical form, a privacy disclosure, but yet, people assume that their doctors will keep their medical records private. So I think that would be some useful research to conduct, and I would hope that it is being done. Mr. Cate, I have a couple of questions for you. I wanted you to expand a little bit on your written testimony where you talk about how requiring a customer's consent exacerbates the harmful impact of many privacy laws on consumers. How do you see that happening? Mr. Cate. Well, I provide seven or eight examples in the testimony. Ms. DeGette. Right. Mr. Cate. So let me just touch on a few of those---- Ms. DeGette. Thank you. Mr. Cate. [continuing] and try to make them clearer. One of them, of course, is if consent requires repeated contacts or requests to the consumer. So, for example, even under the Gramm-Leach-Bliley law, the average American household gets 20, 30, 40 notices. That is with a cost that is paid for by consumers. That is an environmental burden that is borne by all of us as citizens, and it is a burden for people who say they don't like the junk mail they get already; they are now getting more junk mail mandated by Congress. So that is a clear burden on consumers that the opportunity for consent, the mandated opportunity for consent, exacerbates. I think, for example, in the health privacy rules that are out now, we see even more of that. 
That is where, for example, the length of that notice, the fact that notice will be interposed between the patient and the physician at every occasion; I mean, even the mundane question, you know, I go to the pharmacy to pick up a prescription for my wife, but, of course, I can't do that under those HIPAA rules, because only she can consent, and her consent is required by regulation for her to receive that prescription. So, now, she has got to go to the pharmacy to pick up that prescription and sign that form first. I think that is a real burden. Ms. DeGette. What is your view on that, Professor Feldblum? Ms. Feldblum. My view is that sometimes, Professor Volokh's approach of not talking when you don't know it all the way through is a good one. The HIPAA regulations specifically dealt with that and, in fact, have set it up so that other people can go to the pharmacy to pick up. Ms. DeGette. How will that work under the HIPAA rules? Ms. Feldblum. Because there isn't the ongoing consent each time. You consent for that information to go for certain purposes, and you consent for other people to do that on your behalf. Ms. DeGette. So you think his wife would be able to go pick up that prescription? Ms. Feldblum. Absolutely, absolutely. Mr. Cate. Not the first time. Ms. Feldblum. I completely stand by that. Ms. DeGette. Not the first time, but subsequently after she signed the thing? Mr. Cate. Absolutely; that is right. Ms. DeGette. But you think that is an undue burden? Mr. Cate. I think that is an example of a burden. Ms. DeGette. Okay. Ms. Feldblum. And to your question of the expectations of privacy, you are right. People think when they go to the doctor that that information is going to be kept private. And, in fact, until we have these regulations effective, they, in fact, don't really know where that information is going. So the problem we currently have in the medical system is also the problem that exists in your question about some of those sites. 
People don't know enough, and as Eugene Volokh said, the one thing Congress can do without any concerns is mandating some more clear disclosure. And that is, in fact, what the HIPAA regs do. Ms. DeGette. Let me get back, Professor, for a minute to the H.R. 10 privacy restrictions. Is it your view that under that law that that law requires repeated notices to customers? Because as I say, I was on that conference committee, and that was not my sense. Mr. Cate. That law requires that those notices be delivered annually, yes. Ms. DeGette. And you think that that is an undue burden? Mr. Cate. There is no question, because, for example, there could be no use of information at all; you know, I am not making any third-party use; I am not distributing it to anyone; I am not marketing. Therefore, there is no opt-out right involved. There is nothing at all that the consumer can do based on this other than, of course, stop engaging in the service. And there can be no change in the information used from year to year. But still, that notice has to be sent out. Ms. DeGette. Mr. Chairman, I just want to say that I think this was a great first start on this privacy question. We obviously had a breadth of opinions here, and I, myself, having sat through many law school classes where the professors grilled me--am very, very happy to have my little comeuppance. So thank you all for coming today. Mr. Stearns. Mr. Terry? Mr. Terry. Thank you. I said earlier that I don't see a problem with having completely different standards for what we think as a traditional commercial transaction versus a medical transaction. Is that appropriate legally and public policy-wise in your opinions? Ms. Feldblum. Well, two things: one, and I think it was sort of referenced by Representative Markey's comment: often, there is an integration of those in a way that can be complicated. 
