The Federal Trade Commission has emerged as the dominant federal government regulator of Internet privacy, and is simultaneously pursuing several privacy initiatives which will affect how Internet companies collect and use information.
The FTC is following a multi-faceted approach toward Internet privacy, including implementation of new Internet-specific laws, enforcement of existing laws requiring fairness in interstate commerce and continued reliance on self-regulation by Internet companies.
Fair Information Practices. The FTC's Internet privacy activities share a common focus on generally accepted Fair Information Practices, including the widely recognized privacy principles of:
- NOTICE about online information collection;
- CHOICE regarding uses of that information;
- ACCESS to ensure that information is accurate, complete, and up-to-date;
- SECURITY and integrity of information collected online; and
- ENFORCEMENT to provide effective recourse for improper breaches of personal privacy.
Children's Privacy. The FTC is responsible for enforcing the Children's Online Privacy Protection Act, which requires parental consent before commercial web sites may collect personal information from children under age 13. The FTC's children's privacy regulations went into effect on April 21, 2000, and were summarized in our February 11, 2000 Email Alert.
Consumer Financial Information. The FTC will also be responsible for enforcing the financial privacy provisions of last year's Gramm-Leach-Bliley Act. That statute imposed new privacy safeguards for financial institutions which obtain non-public information from consumers. The law requires mandatory notices about information-gathering and "opt-out" procedures to restrict disclosures of information to third parties. The FTC issued draft regulations in early March 2000. Although the Gramm-Leach-Bliley Act is not Internet-specific, the FTC's new regulations could extend to include a wide range of companies, including some business-to-consumer Internet companies, software producers, and data processors, which do not typically think of themselves as "financial institutions." Under one option proposed by the FTC, the new privacy rules would apply to anyone "significantly engaged in a financial activity" with consumers. The proposal does not define what financial activities would be considered significant, but the FTC indicated that they could include, for example, direct extensions of credit by online or traditional retailers.
Promoting Self-Regulation. In areas that are not regulated by specific Internet privacy laws, the FTC is continuing to promote self-regulation as a means of avoiding additional laws and regulations. One such area is online "profiling," in which web site operators use "cookies" or other automated tracking techniques to collect information about Internet users and their online activities without asking the users to volunteer the information themselves. The FTC has warned that its approach may change if self-regulation fails to adequately protect consumer privacy. The FTC is surveying commercial web sites to assess how many are voluntarily implementing privacy policies which reflect the principles of notice, choice, access, and security; the results of this new survey are expected later this month.
Policing the Web. It is important to note that self-regulation does not mean "unregulated." The FTC has clearly indicated that it plans to buttress industry self-regulation by taking administrative actions to enforce companies' privacy policies. The FTC's first Internet privacy case involved Geocities, which was alleged to have misrepresented its uses of personal information. The company settled the charges by implementing new privacy policies. More recently, the FTC disclosed in February 2000 that it was investigating whether DoubleClick, Inc., an Internet advertising company, acted improperly in its handling of personal information obtained through profiling. The FTC also pursues companies which violate the privacy policies of others, such as ReverseAuction.com, whose data mining of eBay's web site was alleged to violate eBay's privacy "rules." (FTC's stipulated consent agreement and final order with ReverseAuction.com; FTC press release)
Studying Access and Security. While the principles of notice and choice are increasingly addressed in new regulations and voluntary privacy policies, the FTC is studying ways to ensure adequate access to and security of information collected online. A private-sector Advisory Committee began to meet in February 2000 and may recommend new access and security standards to the FTC in the late spring of 2000.
The FTC is not waiting for new laws to address Internet privacy. Through a mix of regulation and self-regulation, under existing authorities and new ones, the FTC is emerging as the Federal Government's primary guardian of Internet privacy. The Commission's approach bears close attention as Internet privacy continues to emerge as one of the most high-profile public policy issues faced by Internet companies.
Hale and Dorr recently sponsored a presentation at the Greater Washington Board of Trade which discussed the FTC's Internet privacy initiatives.