Subj: Online Privacy: Perspectives of Online Privacy Alliance
From: Tim Lordan, 202-638-4371, tim@privacyalliance.org
To: Internet Caucus Advisory Committee

Excerpt from the Online Privacy Alliance Legal Framework White Paper, see http://www.privacyalliance.org/news/12031998-5.shtml

THE FEDERAL TRADE COMMISSION: ENFORCING SELF-REGULATION

Private self-regulatory bodies like the OPA -- which establish a framework of self-imposed data protection rules to govern the conduct of all entities in a given industry that agree to operate according to those standards -- can effectively regulate the behavior of their members and thereby safeguard the private information of consumers. Rather than having to investigate the idiosyncratic information practices of a given company, consumers will learn to associate a prominently displayed seal or notice with a well-known standard of data protection -- much as U.S. consumers today know that the "UL" (Underwriters Laboratories) symbol on electronic appliances[1] guarantees that a device's design meets a time-tested safety threshold. Thus, companies that agree to abide by a recognized self-regulatory standard gain the reputational advantage of being able to advertise a consumer-trusted seal of approval -- and those that do not bear a stigma that can be expected to affect their performance in the marketplace. Internal enforcement mechanisms guarantee that members live up to their promises by threatening violators with the penalty of losing the organization's stamp of approval.

But the efficacy of collective self-regulation in the United States does not depend on the private sector alone. The Federal Trade Commission ("FTC") may use its enforcement authority under section 5 of the Federal Trade Commission Act, which prohibits "unfair or deceptive trade practices" in interstate commerce, to prosecute companies that do not uphold the standards of a privacy seal or notice that they display for customers.
The FTC has broad jurisdiction over companies doing business in the United States as well as substantial enforcement powers. FTC remedies include injunctive relief and other forms of redress and compensation, and thus impose an independent, objective incentive on companies to take industry standards seriously.[2] State and local consumer protection agencies and consumer advocates, as well as state attorneys general (the latter analogous to the federal Department of Justice), complement the FTC's authority by keeping a watchful eye on regional industries and smaller businesses.

A. THE FEDERAL TRADE COMMISSION

1. FTC ENFORCEMENT AUTHORITY

The FTC is an independent administrative agency that has been delegated broad enforcement authority under a variety of statutes designed to promote fair competition and protect the interests of consumers. Certain of these statutes -- like the Fair Credit Reporting Act (discussed below) -- specifically empower the FTC to investigate and prosecute violations of U.S. law governing the treatment of specific types of information relating to an individual's credit and finances. Others -- like the recently passed Children's Online Privacy Protection Act of 1998 (also discussed below) -- grant the FTC authority to regulate certain data protection practices and dictate minimum standards for the collection and distribution of discrete types of personal information (e.g., data relating to children). More generally, the FTC possesses broad authority under section 5 of the Federal Trade Commission Act to investigate and halt any "unfair or deceptive" conduct in almost **all** industries affecting interstate commerce.[3] This authority includes the right to investigate a company's compliance with its own asserted data privacy protection policies. Pursuant to section 5, the FTC may issue cease and desist orders and may also order other equitable relief, including redress of damages.
While the FTC possesses only limited authority to prescribe regulations that have the force of positive law, it **can** determine (subject to judicial review) that a given practice is unfair or deceptive and therefore contrary to the public interest. Furthermore, if the agency through its adjudicatory procedures determines that a given practice constitutes unfair or deceptive conduct (usually in the form of issuing a "cease and desist order"), other parties who engage in similar conduct are subject to civil penalties if they have actual knowledge of the FTC's determination.[4] Typically, a company will choose not to run the risk of a full-scale FTC investigation and prosecution and will instead enter into a "consent order" with the agency in which the company agrees to comply with objective, judicially enforceable requirements. Thus, the agency often can set a **de facto** minimum standard of behavior through vigorous investigation of companies that engage in questionable conduct, exercising considerable influence over a wide variety of industry practices that the agency deems important to consumers and the public interest.