So I think that while, as a conceptual matter, yes, there are different harms, given our system of credit and finances and educational institutions sort of being connected in with some medical information, it means that you have got to think through all of those elements. The second is really more a matter of, you know, really what both Ms. Singleton and Professor Volokh have written about, which is the conceptual question of how much control should you have over your own information? And for people who feel that strongly, it really doesn't matter that much about whether it's that they're taking a particular medical drug or that they like to buy a certain type of, you know, videos, you know, even action videos. You know, I am someone personally who I don't really--you know, I like getting coupons for things that I care about, right? Mr. Terry. Right. Ms. Feldblum. On the other hand, if I am sitting and making policy for everybody, I think I need to think about what sort of control do I want to give these folks consistent with not messing up the commercial system? Because that is going to help everyone as well. So, yes, there are differences, but there is integration of that information, and two, you have to legislate for the general public. Mr. Rotenberg. I think the problem is actually somewhat more complicated than this, and the reason is that when you are talking about a sectoral approach to privacy focusing on subject matter--I mean, we agree that medical information is more sensitive than commercial information--it puts aside the significance of technology. Now, consider, for example, the privacy protections associated with the use of the telephone system. You pick up the telephone, and you call up Safeway, and you say do you have any diapers left? You call up your doctor, and you say do I need to get that prescription refilled, because this problem is continuing. 
The privacy protection that exists for your telephone call, whether you are calling Safeway about the diapers or your doctor about the prescription is the same. Now, it may be the case that if someone intercepts the call and discloses the fact that you were talking about diapers, it wouldn't be embarrassing, or it could be the case that even the medical information isn't embarrassing. But it is interesting that if you look at the development of privacy law, video rental tapes--probably most of the tapes that you rent, not that sensitive. But some may be. The law provides comprehensive protection across this new technology in which consumers operate, and I think it is very important to keep this in mind, because there is a tendency when thinking about privacy protection, and I think it is common sense to sort of distinguish and say, well, some things are very sensitive; some things are not. Let's focus on what is sensitive. It makes sense. But when you talk about the integrated nature of technology that allows both sensitive and nonsensitive information to be exchanged, I think you need a more comprehensive approach, and that is why I would not recommend, actually, going based on subject matter in trying to define privacy. Mr. Terry. Let's continue, because I think there will be a variety of opinions. I respectfully disagree. I just don't see how you actually physically do it in the real world, because in order to treat everything equally, we have to move to the strictest standard, and I can't believe that I would have to sign a--I mean, literally, take a consent form to go to the grocery store and use my debit card. I mean, if we want to take that to the extreme that---- Mr. Rotenberg. But I don't think you would. Mr. Terry. Well, it depends. If there may be something that, you know, if you move to the strictest standard, you would. But let's keep going down the field, because we have got to explore the boundaries of what we can do. Ms. Singleton. 
Yes; I think that there is one potential problem with sectoral legislation, and that is you may have a situation, as you have with Gramm-Leach-Bliley and the new medical privacy standards, where there are companies where their same data base is governed both by the Gramm-Leach-Bliley Act and by the new medical privacy rules, and those rules set a different legal standard. So what does the company do there? In some cases, one standard may be higher than the other one, in which case you just comply with the higher standard. But in some other cases, it is not really that clear, and the standards are just different. So that is one problem, and I think the answer to that is when you do sectoral legislation to narrowly target that legislation at a specific, identifiable harm such as fraud. Now, some people would say why don't we just have legislation all across the board to solve that problem? And my answer to that is because that is way too broad. Its impact on the economy would be enormous and very difficult to even grasp at this point. And plus, it also has a really big impact on small businesses potentially. Mr. Stearns. Do you want to make your--his time has expired. Do you want to make your comment short? Mr. Rubin. I will try to make them short. I think there is a difference between information that starts with a person and says what do we know about Paul Rubin as opposed to most of the commercial information, which starts with a product and says how can we find Websites of consumers who are interested in buying this product? So medical information, much of it, would fit into the first category, and the sort of commercial information I am talking about fits into the second, and I think that may be a way to think about a differentiation. Mr. Stearns. Thank you. Time has expired. Before I have my colleague from Massachusetts finish up our great hearing here, he mentioned Congressman Drinan. He came here, as I recollect, a professor from Georgetown. Mr. Markey. 
