62502
2000
ELECTRONIC COMMUNICATION PRIVACY POLICY DISCLOSURE
HEARING
BEFORE THE
SUBCOMMITTEE ON COURTS AND INTELLECTUAL
PROPERTY
OF THE
COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
FIRST SESSION
MAY 27, 1999
Serial No. 55
Printed for the use of the Committee on the Judiciary
For sale by the U.S. Government Printing Office
Superintendent of Documents, Congressional Sales Office, Washington, DC 20402
COMMITTEE ON THE JUDICIARY
HENRY J. HYDE, Illinois, Chairman
F. JAMES SENSENBRENNER, Jr., Wisconsin
BILL McCOLLUM, Florida
GEORGE W. GEKAS, Pennsylvania
HOWARD COBLE, North Carolina
LAMAR S. SMITH, Texas
ELTON GALLEGLY, California
CHARLES T. CANADY, Florida
BOB GOODLATTE, Virginia
ED BRYANT, Tennessee
STEVE CHABOT, Ohio
BOB BARR, Georgia
WILLIAM L. JENKINS, Tennessee
ASA HUTCHINSON, Arkansas
EDWARD A. PEASE, Indiana
CHRIS CANNON, Utah
JAMES E. ROGAN, California
LINDSEY O. GRAHAM, South Carolina
MARY BONO, California
SPENCER BACHUS, Alabama
JOE SCARBOROUGH, Florida
JOHN CONYERS, Jr., Michigan
BARNEY FRANK, Massachusetts
HOWARD L. BERMAN, California
RICK BOUCHER, Virginia
JERROLD NADLER, New York
ROBERT C. SCOTT, Virginia
MELVIN L. WATT, North Carolina
ZOE LOFGREN, California
SHEILA JACKSON LEE, Texas
MAXINE WATERS, California
MARTIN T. MEEHAN, Massachusetts
WILLIAM D. DELAHUNT, Massachusetts
ROBERT WEXLER, Florida
STEVEN R. ROTHMAN, New Jersey
TAMMY BALDWIN, Wisconsin
ANTHONY D. WEINER, New York
THOMAS E. MOONEY, SR., General Counsel-Chief of Staff
JULIAN EPSTEIN, Minority Chief Counsel and Staff Director
Subcommittee on Courts and Intellectual Property
HOWARD COBLE, North Carolina, Chairman
F. JAMES SENSENBRENNER, Jr., Wisconsin
ELTON GALLEGLY, California
BOB GOODLATTE, Virginia
WILLIAM L. JENKINS, Tennessee
EDWARD A. PEASE, Indiana
CHRIS CANNON, Utah
JAMES E. ROGAN, California
MARY BONO, California
HOWARD L. BERMAN, California
JOHN CONYERS, Jr., Michigan
RICK BOUCHER, Virginia
ZOE LOFGREN, California
WILLIAM D. DELAHUNT, Massachusetts
ROBERT WEXLER, Florida
MITCH GLAZIER, Chief Counsel
BLAINE MERRITT, Counsel
VINCE GARLOCK, Counsel
DEBBIE K. LAMAN, Counsel
ROBERT RABEN, Minority Counsel
EUNICE GOLDRING, Staff Assistant
C O N T E N T S
HEARING DATE
May 27, 1999
OPENING STATEMENT
Coble, Hon. Howard, a Representative in Congress from the State of North Carolina, and chairman, Subcommittee on Courts and Intellectual Property
WITNESSES
Bentivoglio, John, Chief Privacy Officer, U.S. Department of Justice
Berman, Jerry, President, Center for Democracy and Technology
Cerasale, Jerry, Senior Vice President, Government Affairs, Direct Marketing Association, Inc.
Lesser, Jill, Vice President, Domestic Public Policy, America Online, Inc.
Pittman, Terry, Board of Directors, TRUSTe
Rotenberg, Marc, Executive Director, Electronic Privacy Information Center
Varney, Christine, Chair, Online Privacy Alliance
LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING
Bentivoglio, John, Chief Privacy Officer, U.S. Department of Justice: Prepared statement
Berman, Jerry, President, Center for Democracy and Technology: Prepared statement
Cerasale, Jerry, Senior Vice President, Government Affairs, Direct Marketing Association, Inc.: Prepared statement
Goodlatte, Hon. Bob, a Representative in Congress from the State of Virginia: Prepared statement
Lesser, Jill, Vice President, Domestic Public Policy, America Online, Inc.: Prepared statement
Pittman, Terry, Board of Directors, TRUSTe: Prepared statement
Rotenberg, Marc, Executive Director, Electronic Privacy Information Center: Prepared statement
Varney, Christine, Chair, Online Privacy Alliance: Prepared statement
APPENDIX
Material submitted for the record
ELECTRONIC COMMUNICATION PRIVACY POLICY DISCLOSURE
THURSDAY, MAY 27, 1999
House of Representatives,
Subcommittee on Courts and
Intellectual Property,
Committee on the Judiciary,
Washington, DC.
The subcommittee met, pursuant to call, at 10 a.m., in Room 2141, Rayburn House Office Building, Hon. Howard Coble [chairman of the subcommittee] presiding.
Present: Representatives Howard Coble, Bob Goodlatte, Edward A. Pease, Chris Cannon, Howard L. Berman, Zoe Lofgren and William D. Delahunt.
Staff present: Blaine Merritt, Counsel; Mitch Glazier, Chief Counsel; Eunice Goldring, Staff Assistant; and Bari Schwartz, Minority Counsel.
OPENING STATEMENT OF CHAIRMAN COBLE
Mr. COBLE. Good morning, ladies and gentlemen. Welcome. The subcommittee will come to order.
Collecting demographic data, such as a consumer's address and telephone number, has become an important function of any business wishing to track customers and their habits. With the advent of the Internet as a medium for commercial transactions, the ability to acquire such information in exacting detail has been greatly enhanced. This development has also enabled businesses to take marketing strategies and offer those products and services which their customers truly want.
On the other hand, some critics believe that these gains have been offset by what they claim is the invasive nature of industry practices. They believe that greater efforts must be made to afford individuals better control of the subsequent use of any personal information collected by businesses with websites.
The purpose of this oversight hearing is to explore the tension between these two positions. In effect, this will be a state-of-the-industry examination of on-line privacy disclosure.
Mr. Berman will join us imminently. But I want to extend special thanks to the gentleman from Roanoke Valley, Mr. Goodlatte, who is here, for his leadership on this issue. He has a special interest in privacy disclosure. I welcome his input today as well as that of Mr. Berman, the ranking member, the gentleman from California.
Now we have a journal vote, but prior to going into a rest period, Mr. Goodlatte, would you like to be heard?
Mr. GOODLATTE. Mr. Chairman, thank you very much. I do have a statement that I will ask to be made a part of the record, and I will offer part of it right now.
I very much appreciate your holding this very timely and important hearing. The issue of privacy and security of personal information on the Internet is growing more important every day.
As consumers continue to look to the Internet more and more for commercial, financial, and business activities, the need for adequate privacy protections also continues to increase. On-line sales over the Christmas holiday last year topped $3 billion, Internet sales for all of last year topped $32 billion, and the numbers this year are expected to be even more impressive.
Nevertheless, these numbers represent only a fraction of the level of electronic commerce activity that could be realized if consumers' concerns about on-line privacy are addressed. Consumers have a fear of the Internet because they perceive that personal information, whether it is an address, phone number, credit card number, credit report or medical history, is not protected on the Internet.
Recent high-profile stories involving the release of sensitive consumer information on-line confirmed this in consumers' minds. Until consumers begin to have confidence that their information is protected from fraud or abuse, the Internet as a mode of commercial activity will not reach its full potential.
There are several laws currently on the books today designed to protect consumer information both on-line and off-line. These include the Electronic Communications Privacy Act, the Fair Credit Reporting Act, the Right to Financial Privacy Act and the Health Insurance Portability and Accountability Act.
In addition, several laws have been passed specifically to address the privacy of information involving certain advanced technologies, including the Cable Communications Policy Act, the Telephone Consumer Protection Act, and the Electronic Funds Transfer Act. Most recently, Congress passed the Children's On-line Privacy Protection Act, which directs the FTC to develop regulations governing the on-line collection of information from children under the age of 13.
However, general privacy protections for consumer information on-line have not been addressed by Congress. This Congress, and myself in particular, have been reluctant to pass sweeping laws that place undue restrictions on Internet activity.
The Internet is, at its core, an open medium that has succeeded because of its lack of control by any single entity, whether government or private sector. In fact, I have sponsored several pieces of legislation that would reduce or remove the government from involvement in various on-line activities.
In addition, the private sector has taken a number of steps to address this perceived deficiency in privacy on-line. Many businesses have formed alliances for the purpose of creating and administering several regulatory programs.
Some of these associations include the Online Privacy Alliance, representing more than 70 global companies concerned with on-line privacy; TRUSTe, a collaboration between the Electronic Frontier Foundation and CommerceNet; and the newly developed Internet Fraud Council, designed to develop tools and best practices to be used to alleviate the threat of on-line crime to their members and to the general public. Industry has also developed tools to encourage website operators to educate consumers about the privacy policies for their site.
Most recently, a study conducted by a Georgetown University professor at the request of the Federal Trade Commission demonstrated significant improvement in the use of disclosure policies that include one or more of the five core FTC privacy principles: notice, consent, access, security and enforcement.
Specifically, 93 percent of those commercial websites sampled collected at least one type of personal identifying information, 53 percent collected at least one type of demographic information, and 56 percent collected both types of information. Of those sampled, 66 percent posted at least some kind of privacy disclosure; that is, some kind of privacy policy notice or an information practice statement.
Of the top 100 websites, 94 percent posted at least
Mr. COBLE. Would the gentleman suspend for just a moment. How long is your statement?
Mr. GOODLATTE. Just about 30 more seconds, Mr. Chairman.
Mr. COBLE. All right.
Mr. GOODLATTE. The number of sites that provide consumers with the type of notice required by Online Privacy Alliance, the Better Business Bureau and TRUSTe and called for by the Federal Trade Commission remains around 10 percent of all commercial websites.
The Federal Government is no better. A study by the Center for Democracy and Technology of Federal agency websites found that just over 30 percent of Federal agencies had a privacy notice link from the agency's home page.
The private sector has made significant gains in the area of consumer privacy protection, but they must not be allowed to rest on their laurels. More must be done to ensure that the Internet is a medium that consumers can use with confidence, that their information is protected from fraud and abuse. I am hopeful that this hearing today will not only examine what has been accomplished but also examine what else needs to be done in the area of on-line privacy.
