The Federal Trade Commission
and Department of Commerce have spearheaded efforts to encourage self-regulation by hosting workshops with the online industry to help develop standard privacy guidelines. To date, industry has made little progress in satisfying the administration's Internet privacy concerns.
Ira Magaziner, the president's Internet policy guru, has warned that time may be running out for industry self-regulation.
Already the FTC has concluded that industry efforts governing the online privacy of children are inadequate. The agency has called for legislation to give parents control of the online collection and use of personal information about their children by requiring actual notice to parents and explicit parental consent.
Myriad bills have been introduced in Congress to address this and other aspects of Internet privacy.
The European Union's Data Protection Directive may
enhance pressure on the Clinton administration to abandon
an industry-led solution for Internet privacy. The directive
is slated to become effective Oct. 25 and requires any nation that trades personal information with EU member states to adopt similar privacy standards. The directive precludes the transfer of personal information about EU citizens to nations determined to have inadequate Internet privacy safeguards in place.
It is not likely that the United States will convince EU regulators that the online industry's existing voluntary privacy standards are sufficient, which could ignite an Internet trade war.
Effective privacy protection is necessary for the continued growth of electronic commerce. Surveys reveal that
consumers are reluctant to purchase products over the Internet or divulge personal data out of
fear their information will be compromised.
Indeed, a wide variety of personal information is systematically collected online. Personal data can be combined with transactional data to produce detailed consumer profiles. Consumers' personal information is collected through online registration, surveys, contest entry forms, order forms and public records, including court records, property records and motor vehicle records.
Web sites also use "cookies," a file saved to a consumer's computer,
to track consumer preferences and
offer products and advertisements tailored to an individual's tastes upon a return visit to the site. Consumers generally have no effective means to prevent companies from selling personal information compiled on them to others and have no means to correct errors.
Several highly touted industry self-regulation initiatives
are widely considered failures. Industry has greeted
the TRUSTe program, for example, with apathy. Only
about 150 companies have joined this initiative, which
establishes a standard logo for placement on Web sites to
designate sites that have voluntarily adopted stringent TRUSTe-approved privacy practices.
Online consumers can click on the TRUSTe icon to obtain a copy of the privacy practices statement. TRUSTe licensees must agree to be audited by third parties to verify compliance with the posted privacy policies so the logo can function as a seal of approval.
Not only are online companies reluctant to adopt TRUSTe's strict privacy policies, according to a recent FTC report the vast majority of online companies are not even taking the rudimentary step of posting a statement that discloses their privacy policies.
The FTC surveyed 1,400 Web sites and found that while 92 percent of commercial Web sites collect personal information, a mere 14 percent provide any notice of their privacy policies and only 2 percent provide notice by means of a comprehensive privacy practices statement.
Other efforts at self-regulation are also unimpressive. In December 1997, 14 members of a trade group consisting of companies that provide database services used to locate, identify or verify the identity of individuals, released self-regulation guidelines for Internet privacy.
The guidelines prohibit distribution to the general public of sensitive, nonpublic information, such as Social Security number, mother's maiden name and date of birth, which can be used to gain access to personal financial data for fraudulent purposes.
This same information, however, can be sold to licensed businesses if gathered from a public record. The guide-
lines are a modest first step designed to forestall com-
prehensive federal regulation rather than an effective privacy shield.
Pressure is mounting on the Clinton administration to abandon its hands-off approach. Time may run out for self-regulation as the FTC is expected to unveil new Internet privacy recommendations this summer.
David Nadler is a partner in the Washington law firm of Dickstein Shapiro Morin & Oshinsky LLP. He may be contacted at NadlerD@dsmo.com. Edward Kirsch, an associate with the firm, contributed to this article.
Copyright 1998 Post-Newsweek Business Information, Inc. All rights reserved