Introduction
The latter half of the 20th century has witnessed remarkable advances in the processing and communication of information. Business, education and leisure have all benefited substantially from this progress. In recent years, the expansion of the Internet has dramatically accelerated the pace of information access and management. However, as so often happens, improvement in technology threatens to outstrip our ability to use it without abuse by particular "bad actors." The accuracy, reliability and privacy of particular materials have generated recent discussion by Washington policymakers.
Americans' penchant for progress and speed has begun to conflict with our collective belief in "the right to be left alone." As information grows more accessible, and is more easily circulated than ever before, protecting privacy has become a much greater concern. This memorandum provides a brief overview of current legislative and regulatory efforts to protect privacy. It offers some preliminary recommendations to design responsible and voluntary on-line privacy procedures to prevent future government regulation.
Background Of Privacy Law
Federal law offers little privacy protection relevant to Internet providers. Generally, it addresses privacy only in the context of the government safeguarding confidential material that it may possess, rather than setting standards for private entities. As a result, the law of privacy has developed in uneven steps, primarily at the state level, and with little national uniformity.
Protections for privacy on the Internet are particularly undeveloped, even in comparison to other fields that have been the subject of recent public debate, such as medical records or financial documents. There is no Federal policy on Internet privacy. Few states have addressed the issue.(fn1) The lack of effective government oversight results from a number of factors. The Internet is relatively new. Its application continues to evolve at breakneck speed. Early legal decisions have reinforced a broad interest in protecting the Constitutional free-speech protection of the medium. Moreover, the Internet remains daunting and unfamiliar to many. Anecdotal reports of misappropriation of information are beginning to lead to additional governmental monitoring and scrutiny. The free-flowing nature of the Internet is seen as integral to its success. Efforts to restrict the flow of information will face fierce opposition.
On August 6, 1999, the President issued Executive Order 13133, which convened a working group to evaluate specific "unlawful conduct on the Internet." The group is chaired by Attorney General Reno. It is composed of all relevant Cabinet Departments and independent agencies. It is required to prepare a report and recommendations by December 6, 1999, on the extent to which new laws are necessary to protect the public from unlawful conduct on the Internet. The working group is also evaluating the sufficiency of existing Administration policy. That policy, issued in July 1997, supported industry self-regulation where possible, technology-neutral laws, and an appreciation of the Internet as an important medium both domestically and internationally for commerce and free speech.
In June 1998, the Federal Trade Commission (FTC) issued a report to Congress on Internet privacy.(fn2) It found protections to be scarce. Of 1,400 websites surveyed, only 14% provided any notice of their information collection practices. Only 2% posted a comprehensive privacy policy that users could view. Although critical of the situation, the FTC did not propose a regulatory fix (which would be inconsistent with White House policy). Instead, as a preliminary step, the report identified four core principles of what it termed "fair information practices" for the Internet. According to the FTC, a website should offer:
- Notice – A section setting out the company policy on gathering information, and for what purposes that information will be used;
- Choice – Options for visitors to decide what information they will provide to the site and how it will be used;
- Access – A mechanism for visitors to access and review the information collected from them; and
- Security – Procedures to protect information from unauthorized access during gathering, storage and use, as well as mechanisms for action in the event that the security of information is breached.
One year later, in June 1999, the FTC issued a second report, on self-regulation of privacy by the on-line industry.(fn3) It noted that the industry had made substantial progress in the area of privacy in the year since the first report to Congress. Citing two private studies of commercial websites, the report indicated that as many as 66% of sites surveyed were posting some notice about their information gathering practices. As many as 44% were posting privacy policies of some sort. Nonetheless, it found that the vast majority of sites did not comply with all four of the principles identified in the 1998 report.