Mr. Chairman, I thank you for your forbearance.
Mr. COBLE. I thank the gentleman.
[The prepared statement of Mr. Goodlatte follows:]
PREPARED STATEMENT OF HON. BOB GOODLATTE, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF VIRGINIA
Thank you, Mr. Chairman, for holding this timely and important hearing this morning. The issue of privacy and security of personal information on the Internet is growing more important every day. As consumers continue to look to the Internet more and more for commercial, financial, and business activities, the need for adequate privacy protections also continues to increase. Online sales over the Christmas holiday last year topped $3 billion. Internet sales for all of last year topped $32 billion, and the numbers this year are expected to be equally impressive. Nevertheless, these numbers represent only a fraction of the level of e-commerce activity that could be realized if consumers' concerns about online privacy are addressed.
Consumers have a fear of the Internet because they perceive that personal information, whether it is an address, phone number, credit card number, credit report, or medical history, is not protected on the Internet. Recent high-profile stories involving the release of sensitive consumer information online confirm this in consumers' minds. Until consumers begin to have confidence that their information is protected from abuse or fraud, the Internet as a mode of commercial activity will not reach its full potential.
There are several laws currently on the books today designed to protect consumer information, both online and offline. These include the Electronic Communications Privacy Act, the Fair Credit Reporting Act, the Right to Financial Privacy Act, and the Health Insurance Portability and Accountability Act. In addition, several laws have been passed specifically to address the privacy of information involving certain advanced technologies, including the Cable Communications Policy Act, the Telephone Consumer Protection Act, and the Electronic Funds Transfer Act. Most recently, Congress passed the Children's Online Privacy Protection Act, which directs the FTC to develop regulations governing the online collection of information from children under the age of 13.
However, general privacy protections for consumer information online have not been addressed by Congress. This Congress, and myself in particular, has been reluctant to pass sweeping laws that place undue restrictions on Internet activity. The Internet at its core is an open medium that has succeeded because of a lack of control by any single entity, whether government or private sector. In fact, I have sponsored several pieces of legislation that would reduce or remove the government from regulating in various online activities.
In addition, the private sector has taken a number of steps to address the perceived deficiency in online privacy. Many businesses have formed alliances for the purpose of creating and administering self-regulatory programs. Some of these associations include the Online Privacy Alliance, representing more than 70 global companies concerned with online privacy, TRUSTe, a collaboration between the Electronic Frontier Foundation and CommerceNet, and the newly developed Internet Fraud Council, designed to develop tools and best practices to be used to alleviate the threat of online crime to their members and to the general public.
Industry has also developed tools to encourage website operators to educate consumers about the privacy policies for that site. This posting of privacy policies on commercial websites can empower consumers to make educated choices about whether they wish to deal with the particular merchant based, in part, on the level of privacy protection the online operator provides.
Most recently, a study conducted by a Georgetown University professor at the request of the Federal Trade Commission demonstrated significant improvement in the use of disclosure policies that included one or more of the five ''core'' FTC privacy principles: notice, consent, access, security, and enforcement. Specifically, 93 percent of those commercial websites sampled collected at least one type of ''personal identifying'' information, 53 percent collected at least one type of ''demographic information,'' and 56 percent collected both types of information.
Of those sampled sites, 66 percent posted at least one kind of ''privacy disclosure'', that is, some kind of privacy policy notice or an information practice statement. Of the top 100 commercial websites, 94 percent posted at least one type of privacy disclosure. While these statistics reflect significant improvement on the part of online commercial websites, the amount of information disclosed to consumers remains inconsistent. The number of sites that provide consumers with the types of notices required by the Online Privacy Alliance, the Better Business Bureau, and TRUSTe and called for by the Federal Trade Commission remains around 10 percent of all commercial websites.
The Federal government is no better. A study by the Center for Democracy and Technology of federal agency websites found that just over 30 percent of federal agencies had a ''privacy notice'' link from the agency's home page.
The private sector has made significant gains in the area of consumer privacy protection, but they must not be allowed to rest on their laurels. More must be done to ensure that the Internet is a medium that consumers can use with the confidence that their information is protected from fraud and abuse. I am hopeful that this hearing today will not only examine what has been accomplished, but also what remains to be done in the area of online privacy. I thank the Chairman for holding this hearing this morning, and I look forward to hearing from our witnesses. Thank you.
Mr. COBLE. We will suspend for the moment, go vote; and I have a markup in transportation. Mr. Goodlatte, will you be able to assume the chair?
Mr. GOODLATTE. I will.
Mr. COBLE. And I will be back and forth.
We have two panels today. Good to have all of you with us. We will return imminently.
[Recess.]
Mr. GOODLATTE. [Presiding.] The subcommittee will reconvene.
At this time, the chair is pleased to recognize the ranking member, Mr. Berman of California.
Mr. BERMAN. Thank you very much, Mr. Chairman. I appreciate your consideration.
I have to go to International Relations in a little while, so I would like to give the statement and then come back to hear as much of the witnesses' testimony as I can.
I think it is an excellent idea that you and Chairman Coble are holding this hearing. This is a very important social issue, and I think it falls right within the jurisdiction of our subcommittee.
Every day millions log on to the Internet and provide personal information (age, gender, address, phone number, marital status, credit card and even very personal family, medical and financial information and much other information) to public and private organizations from whom they want information or a service or to owners of websites that they are simply interested in exploring.
Every day millions undertake Internet searches and create a trail that, if followed, could reflect details about an individual's interests and often reveal facets of that individual's personality that few may know.
Every day millions provide personal information on the use of ATM and credit cards and through other electronic transactions. Some foresee a single card that carries our ''personal identity'' on it.
Financial, medical, government and other institutions that manage vast volumes of private information are finding new uses for this information.
As new means are developed to collect and manage personal information gathered through the Internet and other electronic means, the American public is becoming more aware of the potential uses and misuses for this personal information; and people are becoming more interested in finding ways to protect their privacy and control the use of information that they disclose and that which is captured as they navigate the electronic world.
Some testifying today will argue for legislation. Some will propose continued industry self-regulation as the solution. I will be interested in what everyone here has to say, and I will be listening with an awareness of the uniqueness of the Internet environment.
Some describe that environment as anarchic in nature, since anyone can maintain a website and can do so essentially without accountability, except to their conscience.
This is not to say that businesses cannot develop and adhere to good privacy policies, doing so would certainly be good business practice; and this is not to say that individuals using the Internet have no responsibility in protecting their own privacy, though we have to look hard at the environment that we are creating for this truly is a new world.
Personal information that was once unavailable de facto, just a simple mass of, the inaccessibility of it, an example being county property records gathering dust at the Recorder's office, is now available in a keystroke.
Information that was once considered private has become a commodity to be bought, sold and traded.
Information that once we gave freely, knowing that the particular piece of information provided little insight into our life-styles, is now aggregated to reveal the patterns of our personal behavior.
Where once we would walk into a bookstore and pay cash for a book, remaining entirely anonymous, we now provide detailed information to benefit from the cost savings of buying on-line.
With this in mind, we must consider the current and potential effectiveness of self-regulation, including how self-regulation may work in the context of frequently changing business models, mergers and acquisitions.
And we need to consider the role of government in protecting the privacy interests of the individual.
Finally, I would like to note as we address privacy in electronic communications, it is among our responsibilities to consider whether current law is adequate to restrain the misuse of government-held private information in the modern electronic environment.
We are at a critical juncture where we must assess whether new laws are necessary to protect the right of individuals to privacy and whether industry is on the right track toward healthy self-regulation, and I look forward to hearing and reading the testimony from each of our witnesses today.
Thank you, Mr. Chairman.
Mr. GOODLATTE. I thank the gentleman.
Does the gentlewoman from California have any opening statement?
Ms. LOFGREN. No.
Mr. GOODLATTE. Thank you.
Well, we are very pleased to welcome the very patient Mr. John Bentivoglio, is that how you pronounce your name?
Mr. BENTIVOGLIO. Correct.
Mr. GOODLATTE [continuing]. Our government witness this morning, who is the Chief Privacy Officer for the Department of Justice.
The Chief Privacy Officer reports directly to the Attorney General and Deputy Attorney General on privacy policy matters and chairs the Department's Privacy Council. The Council serves as a clearinghouse for privacy-related legislative, regulatory and policy initiatives, provides advice to senior Department officials on privacy matters and provides a forum for exchanging information about important developments in the field of privacy.
In addition, he serves as the Department's special counsel for health care fraud, where he is responsible for overseeing and coordinating the Department's health care fraud program, including civil and criminal enforcement matters and prevention and compliance efforts.
Mr. Bentivoglio received his undergraduate degree at the University of California-Berkeley and his law degree from the Georgetown University Law School Center.
The subcommittee has copies of your testimony, which, without objection, will be made a part of the record; and we would welcome you. And please limit your oral statement to 5 minutes.
STATEMENT OF JOHN BENTIVOGLIO, CHIEF PRIVACY OFFICER, U.S. DEPARTMENT OF JUSTICE
Mr. BENTIVOGLIO. Thank you. Good morning, Mr. Goodlatte, Ms. Lofgren.
Mr. GOODLATTE. Chairman works while I am here.
Mr. BENTIVOGLIO. I am sorry.
I am John Bentivoglio, and I serve as the Chief Privacy Officer for the Department. In that job, I am responsible for coordinating the Department's efforts to protect individual privacy rights. I appreciate this opportunity to present the Department's views on the issue of electronic privacy disclosure practices.
Before I do so, however, I would like to briefly describe what the Department is doing to ensure we engage in appropriate privacy practices and set a good example for others in both the public and private sector.
Last year, as you noted, the Attorney General created the position of Chief Privacy Officer and established a Privacy Council within the Department. The Council, which I chair, is composed of senior officials from the FBI, DEA, the Criminal and Civil Divisions, and other key DOJ components. I should add that the Criminal Division and FBI are very strong supporters of the Council and participate in a very, very meaningful way; and we feel this is very important.
The Council is currently reviewing a number of important privacy issues, including the Department's compliance with the Privacy Act, the sharing of information among Federal, State and local law enforcement agencies, and the impact of new law enforcement technologies on individual privacy. I am also pleased to note that we have posted a privacy policy on the Department's website.
In addition, the Department has enacted internal policies and procedures to ensure strict adherence to communications privacy protections, and we have a record of aggressively pursuing violations of the Electronic Communications Privacy Act.