No, from Boston College. Ms. Feldblum. From Boston College. He is now a professor at Georgetown. Mr. Markey. Downward social mobility. Mr. Stearns. And Mr. Markey mentioned how much reverence and awe he had of him, and I am reminded of an expression that we all know as Members of Congress: the first 6 months, we wonder how we got here. And then, the next 6 months, we wonder how the rest of them got here. Mr. Markey. As he introduces me! Mr. Stearns. Mr. Markey. Mr. Markey. Thank you, Mr. Chairman, I appreciate it very much. Not only that: Boston College is number 10 in the AP basketball ratings, and Georgetown is number 16, okay? So it was the only small little area of advantage they maintained over us, and now, it is complete domination. So we're quite happy--with the exception of their privacy division in the law school--and that one Constitutional law professor emeritus, you know, Father Drinan, they are the--so here's the way it is. And Professor Rubin said, you know, most of these sites now have a privacy policy, and they do post their privacy policy. We have a privacy policy, it says, okay? Then, you read way down here. It says--by the way, after you have hired lawyers at $700 an hour to write a 14-paragraph privacy policy with double negatives just driven throughout the entire thing just so that they can prove they went to law school, and down here, after you get to the bottom line, they could have just said you have no privacy. We reserve the right, of course, to sell this stuff, okay? But it is their policy, though. It is their policy. And who the hell is going, you know, to read 10 paragraphs on every single site they go into? So, obviously, that doesn't work. The free market--yes, they put it up, but it is like an attractive nuisance. It is misleading in a lot of ways, do you know what I am saying? You are sucking people in where they shouldn't be going, because they aren't going to go through all 10 paragraphs. 
And the thing is, well, financial, of course. It is the financial. You know, you might have been writing the check for your kid's Ritalin or your kid's child psychiatrist on the checks for the last, you know, number of years. That is medical, okay? More sensitive; you don't want the whole neighborhood, you know. You promised your daughter you are not going to tell anybody, you know, much less everybody in town can get it as a direct mail, you know, from the financial institution. And the same thing is true for the medical exams, for the insurance, you know. That is also very sensible. So the financial oftentimes is nothing more than the genetic makeup of the family's medical history for the last 30 years, you know, just sitting here if you can go through the medical. So it is hard sometimes to tease it out, in other words. It is basically inextricably intertwined inside of those financial data. And Citigroup, somehow or other, in Germany figures out how to do it, but they just can't figure out how to do it in the United States when these higher privacy standards are put on the books. So let me go down with just a very quick question to each one of you. You basically disclosed what Federal contracts you might have. What private contracts do any of you have, any financial interests that you might have in your life apart from your law school careers that would influence to oppose the most stringent privacy policies? Can you tell me which companies, any consulting contracts that you have--we will go right down the line--with outside groups? Mr. Stearns. With the indulgence of my colleague, as I recollect, and, counsel, you can correct me if I am wrong, when they came here, did they fill out--was that our policy? Mr. Markey. No, I have their forms. I have their forms right here. This only deals with their Federal contracts. It doesn't deal with their private sector contracts. Mr. Stearns. 
Well, what I am just saying is that what they filled out is all we requested from them. Mr. Markey. Oh, they don't have to give this to me right now. I am asking them as a favor to tell me. It is just a question. They don't have to tell me. Mr. Stearns. So this is a voluntary---- Mr. Markey. Right. Mr. Stearns. [continuing] exercise here. Mr. Markey. Right. Mr. Stearns. In which he is asking you to divulge personal information about your privacy. Mr. Markey. Exactly. Now, you have got it. You have got my point. Mr. Stearns. He wants to know things about you personally. Mr. Markey. I want to know things about them, you know. Mr. Stearns. So under his timeframe, you can say that it will take you awhile to get it---- Mr. Markey. Yes. Mr. Stearns. [continuing] and you will get back to him---- Mr. Markey. You can say that. Mr. Stearns. Or do whatever you like. Mr. Markey. But I think that they all probably know where their income comes from each month, so can you tell us? Can you just go down the line, and then, you know, we can all hear? Mr. Cate. Well, I am perfectly happy to answer your question if the question is what consulting contracts I have. I am senior counsel for information law to a law firm in Indianapolis by the name of Ice, Miller, and that is the only ongoing consulting relationship that I have. Mr. Markey. Do they have any clients that you are writing-- -- Mr. Cate. I am sure they have many clients. Mr. Markey. [continuing] memos on at their request on this issue of privacy? Mr. Cate. They do have clients that I work for, yes. Mr. Markey. Can you list a couple of those clients? Mr. Cate. I cannot list those publicly, I am afraid. Mr. Markey. They like their privacy, don't they? Mr. Cate. No, I think they protect the confidentiality of their relationship with their attorneys. Mr. Markey. As I am saying, the public would call that privacy. The law firm has a different word for it. Mr. Stearns. 