The FTC concluded that, based on the industry's rapid progress towards self-regulation, no Federal legislation was necessary.(fn4) Instead, it proposed an agenda for raising industry and consumer awareness, including: public workshops about on-line profiling and websites' ability to track consumers' on-line behavior; two task forces of industry and privacy and consumer advocates to address implementation of fair information practices and incentives to encourage development of privacy-enhancing technology; and joint efforts with the Department of Commerce to promote private business education initiatives encouraging adoption of fair information practices.
The FTC also noted that there is an ongoing need to monitor the Internet to evaluate progress towards self-regulation. It has promised to be active in this regard. Indeed, between the issuance of its two reports, it brought and settled its first enforcement action related to on-line privacy. In August 1998, the FTC filed a complaint against the website operator Geocities, which ran a "virtual city" of personal home pages and e-mail exchanges, including special children's areas. The FTC charged that Geocities collected personal identifying information from adults and children for purposes of registration and participation in the site, and then sold it to marketing firms without disclosure or consent. In March 1999, Geocities agreed to settle the charges. The consent decree entered into by Geocities required it to post a "clear and prominent" privacy notice on its website, indicating what information is being collected, for what purpose, to whom it may be disclosed, and how consumers may access and remove their information.
Current Legislative Proposals For Protection Of Privacy
This year, Congress considered its response to the issue of safeguarding privacy in an information age. Nine bills have been introduced to address the privacy of medical records.(fn5) Two Financial Services Modernization bills contain provisions on privacy, including requirements that institutions disclose plans to sell or share consumer financial information.(fn6) In May 1999, the Clinton Administration announced a series of legislative initiatives offering an additional mix of provisions on confidentiality of records held by financial institutions.
In contrast to the FTC's conclusion that no new laws are necessary, there has been a flurry of legislative activity directed at Internet providers. At least 14 bills are currently pending in the 106th Congress that relate to protection of privacy on the Internet. Proposals range from a ban on sale of children's personal information without parental consent to banking privacy laws that would extend to information provided by on-line banking customers.(fn7) Although the bills address many topics, certain common themes emerge. Primary concerns include: alerting Internet users to the possibility that information about them may be gathered, and preventing dissemination of personal information without the consent of those who provide it. Several examples are illustrative:
- HR 367, the Social Security On-line Privacy Protection Act of 1999, prohibits interactive computer services from disclosing individuals' social security numbers or related personally identifiable information without prior informed written consent.
- HR 2162, the Can Spam Act, prohibits persons from using the equipment of an electronic mail service provider for transmission of unsolicited commercial e-mail in violation of a posted policy of such provider.
- S. 809, the Online Privacy Protection Act of 1999, authorizes the FTC to promulgate regulations requiring operators of websites or online services to protect the confidentiality, security, and integrity of personal information they collect from individuals (age 13 and above), including a process for them to consent to, or limit, the disclosure of such information.
In each case, the law is aimed at preventing the accumulation or manipulation of information about individuals without their knowledge and consent.
It is not clear whether any of these competing bills will become law, and if so, in what form. It is most likely that a set of public hearings will precede any legislative action. Such hearings occurred in July 1999 related to the sale of pharmaceuticals over the Internet (termed "e-pharmacy"). Consumer groups attacked the practice when a child was reportedly able to obtain the impotence drug Viagra® without a prescription by using his parents' medical information. Testimony by FTC, FDA and other regulators led to the introduction of legislation by Rep. Ron Klink (D-PA) to require pharmacy licensing information, disclosure and confirmation of valid prescription information.(fn8)
The issue is unlikely to fade from public view. Some regulatory action will ultimately be taken. In the meanwhile, the FTC may act on its own, based on its existing authority to curtail deceptive trade practices, if it finds an individual instance compelling. It is not uncommon for an agency to bring a number of high-profile enforcement actions in order to spur an industry towards self-regulation.