Turning to the primary subject of today's hearing, electronic privacy disclosure practices raise a host of important issues, including law enforcement issues of concern to the Department of Justice. There has been a great deal of discussion over public concern about the loss of on-line privacy and the adequacy of industry self-regulatory efforts with respect to the collection, use, and disclosure of personal information on-line.
We share these concerns. We believe, however, that industry has made substantial strides, as evidenced by the recent draft Georgetown Internet Privacy Policy Survey. As you know, that survey, based on a sample of more than 360 of the most popular websites, found that 65.7 percent (nearly two-thirds of the sites surveyed) posted a privacy policy or an information practice statement.
Contrasted with the 14 percent rate of privacy policy disclosure found by the Federal Trade Commission's similar survey in 1988, the dramatic 1-year improvement reflects a determined effort on the part of industry to improve its information practices. This progress follows calls by the President, Vice President and others for industry to lead the way in protecting on-line privacy, and many industry leaders, including the Online Privacy Alliance and its members, deserve recognition for their efforts.
While we are encouraged by these results, we would also point out another important finding of the Georgetown study. Less than 10 percent of the most frequently visited sites and less than 15 percent of the sites that collect personal information had a comprehensive privacy policy that includes a posted privacy policy and addresses five key principles of fair information practices: notice, choice, access, security and contact information.
Thus, while we are pleased at the significant progress made by industry in the past 12 months, we need the final third of websites to post privacy policies that adhere to all the principles of fair information practices.
Mr. Chairman, I think my statement goes into this at greater depth, but there is an important connection between on-line privacy and our efforts to fight fraud and other criminal conduct.
In closing, I want to reiterate the Department's commitment to furthering the administration's principles as outlined in the Framework for Global Electronic Commerce. The Framework urged a multipronged approach to privacy protection, relying on a combination of industry self-regulation, sector-specific legislation, and enforcement efforts to prevent unfair deceptive trade practices. In addition, the Department will vigorously enforce Federal laws designed to protect individual privacy, including the new identity theft statute.
We look forward to working with Congress and the private sector to achieve these goals.
Mr. GOODLATTE. Thank you very much.
[The prepared statement of Mr. Bentivoglio follows:]
PREPARED STATEMENT OF JOHN BENTIVOGLIO, CHIEF PRIVACY OFFICER, U.S. DEPARTMENT OF JUSTICE
My name is John Bentivoglio. I serve as the Chief Privacy Officer for the U.S. Department of Justice, where I am responsible for coordinating the Department's efforts to protect individual privacy rights. I appreciate this opportunity to present the Department's views on the issue of electronic privacy disclosure practices.
Before I do so, however, I would like to briefly describe what the Department of Justice (DOJ) is doing to ensure we, as a Department, engage in appropriate privacy practices and set a good example for others in both the public and private sector. Last year, the Attorney General created the position of Chief Privacy Officer and established a Privacy Council within the Department. The Council, which I chair, is composed of senior officials from the FBI, DEA, the Criminal and Civil Divisions, and other DOJ components. The Attorney General directed that the Council ''serv[e] as a clearinghouse for privacy-related legislative, regulatory and policy initiatives, provid[e] advice to senior Department officials on privacy matters, and provid[e] a forum for exchanging information about important developments in the field of privacy.'' The Council is currently reviewing a number of important issues, including the Department's compliance with the federal Privacy Act; the sharing of information among federal, state, and local law enforcement agencies; and the impact of new law enforcement technology on individual privacy. I am also pleased to note that we have posted a privacy policy on the Department's web site.
In addition, the Department has enacted internal policies and procedures to ensure strict adherence to communications privacy protections and we have a record of aggressively pursuing violations of the Electronic Communications Privacy Act. That Act establishes a number of substantive and procedural safeguards on law enforcement access to electronic communications, which is sometimes required in the course of the investigation of federal crimes.
Turning to the primary subject of today's hearing, electronic privacy disclosure policies raise a host of important issues, including law enforcement issues of concern to the Department of Justice. There has been a great deal of discussion over public concern about the loss of online privacy and the adequacy of industry self-regulatory efforts with respect to the collection, use, and disclosure of personal information online. We share these concerns. We believe, however, that industry has made substantial strides, as evidenced by the recently reported results of the draft Georgetown Internet Privacy Policy Survey. As you know, that surveybased on a sample of more than 360 of the most popular web sitesfound that 65.7%nearly two thirds of the sites surveyedposted a privacy policy or an information practice statement. Contrasted with the 14% rate of privacy policy disclosure found by the Federal Trade Commission's similar survey in 1998, the dramatic one-year improvement reflects a determined effort on the part of industry to improve its information practices. This progress follows calls by the President and Vice President for industry to lead the way in protecting online privacy, and many industry leaders, including the Online Privacy Alliance and its members, deserve special recognition for their efforts.
While we are encouraged by these results, we would also point out another important finding in the Georgetown study: less than 10 percent (9.4%) of the most frequently visited sites and less than 15 percent (14.7%) of the sites that collect personal information had a comprehensive privacy policy that includes a posted privacy policy and addresses five key principles of fair information practices: notice, choice, access, security, and contact information. Thus, while we are pleased at the significant progress made by industry in the past 12 months, we need the final third of web sites to post privacy policies that adhere to all the principles of fair information practices. Posting a privacy policy is an essential first step to protecting privacy in cyberspace, but to be effective, privacy policies must be ubiquitous and comprehensive. We believe more can and should be done by industry to safeguard the privacy of online consumers.
The Department strongly supports industry efforts to enhance and safeguard online privacy. In addition to protecting online privacy, the use of third-party certifications, such as those developed by TRUSTe, BBBOnline, and CPA Webtrust can help consumers avoid web sites that have inadequate privacy safeguards, including web sites operated by scam artists, a growing concern to the Department of Justice.
Although there are strong market incentives to develop privacy disclosure policies, and we support industry self-regulatory efforts, some practices involving the collection and use of personal information may run afoul of federal and state laws. Under the Federal Trade Commission Act, for example, the FTC may pursue injunctive relief against businesses whose information collection and use practices constitute an unfair or deceptive trade practice, such as the failure to comply with a web site's posted privacy policies. The FTC has brought enforcement actions in this area.
Although the Department of Justice has no authority to sanction businesses that fail to establish privacy disclosure policies, we are concerned about the interplay between online privacy and consumer fraud. The disclosure of personal information in the online environment may unwittingly expose individuals to a host of on- and offline dangers. For example, posting personal information in a chat room can expose a person to solicitations for fraudulent investments, electronic harassment or stalking (both on- and offline), and, in the case of minors, attempts to establish an illicit sexual relationship or contact. Since the Internet offers anonymity not available in the offline world, some individuals are not sufficiently aware of the dangers of disclosing sensitive information in the online environment. The Department has launched a number of initiatives to respond to these issues, including a new Internet Fraud Initiative, which is designed to increase federal prosecution of Internet fraud scams and to prevent such scams through consumer education and prevention.
We also are concerned about the growing problem of ''identity theft,'' the use of another person's identifying information to commit an offense (such as using a Social Security number to obtain a credit card fraudulently). In some instances, this information is obtained without any contact with the victim of the fraud, such as when sham information brokers obtain personal financial information through pretext calls. In other instances, the information is obtained from the victim online when the perpetrator poses as a business person and gains the victim's trust through frequent and seemingly innocent communications. Armed with such information as a person's social security number, bank account information, and date of birth, scam artists have been stealing thousands of dollars from individual consumers, without any contact whatsoever with the victim. Last year, Congress enacted legislation aimed at this problem, and the Administration has announced an enforcement and prevention initiative that contemplates referral of cases among federal, state, and local law enforcement and regulatory agencies, and development of a private-public partnership to educate consumers on ways to protect themselves.
In addition, at our request, the U.S. Sentencing Commission amended its guidelines to allow for increased penalties for fraudulent offenses that involve a significant invasion of individual privacy. The Commission also is charged with amending the guidelines, as appropriate, to provide penalties for each offense under 18 U.S.C. §1028, including the new identity theft statute. We hope the new statute and these enhanced penalties will serve as a deterrent to fraud artists who invade individual privacy in order to commit their scams.
Finally, we are working closely with the FTC and others to ensure aggressive enforcement of federal laws designed to protect individual privacy. For example, the Fair Credit Reporting Act provides criminal penalties for knowing and intentional violations of the Act. The FTC receives consumer complaints about potential violations of the Act and refers potential criminal violations to the Department for appropriate follow-up, and we are working with the FTC to better identify cases suitable for criminal prosecution.
Significantly, ubiquitous electronic privacy disclosure policies should help educate consumers about the dangers associated with the unguarded disclosure of sensitive personal information. If privacy disclosure policies and third-party privacy certifications become the norm, consumers may be more cautious about disclosing personal information to web sites that may not be privacy sensitive or are merely electronic fronts for scam artists. In educating consumers about online personal privacy, and in promoting informed disclosure by consumers based on individual choice, such private-public partnerships will also serve to inform Internet users about the potential risks of unguarded disclosure of personal information. In sum, our hope is that enhanced public awareness, brought about in part through the educational efforts of the private sector, will promote responsible decision-making among Internet users about when and to whom to disclose personal information, thereby reducing harassment and misuse.
In closing, I want to reiterate the Department's commitment to furthering the Administration's principles as outlined in the Framework for Global Electronic Commerce in July 1997. The Framework urged a multi-pronged approach to privacy protection, relying on a combination of industry self-regulation, sector-specific legislation (as for fraudulent ''pretext calls'' used by unscrupulous data brokers to obtain private financial records), and enforcement efforts to prevent unfair or deceptive trade practices. In addition, the Department will vigorously enforce federal laws designed in whole or in part to protect individual privacy, including the new identity theft statute.
We look forward to working with Congress and private industry to achieve these goals. I would be happy to answer any questions you might have.
Mr. GOODLATTE. I wonder if you might comment in some detail about how well the Electronic Communications Privacy Act is combating privacy violations and fraudulent activity.
Mr. BENTIVOGLIO. Well, we think ECPA, as it is referred to, is doing a good job in that sense. It includes strong protections, including criminal penalties for violations of communication privacy rules.
We have brought a number of factors for violations of ECPA. One important factor, though, is that the public is not always aware of violations of ECPA and thus they don't bring those to our attention. So we don't really know how serious the problem is because many people don't know that it is being violated. When they do, they bring them to our attention; and we pursue them very vigorously.
Mr. GOODLATTE. Are there any ongoing efforts to make the public aware of their rights under that law?
