By now, everyone following privacy issues has heard about the June online privacy study by the Federal Trade Commission, which found a privacy wasteland on the Internet. Most American companies with Web sites are not even paying lip service to privacy. And no one can really claim to be surprised by this finding.
The broader question raised by the FTC is whether self-regulation is an effective way to promote the adoption of fair information practices. The FTC charitably said that industry efforts have “fallen short of what is needed to protect consumers.” Some privacy advocacy groups were not so polite. They proclaimed that privacy self-regulation is a failure.
I want to offer two points. First, American business is justifiably being beaten up with its own self-regulatory club. Businesses, aided and abetted by the Commerce Department, pushed the notion of privacy self-regulation for years. The standard response to European pressure on privacy was that we don't need legislation because we can do it all with self-regulation.
The trouble with that strategy is that no one thought it through. It was, just like most American privacy legislation, an ad hoc response to a current crisis. The goal was to have something to say while waiting for the Europeans to fold their privacy tent and leave us alone.
So far at least, the Europeans have not gone away. Even worse, the rest of the world is adopting privacy policies more in alignment with the European approach. As a result, the United States is becoming isolated in its approach to privacy.
The self-regulatory mantra was, at its heart, a do-nothing policy. Most American businesses hoped that the privacy issue would disappear. It hasn't. Privacy is stronger than ever, especially on the Net and especially concerning children.
Now the rhetoric is coming back to haunt businesses. The FTC was just the first to call the bluff. The agency looked at the results of self-regulation and found nothing there. Even the Commerce Department has begun to inch away from the do-nothing approach. To its credit, the department now talks about effective self-regulation, and that is a whole different kettle of fish.
For the last few years, self-regulation mostly meant self-serving, incomplete trade association privacy policies offering little to consumers but promising companies business as usual. These policies were often cynical public relations activities unrelated to the processing of consumer data in the real world. Commerce finally decided that it could not defend that type of self-regulation with a straight face.
It may be fair to call most current privacy self-regulation a failure, but it is too soon for final judgments. Some more enlightened businesses are working at better self-regulation. They are learning that self-regulation, just like privacy legislation, is difficult. It remains to be seen whether enough businesses can reach agreement on a credible policy, but the sincerity of some of these new efforts is noteworthy.
Secondly, the FTC is guilty of privacy revisionism. Trade associations have for years played the game of redefining fair information practices to suit themselves. Their privacy policies simply omit any inconvenient requirements. The Direct Marketing Association privacy policy is a good example. Much of the content of fair information practices has simply been left out of the DMA policy.
The FTC did the same thing, although not to the same degree. The report sets out five fair information practice principles: notice/awareness, choice/consent, access/participation, integrity/security and enforcement/redress. This is a better list than you will find in most industry codes, but it is incomplete.
For example, giving consumers a choice in how information collected from them is used can be perfectly reasonable up to a point. The DMA has refined this notion even further by saying, in effect, that privacy means opt-out and little else. But there is more to fair information practices than simply opt-out.
One principle is that there should be limits to the collection of data and that data should be collected by lawful and fair means. Other principles seek firm, predictable and known limits on the use and disclosure of information. These principles are not adequately recognized in the FTC report.
Privacy does not mean that anything goes as long as the consumer has not objected. We should not lose sight of the importance of the word fair in fair information practices. Some uses of data and some collection activities are simply inappropriate. Privacy is not just a game of wheedling consumers so that they do not object to anything that industry wants to do with data.
Marc Rotenberg of the Electronic Privacy Information Center has said that privacy policy is being revised to suit the needs of organizations rather than to protect the interests of individuals. Where once there was an understanding that individuals should have the right to access and correct data, now those who favor self-regulation believe it is necessary only to provide access to a privacy policy. Rotenberg surely has a valid point about diminished privacy standards.
I am not a purist when it comes to privacy. Progress rather than perfection is a worthwhile objective. But we have to recognize what we are doing. Ignoring the fundamentals of privacy will not fool anyone for long. The Europeans will look behind labels for content. Eventually, so will American consumers who are most concerned about privacy.
It may not be possible or practical to achieve all fair information practices through self-regulation. Even so, self-regulation may still have a place. Nevertheless, we just can't saw off the flagpole and act like the flag is at full mast.
Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House subcommittee on information, justice, transportation and agriculture. His e-mail address is
