Privacy Rights Clearinghouse
5384 Linda Vista Rd. #306
San Diego, CA 92110
Voice: (619) 298-3396
Fax: (619) 298-5681
E-mail: bgivens@privacyrights.org
Web: www.privacyrights.org

April 14, 1997

Secretary
Federal Trade Commission
Rm H-159, Sixth St. and Pennsylvania Ave. NW
Washington, D.C. 29580

Session Two

Consumer Privacy 1997 -- Comment, P954807

Comments of Beth Givens, Project Director
Privacy Rights Clearinghouse

These comments are limited to "Self Regulation," specifically points 2.9 and 2.13 as follows:

2.9 What industry principles, recommendations or guidelines have emerged since June 1996 Workshop? Please discuss whether they are permissive or mandatory, whether they include sanctions for non-compliance, and the extent to which they have been implemented within the industry.

2.13 What privacy concerns, if any, are not adequately addressed by existing guidelines?

At the June 1996 FTC Workshop on Consumer Privacy, the Direct Marketing Association (DMA) and Interactive Services Association (ISA) presented their Joint Statement on Online Notice and Opt-Out (called the ISA/DMA Statement below). Both organizations favor the self-regulatory approach to protecting the privacy of consumers when engaged in online activities.

In the ensuing year, the DMA has developed a "Privacy Policy Questionnaire," available on its Web site (http://www.the-dma.org). The DMA Questionnaire is an interactive tool which marketers can use to develop their own online privacy statements and then post them on their own Web sites.

On the face of it, both the ISA/DMA Statement and the DMA Questionnaire are laudable steps toward ensuring that consumers' privacy wishes are honored during online interactions. But these self-regulatory approaches have some major shortcomings that bring into question the ultimate efficacy of the self-regulatory approach.

Definitions. One shortcoming is that of definition. The ISA/DMA Statement addresses the practices of "all marketers." It sets forth the principles of disclosure and opt-out as they pertain to the collection of "personal information." But these terms, "marketers" and "personal information," are not defined in the Statement.

What is the definition of "marketer?" Is it any entity that solicits consumers to purchase goods and services? What is meant by "personal information?" Is it information that is personally identifiable, or does it also include usage information that is not traceable to a specific individual, such as much of the data collected by "cookies?"

A great deal of collection of personal information on the "Net" exists outside of the marketing purview, and outside of the boundaries of the two industry associations, the DMA and the ISA. Yet even though the initial collection of information might not be marketing oriented, there's nothing to prevent that information from being collected and then merged with, say, demographic data, for eventual use by and sale to marketers. How is the ISA/DMA Statement to pertain to the collection of personal information when individuals are engaged in the broader universe of online activities?

Compliance and enforcement. Another shortcoming of the ISA/DMA Statement, and ultimately the self-regulatory approach, is that it is not backed up with mechanisms for compliance and enforcement. What's to be done about those entities which do not offer disclosure statements and opt-out opportunities? Will there be an auditing and compliance body that issues a "seal of approval" to those entities that adhere to industry policies? Will non-compliant entities be fined or sanctioned in some other way? Will there be mechanisms such as public listings of noncompliant entities to provide incentives for compliance? [I look forward to the Comments of such endeavors as eTrust in this regard.]

Benchmarks. A further shortcoming of the self-regulatory approach, at least as promulgated to date, is the lack of any benchmarks for success. How will we know if/when the self-regulatory approach is working?

The DMA's Mail Preference Service (MPS) exemplifies this particular shortcoming. The MPS was established by the Direct Marketing Association in 1971, over a quarter century ago. Consumers who do not want to receive unsolicited mail register their name and address with this centralized data base. Mailers use this list on a voluntary basis to "suppress" these names from their own lists.

Does the MPS work? From the standpoint of callers to the PRC's hotline who have used the MPS, the answer is "no." Consumers see little to no reduction in volume of unsolicited mail after registering with the MPS. The only category of mail for which the MPS has any noticeable effect is catalog mail.

Another way to assess whether or not the MPS has been successful is to look at the numbers of mailers that use the service. The major nationwide mailers are the most likely to use the MPS. But large categories of mailers do not take advantage of the MPS. These include local mailers, the "resident" mailers, many charities, as well as many prize and sweepstake promoters. In addition, not even the totality of DMA members use the MPS.

If meaningful goals were imposed on direct mailers, perhaps the MPS could in fact be effective. For example, the goal of X% of MPS subscribership by direct mailers, Y% of resident mailers, Z% of charities over certain sizes, and so on, could be established as benchmarks to determine if in fact self regulation is working vis-a-vis direct mail.

Another approach would be that of standards setting, which is now being considered in Canada. The success, or lack thereof, of the MPS could be determined if the industry were to develop a set of standards which define compliance.

[These comments will not delve into a standards approach except to note that the approach taken by our neighbors to the north deserves attention by the Federal Trade Commission. I would look forward to a presentation by a representative from the Canadian Standards Association during the upcoming June meetings. (See the recent CSA publication "Your Guide to CSA's Privacy Code.")]

Let us transpose the example of the Mail Preference Service onto the topic of these comments, online services. Even though the MPS has been in operation for a quarter century, we are not able to determine its success because of lack of any benchmarks to do so. If some sort of goals and/or standards regime is not imposed on online services, we will continue to hear the refrain that "self regulation is working" without any meaningful evidence to back up that claim.

Consumer education and feedback. Given the above comments, I am not convinced that self regulation has worked to date, and I do not expect it to be effective in the future unless there are effective tools for ensuring and measuring compliance. Nonetheless, if the self regulatory approach is taken vis-a-vis ensuring consumer privacy in the use of online services, consumer education must be a major part of the mix.

In a self-regulatory environment, consumers must be well-informed of their choices and the consequences of making those choices. They must also know the "lay of the land." What expectations regarding protection of their privacy should they have? How will they know when an online entity is not taking adequate steps to protect their privacy? How will they know what actions they can take regarding entities that violate their privacy?

Consumer education can go a long way toward explaining the "lay of the land" to consumers. To avoid serving the interests of industry or government, such education must be provided by independent entities.

In addition, consumers must have a trusted feedback mechanism they can use so their experiences with online services -- both the good and bad -- are documented. The market provides one kind of feedback mechanism, but an imperfect one: entities which violate consumer privacy may lose business. A more reliable mechanism might be an independent body or bodies to which consumers can provide such feedback.

At the risk of appearing self-serving, I encourage the FTC, industry and others to investigate the model provided by the Privacy Rights Clearinghouse -- a nonprofit organization which conducts research and makes information available to consumers, and which also serves as a feedback loop for both government and industry entities. Granted, a program as small as the PRC is not able to serve the educational and feedback needs of a nation. But on a larger scale, the PRC model deserves attention. When examining the role of an independent consumer education body(ies), policymakers must also determine how to fund such an entity(ies) to provide long-term stability and avoid conflicts of interest. [For further information, see Comments of Beth Givens, submitted in June 1996 at the FTC Consumer Privacy workshop.]

This concludes the Comments of the Privacy Rights Clearinghouse vis-a-vis Session Two, specifically directed at "Self-Regulation."