The FTC's recent policy statements and reports leave no doubt that one such area of special concern for the agency is the commercial collection and distribution of personal information. As demonstrated by the **GeoCities** case (discussed below), the FTC has taken enforcement action to ensure that a company complies with its stated data protection standards.[5] As companies increasingly adopt and announce privacy policies, therefore, their practices become subject to FTC enforcement.
Even where a company has not publicly embraced privacy standards, the FTC has cautioned that "in certain circumstances, information practices may be **inherently** deceptive or unfair, regardless of whether the entity has publicly adopted any fair information practice policies," leading to the possibility of an FTC enforcement action under section 5 of the FTC Act.[6] For example, prior to the recent adoption of the Children's Online Privacy Protection Act, the FTC issued an opinion letter concluding that "it is likely to be an unfair practice" to collect personal identifying information from children without a parent's prior consent.[7] As principles of data privacy protection become more ingrained and accepted, other privacy practices similarly could become sufficiently widespread and expected that a company's failure to comply with such practices -- at least absent notice to consumers -- might be deemed unfair by the FTC.[8]

B. ENFORCING PRIVACY PROTECTION UNDER SECTION 5 OF THE FTC ACT

A recently settled FTC enforcement action against a website operator demonstrates the FTC's use of section 5 of the FTC Act to assure that companies operate in accordance with their announced information protection practices -- thereby putting teeth in self-regulatory programs.[9] This represents the FTC's first resolution of a privacy action in the Internet context by way of a consent order, and illustrates the flexibility of existing U.S. law to adapt to new industry sectors in a timely way. In the GeoCities case, the FTC challenged the accuracy of certain representations in the website operator's privacy notice regarding the use of marketing information collected from persons registering at the site. The FTC's complaint further alleged that GeoCities implied that it operated a website for children without disclosing to the children or their parents that the website was in fact operated by an independent third party.
The company denied these allegations but promptly instituted information policies and procedures in accord with standards proposed by the FTC, as ultimately reflected in a proposed consent order. Under the terms of the consent order, the company agreed to provide clear and prominent notice to consumers of its actual information practices, including what information is collected through its website, the intended uses for that information, any third parties to whom that information will be disclosed, the means by which a consumer may access information collected from herself or himself, and the means by which a consumer may have that information removed from the company's databases.[10] The company agreed that it would not misrepresent the identity of any third party that collects data from a website promoted or sponsored by the company. The company agreed to contact all consumers from whom it previously collected personal information and afford those individuals an opportunity to have data removed from the databases both of the company and any third parties.[11] Finally, the company agreed to implement procedures to obtain a parent's express consent prior to collecting and using a child's identifying information; moreover, the company may not collect or use a child's identifying information if it has actual knowledge that the child does not have the permission of a parent (or guardian) to disclose that information. The consent order's provisions concerning information gathered from children are virtually identical to those found in the more recently enacted Children's Online Privacy Protection Act.

As a result of this enforcement action, the company must comply on an ongoing basis with the binding rules of conduct specified in the consent order. Beyond that, this highly publicized FTC enforcement action concerning a prominent website operator serves as a benchmark for other companies establishing information practices for their websites.

C. AN INDUSTRY MODEL FOR FACILITATING FTC ENFORCEMENT OF CORE PRIVACY: THE IRSG PRINCIPLES

FTC enforcement is also a powerful tool with respect to enforcement of industry-wide codes of conduct as opposed to company-specific standards or practices. Collective self-regulatory groups can use marketplace dynamics to encourage (or coerce) adherence to a common set of industry "best practices" -- no company can afford to be tarred as a recalcitrant that is unconcerned with the privacy concerns of the public (as illustrated on several occasions in recent years when companies withdrew commercial offerings or practices that were publicly criticized as overly intrusive[12]). Moreover, in contrast to the self-regulatory efforts of individual companies, self-regulatory groups can adopt joint mechanisms to investigate and resolve consumer complaints and thus collectively can enforce each company's compliance with a given industry's best practices. FTC oversight -- in conjunction with that of state and local authorities -- complements such self-regulatory enforcement mechanisms by providing an independent legal incentive for each member company, and the group as a whole, to live up to its promised standard of behavior. The FTC has made clear that, in signing on to an industry group's data protection principles, "a signatory represents that its information practices are consistent with" those principles and that action inconsistent with them subjects a company to liability "under the FTC Act (or similar state statutes) as a deceptive act or practice."[13]