If the chairman would just indulge, the gentleman from Massachusetts is an attorney, and isn't there a client privilege that---- Mr. Markey. That is exactly my point. Mr. Stearns. [continuing] you are trying to divulge here a client privilege? Mr. Markey. That is exactly my point. Mr. Stearns. That is a contractual relationship that they have with their clients which they don't want to divulge, and so, I suspect that you are putting them on the spot here by doing that, which I know you are trying to make a point. Mr. Markey. Well, we can go down, and we can just see how many times they want to invoke client-lawyer privilege, because this is not exactly national security here that you are writing memos on the privacy policy for private sector firms, okay? This is not something that I think we would put in the highest category. We would put this down on the lowest category: I am on espn.com finding out where BC is this week compared to Georgetown, okay? But the fact that private sector companies need privacy memos, okay, doesn't seem to me that it would be the highest level of privacy protection; not up there with medical and financial, for certain. I would put it in the lower category. Mr. Stearns. Well, the gentleman's time has expired. So, saved by the bell. Mr. Markey. I don't think that's fair, Mr. Chairman. Ms. DeGette. That is not right. Mr. Markey. That is not fair to me. They should all have the right to say no, I don't want to tell you. I think I have the right to have a no. Mr. Stearns. I think the Chairman also has a right to say that time has expired when the member's time has expired. Ms. DeGette. Mr. Chairman, I will ask unanimous consent to let these witnesses answer the question. You haven't cut any other member off today. Mr. Stearns. Well, no, but I think in a free discussion here I would say to my colleague that we have had an opportunity to understand Mr. 
Markey's point, and I don't necessarily want to take these witnesses who have come here, to ask them to divulge personal information. Mr. Markey. I don't want them to. I want them to say no, I don't want to disclose it. Don't you understand? No, no, no, no, no, and then, I am happy. It is over. It will be under 10 seconds. Ms. DeGette. Does that mean, Mr. Chairman, you are objecting to my unanimous consent request? Mr. Markey. I don't want to tell you; I don't want to tell you; I don't want to tell you. Mr. Stearns. No, what I am saying is that even by them saying that they don't want to answer, that is putting them in a position which I don't think they should have to be put in, and that is my prerogative as the Chairman, and that is where I stand. Mr. Markey. I don't think you can do that, Mr. Chairman. I really do believe that they have a right and the ability as law school professors to protect themselves. How about in writing? How about if you would each give it to me in writing? How about if I asked them all, because I can see the reluctance that is sitting down there. Nobody is raising up their hands saying I don't have a problem. Mr. Stearns. I think that is a very good compromise. Mr. Markey. But if you send it in writing, I would very much appreciate it. Mr. Stearns. Okay. Mr. Markey. Would all of you agree to send it in writing? Mr. Volokh. I am sorry. Actually, because it was suggested that our failure to say anything is reluctance to that, I would be very happy to say: I have---- Mr. Markey. He doesn't want to let you. Mr. Volokh. Fair enough if he forbids you from---- Mr. Stearns. His time has expired, and I am saying as a nice compromise here that I suggest that we follow up with Mr. Markey's suggestion that if you would like to submit in writing to the chairman and the committee, and we will get this to Mr. Markey post haste. And thank you very much for your testimony. The committee is adjourned. 
[Whereupon, at 1:03 p.m., the subcommittee was adjourned.] [Additional material submitted for the record follows:] Indiana University School of Law--Bloomington March 8, 2001 The Hon. Cliff Stearns Chairman Subcommittee on Commerce, Trade, and Consumer Protection Committee on Energy and Commerce U.S. House of Representatives 2125 Rayburn House Office Building Washington, DC 20515 Dear Chairman Stearns: Thank you once again for the opportunity to participate in the Subcommittee's March 1, 2001, hearing on Privacy in the Commercial World. It was a privilege to be invited, and I particularly appreciate your foresight in holding such an open and wide-ranging discussion of privacy issues, and your thoughtfulness and consideration when moderating the discussion. We were asked during the hearing to respond in writing to two additional questions. First, you asked us to respond to Mr. Gordon's inquiry about the constitutional bounds of Congress' authority to legislate in the area of privacy. I attach a supplemental statement that attempts to do so. Second, you referred to us Mr. Markey's request that we disclose any ``on-going consulting contracts'' to which we are parties. I am happy to reiterate what I said during the hearing: I have worked on privacy issues with many businesses, professional groups, associations, academic institutions, not-for-profit organizations, government agencies, think-tanks, and even a recent political campaign. My only on-going consulting contract is with the Indianapolis law firm of Ice Miller, where I have served since 1997 as senior counsel for information law. Finally, I am aware that the next privacy-related hearing before the Subcommittee concerns European privacy protections and their impact on consumers and businesses in Europe and the United States. 
Again, I applaud you for taking up this important subject, because I believe there has been considerable misunderstanding about how privacy law is actually applied within Europe, and regrettable inattention to the impact of European privacy law on European citizens. I would like to comment on four points in particular.

