Subj: Online Privacy: Perspectives of Online Privacy Alliance
From: Tim Lordan, 202-638-4371, tim@privacyalliance.org
To: Internet Caucus Advisory Committee

LAYERED APPROACH TO DATA PRIVACY PROTECTION

SURVEY OF REGULATORY OVERSIGHT AND ENFORCEMENT OF PRIVACY IN THE US

The United States has a long history of respecting the privacy of Americans. There currently exist numerous laws on the books designed to ensure the privacy of Americans. Some of these restrictions on the collection and use of personal information are based upon how the data is used (FCRA), some on the demographics of the citizen (COPPA), and some on the sensitivity of the data (HIPAA, FSMA). These rules apply online as well as offline. See below for a full review.

LAYERED APPROACH : In the online world, consumers are afforded additional protections that flow from a layered framework designed to ensure data privacy. This flexible, layered approach starts with publicly announced corporate policies and industry codes of conduct (e.g. posted privacy policies, and publicly endorsed industry codes of conduct via groups such as the OPA/DMA).

ENFORCEMENT : Regulations allow the FTC and state and local agencies to enforce these publicly stated policies on behalf of consumers. With the vast majority of Web sites posting privacy policies, this gives these enforcers jurisdiction over just about the whole dot com Internet. In cases where truly bad actors refrain from posting privacy policies in an attempt to avoid enforcement, the FTC has cautioned that "in certain circumstances, information practices may be **inherently** deceptive or unfair, regardless of whether the entity has publicly adopted any fair information practice policies," leading to the possibility of an FTC enforcement action under section 5 of the FTC Act.

FLEXIBILITY : As industry best practices and self-regulatory principles change, the FTC's authority with regard to those practices remains in place (no waiting for legislative authority to address issues arising from a new business model).

SUCCESSFUL HISTORY : This approach has a long and successful history in the United States. Many professions that traditionally have been trusted to safeguard the confidentiality of personal data -- lawyers, doctors, and accountants, for example -- abide by self-regulatory codes backed up by government or judicial enforcement mechanisms, and the result has been a high level of protection that has stood the test of time.

THIRD PARTY ENFORCEMENT MECHANISMS : These enforcement mechanisms provide additional backup to FTC and local enforcement. At present, the OPA endorses several effective "seal" programs (BBBOnLine, CPA Web Trust, ESRB, TRUSTe) and several other enforcement mechanisms (the DMA, IRSG). Thousands of the top sites on the Internet participate in these mechanisms to ensure privacy protections for their consumers.

TEETH IN SELF REGULATION : This layered approach was proven in the GeoCities case, where the FTC challenged the accuracy of certain representations in the website operator's privacy policy. The FTC and GeoCities entered into a consent decree in which GeoCities agreed to implement several additional robust privacy practices. GeoCities implemented new practices dealing with information from children - these practices pre-dated COPPA by years. A similar enforcement action was brought against Liberty Financial's Young Investor site last year. Again, the site's publicly announced privacy practices were adequately enforced by the FTC.

SURVEY OF EXISTING PRIVACY LAWS

Many laws addressing industry-specific sectors that address the use of personal information exist, including:
- the Electronic Communications Privacy Act (ECPA),
- the Fair Credit Reporting Act,
- the Children's Online Privacy Protection Act,
- the Electronic Funds Transfer Act,
- the Video Privacy Protection Act,
- the Telephone Consumer Protection Act of 1991,
- the Cable Communications Policy Act of 1984,
- the Communications Act itself,
- the Financial Services Modernization Act,
- the Federal Aviation Act,
- the Health Insurance Portability and Accountability Act (HIPAA),
- the Right to Financial Privacy Act of 1978,
- a myriad of State law protections.

MORE ROBUST PRIVACY THAN EUROPE : The sectoral approach to privacy in the US provides much more effective protections than the omnibus approach to privacy that exists within Europe. For example, ECPA, the Electronic Communications Privacy Act, provides far more privacy protection to US citizens when they engage in personal and private communications online via email. Through ECPA, the privacy of US citizens is ensured in the most sensitive of Internet communications - email messages. Email communications between US citizens are protected under this high privacy standard. However, once a US citizen shares personal Internet communications with an EU citizen via email, EU law does not respect ECPA's privacy-assuring standards on that end of the message.

For a more detailed review, see http://www.privacyalliance.org/news/12031998-5.shtml