Mr. BENTIVOGLIO. We have engaged industry very aggressively in this regard, and that is because industry would probably know earlier than others about potential violations. If someone is hacking, industry might know that, private sector communications providers might know that and bring that to our attention. That is an important source of referrals.
But we do try to engage others and use various public forums to highlight those protections so that people will bring them to our attention.
Mr. GOODLATTE. But you find that that law is an effective tool for law enforcement in helping to reduce fraud in electronic communications?
Mr. BENTIVOGLIO. It is one of the tools we use, yes.
Mr. GOODLATTE. Okay. Is there a need for laws like ECPA to address the fact that, even though there are many, many dedicated folks in industry who are attempting to combat fraud through self-regulation, you are always going to have some bad actors out there who want to carve out a niche for themselves, where they are going to benefit by the fact that everyone else is complying with the law and they are going to try to slip under the radar screen, if you will?
Mr. BENTIVOGLIO. We don't believe that legislation is necessary at this time.
Mr. GOODLATTE. No, but I am talking about ECPA.
Mr. BENTIVOGLIO. I don't think that we foresee changes necessarily to ECPA.
Mr. GOODLATTE. No, no, no, that is not what I am referring to. I am saying legislation like ECPA is helpful in ferreting out the bad actors that you deal with on a regular basis.
Mr. BENTIVOGLIO. ECPA is helpful in that regard, yes.
Mr. GOODLATTE. Good. Good.
Those are all the questions I have. Ms. Lofgren.
Ms. LOFGREN. Just a few.
On page 5 of your testimony, you discuss the Justice Department's initiatives including the Internet Fraud Initiative Against Scams. We all agree that is important. How many prosecutions have occurred in the course of this fraud initiative?
Mr. BENTIVOGLIO. The initiative was just announced approximately 2 weeks ago by the President, so there have been no prosecutions since that time. We have brought prosecutions against Internet fraud scams, although this is a relatively new area, and so the number would not be that great.
Ms. LOFGREN. How many agents and U.S. Attorneys are assigned or intended to be involved in this prosecutorial activity and where are they assigned?
Mr. BENTIVOGLIO. Right now, we are working with the FBI, the Fraud Section in the Criminal Division and the U.S. Attorneys to get this initiative under way and implemented. I don't know the specific numbers. But, for example, we have computer and telecommunications coordinators in every U.S. Attorney's Office. They are a resource for these types of cases, as are white-collar-crime prosecutors. So all the U.S. Attorney's Offices will be engaged to some extent in this initiative.
Ms. LOFGREN. Well, without mentioning any office, some offices have more depth in this area than others and some offices have virtually no capacity in terms of who happens to be there as an attorney to deal with these types of matters. What systematic effort is under way to upgrade the skillset in offices where that is the case?
Mr. BENTIVOGLIO. Well, you highlight an important issue, which is the training and expertise of our agents and prosecutors. These days not only do you need to be a good lawyer, you need to be very knowledgeable about technology and communications issues and the like. We have taken a number of steps in that regard.
First, in every U.S. Attorney's Office, as I mentioned, there is a computer and telecommunications coordinator, a CTC. They receive extensive training from the Computer Crime Section and the Criminal Division on these type of issues. So every U.S. Attorney's Office has some expertise and depth in this area.
We also have training programs, local, regional and national training programs, to boost the training and expertise of our prosecutors and investigators. The investigative side is very important. And the FBI has invested a lot of resources and energy (those resources, of course, provided by Congress) to this effort. So there is a steep learning curve here.
I can't say that we have done everything; I can't say that we have the expertise that we are comfortable with, but we are working very diligently in that regard.
Ms. LOFGREN. I don't know whether you can discuss in depth the FBI. But, as one example, there recently was a change in Silicon Valley. The FBI disbanded its high-tech unit. We found this very mysterious, especially in Silicon Valley. The unit has recently been reformatted somehow, although not as a separate unit.
When I looked at expertise, I looked at some of the prosecutions we've had and the training level in two various FBI offices. I find it is all over the board. It really does seem to be fortuitous. There are some officers that have computers at home, learn about computers and know about it. Other officers think that a mouse is an animal with a tail. It doesn't seem to be a cohesive effort on the part of the Bureau. Is there something more systematic under way, other than having an officer who is supposed to be in charge? Unless there's more, it is really not going to translate out to the troops in terms of putting a case together?
Mr. BENTIVOGLIO. There is a very systematic effort under way within the Bureau to develop the expertise and the capability in the computer crime area, and I think it would be probably easiest to provide details for the record and to you on that issue. But I know that the Bureau is very, very committed to this issue. They do have rigorous training efforts under way. And their CART teams, which are in various offices around the country, are some of the most sophisticated computer crime experts anywhere in the world.
Ms. LOFGREN. Don't misunderstand me. The Bureau has excellent people: I don't mean to suggest otherwise. But it is a bit spotty.
If I could, Mr. Chairman. I realize my light is on. Could I ask one more question? Thank you.
On page 6, you talk about stealing identification information, and the like. How many prosecutions have occurred in this arena? What kind of forces are deployed in this effort?
Mr. BENTIVOGLIO. I am not aware of any prosecutions since that new statute has passed. We have prosecuted identity theft under prior statutes, mail and wire fraud statutes. That statute was passed late last year. It has been approximately 6 months. I believe we have some investigations under way. I don't think there have been any prosecutions.
I can say that the FBI is working with the Secret Service, which has jurisdiction over this as well, and they have a number of ongoing investigations under way. And they are working very closely together to share information, to make sure we are diligently pursuing that statute.
Ms. LOFGREN. Okay. Thank you, Mr. Chairman.
Mr. GOODLATTE. Mr. Bentivoglio, I wonder if you might comment on some of the types of fraud that you have encountered on-line.
Mr. BENTIVOGLIO. They range in complexity from very simple scams where legitimate-appearing websites will offer certain services, that if you provide a credit card number, they will provide certain services, and then the credit card number is provided on-line. The account is billed, and then no services are rendered.
Mr. GOODLATTE. Have you prosecuted anybody under those types of scams?
Mr. BENTIVOGLIO. I believe we have.
There are also more sophisticated scams, and those scams also could be prosecuted by State district attorneys' offices, depending on where the people are and the like. And in some cases where the dollar amounts are low, we might refer those for handling by State and local authorities.
On the other hand, there have been sophisticated securities fraud scams which we are working with the SEC in pursuing. Those are more sophisticated scams, targeted at many investors, some of them whom are very sophisticated, who have been scammed by these fraud artists.
Mr. GOODLATTE. Now, if these website operators were to fully disclose what their purpose is in gathering information, some of these instances of fraud would be reduced, would they not?
Mr. BENTIVOGLIO. Not necessarily. Sometimes you can disclose a privacy policy, and then the policy can be a complete sham. We think privacy policies help us on the fraud front, primarily by educating consumers about the need to be cautious about the information that they do provide. You can post a seal or you can create the appearance of a seal that gives the appearance of legitimacy. Yet it could be just a fraudulent site. So that alone won't stop them.
But really the consumers are the first line of defense here, and the more they know about the dangers of providing information on-line and how to do it safely, the less fraud there will be.
Mr. GOODLATTE. If they give the appearance of protecting somebody's privacy by posting a fraudulent policy, does that give you any additional remedies that you can take against them in terms of criminal prosecution?
Mr. BENTIVOGLIO. Like under the mail and wire fraud statute, there has to be a scheme or an artifice to defraud primarily for financial gain. So if they just fail to post a privacy policy or didn't comply with it but there was no further scheme or artifice to defraud, we probably would not have jurisdiction to pursue them criminally. Although, in that sense, criminal prosecution might be too much in that regard; a regulatory action or a civil action may be the appropriate approach.
If there is financial gain, though, that would tend to fall within the mail and wire fraud statutes; and we would probably go after that.
Mr. GOODLATTE. Most of the industry folks represented here today I think are very conscious and aware of this and are participating in these various programs I have described to give adequate information, adequate notice to consumers about what may be used with information. But what do you do with the person who is using the information they gather for a legal purpose? They are not committing credit card fraud or something like that. They are simply going to legally sell information they gather to somebody else who may use it for some purpose that the consumer, not being aware of that fact, may not want their particular information used for that purpose. What do you do about those kinds of circumstances where there is no disclosure?
Mr. BENTIVOGLIO. Under the fact pattern you described, we wouldn't have jurisdiction to pursue that.
Mr. GOODLATTE. Do you have a concern about that type of problem?
Mr. BENTIVOGLIO. We do. I know the Federal Trade Commission might have jurisdiction in that regard as that practice could, depending on the facts, constitute an unfair deceptive trade practice. They might have jurisdiction there.
I think we are concerned generally because of the connection to fraud and also because we think, you know, the high level of consumer concern about this is something we should take seriously. On the other hand, we don't have the authority to pursue that type of action.
Mr. GOODLATTE. But in order to deal with those portions of the website operators who are not participating voluntarily in these types of things and who are engaged in what otherwise would be perfectly legal uses of these things, in order for you to help that, you would need to have legislative authority, is that not right?
Mr. BENTIVOGLIO. That is correct.
Mr. GOODLATTE. Okay. She obviously doesn't have any other questions. I would very much like to thank you for your participation today.
And at this time we will move on to our next panel, and we look forward to continuing to work with the Justice Department as this issue evolves. It is one that has a great deal of ramifications, and we want to proceed with a good deal of caution and with as much encouragement of the industry to take care of this problem as we possibly can.
Mr. BENTIVOGLIO. Thank you, Mr. Chairman.
Mr. GOODLATTE. So thank you.
We now invite our next panel.
Our first witness is Christine Varney, who is chair of the Online Privacy Alliance. Mrs. Varney has lectured extensively both in the United States and abroad on various legal issues in American politics. Ms. Varney's postgraduate degrees include a 1986 JD from Georgetown University Law Center, and a 1978 master's in public administration from the Maxwell School at Syracuse University. She attended Trinity College in Dublin, Ireland, and is a 1977 graduate of the State University of New York in Albany.
Ms. Varney is a member of the District of Columbia Bar, the New York State Bar, the American Bar Association and the National Lawyers Counsel.
Next, we will be hearing from Mr. Terry Pittman, who was elected to the Board of Directors for TRUSTe, a privacy initiative designed to stimulate the growth of electronic commerce by building consumer trust and confidence in the Internet and shape public policy regarding website's disclosure of individuals' personal and private information.
Mr. Pittman received his AB in 1980 from the University of North Carolina at Chapel Hill School of Journalism and mass communication.