First, many of the requirements of the EU data protection directive have not been enforced. For example, the directive requires European nations to condition the collection, use, or transfer of personal information on ``opt-in'' consent. This is rarely done in practice. Privacy scholar Amitai Etzioni tells of regularly asking his European audiences if anyone has ever been asked to ``opt-in.'' To date, Etzioni reports only one positive response--from a man who was asked for ``opt-in'' consent by Amazon.com, a U.S. company. ``It seems that this EU directive is one of those laws that is enacted to keep one group--privacy advocates and their followers--happy and, as a rule, is not enforced so that commerce and life can continue.'' Amitai Etzioni, ``Protecting Privacy,'' Financial Times, April 9, 1999, at 18.

A January 2001 study by Consumers International bears out Etzioni's conclusion. The study found that while U.S. and European Web sites collect personal information at nearly comparable rates (66 percent in the United States; 63 percent in Europe), U.S. sites provide better privacy protection, despite having no specific legal obligation to do so, than European sites, which are subject to comprehensive legal requirements. In fact, the study concluded: ``US-based sites tended to set the standard for decent privacy policies.'' Consumers International, Privacy@net: An International Comparative Study of Consumer Privacy on the Internet at 6 (2001) (emphasis added).
A second observation is that when restrictive privacy rules actually have been enforced, for example, as part of national data protection laws that predated the directive, they have contributed to significant economic and social costs. The financial services sector provides some of the clearest examples. Restrictive national privacy laws have acted as a barrier to competition, giving the dominant incumbent a monopoly over the information it possesses about its customers, and denying new market entrants the information needed to provide and market financial services. As a result, financial services are provided by far fewer institutions--one-tenth the number that serve U.S. customers, despite the fact that the pan-European market has almost one and one-half times as many households. This means that European consumers have fewer choices of companies and services, fewer locations at which they can obtain financial services, and fewer ATMs--one-third the number in the United States--at which they can obtain and deposit funds. Restrictive privacy laws also mean that consumers cannot take advantage of their complete credit histories, thereby restricting the mobility of consumers, because of the difficulty of obtaining credit from new institutions. As a result, economist Walter Kitchenman writes, in Europe ``consumer lending is not common, and where it exists, it is concentrated among a few major banks in each country, each of which has it own large databases.'' Walter F. Kitchenman, The European Union Directive on Privacy as a Barrier to Trade (2000). In fact, European consumers, although they outnumber their U.S. counterparts, have access to one-third less credit as a percentage of gross domestic product. Moreover, the absence of standardized, complete consumer data reduces lender confidence and impedes the securitization and pooling of loans, thereby further limiting the availability of credit and driving up its price.
Consumers also pay more for other financial services and products because of the lack of competition, the difficulty of obtaining service from another institution without a portable credit history, and the absence of other efficiencies made possible through information-sharing. Third, if U.S. lawmakers don't hear loud complaints from European businesses about restrictive privacy laws, it likely reflects not only the limited extent to which at least the EU data protection directive is being enforced, but also the fact that many dominant companies welcome the anticompetitive impact of such laws. By keeping competitors out and making it harder for customers to take their business elsewhere, European privacy laws help dominant incumbents maintain their stranglehold on markets. In France, for example, the EU country with the strictest financial privacy laws, seven banks control more than 96 percent of banking assets. The seven dominant French banks already own extensive databases--they have no need to share information about their customers with anyone. And the fact that this system restrains innovation, hurts customer choice, and increases price is not a great concern to those banks because the same system also restrains competition and makes it easier to hold customers and capital captive. Finally, European and U.S. markets differ in many significant ways. The vast potential European market is, in fact, divided into many smaller markets by languages, cultures, and, at least until the euro is in widespread use, currencies. Moreover, the longstanding practical and legal restraints on the productive use of information have contributed to shaping radically different customer expectations in Europe than in the United States. For example, until recently, telephone bills in many EU countries did not include a listing of long-distance calls. Europeans just did not expect to have that type of tool for evaluating the accuracy of telephone charges. U.S. 
consumers, by contrast, have lengthy experience with expecting the businesses with which they deal to keep detailed call and charge records, so that the customer can verify that bills are accurate. And, of course, Europe does not have a ``First Amendment'' or a tradition of constitutional protection for information flows.

