Ruling E-Commerce: The FTC, self-regulation, or both? - Government Activity

Life, for the most part, springs from our private moments. The thoughts and actions that take place behind closed doors affect the lives we lead. We so value our privacy that we're willing to endure the consequences of obtaining and keeping it. Seeking privacy is what led to the Princess Diana tragedy. There's often something in the news about some celebrity confronting some photographer for stepping over the line.

This reverence for privacy isn't, of course, limited to the famous. There's also the little guy--like the one writing this article--who goes online frequently throughout any given day mainly for research, but who also enjoys reading major newspapers, occasionally surfing, and doing a little (very little) shopping. The little guy, who cherishes his privacy as much as the well-known, wants to take part in the Web revolution without fretting over who may know about his or her lifestyle and buying habits.

The issue of privacy on the Internet ranks up there with the controversy over taxing e-commerce. While the jury is out (and may be out for a while) on the taxing issue, those involved in e-commerce policy say it's time for the Federal Trade Commission (FTC) to step up to the plate on behalf of the privacy rights of Internet consumers. Others claim there's no need; give self-regulation a chance to win the game. Besides, the FTC has enough regulations on the books, and more would impede Internet growth. And, there are those who maintain that self-regulatory measures and FTC standards can work together harmoniously to police e-commerce.

"A few years ago we were dealing with companies collecting information about some of their users," says Andrew Shen, a policy analyst for the Electronic Privacy Information Center (EPIC), a research organization that studies privacy issues and technology. "Now we're dealing with online advertisers whose entire business is to track Internet users. Things have gone from uncomfortable to very uncomfortable."

They've become uncomfortable because online companies now have the technology to surreptitiously place information-gathering nuggets of software--cookies--on PCs. There was a time when the information was anonymous; now they know your name. The seal programs-- TRUSTe, BBBOnline--are inherently ineffective self-regulatory measures, Shen says.

"What there really needs to be, what would make consumers more comfortable and increase the frequency of online buying, are some rules of the road--some basic guidelines, basic standards, basic requirements that e-commerce companies have to meet. And I think that's really where the FTC comes in," Shen adds.

Tom Santaniello, a public policy analyst for the Computing Technology Industry Association (CompTia), a lobbying group for high-tech businesses, says self-regulation is working. "Customers choose. If they don't like the way the Website looks, they walk away and go to one that's got a TRUSTe or BBBOnline seal." Santaniello adds, "Consumer education and existing and soon-to-debut software tools to enhance privacy will obviate the need for government intrusion," he says.

Of course, the FTC's mission isn't limited to privacy issues. Claudia Bourne Farrell, an agency spokeswoman, says that since 1994 the FTC has taken law enforcement action against more than 125 Website operators, involving more than 300 defendants. Still, privacy remains the number one concern among Internet users.

"Every survey of consumers that talks about Internet commerce," Farrell says, "finds that the single most influential element in dissuading people from engaging in Internet commerce is privacy. They are fearful that if they use their credit card, someone else will get it. They're nervous that people will be tracking what books they're ordering or what goods they're purchasing. Internet commerce will not achieve its potential unless consumers are convinced the Internet is a secure environment where they do not have to worry about privacy."

Farrell puts the commission's involvement in Internet privacy in perspective: "The FTC traces its interest in the matter back to 1995, the year it held the first of six public forums exploring privacy-related issues. Both the industry and the Federal Trade Commission, at that time, were calling for industry self-regulation as the best route to travel."

In March 1998, the FTC surveyed more than 1,400 Websites, including 200 child-oriented sites. The vast majority collected personal information, but only a small percentage provided a privacy policy. An even smaller fraction of children's sites were woefully deficient in providing parental consent notices. Alarmed at the kind of information that was being collected from children, the FTC approached Congress with a legislative recommendation that would restrict sites from collecting data from children without parental permission. The Childrens' Online Privacy Protection Act was the result, and the FTC has the power to enforce it.

In 1999, two industry-sponsored surveys found the number of sites giving notice to consumers about their information practices had increased substantially since the commission's study. Progress had been made, and the FTC was pleased with the industry's self-regulatory efforts. So, it concluded that while a lot had to be done, industry leaders were demonstrating that they were committed to fair information practices, Farrell explains.

