Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Dixon, Tim --- "Internet self-regulation struggling to meet consumer demands" [1999] PrivLawPRpr 58; (1999) 6(5) Privacy Law & Policy Reporter 72

Internet self-regulation struggling to meet consumer demands

Background
Self-regulation under examination

Internet self-regulation struggling to meet consumer demands

Tim Dixon

The US debate about online privacy protection has flared again in response to warnings from the Federal Trade Commission (FTC) and high profile privacy breaches which have not been corrected by industry self-regulation. While the US is still several steps away from getting legislation through Congress, leading ecommerce consultancy group Forrester Research has predicted in a new report that online privacy regulation is likely within the next 12 to 18 months.

Background

In June 1998 the FTC issued its report, Privacy Online: A Report to Congress, which warned that legislation would be necessary if self-regulation failed to provide adequate privacy protection. It promised to monitor the performance of industry over the next year and come back with a recommendation for or against legislation by mid-1999. Following a second survey of website practices conducted in March 1999, the FTC returned to Congress in July with advice to continue to wait and see. While it indicated that significant progress has been made towards the development of industry self-regulation, it also noted that coverage of privacy safeguards was still inadequate and that unless self-regulation produced better outcomes, legislation would become necessary.

The FTC commissioned a survey of the practices of the most commonly visited websites to check their compliance with privacy principles in early 1999. The Georgetown Internet Privacy Policy Survey, conducted by Mary Culnan of Georgetown University, was released in June 1999. It was based on a survey of 361 .com websites drawn from a sample of the top 7500 URLs ranked by audience during January 1999. Unlike the previous FTC survey, it was based on actual web traffic rather than a survey of all websites. In that sense, it gave a more reliable indication of the privacy policies of the sites which consumers would most often visit and where they would be most likely to conduct transactions. The 7500 URLs from which the sample was drawn represent 98.8 per cent of traffic on the world wide web.

The survey confirmed that most sites collect personal information — 92.8 per cent collected personally identifying information and 56.8 per cent collected demographic information such as age, family information, gender, education, income, interests and occupation. The vast majority of those which collect a name and email address (some 83.9 per cent) collect at least one other additional piece of personal information. In percentage terms, the top 10 items of personal information collected by websites are email address (91 per cent), name (81 per cent), postal address (63 per cent), phone number (52 per cent), credit card number (39 per cent), age or birthday (31 per cent), postcode or location (30 per cent), gender (25 per cent), preferences (21 per cent) and occupation and other demographic information (16 per cent). Some 10 per cent ask for information about a person’s income or education.

The second issue examined by the survey was companies’ practices relating to privacy policies. The survey distinguished between privacy policies and information practice statements, which explained how personal information was used by that website. The focus on information practice statements reflects the emphasis in the US on consumers being able to make an informed choice about their use of websites depending upon the websites’ practices. Only 36 per cent of websites had both a privacy policy and an information practice statement; 34.1 per cent had neither, and 22.4 per cent only had a statement about their information practices. The survey reviewed those statements for the extent to which they met fair information practice criteria relating to notice, choice, access, security and content information. Only 9.5 per cent of the websites that collect personal information actually had a statement about each of those five criteria. Other findings include that:

• 22 per cent of the surveyed websites allow consumers to access their personal information;
• 18 per cent allow consumers to correct inaccurate information;
• 40 per cent say that they give consumers a choice about whether they are recontacted for marketing purposes; and
• 25 per cent say that they provide consumers with some control of the disclosure of data to third parties.

The FTC’s Self Regulation and Privacy Online report contained its response to the Georgetown survey. It noted the rapid growth of electronic commerce: for example, the growth of online advertising revenues from $906.5 million in 1996 to $1.92 billion in 1998, exceeding those for advertising on outdoor billboards in the US in that year. It noted that 80 million adults in the US are now estimated to be using the internet. But according to the FTC, privacy concerns remain high and are a major constraint on the growth of ecommerce. According to a 1999 AT&T survey, 87 per cent of experienced internet users surveyed in the US say they are somewhat or very concerned about threats to their privacy online. Only one quarter of internet users go beyond just browsing for information to purchasing goods and services online, in part due to their privacy concerns.

After highlighting the outcomes of the survey and noting the significant progress in the development of programs such as TRUSTe, BBB Online, and the Online Privacy Alliance, the FTC stated that nevertheless, not enough progress has been made in establishing privacy policies. However, it concluded that ‘the Commission believes that legislation to address online privacy is not appropriate at this time’. The FTC instead outlined a program of initiatives, including public workshops on issues such as online privacy website tracking of consumer behaviour and improving implementation of fair information practices.

The report also highlighted disagreements among the four federal trade commissioners. Two separate statements were issued by individual commissioners in addition to the report. Commissioner Orson Swindle criticised the report for failing to give sufficient praise to the efforts of industry to protect privacy, commenting that ‘the way to get where we want to be is not through more laws and regulation’. In contrast, Commissioner Sheila Anthony argued that legislation was necessary now: she was ‘dismayed ... with the results of the two studies’ showing that:

there is an enormous gap between the online collection of individually identifiable information and the protection of that information by the website owner’s implementation of fair information practices of notice consent access and security ... industry progress has been far too slow ... I believe the time may be right for federal legislation to establish at least a base line minimum standard.