I mention these four points only to highlight the importance of your inquiry and the need for caution before attempting to emulate European-style privacy protection.

Thank you again both for the opportunity to participate in last week's hearing and for your foresight in carefully scrutinizing a wide range of issues about the current privacy debate, before attempting to reach any conclusion about whether further legislation is necessary or, if so, what the nature of that legislation may be. If I can be of any service, I hope you will not hesitate to contact me.

Yours sincerely,
Fred H. Cate
Professor of Law and Harry T. Ice Faculty Fellow

Enclosure

U.S. House of Representatives
Committee on Energy and Commerce
Subcommittee on Commerce, Trade, and Consumer Protection

Supplemental Statement of Professor Fred H. Cate

Mr. Chairman: You asked the witnesses in the March 1, 2001, hearing on Privacy in the Commercial World to respond to Mr. Gordon's inquiry about the constitutional bounds of Congress' authority to legislate in the area of privacy. This statement attempts to do so.

I read the Constitution and the Supreme Court's jurisprudence as permitting Congress to legislate privacy protection only when it has a constitutional basis for doing so (in this case, the interstate commerce clause), and when that legislation meets the requirements of the First Amendment. First Amendment review is required of any law--privacy-related or otherwise--that limits the ability of individuals or nongovernmental institutions to engage in expression.
That limit does not have to take the form of a direct prohibition to trigger First Amendment scrutiny, although most privacy laws have that effect.

Strict Scrutiny

Of course, not all restrictions on expression trigger the same type of First Amendment review. This point was largely obscured in last week's hearings, due perhaps to the fact that the Supreme Court's jurisprudence in this area is not always clear or consistent. As a general matter, however, direct government restraints, prior restraints, restraints based on the viewpoint of the expression or, in many cases, the content of the speech, require strict scrutiny, the highest form of scrutiny applied by the Court. Under this standard, which is the one that the Supreme Court has most frequently applied when reviewing privacy laws, the government bears the burden of showing that the law is (1) necessary to serve a compelling interest, and that the law (2) imposes no greater burden than is necessary to achieve that purpose.

The need to evaluate both the purpose of the law and how narrowly it is tailored is why most of us at last week's hearing focused on what harm a privacy law is intended to prevent or remedy, and what cost or other burdens privacy law imposes on consumers and businesses. A privacy law that does not respond to a specific, significant harm will not be found to serve a compelling interest, and a law that imposes unnecessary costs, or costs in excess of the benefits it generates, will not be found to be the least restrictive means of achieving the government's interest. In either case, the Court would almost certainly strike down the law as unconstitutional. Moreover, it is important to reiterate that it is the government's responsibility under the First Amendment to demonstrate both the importance of the interest and the precision with which the law is tailored.

Intermediate Scrutiny

Although most privacy laws have been reviewed under strict scrutiny, not all have.
Some courts have applied various forms of intermediate scrutiny, usually on the basis that the expression affected by the privacy law was commercial in nature. Although specific tests vary in detail, all intermediate scrutiny tests require that the government demonstrate that the law is intended to serve an important or substantial government interest, and that the law be narrowly tailored to achieving that interest.

As you know, Professor Volokh testified, and I agree with him, that intermediate scrutiny was inappropriate for reviewing privacy laws and regulations because, even though the expression affected occurred in a commercial context, it was not ``commercial speech'' (i.e., it did not propose a commercial transaction). Some lower courts have nevertheless reviewed privacy laws or regulations under intermediate scrutiny. When they have done so, however, they have tended to find that the law or regulation failed even this level of scrutiny. In other words, they applied intermediate scrutiny because there was no need to apply strict scrutiny: The restriction being challenged could not survive even the lower standard of review.

The most recent example of this type of scrutiny was the decision of the U.S. Court of Appeals for the Tenth Circuit in U.S. West, Inc. v. Federal Communications Commission. The appellate court struck down the Commission's rules requiring that telephone companies obtain explicit consent from their customers before using data about those customers' calling patterns to market products or services to them.[1] The court found that the FCC's rules, by limiting the use of personal information when communicating with customers, restricted U.S. West's speech and therefore were subject to First Amendment review.
Although the court applied intermediate scrutiny, it determined that under the First Amendment, the rules were presumptively unconstitutional unless the FCC could prove otherwise by demonstrating that the rules were necessary to prevent a ``specific and significant harm'' on individuals, and that the rules were ``. . . no more extensive than necessary to serve [the stated] interests . . .''[2]

Although we may feel uncomfortable knowing that our personal information is circulating in the world, we live in an open society where information may usually pass freely. A general level of discomfort from knowing that people can readily access information about us does not necessarily rise to the level of substantial state interest under Central Hudson [the test applicable to commercial speech] for it is not based on an identified harm.[3]

The court found that for the Commission to demonstrate that the ``opt-in'' rules were sufficiently narrowly tailored, it must prove that less restrictive ``opt-out'' rules would not offer sufficient privacy protection, and it must do so with more than mere speculation:

Even assuming that telecommunications customers value the privacy of [information about their use of the telephone], the FCC record does not adequately show that an opt-out strategy would not sufficiently protect customer privacy. The respondents merely speculate that there are a substantial number of individuals who feel strongly about their privacy, yet would not bother to opt-out if given notice and the opportunity to do so. Such speculation hardly reflects the careful calculation of costs and benefits that our commercial speech jurisprudence requires.[4]

The court found that the FCC had failed to show why burdensome ``opt-in'' rules were necessary, and therefore struck down the rules as unconstitutional. The Supreme Court declined to review the case.[5]