Third, we will hear from Jerry Cerasale (am I right? I am two for two), who is Senior Vice President of Government Affairs at the Direct Marketing Association, who is in charge of the DMA's contact with the Congress, all Federal agencies and State and local governments.
Prior to joining the DMA, he was the Deputy General Counsel for the Committee on Post Office and Civil Service at the U.S. House of Representatives. He served for 12 years at the Postal Rate Commission as legal advisor to Chairman Steiger and most recently special assistant to the Commission. He received his BA in government and economics from Wesleyan University, Middletown, Connecticut, and his JD from the University of Virginia School of Law.
Next, we will hear from Jill Lesser, who is Vice President of Domestic Public Policy at America Online in Dulles, Virginia. She leads the company on domestic public policy, regulatory and industry relations activities and heads the Washington, D.C., office. At America Online, Ms. Lesser has led industrywide efforts on a number of emerging public policy issues affecting the Internet and the new information society.
Ms. Lesser earned her BA with honors in political science from the University of Michigan in 1987 and a JD from Boston University School of Law.
Then we will hear from Mark Rotenberg, Executive Director of the Electronic Privacy Information Center here in Washington, a public interest research organization working to protect privacy, free speech and constitutional values in the on-line world. Mr. Rotenberg is also an adjunct professor at Georgetown University Law Center, where he has taught the Law of Information Privacy since 1990, and a senior lecturer at Washington College of Law.
He is a graduate of Harvard College and Stanford Law School.
And then last, but certainly not least, we will hear from Jerry Berman, President of the Center for Democracy and Technology. The Center was founded in December 1994 by Mr. Berman. Mr. Berman coordinates CDT's free speech and privacy policy working groups comprised of communications firms, associations and civil liberties groups which address Internet policy issues. He also chairs the Advisory Committee to the Congressional Internet Caucus, of which I am co-chairman.
Mr. Berman received his BA, MA and LLB from the University of California at Berkeley.
Mr. GOODLATTE. We are pleased to start with Ms. Varney.
STATEMENT OF CHRISTINE VARNEY, CHAIR, ONLINE PRIVACY ALLIANCE
Ms. VARNEY. Thank you. Good morning, Mr. Chairman and members of the subcommittee. I would like to talk with you this morning about the efforts of industry to create a trusted on-line environment that respects individual privacy.
On behalf of the Online Privacy Alliance, a coalition of more than 80 companies and associations committed to consumer privacy, I would like to thank Dr. Mary Culnan of Georgetown University and the FTC for the excellent work done on the Georgetown Internet privacy study. The study has shed a great deal of light on the status of on-line privacy and provided guidance for our future efforts; and there will be future efforts, but a great deal remains to be done.
First, let us look at what has already been accomplished. In 1998, the Federal Trade Commission found that only 14 percent of websites had posted privacy policies. Although the Georgetown study survey sample differed from last year's, the progress is indisputable. This year, in a sample drawn from the net's most popular sites, a remarkable 66 percent of sites had posted privacy policies. The astonishing leap to 66 percent shows that privacy on-line is becoming the standard.
This progress is largely the result of the partnership between the private sector working together with government, both the Congress and the executive branch, to make privacy the norm; and the progress has been just as notable among the top 100 most popular websites, 94 percent of which now have posted a privacy disclosure. This is up from 71 percent last year. These are the sites that consumers most often visit.
The unduplicated reach of the top 100 sites is about 94 percent, while the reach of the larger sample is about 98.8 percent. Consumers can now look for privacy policy at every website where they plan to transact business. They can refuse to do business with sites that don't have a policy; and they can, and should, send E-mail to websites without privacy policies asking or demanding that the site post one.
The Georgetown survey, while providing evidence of significant progress, also pointed out where more work needs to be done. The study showed the differences in the quality of privacy policies. The study showed that fewer than 15 percent of sampled sites included all the elements necessary for an acceptable privacy policy, including disclosure, choice, access and security.
The OPA also requires websites to provide contact information so consumers can get in touch with someone at a company when they have a privacy concern.
The Georgetown findings showed that the percentage of websites providing notice and disclosure is quite high, 87 percent of the sites surveyed; and the study found 77 percent of websites provide consumers with choice about how their personal information is used.
We believe that the 46 percent in the survey posting security precautions may not reflect the actual practice. It is likely that many sites which do indeed appropriately safeguard personal information are not clearly disclosing their security precautions in the privacy policy. This is not necessarily a problem of security but certainly a problem of communication. It needs to be fixed, and we intend to help do that.
Nevertheless, more work needs to be done to make privacy policy across the net meet basic standards for informing consumers about the policies and practices of on-line businesses. The policies must be easy to find, read, and understand.
The Online Privacy Alliance will work in the coming year to increase the number of websites posting privacy policies, and we will work to make sure the privacy policies give consumers the information they need to make informed decisions. We believe we can reach the goal through the enforcement of existing law and the industry promotion of best practices. Consumers who have the information they need to make informed choices are the best enforcers of privacy on-line.
Consumers must also take some responsibility and look for privacy policies, read them and make the choices. They must remember on the digital street as on the Main Street, think before you share information.
Thank you very much.
Mr. GOODLATTE. Thank you.
[The prepared statement of Ms. Varney follows:]
PREPARED STATEMENT OF CHRISTINE VARNEY, CHAIR, ONLINE PRIVACY ALLIANCE
The Internet is poised to become an explosive economic growth opportunity that will redefine global commerce in the information age. That growth cannot and will not occur without consumer confidence. Privacy is one of the cornerstones of consumer confidence in the Internet.
Last year numerous companies and associations came together to create policies and practices that can make privacy a reality for everyone on the Internet. These companies and associations, the Online Privacy Alliance, are pleased to submit the attached documents. First is the Mission Statement describing the goals of the Online Privacy Alliance, second are the Guidelines for Privacy Policies that will be adopted by all Online Privacy Alliance members, third are the Principles for Children's Online Activities, and fourth are the Guidelines for Effective Enforcement of Self-Regulation.
The Online Privacy Alliance has worked diligently to come up with policies that can be applied across many industry sectors. These guidelines, principles and statements reflect not only a deep commitment to online privacy, but also new policies which the Online Privacy Alliance members support. First, the Online Privacy Alliance believes that when there is use or distribution of individually identifiable information for purposes unrelated to that for which it was collected, individuals should be given the opportunity to opt out of such unrelated use or distribution. Second, the Online Privacy Alliance members believe that sites targeted at children under 13 should not engage in the collection and maintenance of information from children without prior parental consent. Finally, the Online Privacy Alliance members believe that self-regulation requires robust enforcement and they are committed to ensuring such.
Over the past year the OPA has worked to expand the adoption of effective online privacy policies by organizations doing business online. Clearly, the recent Georgetown Internet Privacy Policy Study (''the Georgetown Privacy Study'') indicates that significant progress has been made in safeguarding privacy online. The fact that close to 66 percent of sites in the sample posted a privacy disclosure demonstrates that adoption and disclosure of privacy policies is becoming the norm on the Internet. Last year, the FTC reported that only 14 percent of Web sites notified consumers about their privacy policies. Although the universe from which the survey samples are drawn differs, it is very clear that there has been enormous progress.
The OPA and its supporting organizations will continue to work to ensure that effective online privacy practices are adopted and implemented among the private sector. In particular, we will be focusing on continuing outreach through business and consumer education, while increasing awareness of various privacy assurance programs. The Georgetown Privacy Study will serve as a road map to help us ensure that robust privacy practices are the norm online. It has been a pleasure working with this group and I look forward to continuing to work with the Online Privacy Alliance to build consumer confidence in the Internet.
Note: Additional materials supplied by Ms. Varney on Online Privacy Alliance (www.privacyalliance.org) are in the subcommittee's files.
Mr. GOODLATTE. Mr. Pittman.
STATEMENT OF TERRY PITTMAN, BOARD OF DIRECTORS, TRUSTE
Mr. PITTMAN. Thank you very much, ladies and gentlemen of the committee.
Let me just add that, in addition to my role as a director at TRUSTe, I am an executive in a California Silicon Valley start-up and have spent the last 4 years in that space.
I would like to thank you first for inviting TRUSTe to testify on the very important issue of Internet privacy. For the past 2 years, TRUSTe's mission has been to increase trust on the Internet by promoting responsible and fair information collection and use practices on-line. TRUSTe's privacy program is based on the fair information practices called for by the Federal Trade Commission. Since the inception of our program in 1997, all TRUSTe licensees must post a privacy statement in a prominent location that fully discloses information collection and use practices.
In October 1998, TRUSTe introduced several additional elements to our program. All licensees must now provide a mechanism for consumers to update or correct personal information; provide an opportunity for users to opt-out of secondary use of their personal information; take reasonable security precautions to protect information that is collected; and, last, follow the requirements of the TRUSTe Children's Program, when the licensed website is targeted to children under the age of 13.
The cornerstone of TRUSTe's program is our verification and oversight. TRUSTe performs periodic reviews of each website to ensure compliance with TRUSTe requirements. TRUSTe also tracks usage of personal identifiers or personal information in the licensee's database, a process known as seeding. Seeding involves visiting and registering with the website under an assumed identity and then tracking how that information is used.
TRUSTe's consumer complaint resolution process, also known as our escalation process, begins if TRUSTe believes a licensee is in noncompliance of their stated privacy practices or if a consumer files a complaint through TRUSTe's watchdog site. If the investigation reveals that a site has violated its privacy statement, TRUSTe will require remedial measures. To assure that problems have been corrected, the site may be asked to undergo a third party audit. If the problem is not resolved through TRUSTe's satisfaction, we may revoke the TRUSTe seal, also called a trustmark. If an egregious or malicious privacy breach has occurred, the site may be referred to an appropriate local law enforcement agency or to the FTC.
As of today, TRUSTe has more than 675 licensed sites, those sites accounting for 1/3 of all U.S. Internet traffic. TRUSTe anticipates more than 1,500 sites will join the TRUSTe program by December 1999.
TRUSTe's growth is a result of aggressive business-to-business outreach. When we launched the TRUSTe seal program in June 1997, we understood that educating the most visible sites would be the key to the widespread adoption of privacy protection practices on the web.
Of particular note is that all major portal sites have joined TRUSTe, including America Online, Excite, Infoseek, Lycos, Microsoft, Netscape, Snap, and Yahoo. Forty-five of the top 100 sites are TRUSTe licensees. What is more, 80 percent of our licensed sites are small businesses.