Just as commissioners disagreed on what conclusions should be drawn from the survey, business and consumer groups also put a very different spin on its meaning:

• industry self-regulation body TRUSTe argued that the figures showed ‘a remarkable demonstration that the message has been received loud and clear ... TRUSTe is confident that widespread adoption of privacy policies will only increase expedientially ... the online world has moved extremely quickly’;
• the Direct Marketing Association said that ‘the study shows that business has heeded the call from the White House and the FTC to promote privacy protection online’ and that ‘consumers are showing a great level of comfort as e-commerce booms: online sales approached $6 billion in 1998 and sales are expected to exceed $11 billion this year’;
• privacy and public interest advocates differed — the Consumer Federation of America, like other public interest groups, concluded that ‘industry self-regulation fails to protect consumers or foster consumer confidence in electronic commerce’; and
• Ram Avrahami of privacy advocacy group The NAMED noted that the survey results were distorted by the fact that industry groups, including the DMA, put out an urgent posting on 1 March 1999 warning thousands of business about the FTC’s survey a week later, and urging them to post up privacy policies on their sites immediately. The notification warned that government regulation was likely if the survey showed that organisations were not posting privacy policies. The DMA made it particularly easy with a privacy policy generator which they promised ‘would create and post a privacy policy statement to your website in a matter of minutes’. Avrahami argued that this biased the survey results towards an artificially high level of privacy notices.

Self-regulation under examination

The next step in the US internet privacy debate is likely to involve a more detailed examination of the effectiveness of self-regulation. Three major privacy seal programs, TRUSTe, BBB Online and the Online Privacy Alliance, have emerged in recent years.

• The TRUSTe program was launched in June 1997. It involves a licence which stipulates conditions to which the licensee must adhere, including privacy principles and dispute resolution processes. TRUSTe examines the privacy practices of the site, awards a seal, conducts ongoing audit and handles consumer complaints. By July 1999 850 sites were licensed, including 15 of the most visited sites.
• The Council of Better Business Bureaus launched the BBB Online Privacy Program in March 1999. It is part of the BBB Online Reliability Program which was launched in 1997 and has 3500 members. It claims a comprehensive process of assessing a company’s privacy policy and practices. By October 1999 it had 60 companies approved with 400 applicants.
• The Online Privacy Alliance is another major US based initiative covering a large proportion of major US companies. It focuses on achieving transparency and allowing consumers to make choices based on disclosure of information practices, data security, data quality and limited access to data. The OPA was launched in June 1998 and includes 85 major US companies and industry organisations.

These programs were developed in order to foster consumer confidence and forestall any heavy handed government regulation of internet privacy. They have relatively quickly achieved a high take up among the top websites, but their effectiveness in delivering better privacy safeguards is now under fire. They may have persuaded organisations to post privacy policies, but critics argue they have had little effect on their actual practices. In its comments on the FTC report, the Privacy Rights Clearing House highlighted problems with industry members of TRUSTe, including that:

• GeoCities, a provider of free webpages, was found to have disclosed information about its members (many of whom were children) to third parties even though it is a member of the TRUSTe program — this prompted an enforcement action by the FTC;
• Microsoft’s Internet Explorer 5.0 was found to inform websites of when users bookmark their pages, without obtaining the consent of those users — Microsoft was a major supporter of TRUSTe;
• Microsoft’s Office 98 program was found to be including Globally Unique Identifiers (GUIDs) that would allow all documents and visits to Microsoft operated websites to be linked to customer profiles provided previously by software registrations. TRUSTe argued that this was not a violation of its licence agreement and did not investigate.

A major controversy erupted in November 1999 when The New York Times reported that online software distributor Real Networks was collecting information about the musical tastes of 13.5 million Real product users without their knowledge. Real Jukebox, software downloaded through the Real Networks site, was scanning users’ hard drives and transmitting information about their musical interests and music player back to Real Networks. This information was then added to pre-existing customer profile information. Although Real Networks is a member of TRUSTe and displayed its logo on its website, TRUSTe refused to launch an investigation into Real Networks because its licence only covers information collected from consumers over a website, and since the information was actually collected by software downloaded from a website, Real Networks had not violated its TRUSTe licence. TRUSTe did announce, however, that it would review its licence agreements.

Another incident occurred just days later when it was revealed that Sony Music Entertainment’s Infobeat newsletter was disclosing the email addresses of its subscribers to advertisers without their permission.

The sequence of incidents with high profile brand names, often discovered only through a coincidence or random event, suggests that current practices are failing to meet consumers’ expectations of privacy safeguards. Often this appears to be the deliberate result of practices which large corporations should be aware are in breach of privacy principles and are, on one face of it, quite unethical. The seeming ineffectiveness of the self-regulating privacy seal and licence organisations has strengthened the push for a legislated solution.

On the other hand, some large organisations have taken a more proactive stance to encourage adoption of four information practices. IBM, Disney and Microsoft announced in mid-1999 that they would withdraw advertising from sites that do not adhere to fair information practices. While the advocates of self-regulation point to such initiatives to show that the industry is able to police itself, the question is whether these initiatives will ultimately satisfy regulators.

Forrester Research’s report, Privacy Self-Regulation Will Fail, concluded that they should wait, but that legislation is almost inevitable because business and consumer groups cannot reach common ground on privacy principles. In fact, the Forrester report argues that customer-profile driven e-commerce is inherently in conflict with protecting consumers’ privacy:

To avoid regulation, companies must convince the FTC that substantial progress has been made towards fair information principles [but] asking this group to reach consensus is like expecting hospitals, insurers and patients to agree on managed care.

The FTC will revisit the state of internet privacy in March 2000. The prospects of a recommendation for legislation, either at this review or the next, are growing. The experience of the Children’s Online Privacy Protection Act (see 1999 6(4) PLPR55) suggests that any recommendation from the FTC for legislation would carry significant weight with Congress.

Tim Dixon is an Associate at Baker & McKenzie in Sydney and Chairman of the Australian Privacy Foundation.