The Dominance of First Amendment Rights

The result in U.S.
West is not surprising, because, whether analyzed under strict or intermediate scrutiny, privacy laws and regulations rarely survive constitutional review. For example, the Supreme Court has accorded privacy rights little protection when confronted with freedom of association claims of groups such as the American Communist Party.[6] The Supreme Court has struck down ordinances that would require affirmative consent before receiving door-to-door solicitations,[7] before receiving Communist literature,[8] even before receiving ``patently offensive'' cable programming.[9] The words of the Court in the 1943 case of Martin v. Struthers--involving a local ordinance that banned door-to-door solicitations without explicit (``opt-in'') householder consent--are particularly apt: ``Whether such visiting shall be permitted has in general been deemed to depend upon the will of the individual master of each household, and not upon the determination of the community. In the instant case, the City of Struthers, Ohio, has attempted to make this decision for all its inhabitants.''[10]

Similarly, the Court often has demonstrated little concern for the privacy interests of unwilling viewers or listeners, rejecting claims against broadcasts of radio programs in Washington, D.C. streetcars,[11] R-rated movies at a drive-in theater in Jacksonville, Florida,[12] and a jacket bearing the phrase ``Fuck the Draft'' worn in the corridors of the Los Angeles County Courthouse.[13]

And plaintiffs rarely win suits brought against the press for disclosing private information. When information is true and obtained lawfully, the Supreme Court repeatedly has held that the state may not restrict its publication without first meeting strict scrutiny.
Under this requirement, the Court has struck down laws restricting the publication of confidential government reports,[14] and of the names of judges under investigation,[15] juvenile suspects,[16] and rape victims.[17] Even if information published by the press is subsequently proved to be false, the Supreme Court has demonstrated extraordinary deference to First Amendment expression rights and little concern for the privacy interests involved.[18]

In fact, when privacy rights conflict with free expression rights before the Court, the latter prevail, virtually without exception. The dominance of the free expression rights over privacy interests is so great that Peter Edelman has written:

[T]he Court [has] virtually extinguished privacy plaintiff's chances of recovery for injuries caused by truthful speech that violates their interest in nondisclosure . . . If the right to publish private information collides with an individual's right not to have that information published, the Court consistently subordinates the privacy interest to the free speech concerns.[19]

This is true irrespective of whether the speaker is an individual or an institution.

The Impact on Congress

So what does this mean for Congress? I believe it necessitates that whenever Congress restricts the flow of information in an effort to protect privacy it must demonstrate (1) what harms it is acting to prevent or remedy, (2) that such harms are serious enough to constitute a substantial or compelling government interest, (3) that the law is not broader, or does not regulate appreciably more expression, than is necessary to achieve that interest, and (4) that there are not other tools (such as technologies or market solutions) that would achieve the same end with less interference with information flows.
The precise test (i.e., whether the interest must be ``compelling'' or ``substantial'' and whether the legislation must be the ``least restrictive means'' or merely ``narrowly tailored'' to achieve that interest) will depend upon the nature both of the expression restricted and of the legislation itself, but effectively all restrictions on the collection, use, or disclosure of information by the private sector will have to survive this basic First Amendment review.

This is a very high, but not impossible, burden. As a practical matter, it means that Congress cannot legislate to protect individuals from embarrassment or a ``general level of discomfort'' as a result of the disclosure of true information about them. It also means that Congress cannot broadly restrict uses of information that do not cause harm in an effort to target those that do.

On the other hand, the First Amendment does not restrict Congress from facilitating the creation and enforcement of private contracts. For example, Congress has broad discretion under the First Amendment to require disclosures, provided that those requirements do not interfere with expression to such an extent, or impose such high costs, that they constitute an unconstitutional restraint on expression. The Supreme Court has also found that Congress has significantly broader latitude to act to protect children, provided that the law is not so overbroad that it impinges on adults' expression. This explains why the Children's Online Privacy Protection Act may be constitutional under the First Amendment as applied to children, but similar restrictions would be unconstitutional if applied to adults.

Moreover, Congress has broad--although not unlimited--authority to regulate the government's use of information (i.e., to require privacy policies on government Web sites, or to reduce the amount of personal information the government collects from citizens).
Congress can fund the development of privacy protecting technologies (either directly or through tax incentives or other subsidies), and sponsor commissions or other research initiatives about privacy issues. Congress can help educate citizens about the steps that we--and often, only we--can take to protect our own privacy.