Protection of Children’s Privacy
One exception to the general dearth of legal protections of privacy is the area of children's privacy. The Children's Online Privacy Protection Act of 1998 (COPPA) prohibited unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.(fn9) The COPPA directed the FTC to issue regulations requiring operators of websites or online services directed to children to: (1) provide notice on the website of what information is collected from children by the operator, how it is used, and how the operator may disclose it; (2) obtain verifiable parental consent prior to collecting, using or disclosing personal information from children; and (3) provide parents the opportunity to refuse to permit the operator's further use or maintenance of the personal information from the child, and a means to obtain the personal information collected from the child.(fn10) The COPPA provided protection from liability for disclosures made in good faith and following reasonable procedures in responding to a request for information from the parent of a child.(fn11) It also allowed the creation of self-regulatory guidelines by the marketing or on-line industries, to be approved by the FTC in rulemaking, for protection of children's privacy. Operators who complied with these "safe harbors" would not be held to the COPPA standards.
In July 1999, the FTC published its final rule implementing the COPPA. Those regulations, which take effect on April 21, 2000, expanded the general provisions of the COPPA and filled in details such as the placement of notice on a website, what personal information will be subject to the protections of the Act, content of the notice, and mechanisms for obtaining verifiable parental consent to collect, use and disclose information. For example, notice should be posted in a clear and prominent manner on the home page. The preamble to the regulation recommended that it appear on the first screen that a visitor will see, without scrolling down. The notice should be posted at each area on the website where children provide, or are asked to provide, personal information.(fn12) Mechanisms for verifiable parental consent must be reasonably calculated to ensure that the person providing consent is the child's parent. Examples include: a consent form to be signed by the parent and returned by mail or facsimile; requiring a parent to use a credit card in connection with a transaction; having a parent call a toll-free number staffed by trained personnel; and an e-mail accompanied by a PIN or password obtained through one of the above methods.(fn13) Finally, the regulations set criteria for approval of the self-regulatory "safe harbor" guidelines.(fn14)
Designing An Internet Privacy Policy
Even in the absence of a formal government policy, it is important that owners and operators of websites consider issues of privacy and protection of information. The White House and the FTC have stated unequivocally that industry self-regulation may preempt government action. Preparing appropriate policies now can protect against FTC enforcement, forestall unwelcome efforts at external regulation, and ease the way towards compliance with any future standards (voluntary or otherwise) that may be developed. Equally important, websites containing disclosed privacy protections will likely be deemed more credible by consumers.
An Internet privacy policy should be modeled on the FTC's recommended core principles. These were not intended as an operational checklist, but rather to identify concerns to address. The degree of emphasis given to each point may vary depending upon the nature of the site. A privacy policy should be considered as a whole, and no individual component is likely to be dispositive by itself. With that in mind, a privacy policy should include the following elements:
- Prominence – The policy should be easy for consumers to access and read from the moment they arrive at a website. Most policies appear on a separate page within the site, where they can be explained in detail. Thus, the site's home page should contain a link to the privacy policy in a prominent position. The link should appear on all other pages of the site at which a user is prompted to give information.
- Identity – A privacy policy should adequately identify the owner of a website and the affiliates involved in its business. If other parties are involved in the site's operation, and may have access to information submitted, they should be identified as well. Name, address and other contact information should be included.
- Collection of personal identifying information – Personal identifying information is that which, by itself or together with other data, could identify an individual (name, street or e-mail address, phone number etc.). A privacy policy should explain whether and how the website will collect personal identifying information from visitors. Thus, if personal identifying information will only be collected upon explicit request and voluntary submission by the visitor, the policy should state that. If it may be obtained through some other mechanism, that should be made clear.
- Collection of non-identifying information – Websites may also gather information that is not linked to a person's identity; for example, aggregate details on purchasing patterns. If the procedures for collection of this information differ from those for personal-identifying information, they should be explained as well.
- Non-personal information – Many website servers automatically collect information from visitors' computers, such as the kind of web browser used, the operating system of the computer, and the Internet location from which the visitor connected to the site. In addition, the server may place so-called "cookies" on a visitor's hard drive, to enable it to trace communications back or identify the computer when it reconnects. This often occurs without the visitor's knowledge. The privacy policy should explicitly state whether the site collects this information or utilizes cookies or other tracking techniques.
