Problems with Self-Regulation of Online Privacy:: 13 Works Cited
Length: 2726 words (7.8 double-spaced pages)
Abstract: In this paper, I will briefly define privacy and "fair information practices." Then I will discuss the regime of self-regulation that is currently in place in the United States to protect these principles as they relate to consumer online data collection and dissemination. Specifically, I will show that there are some problems with this system. In particular, I will point out that privacy practices are not universal, and that companies may not be driven to implement fair information practices by market forces because of the strong financial incentives for them to do otherwise. Finally, I will suggest that legislation like that used in the European Union might be a viable alternative to self-regulation in the United States.
I enjoy shopping online. As a college student in rural New Hampshire, the abundance of online retailers is a dream come true, as it allows me to buy the latest fashions and other items directly from my dorm. But what price do I pay for such luxury? I compromise my privacy as a consumer and open myself up to a world of customer profiling, targeted advertising, and analysis of my online behavior.
Currently, there are no all-encompassing legal restrictions on the collection and use of customer-provided data, clickstream data, and other forms of personal information collected about adult consumers over the Internet.1 Instead, we rely on a system of industry self-regulation, built on a market model, to protect consumer privacy. There are several problems with this system. First, it is not universally implemented; sites are not required to disclose their privacy practices. Second, since online businesses stand to gain financially from the use of personal data, especially in targeted marketing campaigns, and because most consumers are not knowledgeable enough to protect themselves, companies may not actually be driven to protect consumer privacy by the market, as was originally thought. Instead, legislation, similar to that passed in 1998 by the European Union, may be required to guarantee Americans' online privacy.
Defining Fair Information Practices
First, it is necessary to define privacy and fair information practices as they pertain to online commerce. Back in 1973, the US Department of Health, Education, and Welfare developed a Code of Fair Information practices (US Dept. of Health 1973). It is based on five general principles (US Dept. of Health 1973):
* There must be no personal data record-keeping systems whose existence is a secret.
* There must be a way for a person to find out what information about him or her is in a record and how it is used.
* There must be a way for a person to prevent information that was obtained for one purpose from being used or made available for other purposes without his or her consent.
* There must be a way to correct or amend a record of identifiable personal information.
* Any organization "creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuses of the data."
Over time, these five principles have evolved into those currently suggested by the Federal Trade Commission with regards to consumer online privacy: Notice, Choice, Access, Security, and Enforcement (FTC 2000).
A System of Self-Regulation
Defining fair practices is only the first step in guaranteeing privacy. Next, the principles must be put into practice. There are three primary tactics for promoting these principles and for regulating the online collection and use of personal information. These approaches include legislation, industry self-regulation, and new technologies meant to limit the exchange of personal information (Kotz 1999).
In its 1999 report to Congress, the Federal Trade Commission (FTC) reported that it considered a method of self-regulation to be "the least intrusive and most efficient means to ensure fair information practices online, given the rapidly evolving nature of the Internet and computer technology" (FTC 1999). This statement shows that the five principles of fair information practices are merely suggested, not legally required. The system of self-regulation is based on a pure-market model, which concludes that companies should be driven to protect consumer privacy because doing so would build consumer confidence and boost their own revenues (Dept. of Commerce 1997).
The FTC's statement points to online privacy seal programs as "a particularly promising development in self-regulation" although it stated that further improvement was still necessary to protect consumers' online privacy. Specifically, the FTC cited TRUSTe and the Better Business Bureau Online as examples of promising programs. (FTC 1999)
We monitor our licensees for compliance with their posted privacy practices and TRUSTe program requirements through a variety of measures. Our oversight process includes initial and periodic web site reviews, 'seeding,' and online community monitoring. (TRUSTe)
More simply, the BBBOnline describes compliance with its program as "say what you do, do what you say, and have it verified" (BBBOnline).
These programs build on the market model because companies seek to obtain privacy seals in order to promote consumer confidence in their sites, and to increase business and revenue. According to the BBBOnline description of benefits for sites, participating in the privacy program allows a business to "distinguish [itself] from online competitors that have not pledged to the high standards set forth in the BBBOnline" and to "help increase consumer confidence in the web as a safe place to shop" (BBBOnline).