That conclusion and the sentiments it engendered were jettisoned upon the completion of a survey that the FTC conducted early this year. While the survey showed improvement, it found only about 20 percent of the Websites had adequate standards for protecting the privacy of Internet users. The rest fell short because they didn't measure up to the four essential elements of privacy practices as defined by the FTC: notice, choice, access, and security. Commission officials voted to recommend legislation and attended congressional hearings in May. According to The New York Times, the chances are slim that any privacy legislation will be passed this year.

Santaniello says the "overwhelming" majority of his organization's 8,000 members post privacy policies. "We recognize that we have to give consumers confidence in what they're doing online if we expect e-commerce, the Internet to thrive," he says. "We are in 100 percent support of providing consumers with personal privacy protection."

He was highly critical of the FTC's most recent survey. The criteria used to judge the privacy policies of Websites came out of the FTC's back room--there was no input from the industry. Santaniello cited the FTC's requirement that the security disclosure should be posted within the privacy policy. If it wasn't, the Website didn't make the grade. If companies had known beforehand, they would have complied, Santaniello says.

In addition, Santaniello believes more should have been made of the study finding that 90 percent of those Websites surveyed carried privacy policies, a significant increase over the last survey.

"I don't think there's anyone in this industry who does not agree that when it comes to medical, financial, sexual preferences, and child issues...nobody's going to disagree that those are issues of privacy," he says. He fears too much regulation will hurt the mom-and-pop businesses because they don't have the resources to decipher complex laws.

The industry is making rapid headway in self-regulation, Santaniello says, citing the industry's efforts at consumer education and the possible introduction of software that will take Internet users to Websites carrying, for example, only seals from TRUSTe and BBBOnline.

BBBOnline, launched in 1997, offers programs that award businesses reliability and privacy seals. The latter indicates that a Website meets specific standards for protection of personal data, says Gary Laden, director of the BBBOnline privacy program, which started in 1999 and signed up its 500th member in May.

Laden says e-commerce is big enough to accommodate both self-regulation and FTC requirements. "It seems to me we complement each. We do certain things the FTC doesn't do. We review Websites very carefully to make sure they meet all their privacy practices. We get involved in individual dispute resolutions. On the other hand, we don't have law enforcement authority, and the FTC does. So, it's good to know we can make a referral to the FTC if we see a serious problem," he says.

But Shen, from EPIC, says squealing on companies is something seal programs don't do. "We have serious questions about how willing the seal programs are to enforce their standards, to insure compliance of their licensees," Shen says. He was particularly critical of TRUSTe, which has a checkered history.

He maintains that seal programs have an inherent conffict of interest. They have to enforce rules on companies that are paying for the right to carry their seals. No licensee has ever been brought before the FTC. TRUSTe has never forwarded anything to the FTC. It's never revoked any seals from licensees, says Shen.

Shen adds that he wouldn't call seal programs vital to self-governance because so far they've penetrated so little of the e-commerce industry.

"That's complete baloney," says David Steer, a spokesman for San Jose, California-based TRUSTe. "Enforcing the program's rules or punishing a company might be a problem if TRUSTe had, say, only 100 licensees and was dependent upon that revenue base. But when you have almost 2,000 sites that are part of your program, no one Website, no 10, no 100 sites are worth risking the reputation of the program. I would much rather kick a site out of the program, if we have just cause, and give up whatever nominal fee they pay us than risk ruining the credibility of the organization."

TRUSTe, a three-year-old nonprofit, has yet to revoke a license. "We have forced sites to change their business practices," Steer explains. "We've actually forced sites to bring in independent, third-party auditors." He was happy to disclose that no company has been expelled from the program.

Steer says the FTC's legislative recommendation for an e-commerce privacy law, if passed without too much compromise, will benefit consumers and TRUSTe. "TRUSTe and other seal programs were formed not to prevent laws, but in the

absence of laws," Steer says. "TRUSTe saw the need to step in and create a standard of business practice. That standard isn't intended to prevent government oversight. What it is intended to do is actually quite the opposite: When government oversight does happen, it is well-informed."

Mark Richard Moss is a freelance writer based in North Carolina.

COPYRIGHT 2000 Quality Publishing
COPYRIGHT 2002 Gale Group