As we move into the third year of our program, we are noticing a new trend. That is, traditional off-line brands, such as major manufacturers and Fortune 100 companies, are entering the TRUSTe program with greater and greater frequency.
The growth of interest in seal programs is clearly linked to one factor, the desire to build a web environment that consumers feel comfortable in. To that end, it has been TRUSTe's mission to provide outreach and education to web users about how to take control of their information on-line.
TRUSTe's grass-roots privacy partnership education campaign was the largest ever on-line public service announcement initiative. In a span of just 3 weeks, 200 million donated banner advertisements ran on the most visited U.S. websites. More than 1 million web users visited the educational campaign website to learn more about protecting their privacy. The campaign was a huge success.
I would like to spend a moment now briefly commenting on the results of the web survey completed recently by Mary Culnan of Georgetown University.
Mr. GOODLATTE. If you could do it briefly, we would appreciate it.
Mr. PITTMAN. Okay. I will wrap up.
When the program was launched 2 years ago, one of our most significant changes was to convince Web site owners that privacy was an important part of their activities. Now with 65.7 percent of commercial websites addressing the consumer privacy issue, we believe it is a remarkable demonstration; and that message has been received and acted on.
Finally, I would like to comment that we are launching programs around the globe with our European interim director; and we have ongoing discussions with agencies in Singapore, Australia and other countries who are interested in launching local TRUSTe programs there.
I would like to thank you for your invitation to speak here and look forward to serving as a resource for the committee and the House. Thanks.
Mr. GOODLATTE. Thank you.
[The prepared statement of Mr. Pittman follows:]
PREPARED STATEMENT OF TERRY PITTMAN, BOARD OF DIRECTORS, TRUSTE
Ladies and Gentlemen of the Committee:
I would like to thank you for inviting TRUSTe to testify on the very important issue of Internet privacy. For the past two years, TRUSTe's mission has been to increase trust on the Internet by promoting responsible and fair information collection and use practices online. TRUSTe's privacy program is based on the fair information practices called for by the Federal Trade Commission. Since the inception of our program in 1997, all TRUSTe licensees must post a privacy statement in a prominent location that fully discloses information collection and use practices.
In October 1998, TRUSTe introduced several additional features to our program. All licensees must now:
Provide a mechanism for consumers to update or correct personal information;
Provide an opportunity for users to opt-out of secondary use of their personal information;
Take reasonable security precautions to protect information that is collected; and
Follow the requirements of the TRUSTe Children's Program when the licensed Web site is targeted to children under the age of 13.
The cornerstone of TRUSTe's program is our verification and oversight. TRUSTe performs periodic reviews of each site to ensure compliance with TRUSTe requirements. TRUSTe also tracks usage of unique identifiers in a licensee's database, a process we call seeding. Seeding involves visiting and registering with the Web site under an assumed identity, then tracking how that registration information is used.
TRUSTe's consumer complaint resolution process, also known as our escalation process, begins if TRUSTe believes a licensee is in non-compliance of stated privacy practices or if a consumer files a complaint through TRUSTe's watchdog site. If an investigation reveals that a site has violated its privacy statement, TRUSTe will require remedial measures. To assure that problems have been corrected, the site may be asked to undergo a third-party audit. If the problem is not resolved to TRUSTe's satisfaction, we may revoke the TRUSTe seal, also called a trustmark. If an egregious or malicious privacy breach has occurred, the site may be referred to an appropriate local law enforcement agency, or to the Federal Trade Commission.
As of today, TRUSTe has more than 675 licensed sites; those sites account for one-third of all US Web traffic. TRUSTe anticipates that more than 1,500 sites will join its privacy oversight program by December 1999.
TRUSTe's growth is a result of aggressive business-to-business outreach. When we launched the TRUSTe seal program in June of 1997, we understood that educating the most visible sites would be key to the widespread adoption of privacy protection practices on the Web.
Of particular note is that all major Internet ''portal'' sites have joined TRUSTe, including America Online, Excite, Infoseek, Lycos, Microsoft, Netscape, Snap, and Yahoo! 45 of the top 100 sites are TRUSTe licensees. What's more, 80% of our licensed sites are small businesses. As we move into the third year of our program, we are noticing a new trend. Traditional ''off-line'' brands, such as major manufacturers and Fortune 100 companies, are entering the TRUSTe program with greater and greater frequency.
The growth of interest in seal programs is clearly linked to one factor: the desire to build a Web environment that consumers feel comfortable in. To that end, it has also been TRUSTe's mission to provide outreach and education to Web users about how to take control of their information online. TRUSTe's grass-roots Privacy Partnership education campaign was the largest ever online public service announcement initiative. In a span of 3 weeks, 200 million donated banner advertisements ran on the most trafficked U.S. Web sites. More than one million Web users visited the educational campaign Web site to learn more about protecting their privacy. The campaign was a huge success, with more than 800 Web sites joining in to run banner ads.
I would like to spend a moment now commenting on the results of the survey of Web sites recently completed by Mary Culnan of Georgetown University. When TRUSTe launched, nearly two years ago, one of our most significant challenges was to convince Web site owners that privacy was an issue they should put resources toward. The fact that now, 65.7% of commercial Web sites are addressing consumer privacy is a remarkable demonstration that the message has been received, loud and clear.
Now that two-thirds of all sites are posting some type of privacy notice, the mission of seal programs is clear: evangelize the need for comprehensive statements that address all fair information practices. Seal programs offer turn-key solutions to sites by ensuring they adhere to all fair information practices prior to granting the seal.
Finally, I would like to mention that TRUSTe was launched with the intent of creating a globally recognized seal program. Already, we have licensees in English-speaking countries around the world. This year, we launched our European program by appointing an interim European director. We have ongoing discussions with agencies in Singapore, Australia, and several other countries with an interest in launching the TRUSTe program locally. We will continue to keep you updated on these international efforts.
We thank you for the opportunity to speak here today and look forward to serving as a resource for the Judiciary Committee and all members of the House of Representatives.
Mr. GOODLATTE. Mr. Cerasale.
STATEMENT OF JERRY CERASALE, SENIOR VICE PRESIDENT, GOVERNMENT AFFAIRS, DIRECT MARKETING ASSOCIATION, INC.
Mr. CERASALE. Thank you very much.
I appreciate the opportunity to testify here today on behalf of Direct Marketing Association and ask that my written testimony be submitted for the record.
Mr. GOODLATTE. Without objection. In fact, all of your written testimony will be made a part of the record.
Mr. CERASALE. Thank you.
The Direct Marketing Association represents numerous companies that offer products to consumers through all types of media. The Internet is one that our companies are beginning to look at as a new way to reach customers, offer them products and goods at a reasonable price; and we depend upon consumer confidence and consumer trust in order to have this marketplace grow; and so it is very important for us to ensure that there is trust of the consumer in the marketplace.
We have taken a good deal of effort on a number of public education and technology and self-regulatory initiatives to advance privacy and consumer choice in the on-line environment.
We are very pleased with the results of the Georgetown study. It shows a significant improvement in posting of privacy policies on the net. But is the job done? It is not, as others have said here today. We have a long way to go. But we are on the right track, and that is the direction we are moving.
We have specifically supported and helped craft the Children's Privacy Protection Act, and we are now working with the Federal Trade Commission as we move forward with the regulations to implement that act and try to protect children in the use of their information on-line.
In the next 2 months, the Direct Marketing Association will implement two self-regulatory initiatives to try and further empower in the marketplace on-line. On July 1st, 1999, the DMA's privacy promise will become mandatory for all DMA members. Basically, that is in the on-line and the telephone and in the mail media. Companies will have to give notice of what they use, what information they collect and how they use it, whether they give it out to third parties and provide an opportunity for the consumer to say no. We think that that is a major push, and I think that is one area where we have to grow and continue our efforts, based upon the Georgetown study.
We are also developing an E-mail preference service, which would be a service that individuals can put their E-mail address on and our companies would have to not send an unsolicited E-mail message to them, very similar to our mail preference service and our telephone preference service.
We have been working with the worldwide web consortium to create a privacy policy tool to try and let the Internet be seamless in a privacy means, to allow a consumer to put his or her privacy policy on his or her browser, have the companies put their privacy policy on the front of their Web site. If there is a match, you go in; if not, there is some dialogue between the company and the consumer.
I think it is very important as we look at this Internet that there are many, many major technological tools that are being developed to try and help promote control of the consumer over information that he or she gives over the net.
We also believe that we are pushing hard now with TrustE, with BBB Online and other seal programs that will become more and more known to consumers on the Net, and that way self-regulation will be moving forward. We think it is very important that, with the Internet being borderless, we should be very careful to try not to overregulate it because our regulation may not be exactly what other countries will do, and we can very much tie up the Net and prevent the growth that we are all looking forward to.
Thank you very much.
[The prepared statement of Mr. Cerasale follows:]
PREPARED STATEMENT OF JERRY CERASALE, SENIOR VICE PRESIDENT, GOVERNMENT AFFAIRS, DIRECT MARKETING ASSOCIATION, INC.
SUMMARY
I am Senior Vice President of Government Affairs for The Direct Marketing Association, Inc (''The DMA''). The DMA is the largest trade association for businesses interested in direct, database, interactive marketing and electronic commerce. The DMA represents more than 4,500 companies in the United States and 54 other nations. Founded in 1917, its members include direct mailers and direct marketers from 50 different industry segments, as well as the non-profit sector. Included are catalogers, financial services, book and magazine publishers, retail stores, industrial manufacturers, Internet based businesses and a host of other segments, as well as the service industries that support them.
The DMA member companies have a major stake in the success of electronic commerce, and are among those most likely to benefit immediately from its growth. The DMA's leadership is continuing to extend into the Internet and electronic commerce areas with its recent acquisitions of the Internet Alliance and the Association for Interactive Media. Members of The DMA include L.L. Bean, Time Inc., Dell Computer, Gateway 2000, DoubleClick, autobytel.com, BMG Direct, Charles Schwab & Co., Lucent Technologies, eBay, Acxiom, AT&T, America Online, IBM, MCI WorldCom, and others. Accordingly, The DMA has been working diligently to apply its successful self-regulatory system from the traditional media to the Internet and its World Wide Web.
We have worked intensively on a number of public education, technology and self-regulatory initiatives that advance privacy and consumer choice in the online environment. Due in large part to the efforts of our members, self-regulation is working in the Internet context. Just last week this conclusion was reinforced with the release of the results of the Georgetown Internet Privacy Policy Study. This study demonstrates that significant progress has been made in safeguarding privacy online. In the past year, 66 percent of all sites surveyed posted privacy policies, a dramatic increase from the 14 percent rate shown by a study last year. Moreover, the study showed that 94 percent of the top 100 sites posted privacy policies.
