FTC Seeks Authority to Regulate Online Privacy

(May 23, 2000) The FTC issued a lengthy report on Monday, May 22 in which it requests wide authority to regulate web sites' information collection practices. The report recommends that Congress pass legislation to empower the FTC to pass rules requiring web sites to give notice of their information practices, to allow individuals to control how their data is used, to allow individuals to access and correct their data, and to require security measures.

The Report is titled "Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress." It is available in the FTC web site in PDF.
Text of the Report.
Dissent of Commissioner Swindle.
Dissent of Commissioner Leary.

Two of the five members of the Federal Trade Commission dissented. Commissioner Orson Swindle wrote a long damning dissent in which he stated that the "embarrassingly flawed" report calls for "extensive government regulation" through "breathtakingly broad laws". Commissioner Thomas Leary wrote a more modest dissent.

The report recommends that the Congress pass legislation that would give the FTC wide authority pass and enforce regulations in four areas:

"(1) Notice -- Web sites would be required to provide consumers clear and conspicuous notice of their information practices, including what information they collect, how they collect it (e.g., directly or through non-obvious means such as cookies), how they use it, how they provide Choice, Access, and Security to consumers, whether they disclose the information collected to other entities, and whether other entities are collecting information through the site.

(2) Choice -- Web sites would be required to offer consumers choices as to how their personal identifying information is used beyond the use for which the information was provided (e.g., to consummate a transaction). Such choice would encompass both internal secondary uses (such as marketing back to consumers) and external secondary uses (such as disclosing data to other entities).

(3) Access -- Web sites would be required to offer consumers reasonable access to the information a Web site has collected about them, including a reasonable opportunity to review the information and to correct inaccuracies or delete information.

(4) Security -- Web sites would be required to take reasonable steps to protect the security of the information they collect from consumers."

Rep. Bob Goodlatte (R-VA), Co-chairman of the Internet Caucus, immediately criticized the report. "The FTC has injected election-year politics into what should be a non-partisan issue. Last year, when the FTC urged a hands-off approach to the Internet, a mere fraction of websites posted privacy policies. Now that over 90 percent of major websites are posting privacy policies, the FTC has discovered the need for new government regulations."

"Congress will continue to act in a careful and thoughtful manner on the issue of online privacy, in the spirit of last weekend's privacy retreat which explored ways to assure the protection of consumer privacy while not undermining the dynamic growth of the Internet," said Rep. Goodlatte.

Similarly, Secretary of Commerce William Daley reiterated the Clinton administration's position that new legislation is not necessary at this time.

Daley first pointed out that "Today the FTC released a survey that shows that there has been significant improvement in the number of websites that tell their customers about company privacy policies."

He continued: "The Administration will continue its dialogue with the private sector and with consumer groups on effective mechanisms to ensure privacy protection online. To the extent that the private sector can show how it will address the free rider problem and improve the quality of privacy policies, legislation would not be necessary. As we have long stated, if we do not see such progress, then we may eventually need to consider whether legislation would provide companies with the right incentives to have good policies and participate in an effective self-regulatory program."

Congress is highly unlikely to enact any legislation this year. It is an election year. Congress already has a full agenda, and is anxious to wrap up. It is already too late in the session for such a controversial proposal to work its way through the Congress.

The FTC will present its report at a hearing of the Senate Commerce Committee on Thursday. Committee Chairman Sen. John McCain (R-AZ) has opposed online privacy legislation in the past most. Sen. McCain has most closely agreed with FTC Commissioner Orson Swindle.

Commissioner Swindle had this to say about the new report.

"I dissent from this embarrassingly flawed Privacy Report and its conclusory -- yet sweeping -- legislative recommendation. 1 In an unwarranted reversal of its earlier acceptance of a self-regulatory approach, a majority of the Commission recommends that Congress require all consumer-oriented commercial Web sites that collect personal identifying information from consumers to adopt government-prescribed versions of all four fair information practice principles ("FIPPs"): Notice, Choice, Access, and Security.  The majority abandons a self-regulatory approach in favor of extensive government regulation, despite continued progress in self-regulation."

Commissioner Thomas Leary dissented in part, and concurred in part:

"Today the Federal Trade Commission recommends that Congress enact legislation to help consumers protect their privacy when transacting business on the Internet. I agree that some legislation is appropriate, but believe that the recommendation in the Report endorsed by a majority is too broad in one respect and too narrow in another. The recommendation is too broad because it suggests the need for across-the-board substantive standards when, in most cases, clear and conspicuous notice alone should be sufficient. The recommendation is too narrow because any legislation should apply to offline commerce as well."