Prepared Statement of FTC Chairman Robert Pitofsky. Re: House Telecom Subcommittee hearing on online privacy. Date: July 13, 1999. Source: House Commerce Committee.

Mr. Chairman and members of the Subcommittee, I am Robert Pitofsky, Chairman of the Federal Trade Commission ("FTC" or "Commission"). I appreciate this opportunity to present the Commission's views on the progress of self-regulation in the area of online privacy.

In June 1998 the Commission issued Privacy Online: A Report to Congress ("1998 Report"), an examination of the information practices of commercial sites on the World Wide Web and of industry's efforts to implement self-regulatory programs to protect consumers= online privacy. Based in part on its extensive survey of over 1400 commercial Web sites, the Commission concluded that effective self-regulation had not yet taken hold. The Commission recommended that Congress adopt legislation setting forth standards for the online collection of personal information from children; and indeed, just four months after the 1998 Report was issued, Congress enacted the Children's Online Privacy Protection Act of 1998. As required by the Act, on April 20, 1999, the Commission issued a proposed Children=s Online Privacy Protection Rule, which implements the Act's fair information practices standards for commercial Web sites directed to children under 13, or who knowingly collect personal information from children under 13. Commission staff is reviewing comments on the proposed rule and will issue a final rule this fall.

When the 1998 report was released, there were indications that industry leaders were committed to work toward self-regulatory solutions. As a result, in Congressional testimony last July the Commission deferred judgment on the need for legislation to protect the online privacy of consumers generally, and instead urged industry to focus on the development of broad-based and effective self-regulatory programs. In the ensuing year, there have been important developments both in the growth of the Internet as a commercial marketplace and in consumers' and industry's responses to the privacy issues posed by the online collection of personal information. The Commission has just issued a new report on these developments, Self-Regulation and Online Privacy: A Report to Congress (June 1999) ("1999 Report"). The 1999 Report assesses the progress made in self-regulation to protect consumers' online privacy since last June and sets out an agenda of Commission actions in the coming year to encourage industry's full implementation of online privacy protections. I am pleased to present the 1999 Report's findings to the Committee.

The Commission believes that self-regulation is the least intrusive and most efficient means to ensure fair information practices online, given the rapidly evolving nature of the Internet and computer technology. During the past year the Commission has been monitoring self-regulatory initiatives, and the Commission's 1999 Report finds that there has been notable progress. Two new industry-funded surveys of commercial Web sites suggest that online businesses are providing significantly more notice of their information practices than they were last year. Sixty-six percent of the sites in the Georgetown Internet Privacy Policy Survey ("GIPPS") post at least one disclosure about their information practices. Forty-four percent of these sites post privacy policy notices. Although differences in sampling methodology prevent direct comparisons between the GIPPS findings and the Commission's 1998 results, the GIPPS Report does demonstrate the real progress industry has made in giving consumers notice of at least some information practices. Similarly, 93% of the sites in the recent study commissioned by the Online Privacy Alliance ("OPA Study") provide at least one disclosure about their information practices. This, too, represents continued progress since last year, when 71% of the sites in the Commission's 1998 "Most Popular" sample posted an information practice disclosure.

The new survey results show, however, that, despite the laudable efforts of industry leaders, significant challenges remain. The vast majority of the sites in both the GIPPS and OPA surveys collect personal information from consumers online. By contrast, only 10% of the sites in the GIPPS sample, and only 22% of the sites in the OPA study, are implementing all four substantive fair information practice principles of Notice/Awareness, Choice/Consent, Access/Participation, and Security/Integrity. In light of these results, the Commission believes that further improvement is required to effectively protect consumers' online privacy.

In the Commission's view, the emergence of online privacy seal programs is a particularly promising development in self-regulation. Here, too, industry faces a considerable challenge. TRUSTe, launched nearly two years ago, currently has more than 500 licensees representing a variety of industries. BBBOnLine, a subsidiary of the Council of Better Business Bureaus, which launched its privacy seal program for online businesses last March, currently has 42 licensees and more than 300 applications for licenses. Several other online privacy seal programs are just getting underway. Together, the online privacy seal programs currently encompass only a handful of all Web sites. It is too early to judge how effective these programs will ultimately be in serving as enforcement mechanisms to protect consumers' online privacy.

The self-regulatory initiatives discussed above, and described in greater detail in the 1999 Report, reflect industry leaders' substantial effort and commitment to fair information practices. They should be commended for these efforts. Enforcement mechanisms that go beyond self-assessment are also gradually being implemented by the seal programs. Only a small minority of commercial Web sites, however, have joined these programs to date. Similarly, although the results of the GIPPS and OPA studies show that many online companies now understand the business case for protecting consumer privacy, they also show that the implementation of fair information practices is not widespread among commercial Web sites.

Based on these facts, the Commission believes that legislation to address online privacy is not appropriate at this time. We also believe that industry faces some substantial challenges. Specifically, the present challenge is to educate those companies which still do not understand the importance of consumer privacy and to create incentives for further progress toward effective, widespread implementation.

First, industry groups must continue to encourage widespread adoption of fair information practices. Second, industry should focus its attention on the substance of web site information practices, ensuring that companies adhere to the core privacy principles discussed earlier. It may also be appropriate, at some point in the future, for the FTC to examine the online privacy seal programs and report to Congress on whether these programs provide effective privacy protections for consumers.

Finally, industry must work together with government and consumer groups to educate consumers about privacy protection on the Internet. The ultimate goal of such efforts, together with effective self-regulation, will be heightened consumer acceptance and confidence. Industry should also redouble its efforts to develop effective technology to provide consumers with tools they can use to safeguard their own privacy online.

The Commission has developed an agenda to address online privacy issues throughout the coming year as a way of encouraging and, ultimately, assessing further progress in self-regulation to protect consumer online privacy:

• The Commission will hold a public workshop on "online profiling," the practice of aggregating information about consumers' preferences and interests gathered primarily by tracking their movements online. The workshop, jointly sponsored by the U.S. Department of Commerce, will examine online advertising firms' use of tracking technologies to create targeted, user profile-based advertising campaigns.
• The Commission will hold a public workshop on the privacy implications of electronic identifiers that enhance Web sites' ability to track consumers' online behavior.
• In keeping with its history of fostering dialogue on online privacy issues among all stakeholders, the Commission will convene task forces of industry representatives and privacy and consumer advocates to develop strategies for furthering the implementation of fair information practices in the online environment.
  • One task force will focus upon understanding the costs and benefits of implementing fair information practices online, with particular emphasis on defining the parameters of the principles of consumer access to data and adequate security.
  • A second task force will address how incentives can be created to encourage the development of privacy-enhancing technologies, such as the World Wide Web Consortium=s Platform for Privacy Preferences (P3P).
• The Commission, in partnership with the U.S. Department of Commerce, will promote private sector business education initiatives designed to encourage new online entrepreneurs engaged in commerce on the Web to adopt fair information practices.
• Finally, the Commission believes it is important to continue to monitor the progress of self-regulation, to determine whether the self-regulatory programs discussed in the 1999 Report fulfill their promise. To that end, the Commission will conduct an online survey to reassess progress in Web sites' implementation of fair information practices, and will report its findings to Congress.

The Commission is committed to the goal of full implementation of effective protections for online privacy in a manner that promotes a flourishing online marketplace, and looks forward to working with the Subcommittee as it considers the Commission's 1999 Report.