Problems with Self-Regulation
While seal programs are a promising development, self-regulation still has some significant flaws. One basic problem with the current system is that it is not universal. For instance, the use of seal programs by consumer sites is purely optional, and legally the only requirement is that companies not violate their own posted privacy policies, as this would be considered a deceptive business practice (Killingsworth 1999). A site can get around this problem by just not making any promises regarding privacy (Killingsworth 1999).
According to one study, the majority of consumer sites collect at least one type of personal information (Culnan 2000). However, more than half of consumer sites still do not post privacy policies or information practice statements that address each one of the areas of notice, choice, access, and security (Culnan 2000). Moreover, "nearly one-third of web sites did not post any disclosures" (Culnan 2000). As for the touted privacy seal programs, a 2000 survey by the FTC determined that "the seal programs have yet to establish a significant presence on the Web" (FTC 2000). They found that less than one-tenth of the randomly sampled sites displayed a privacy seal (FTC 2000).
Another major problem with the self-regulatory system is the ignorance of consumers. The motivation for businesses to collect personal information is great, and because many consumers do not know how to protect themselves, the market model may actually not apply. The personal information of customers, both online and offline, is extremely valuable to companies, especially for marketing. Online, this information is collected in three general ways: by directly recording the information typed by the user into a web page, by indirectly keeping track of an individual's web-surfing activity such as the pages he visits, and finally by correlating data from multiple sources to infer new facts about a person (Kotz 1999). More specifically, information is collected through server logs, cookies, and web forms (Kotz 1999). After it is collected, this information can be used to tailor advertisements to the specific customer. For example, if a consumer browsed a travel site looking for inexpensive airline tickets to Paris, an intelligent direct-marketing system would bring up ads for travel books and hotels.
Entire companies have been built on the idea of online direct marketing. DoubleClick, mentioned above, is one example. The company's "DART"(Dynamic Advertising Reporting & Targeting) product is sold to advertisers as a sophisticated marketing tool. According to DoubleClick's web site, "it enables you to reach your customers, measure their response, and turn information into wisdom" (DoubleClick). Net Perceptions and Engage also advertise that they offer similar services. (Engage) (Net Perceptions)
In addition to direct marketing services, other online businesses make use of consumer data in managing customer relationships. For example, online shopping networks such as MyPoints.com and Clickrewards invite consumers to become members of their respective programs. In exchange for providing personal information and for making purchases through the companies' sites, customers are awarded "points" or "miles" respectively, which are redeemable for merchandise, travel, etc. (MyPoints) (ClickRewards).
While businesses clearly have the incentive to collect personal information, the majority of consumers are concerned about online privacy (Robuck 2000). Yet, they often do not know how to protect themselves. (Robuck 2000) In one survey, the majority of Americans questioned believed that the customer tracking done by web sites is harmful because it invades their privacy (Robuck 2000), but at the same time, 56% of Americans did not know what a cookie was (Robuck 2000), even though it is one of the most widely-used data collection mechanisms.
According to one source, "there are critical normative flaws in the theory of self-regulation for information practices...self-regulation assumes that all privacy values can and should be resolved by a marketplace" (Reidenberg 1999). "This is a classic case of market failure. Without disclosure by corporations, citizens cannot ascertain how their personal information is acquired and used" (Reidenberg 1999).
Alternative Methods of Promoting Privacy
For these reasons, it seems that the United States should try a different tactic for promoting online privacy - legislation. Many other countries, including all members of the European Union, have already taken this approach. Furthermore, in 2000 the Federal Trade Commission reversed its 1999 suggestion in recommending to Congress that it pass similar legislation (FTC 2000).
The system of self-regulation that is in place in the United States differs significantly from the systems used in other countries. Specifically, "The European Union views data privacy as a fundamental right that is best protected by legislation and federal policing. The United States, in contrast, relies largely on a self-regulatory approach to effective data privacy and protection" (Tan 1999). "The provisions of the EU law require businesses to collect private data only for clearly stated purposes and forbid data disclosure to third parties unless consumers grant permission. European consumers [also] have the right to sue companies that don't adhere to these rules" (Perine July 2000).
In 2000, the Federal Trade Commission voted to recommend that the United States pass similar legislation (FTC 2000). According to its 2000 report to Congress, industry efforts to date "fall far short of broad-based implementation of self-regulatory programs" (FTC 2000). For this reason,
while there will continue to be a major role for industry self-regulation in the future, a majority of the Commission recommends that Congress enact legislation that, in conjunction with continuing self-regulatory programs, will ensure adequate protection of consumer privacy online... The proposed legislation would set forth a basic level of privacy protection for consumer-oriented commercial Web sites. Such legislation would establish basic standards of practice for the collection of information online, and provide an implementing agency with the authority to promulgate more detailed standards pursuant to the Administrative Procedure Act (FTC 2000).