The data privacy standards announced by the Individual Reference Services Group ("IRSG") -- an association of fourteen major companies in the individual reference services industry -- exemplify a self-regulatory approach emphasizing an industry group's seal of approval.
The individual reference services industry gathers personal information about individuals from a number of sources, both public (e.g., state driving records) and private (e.g., credit information) and provides that information for a fee to private parties and the government. To protect the often sensitive personal data with which IRSG members deal on a day-to-day basis, the group has adopted binding standards for the protection of personal information. The IRSG developed these rules with the advice and participation of the FTC, and the agency has endorsed them as a promising mechanism to "lessen the risk that information made available through [individual reference] services is misused . . . [and] address consumers' concerns about the privacy of non-public information in the services' databases."[14] The FTC further recommended that the IRSG's self-regulatory efforts be given an opportunity to demonstrate their effectiveness in conjunction with the FTC's own enforcement activities (and those of sectoral regulatory authorities).[15]

---------------------------

FOOTNOTES

[1 /] The "UL" symbol serves a function similar to the "CE" symbol on products sold in Europe.

[2 /] See Federal Trade Commission, Individual Reference Services: A Report to Congress 29 & n.297 (FTC Dec. 1997).

[3 /] Industries exempt from the FTC's enforcement authority under section 5 are in general subject to specific regulatory schemes that tend to be both comprehensive and rigorous. See, e.g., 47 U.S.C. § 45(a)(2) (exempting banks and savings and loan institutions).

[4 /] See 47 U.S.C. § 45(m)(1)(B).

[5 /] See Privacy Online at 40 ("[F]ailure to comply with stated information practices may constitute a deceptive practice . . . and the Commission would have authority to pursue the remedies available under the [FTC] Act for such violations.").

[6 /] Privacy Online at 40 (emphasis added).

[7 /] See Letter from Jodie Bernstein, Director, Bureau of Consumer Protection, Federal Trade Commission, to Center for Media Education, July 15, 1997, available at http://www.ftc.gov/os/9707/cenmed.htm.

[8 /] State and local consumer protection agencies also scrutinize the extent to which companies engage in deceptive or misleading practices by failing to adhere to announced codes of conduct, and thus provide additional oversight. See, e.g., Cal. Bus. & Prof. Code §§ 17200, 17500 (West 1998) (revised in 1998 to apply explicitly to Internet commerce); N.Y. Gen. Bus. Law §§ 349, 350 (Consol. 1998); People v. Lipsitz, 663 N.Y.S.2d 468 (N.Y. Sup. Ct. 1997) (applying N.Y. consumer protection statute to false advertising on Internet); Andrew Countryman, "America Online Deal Reached with 44 Attorneys General," Chicago Tribune, May 29, 1998 (describing deal reached between AOL and state attorneys general regarding AOL business practices). In particular, state and local agencies may be better positioned than the FTC to examine the behavior of smaller and regional companies and to respond to the complaints of individual consumers. See John Borland, "States Prepare To Examine New Internet Legislation," CMP TechWIRE, Jan. 12, 1998 (describing anticipated state legislation to protect Internet consumers). Thus, the enforcement powers and activities of local and state officials and agencies supplement the authority of the FTC and provide an additional layer of protection for personal information.

[9 /] See In the Matter of GeoCities, File No. 9823015 (FTC 1998); see also Michael D. Scott, GeoCities Targeted by FTC in Internet Privacy Enforcement Action, Cyberspace Lawyer 5-11 (Sept. 1998).

[10 /] At all points at which information is collected, the company must post either this notice or a link informing consumers that data is being collected and directing them to a complete explanation of the company's information practices.

[11 /] The company agreed as well to cease doing business with any third party that refuses to agree to comply with the data removal provisions of the consent order.

[12 /] See, e.g., Individual Reference Services at 1, 13 & n.1 (describing consumer outrage at Lexis-Nexis's "P-Trak" service, which allowed subscribers to identify an individual's social security number; Lexis quickly changed its policies).

[13 /] Id. at 29 & n.297.

[14 /] Id. at 31.

[15 /] See id.