In the next two months, The DMA will implement two self-regulatory initiatives that will further empower consumers and demonstrate the tenacity of industry in acting responsibly on this issue. First, on July 1, 1999, The DMA Privacy Promise goes into effect. This initiative requires, in part, as a condition of membership to The DMA, that companies, which market to consumers, participate in The DMA's mail and telephone preference services. These services are offered free of charge to consumers, giving them the ability to remove their names from the lists of national marketers, substantially reducing their mail and telephone marketing calls. Moreover, companies would have to provide notice to consumers if they transfer data to others and provide the consumer the ability to opt-out of such transfers.
Second, shortly, The DMA will launch an e-mail preference service. This service will allow individuals to remove their e-mail addresses from marketing lists in a similar manner to that used in the telephone and mail preference services. This ambitious undertaking is aimed at empowering consumers while also preserving the many societal benefits of marketing continuing to expand in the interactive economy. Once the e-mail preference service is up and running, participation in this service will also be a requirement of DMA membership.
These two efforts will complement the multitude of already existing and ongoing initiatives that compose a robust and effective self-regulatory framework for online privacy. These initiatives include:
The DMA's award-winning guide for parents, children and educators created in an effort to ensure child safety online
The Privacy Policy Generator: a program on our web site which hundreds of companies have used to create privacy policies
Active support and participation in the P3P privacy technology, which will automatically inform consumers if a web site's privacy practices differ from their privacy preferences, allowing consumers to ''negotiate'' over those practices
Development of strong privacy guidelines for marketing online that are enforced by The DMA's Ethics Policy Board with the authority to publicly censure, suspend, or expel members
We believe that the efforts of The DMA and its members continue to prove the utility of effective self-regulation in the online environment. We congratulate the Chairman for his interest and exploration of these issues, and look forward to working with the Courts and Intellectual Property Subcommittee.
STATEMENT
I. Introduction
Good morning, Mr. Chairman, and thank you for the opportunity to appear before your subcommittee as it examines online privacy issues. I am Jerry Cerasale, Senior Vice President of Government Affairs for The Direct Marketing Association, Inc. (''The DMA'').
The DMA is the largest trade association for businesses interested in direct, database, and interactive marketing and electronic commerce. The DMA represents more than 4,500 companies in the United States and 54 foreign nations. Founded in 1917, its members include direct marketers from 50 different industry segments, as well as the non-profit sector. Included are catalogers, financial services, book and magazine publishers, retail stores, industrial manufacturers, Internet-based businesses and a host of other segments, as well as the service industries that support them.
The DMA member companies have a major stake in the success of electronic commerce, and are among those most likely to benefit immediately from its growth. The DMA's leadership role is continuing to evolve in the Internet and electronic commerce areas with the Association's recent acquisitions of the Internet Alliance and the Association for Interactive Media. Members of The DMA include Lands' End, L.L. Bean, Time Inc., Dell Computer, Gateway 2000, DoubleClick, autobytel.com, CDW, Micro Warehouse, BMG Direct, Charles Schwab & Co., Lucent Technologies, Bell Atlantic, CheckFree, DLJdirect, eBay, Prodigy, Acxiom, AT&T, America Online, IBM, MCI WorldCom, and many others. The DMA has been working diligently to apply its successful self-regulatory system from the traditional media to the Internet and its World Wide Web.
Today I will discuss The DMA's long-time commitment to self-regulation and peer regulation, and our work on a number of public education, technology and self-regulatory initiatives that advance privacy and consumer choice in the online environment. We continue to examine how best to ensure that consumers are afforded opportunities both to learn about products and services of interest to them and to express and obtain their preferences regarding marketers' collection, use, or dissemination of information about them. We are particularly pleased that the Online Privacy Alliance (of which The DMA is a signatory), BBBOnline, TrustE, and others have joined us in this effort for effective self-regulation on the Internet.
Mr. Chairman, The DMA is convinced that self-regulation and technology are the most effective methods for establishing privacy protection in the borderless world of the Internet, and must be the cornerstone of any domestic or global approach for ensuring privacy online. As reinforced recently by the Georgetown Internet Privacy Policy Study, self-regulation of privacy on the Internet is working. The Georgetown study indicates that significant progress with respect to Web privacy policies has been made in less than a year since the announcement of the Online Privacy Alliance principles and the release of the FTC study on online privacy. The fact that this progress is already reflected in business practices is particularly encouraging given that a multitude of new self-regulatory programs continue to be developed. Industry self-regulatory principles, consumer choice technologies, and an extensive educational campaign are now in place to create a privacy regime that is both flexible and effective, requirements for the Information Age.
For DMA members, the main use of information collected over the Internet is for marketing purposes. For example, a site may remember that I purchased a particular product there previously and direct me to the same section of its online store. This type of personalization is one of the unique attributes of the Internet that is driving its growth. Any ''harm'' associated with the collection and use of information in such contexts is minimal, and outweighed by the beneficial uses of the information such as improving the visitor's experience.
Nonetheless, The DMA believes that visitors to Web sites should be informed of a site's information practices and have the opportunity to express and obtain their preferences regarding marketers' collection, use, or dissemination of information about them. When visitors who care to evaluate the site's practices are informed of them, they can make an informed decision about whether to enter the site or take their business elsewhere. The DMA has developed special Online Marketing Principles that embrace these concepts. The DMA also is in the final stages of developing an e-mail preference service that will allow consumers the choice of removing their email addresses from marketing lists used by DMA members. Additionally, The DMA is actively promoting a technology, P3P, that will enable users to receive this information in a convenient, seamless fashion, with enhanced capabilities such as the ability to negotiate with the site over its practices as described below.
I would also like to mention that last fall The DMA supported the passage of the Children's Online Privacy Protection Act. The DMA supported this legislation because we believe that young children present a special case. Unlike adults, children may not fully understand choices regarding privacy. Based in part on existing guidelines developed and followed by The DMA, this legislation contains strong protections for children, prohibiting the collection or distribution of personally identifiable information from children under 13 without prior parental consent or direct parental notification. The DMA is currently working with the Federal Trade Commission as it develops regulations to implement this Act.
II. Self-Regulation On The Internet Is Resulting In Effective Consumer Privacy And Empowerment As Electronic Commerce Rapidly Continues To Grow
Since the inception of the commercial Internet, the United States and numerous governments around the world have allowed for the unfettered development of this medium by adopting a ''hands-off'' approach coupled with industry self-regulation. Without question, this approach is working.
For adults, consumer empowerment tools together with appropriate notice and choice provide the best means for protecting privacy. Self-regulation is better suited for the Internet than legislation as the diversity and technology of this medium foster an environment that is responsive to market forces. This medium is truly global in nature, and the technology is changing rapidly with new issues and solutions thereto emerging daily. Companies at the forefront of the Internet's development truly appreciate how to address consumer concerns without stifling the growth of the medium.
A. Progress From Industry Self-Regulatory Efforts For Internet Privacy Is Significant
With the recent explosion of the commercial Internet, The DMA has worked intensively on a number of public education, technology and self-regulatory initiatives that advance privacy and consumer choice in the online environment. Due in large part to the efforts of our members, self-regulation on the Internet is working.
This conclusion is reinforced by the recent results of the Georgetown Internet Privacy Policy Study. The study shows that 94 percent of the top 100 web sites have posted a privacy policy notice or an information practice statement. When considered in light of the fact that the experiences of a majority of Internet users are dominated by visits to the more popular sites, it is clear that meaningful and effective privacy practices do currently exist online for consumers. Moreover, there has been a significant increase in the number of policies posted in the past year. In fact, close to 66 percent of all sites now post privacy policies, up from 14 percent in last year's FTC study.
Since January 1998, The DMA has scanned many sites on the Web and directly contacted those sites that did not have a privacy policy posted. The improvement in privacy practices of Web sites reflects the progress made as a direct result of efforts to familiarize industry with appropriate online information practices. To be certain, this is just the beginning. Although the Georgetown study indicates significant progress in the number of privacy policies on web sites, there still exists room for improvement in the content of the privacy policies. The study showed that most of the sites do not yet include all of the elements set out in the Online Privacy Alliance Principles. However, 87 percent of sites provide notice with 77 percent providing choice. These statistics are significant to The DMA as notice and choice empower consumers to determine the uses of their information.
The improvements in both the number of Web sites posting privacy policies and the quality and effectiveness of those policies will continue as more companies and individuals are educated about online information practices. Some of the privacy seal programs that have developed specific and detailed criteria to comply with the Online Privacy Alliance Principles are just recently, after much development, beginning to accept applicants to their programs.
B. Electronic Commerce Continues To Grow Rapidly
All evidence continues to indicate that electronic commerce is growing at an unprecedented rate. As the Georgetown study attests, this pace should continue as improvements in privacy practices reinforce consumer confidence in online transactions. The DMA believes that the Congress should be particularly hesitant to enact laws that may disrupt the exponential growth of the Internet, particularly as companies are developing responsible business practices in this medium without regulation.
In addition to the strong indications that self-regulation is working for Internet privacy, the facts continue to make clear that consumers are not reluctant to engage in Internet commerce or to use the Internet. Internet usage continues to increase dramatically, with the number of user computers connected to the Internet having increased in the period from January 1998 to January 1999 from 29 million to more than 43 million. Likewise, revenues from Internet transactions are expected to rise in some estimations to more than $330 billion in 2002 up from $26 billion in 1997. We anticipate that these numbers will continue to grow.
III. The DMA And Others In Industry Continue To Develop And Implement Self-Regulatory Regimes That Are Providing Effective Protection Of Privacy Online
As the impact of self-regulation on Internet privacy is being recognized and e-commerce continues to grow, The DMA is continuing to improve its self-regulatory efforts to empower consumers. In the next two months, The DMA will implement two self-regulatory initiatives that will further demonstrate the tenacity of industry in acting responsibly on this issue. First, on July 1, 1999, The DMA Privacy Promise goes into effect. This initiative requires, as a condition of membership to The DMA, that companies participate in The DMA's mail and telephone preference services. These services are offered free of charge to consumers, giving them the ability to remove their names from the lists of national marketers, substantially reducing their mail and telephone marketing calls. Moreover, companies would have to provide notice to consumers if they transfer data to others and provide the consumer with the ability to opt-out of such transfers.
