As part of a feverish effort to show that self-regulation can protect consumer privacy online, the Online Privacy Alliance last week proposed relying on electronic seals of approval for enforcement of information collection and use policies.
In the meantime, Federal Trade Commission chairman Robert Pitofsky told a House subcommittee that although the FTC still is hopeful that self-regulation can work, “unless industry can demonstrate that it has developed and implemented broad-based and effective self-regulatory programs by the end of this year, additional governmental authority in this area would be appropriate and necessary.”
Under the alliance's proposal, companies that post a privacy seal on their Web sites would have to clearly disclose how they gather and use marketing data to online consumers. The organizations also would have to agree to work with the seal program manager to resolve consumer complaints.
The alliance is a group of 50 or so companies doing business on the Internet, including Xerox, Yahoo, AT&T, Microsoft and America Online. Though the group's proposal doesn't mention a specific seal program, three current online seal-program managers are nonprofit TRUSTe (www.truste.com), the Better Business Bureau's BBBOnLine (bbbonline.org) and the American Institute of Certified Public Accountants Online (www.aicpa.org).
The alliance's plan comes after an FTC sweep in March of 1,400 Web sites revealed that just 14 percent made “even a passable attempt” at publishing their information collection and use practices online. It also comes on the heels of the Commerce Department's privacy summit in June, in which industry representatives reportedly served as verbal punching bags for privacy advocate panelists.
While the proposal is being hailed as progress, the industry still has its work cut out for it.
“What chairman Pitofsky said was that the industry has made enormous stride, but the work is incomplete,” said Christine Varney, spokeswoman for the alliance and former FTC commissioner. “He is going to be looking again at the end of the year to see where we are.”
Ira Magaziner, senior adviser on policy development to President Clinton, said, “What they're doing now is definitely in the right direction. What we have to do is monitor and make sure it gets done.”
Pat Faley, vice president of ethics and consumer affairs at the Direct Marketing Association, characterized Magaziner's statement as “particularly significant,” adding “clearly the FTC sees action on behalf of industry, but they're also realistic enough to understand that any action of the part of industry takes time.”
However, FTC commissioner Mozelle W. Thompson said industry self-regulation faces two barriers: getting universal adherence to privacy protection policies and crafting an effective enforcement mechanism.
“We're still far away from where we need to be,” Thompson said. “The DMA has focused [its online privacy efforts] on the most heavily trafficked sites, but I don't think that's going to be enough to give consumers confidence to use the Internet as a means for commerce.”
In testimony to the House Subcommittee on Telecommunications, Trade and Consumer Protection, the FTC presented a baseline legislative model that it says would address consumer privacy online if self-regulation fails. Under the proposal, all commercial Web sites that collect personal identifying information from or about consumers would be required to:
* Provide consumers notice of their information practices.
* Offer consumers choices as to how their information is used beyond the purpose for which the information was provided.
* Offer consumers reasonable access to their information and an opportunity to correct inaccuracies.
* Take reasonable steps to protect the security and integrity of personal information.
Marc Rotenberg, director of the Electronic Privacy Information Center, Washington, characterized the alliance's proposal as “too little, too late” and called the FTC's legislative model “in the ballpark.”
Faley said that although the DMA contends that privacy legislation is unnecessary, the general concepts proposed in the FTC's legislative model mirror the general concepts in the DMA's privacy guidelines. However, she said, the DMA has concerns over the access portion of the FTC's proposal.
While consumer access to potentially harmful information — like that in medical records — may be necessary, Faley said, “we do not think that it's necessary for consumers to have access to the databases of direct marketers to determine whether somebody bought a green or blue mitten.”
Meanwhile, the United States still is on a collision course with a European Union directive, the results of which could hurt U.S. business and be politically embarrassing. The directive, slated to become national law among all 15 EU member states by Oct. 24, would bar data from flowing out of Europe into countries with inadequate data protection laws, of which the United States is one.