Roger Clarke, a visiting fellow at Australian National University, sums up the international need for data protection legislation as follows:
Legislation is essential, to establish incentives that encourage compliance; and disincentives that discourage inappropriate behaviour. The statute needs to be designed to strengthen the hand of industry associations as they seek to achieve order within their sectors, and to rein in the cowboys (Clarke 1999).
He then goes on to suggest that legislatures establish a set of privacy protection principles (Clarke 1999), which would be similar to those already defined by the FTC. He also suggests that an agency be established with the authority to enforce these principles (Clarke 1999).
The current system of privacy regulation for online commerce in the United States has several main flaws. The system of self-regulation was initially adopted as a means of promoting the Department of Health and The Federal Trade Commission's fair information practice principles. The system relies heavily on a market model, which states that companies should want to promote customer privacy because it will encourage business and boost revenue. This concept is most directly evidenced by the spreading use of privacy seal programs. However, fair information practices are far from universal, with most consumer sites not posting privacy policies that address all of the defined areas of privacy. Also, the market model may not hold up for online commerce because consumers do not generally know enough to understand when their privacy is being compromised. Based on this analysis, it seems as though other systems of privacy regulation should be explored. Specifically, legislation similar to that of the EU should be considered.
 The Children’s Online Privacy Protection Act of 1998 places more restrictions on the online collection of personal information from children under age thirteen. (Children’s Online Privacy Protection Act)
Better Business Bureau Online web site. http://www.bbbonline.com
Clarke, Roger. "Internet Privacy Concerns Confirm the Need for Intervention." Communications of the ACM. February 1999. Available at http://www.acm.org/pubs/citations/journals/cacm/1999-42-2/p60-clarke
ClickRewards web site. http://www.Clickrewards.com
Children's Online Privacy Protection Act of 1998. Available at http://www.ftc.gov/ogc/coppa1.htm
Culnan, Mary J. "Protecting Privacy Online: Is Self-Regulation Working?" American Marketing Association Journal of Public Policy & Marketing. Spring 2000.
DoubleClick.net web site. http://www.DoubleClick.net
Engage web site. http://www.engage.com
Federal Trade Commission. "Self-Regulation and Privacy Online." July 13, 1999.
Federal Trade Commission. "Privacy Online: Fair Information Practices in the Electronic Marketplace." May 25, 2000.
Federal Trade Commission letter to Christine Varney, Esq., attorney for DoubleClick Inc. January 22, 2001. Available at http://www.ftc.gov/os/closings/staff/doubleclick.pdf
Killingsworth, Scott. "Minding Your Own Business: Privacy Policies in Principle and in Practice." Journal of Intellectual Property Law Association. Fall 1999.
Kotz, David. "Technological Implications for Privacy." January 3, 1999.
MyPoints.com web site. http://www.mypoints.com
Net Perceptions web site. http://www.netperceptions.com
Perine, Keith. "Not Enough Privacy?" The Industry Standard. July 10, 2000.
Perine, Keith. "Privacy Activists File DoubleClick Complaint." The Standard.com. February 10, 2000. Available at http://www.thestandard.com/article/article_print/0,1153,9694,00.html
Reidenberg, Joel R. "Restoring Americans' Privacy in Electronic Commerce." Berkeley Technology Law Journal. Spring 1999.
Robuck, Michael. "Survey Says Internet Privacy A Concern Among Consumers: But Most Consumers Don't Know How to Protect Themselves." Boardwatch Magazine. October 2000.
Tan, Domingo R. "Personal Privacy in the Information Age: Comparison of Internet Data Protection Regulations in the United States and the European Union." Loyola of Los Angeles International & Comparative Law Journal. August 1999.
TRUSTe web site. http://www.truste.com
U.S. Department of Commerce: National Telecommunications and Information Administration. "Privacy and Self-Regulation in the Information Age." Chapter 1. June 1997. http://www.ntia.doc.gov/reports/privacy/privacy_rpt.htm
US Dept. of Health, Education, and Welfare Secretary's Advisory Committee on Automated Personal Data Systems. Records, Computers, and the Rights of Citizens viii 1973.