Second, The DMA will soon launch an e-mail preference service. This service will allow individuals to remove their e-mail addresses from marketing lists in a manner similar to that used in the telephone and mail preference services. This ambitious undertaking is aimed at providing consumers choice while continuing to expand in the interactive economy. Once the e-mail preference service is up and running, participation in this service will also be a requirement of DMA membership. This will include the requirements of notice of transfer to others and opt-out of such transfers.
The privacy policies adopted by individual companies are subject to enforcement by the FTC and state attorneys general. By publicly posting policies consistent with criteria set out in the DMA and Online Privacy Alliance guidelines, companies become themselves subject to deceptive practice enforcement actions under existing federal and state consumer protection law if they do not comply with their stated policies. Thus, this self-regulatory framework is far more than a system of voluntary compliance.
These two efforts will complement the multitude of existing and ongoing initiatives of The DMA that compose a robust and effective self-regulatory framework for online privacy. We describe these efforts below.
A. Online Privacy Principles
The DMA has been at the forefront of developing effective, responsible self-regulatory codes governing the uses and transfer of information by the direct marketing industry. The cornerstone of the industry's self-regulatory codes is The DMA's Guidelines for Ethical Business Practice. These guidelines apply to marketing in all media including the Internet. In addition, The DMA has developed Privacy Principles and Guidance for Marketing Online in order to explain and highlight the issues unique to online and Internet marketing.
The DMA, as a result of its extensive membership, has been very effective in establishing industry-wide compliance with its various codes and guidelines. Through its Committee on Ethical Business Practice, a peer review program, The DMA responds to cases of alleged Guideline violations brought to its attention by an array of sources: business, consumers, public officials, and the media. This peer-review process is effective. Most cases are resolved through cooperation with the Committee and its recommendations. Members that do not resolve complaints cooperatively are also subject to review by The DMA Ethics Policy Committee with the potential for suspension, expulsion, or censure. The DMA has initiated a process that reveals all cases and their resolution. Furthermore, where the subject company has not agreed to follow guidelines after review, its name is publicly disclosed. In instances where violations of law are also found, the Committee refers matters to the appropriate law enforcement agencies.
B. Public Education
The DMA has a vital interest in educating its members and the general public about the responsibilities of people who collect and use data, as well as educating consumers about the process. As a result, The DMA has developed a Web page devoted to privacy and launched its Privacy Action Now and Privacy Promise initiatives.
The DMA has made a special effort to empower children, parents, educators, and librarians by establishing its http://www.cybersavvy.org Web page for them and providing them with tools, information, and resources to ensure safe Web surfing. Additionally, we have produced a "hard copy" version of the Web site, Get CyberSavvy! (available on-line). Get CyberSavvy has the distinction of being awarded first place honors for excellence in consumer education by the National Association of Consumer Affairs Administrators.
C. Technology Solutions
In light of the unique characteristics of the Internet, technology will play an important role in helping users determine and enforce the ways that information about them is used and collected. The DMA and marketers have been, and continue to be, instrumental in the development of this important technology by encouraging, supporting, indeed helping develop and promote, such software. Under this approach, it will be the individual users, rather than industry or government, who will determine the uses of their personal information.
An initiative that supports this concept, the Platform for Privacy Principles or P3P, will soon be available. This initiative, undertaken by the World Wide Web Consortium, is developing a "negotiation" approach for protecting privacy. A broad coalition of information providers, advertising and marketing specialists, software developers, credit services, telecommunications companies, and consumer and online advocates are working together on P3P to achieve a technological solution that will protect privacy without hindering the development of the Internet as a civic and commercial channel. P3P allows a user to agree to or modify the privacy practices of a web site, and be fully informed of the site's practices before interacting with or disclosing information to a site.
This approach will use "negotiation" or "handshake" technology to cater to an individual's privacy preferences with specificity and effectiveness not available in other media. P3P will allow Webmasters to classify information practices on their sites according to a uniform classification system, and enable consumers to "set" personal privacy preferences within their Web browsers. When a consumer visits a Web site that collects information from visitors, the Web site will collect and use personal information of the consumer only according to the consumer's pre-set preferences.
The DMA also has created and made available from its Web site a technical tool that allows companies to create and post effective privacy policies. This Privacy Policy Generator (http://www.the-dma.org/policy.html) enables companies to develop customized privacy policies for posting on their web sites based on the companies' policies regarding the collection, use, and sharing of personal information. The utility of this tool, and the ease with which it is used, is demonstrated by the more than 700 companies that have used it and have sent policies to The DMA for review.
IV. Conclusion
The DMA believes self-regulation and technology initiatives alike, backed by enforcement of existing laws, offer the most effective means to protecting the privacy of individuals in their interaction with Web sites, while ensuring that consumers are afforded opportunities to learn about products and services of interest to them. This approach is already allowing electronic commerce to flourish, while at the same time enabling the development of a privacy regime that is flexible and effective for the Information Age. We congratulate the Chairman for his interest in and exploration of these issues, and look forward to working with the Courts and Intellectual Property Subcommittee.
Mr. GOODLATTE. Thank you.
Ms. Lesser, welcome.
STATEMENT OF JILL LESSER, VICE PRESIDENT, DOMESTIC PUBLIC POLICY, AMERICAN ONLINE, INC.
Ms. LESSER. Thank you, Mr. Chairman, members of the subcommittee. I appreciate the opportunity to be here today to discuss online privacy with you on behalf of America Online, a company that knows very well the value of privacy and the importance of the online medium.
The online medium is quickly revolutionizing the way we learn, communicate and do business. It impacts industries as diverse as booksellers and brokers and also consumers with unprecedented opportunities in convenience. Our customers can sign on to AOL and instantaneously do research, send a letter and find the best deal on an airline ticket, tasks that a few short years ago would have consumed far more of their time. But the technology of the Internet offers something even more unique, the ability to customize and personalize their online experiences.
Consumers can communicate specific preferences online that will allow them to receive services or information targeted to their personal needs. For example, an AOL member can set up her online preferences to get the weather forecast for her own ZIP code, read news stories about her professional interest, or get a notice about the availability of a new CD from her favorite musician.
Still, the power of the Internet can only be fully realized if consumers feel confident that their online privacy is protected. For AOL, protecting our consumers' privacy is essential to earning their trust, and trust is crucial to the success of our business. Indeed, AOL learned this important lesson through our own mistake not long ago when an AOL employee was lured into wrongly revealing one of our member's screen names to the government, something we never want to repeat.
Recognizing the importance of building consumer trust, AOL has taken a number of steps to create a privacy-friendly and trust-rich environment. Building on the lessons we have learned and the input we have received from our members, which is critical, we have adopted a privacy policy to clearly explain to our users what information we collect, why we collect it and how members can exercise choice about the use of that information. We have based our policy on core principles that reflect consumer needs and expectation. For example, we will not read a member's private e-mail. We will not disclose any information to anyone about where a member goes online, and we will not give out a member's phone number, credit card information or screen name without consent.
We give consumers clear choices about how their personal information is used and make sure that our members are well informed about what those choices are. For example, if a customer decides he does not want to receive any marketing materials from us that are targeted to him based on his personal information or preferences, he can simply check a box on our service to let us know, a box that is easy to find and always available.
We also make sure that our policies are well understood and implemented by our employees. We provide training about our privacy policy and require all to sign and agree to abide by a privacy policy as a condition of employment, and we continually review state-of-the-art technology to ensure the most advanced technologies possible to defend consumer data security.
We take extra steps to protect the safety of children online and have created a special environment called Kids Only that allows people to make sure that their children do not interface with strangers or allow strangers to contact their children, and our parental controls allow parents to set safeguards so that members make sure that children don't talk to people they really shouldn't.
In addition to adopting and implementing our own policies, AOL is committed to fostering best practices among our business partners, and we believe this is critical. One of the strongest examples is our certified merchant program, which guarantees our members are satisfied with the merchants they buy from the online environment who participate in this program. We offer a money-back guarantee to dispel consumer concerns about shopping security and increase consumer trust in this powerful medium.
We believe the more work we are able to do with our business partners and require high standards of them, the more likely it is that these standards will become the marketplace norm. As you heard from Christine Varney, we are key supporters of the Online Privacy Alliance and believe that the Georgetown study recently released indicates a lot of progress, more progress than even we would have expected, on an industrywide basis, an industry that is growing so quickly, but as she indicated, our work has only just begun.
We believe the technology is key to this, and we will continue with you, Chairman Goodlatte, to advocate widespread availability of the use of strong encryption to make sure that privacy can be protected across this country and abroad.
And finally, I know I am out of time. Let me just say that we are trying to craft the rules of the road and that good business practices ultimately will dictate whether the industry grows, whether the medium grows and whether e-commerce grows. The challenges that lie ahead will give us the chance to prove we can work together to promote effective online privacy through industry-led, market-driven initiatives with strong government enforcement of laws that prohibit fraud and make certain bad actors on the Net disappear.
Ultimately it is the consumer who will be the judge of whether these efforts are adequate. No matter how extraordinary the opportunities for electronic commerce may be, we know our business will fail if we cannot meet consumer demands for privacy protection and gain their trust.
I appreciate the opportunity to be here, and I am happy to answer any questions you may have.
Mr. GOODLATTE. [Presiding.] Thank you, Ms. Lesser.
[The prepared statement of Ms. Lesser follows:]
PREPARED STATEMENT OF JILL LESSER, VICE PRESIDENT, DOMESTIC PUBLIC POLICY, AMERICAN ONLINE, INC.
Chairman Coble, Congressman Berman, and Members of the Subcommittee, I would like to thank you, on behalf of America Online, for the opportunity to discuss online privacy with you today. My name is Jill Lesser, and I am the Vice President for Domestic Policy at AOL.
The online medium is quickly revolutionizing the way we learn, communicate, and do business. People are migrating to the Internet to meet their commerce and communications needs at an extraordinary rate because it is convenient and fast, and offers an ever-growing selection of information, goods and services. AOL subscribers can sign on to our service and do research, shop for clothes, and buy airline tickets all in a matter of minutes.
In addition, the online environment offers users unique benefits of customization and personalization. Consumers can communicate specific preferences online that will allow them to receive information targeted to their own interests. For instance, AOL members can set their online preferences to get the weather forecast for their own zip code, read news stories about their own hometown, or receive notices about special discounts on their favorite CDs. No other commercial or educational medium has ever afforded such tremendous potential for personalization.
But the power of the Internet can only be fully realized if consumers feel confident that their privacy is properly pr