- Use of information collected – Information can be used in many ways. For example, a company may use information gathered on its website to conduct product evaluations or develop marketing programs. Alternatively, it may wish to send promotional offers to site visitors, either through regular or electronic mail. Visitors should be offered a choice as to whether their personal identifying information will be used in this way. One common approach is the so-called "opt-in" method, whereby a visitor is asked in advance whether information submitted may be used in this way. Alternatively, sites may employ an "opt-out" method, whereby consumers are informed that their information may be used in certain ways, unless they object.
- Sharing of information with other entities – A privacy policy should state whether information collected by the operator of a website will be disclosed. Moreover, if the owner or operator of the website is affiliated with other corporate entities, the privacy policy should indicate whether they will have access to the information collected.
- Removal Option – Many sites permit visitors to change their minds about personal identifying information that they may have submitted. Generally, an e-mail address is listed, through which visitors may request that their information be removed from the site operator's records.(fn15)
- Security – A privacy policy should assure visitors that procedures are in place to ensure the security of information collected on the website, e.g., encryption, company policies and training programs for personnel. It is not necessary to provide details of these protections, but they should be identified to visitors in a general way.
- Children – In the wake of COPPA and the Geocities action discussed above, many sites have begun to include statements in their privacy policies that they do not wish to gather personal identifying information on children younger than a certain age (often 14 years of age). This is often accompanied by a recommendation to parents to advise their children not to send out personal identifying information.
Prototype Language For Disclosure
It should be no surprise that the innovative Internet industry has already created a number of websites to assist companies in designing and implementing privacy policies. The sponsors of search engines also use "pop-up" boxed warnings when information may be unprotected. Privacy-related websites include TRUSTe (www.truste.org) and HONcode (www.hon.ch). These services provide permits to other websites which comply with specified privacy policies, and which pay a fee, allowing those sites to display a "seal of approval."
Below is some "boilerplate" disclosure language which various law firms have drafted to comply with the FTC standards, state privacy laws and the principles of websites displaying these "seals of approval."
- Confidentiality – We at [name of company] recognize your right to confidentiality and are committed to protecting your privacy. We use the information that we collect on our site to provide you with a full range of services. When you order, we will ask you to set up "your account." This includes your name, e-mail address, mailing address, credit card number and expiration date, as well as certain other information when you order products. In addition, we ask that you indicate whether you would like to receive e-mail from [name of company] keeping you informed of new products or features. If you would like to review or revise the information we have in your account, you may access such information by clicking on the "your account" icon on any screen. We protect your account information against unauthorized access or release. We will not give, sell, rent, or loan any identifiable personal information to any third party, unless legally required to do so. We may share non-personal, summary, or aggregate customer data with partners and other third parties.
- OnLine Security – When you place an order online, your personal information and credit card information are encrypted using SSL encryption technology before being sent over the Internet. This makes it virtually impossible for your information to be stolen or intercepted while being transferred to [name of company]. Your credit card information is always stored in encrypted form in a database that is away from our website database so it isn't connected to the Internet, and is therefore safe from hackers.
- Cookies – In order to enhance the service we can provide, we use a feature on your Internet browser called a "cookie." Cookies are small files that your web browser places on your computer's hard drive. We use cookies to let us know that you are a prior customer and that you found us through a particular site or advertisement. We also use cookies to retrieve certain information previously provided to us so that you don't need to reenter this information every time you shop at the site. Cookies are not used to access information entered on the secure server. This information can only be accessed when you enter your name and password.
(fn15) The FTC report recommends providing visitors access to the data collected about them. In many instances, this may create a considerable administrative burden for the website operator, and substantially increase the security concerns for the site. A removal policy may be structured to satisfy FTC's concerns in a less burdensome