Conclusion

The First Amendment is often lamented as a regrettable restraint on the ability of Congress and other governmental bodies to act in the best interest of the citizenry and protect the public. It may sometimes have that effect. But I view it differently. The First Amendment reflects the fact that expression, and the information that is essential to expression, are so integral to our democracy and our economy, that laws affecting them always pose a great risk to citizens and consumers. Even when motivated by the most noble of purposes, those laws can result in untold damage, especially if they are not precisely targeted. Moreover, laws regulating expression and information are often attractive to policymakers and to the public; such laws frequently respond to immediate concerns and they usually do not require the expenditure of taxpayer dollars.

The First Amendment reflects a constitutional calculation that because of the attractiveness of laws limiting expression and the great risks that they pose, the government should only be allowed to enact and enforce such laws when they are necessary to prevent or remedy a specific, significant harm, and when they are closely tailored to affect only that expression that causes the harm. Viewed in this light, the First Amendment does not limit Congress' authority to restrict expression when necessary to prevent substantial harms. It only limits Congress' authority to restrict expression when that restriction is not necessary or is designed to serve a less important purpose.

Notes

[1] U.S. West, Inc. v. Federal Communications Comm'n, 182 F.3d 1224, 1235 (10th Cir. 1999), cert.
denied, 528 U.S. 1188 (2000).
[2] Id. at 1235 (quoting Rubin v. Coors Brewing Co., 514 U.S. 476, 486 (1995)) (emphasis added).
[3] Id. (emphasis added).
[4] Id. (emphasis added).
[5] U.S. West, Inc. v. Federal Communications Comm'n, 528 U.S. 1188 (2000).
[6] Communist Party of the U.S. v. Subversive Activities Control Board, 367 U.S. 1 (1961); Scales v. United States, 367 U.S. 203 (1961); Noto v. United States, 367 U.S. 290 (1961).
[7] Martin v. Struthers, 319 U.S. 141 (1943).
[8] Lamont v. Postmaster General, 381 U.S. 301 (1965).
[9] Denver Area Educational Telecommunications Consortium, Inc. v. Federal Communications Comm'n, 518 U.S. 727 (1996).
[10] Martin v. Struthers, 319 U.S. at 141.
[11] Public Utilities Commission v. Pollack, 343 U.S. 451 (1952).
[12] Erznoznik v. City of Jacksonville, 422 U.S. 205 (1975).
[13] Cohen v. California, 403 U.S. 15 (1971).
[14] New York Times Co. v. United States, 403 U.S. 713 (1971).
[15] Landmark Communications, Inc. v. Virginia, 435 U.S. 829 (1978).
[16] Smith v. Daily Mail Publishing Co., 443 U.S. 97 (1979).
[17] Florida Star v. B.J.F., 491 U.S. 524 (1989); Cox Broadcasting Corp. v. Cohn, 420 U.S. 469 (1975).
[18] Hustler Magazine, Inc. v. Falwell, 485 U.S. 46 (1988); Time, Inc. v. Hill, 385 U.S. 374 (1952).
[19] Peter B. Edelman, ``Free Press v. Privacy: Haunted by the Ghost of Justice Black,'' 68 Texas Law Review 1195, 1198 (1990).

______

Response for the Record of Solveig Singleton, The Competitive Enterprise Institute

Question (1)

Below I will summarize my view of the outer constitutional limits of Congressional action on privacy (noting, however, that the most Congress can do is probably not what Congress should do).

Opt-in.
An opt-in regime is probably a violation of rights of free speech as applied to many cases, for it will in effect operate as a ban on the exchange of truthful information in many cases.

Opt-out. Opt-out is more likely to pass constitutional muster. There may be some contexts where opt-out is unconstitutional, for example, if it restricts the use of information from public records. In addition, the Court might find, consistent with copyright cases, that it is inconsistent with free speech principles to create a property right in facts.

Default Contract Terms. Congress could clarify the default rules for a contract that is silent on the matter of privacy. This would not restrict speech, so long as companies remained free to set their own terms differently from the default.

Notice. Congress could require companies to give notice of their privacy practices.

Question (2)

Below I offer information in response to the question about consulting clients and my work on privacy.

Some think tanks such as AEI and Brookings do permit industry consulting. But my former employer, the Cato Institute, for whom I worked when I first formed my views on privacy, has an explicit rule prohibiting consulting related to analysts' policy topics with interested for-profit companies or associations that represent for-profit companies. The Competitive Enterprise Institute, where I presently work, also assumes that such consulting is inappropriate. Thus I have never worked as an industry consultant on privacy or any other topic that I also work on in the policy world.

I have worked as a consultant to a number of non-profit public policy groups on privacy. These groups are the Mackinaw Center, the Foundation for Economic Education (a small market-oriented group that works with students and academics), the National Center for Policy Analysis (a conservative group based in Texas), and the Democracy Online Task Force (meeting in Washington, D.C.). This is an all-inclusive list.