On Oct. 4, the new chairman of the Federal Trade Commission announced that he would not support new privacy legislation, but rather would intensify the FTC’s enforcement of existing laws. In making this statement, chairman Timothy J. Muris reversed the FTC’s 2000 recommendation to Congress that it enact a general privacy law.
While this policy change at first blush may appear favorable to industry, a close look at Muris’ reasons underlying his position, and the implications of having no legislation at all, reveals otherwise.
Muris said he did not favor new privacy legislation for several reasons. First, he commented, “It is too soon to conclude that we can fashion workable legislation” to address consumer concerns about the collection and use of personal information. Second, he contended that the financial industry’s compliance with the Gramm-Leach-Bliley Act resulted in “a blizzard of barely comprehensible privacy notices” that have been characterized as “creating a ‘digital mattress tag.’ ” Third, he expressed hesitation at enacting privacy legislation that would apply only in the online context. Last, he noted the slowing of the growth of the Internet and expressed the need for a more detailed cost/benefit analysis of new privacy legislation in the online context.
“Virginia, there is no privacy law.” In the absence of a general privacy law to guide marketers in their data collection and use practices, industry will continue to feel its way in the dark, risking liability at each wrong turn. Many of the privacy-related regulatory enforcement actions and private lawsuits to date have resulted from online marketers engaging in activities that until recently have been considered “business as usual,” and in some cases, pursuant to legal mandate.
For example, when Toysmart.com declared bankruptcy, it sought to sell its assets for the benefit of its creditors, which it is required to do by law. Little did the owners of the company realize that the FTC and more than two dozen state attorneys general would seek to stop the sale, claiming that it would violate the defunct toy seller’s privacy policy.
Further, who would have thought that stating “We do not share customer information with third parties” in a privacy policy would be interpreted so broadly as to prohibit the provision of customer data to a service provider, such as a site evaluation firm? Every day, offline marketers use and share customer information with third-party service providers with no public or regulatory outcry. But an online entity that seeks the same outside help gets crucified. Perhaps this disparate treatment is what prompted chairman Muris to say that he is hesitant to recommend privacy legislation that applies only to online marketers.
And what about the online/offline privacy debate? Will Muris’ position on no new legislation today result in a law tomorrow that covers all data, online and offline? The list industry is well advised to make sure that this never comes to fruition.
Significantly, without legislation, marketers are left unsure as to the basics: What is an acceptable privacy policy? What type of notice is sufficient? Opt in or opt out? Can an online business change its policy every time it changes its business plan? As most marketers know, the answers to these questions are far from clear.
Last, without general privacy legislation, with few exceptions, there is no legal requirement to create and post a privacy policy, so why bother? Indeed, the only sure way a marketer can attract the attention of the FTC or become the target of a class-action suit is to create a privacy policy, and then violate it. On the other hand, industry leaders vociferously trumpet the virtues of posting a privacy policy: Build customer trust! Keep Washington out of our business!
These competing interests have placed online marketers in a schizophrenic state, resulting in privacy policies that are written by lawyers for lawyers. In the end, what was intended to help consumers understand a marketer’s data collection and use policies has resulted in barely understandable notices that no one reads anyway.
New agenda. In lieu of recommending new privacy legislation, Muris outlined his plans for the FTC to take a more active role in enforcing existing laws. For example, Muris announced that the FTC would expand and make systematic reviews of Web site privacy policies and undertake proactive enforcement efforts, such as seeding lists with names in order to ensure that disclosure restrictions are followed. This approach underscores the anomalous position in which online marketers that post privacy policies find themselves, in contrast to marketers that choose not to post a privacy policy.
The chairman’s revised FTC agenda also includes the scrutiny of products touting privacy or security features, to ensure that sellers that offer such features deliver on their promises of increased privacy or security.
Enforcement of existing sectoral laws. Muris gives a mixed message on the enforcement of existing sectoral privacy statutes. He indicated that efforts to enforce the Children’s Online Privacy Protection Act would continue, though he was highly critical of the Gramm-Leach-Bliley Act. He said that the privacy notices issued under the GLB Act “should give everyone pause about whether we know enough to implement effectively broad-based legislation based on notices.” The chairman’s GLB agenda entails the scheduling of an information workshop; no mention of enforcement of this privacy statute was made other than in the context of combating “pretexting” (obtaining personal financial information about a customer by posing as the customer).
Telemarketing. Muris indicated that the FTC’s current focus on telemarketing as a fraud issue would be expanded to include consumer privacy as well. He recommended an amendment to the Telemarketing Rule that would establish a federal “one-stop do-not-call” list. While current federal law requires telemarketing firms to create and maintain their own internal do-not-call lists and some states require firms to subscribe to state-run lists, Muris’ proposal would create a single national registry.
This proposal, while well-intentioned, has been considered and defeated in past governmental rule makings. As many professionals in the telemarketing industry know, the Federal Communications Commission considered and rejected a national DNC list when it promulgated rules pursuant to the telephone Consumer Protection Act of 1991. A national DNC list is problematic for other reasons, such as companies sending en masse the names of their customers to a national DNC center so that their competitors are unable to contact them.
Industry-driven initiatives. The chairman’s presentation included statements supportive of industry efforts on privacy issues, including the U.S.-European Union “safe harbor” program and efforts to encourage Internet sites to post privacy policies.
Muris heralded the debut of the Platform for Privacy Preferences, a technology that permits Internet users greater control over the provision of personal information, commenting that the P3P approach is “much more manageable than today’s site-by-site, notice-by-notice regime.” Again, a great idea in theory but, to be truly effective, every Web site would need to “write” its privacy policy in XML (extensible markup language) so that consumers with P3P loaded on their browsers will be able to “read” these policies.
While Muris’ position on general privacy legislation may come as a relief to many in the marketing industry, companies are well advised to not just sit back and breath a sigh of relief. Instead, the challenges become greater than they were before. In addition to the privacy quagmire remaining murky, the FTC will no doubt increase its enforcement initiatives to cover not just online data collection and use practices, but also telemarketing and other marketing channels.
