The explosion of e-commerce has exposed consumers to an unprecedented level of risk regarding personal privacy. Businesses, government agencies and consumer groups agree that privacy protection needs to be drastically improved.
However, there is a tug-of-war brewing over how to accomplish that goal — whether protecting Internet privacy should be a government function or whether the private sector can provide adequate protection for consumers through industry self-regulation.
An initiative launched by the U.S. Commerce Department’s National Telecommunications and Information Administration (NTIA) has brought the issue to a head and stirred a debate among all players. NTIA’s initiative will likely form the basis for the Obama administration’s policy on Internet privacy.
“America needs a robust privacy framework that preserves consumer trust in the evolving Internet economy while ensuring the Web remains a platform for innovation, jobs and economic growth,” said Commerce Secretary Gary Locke when he released NTIA’s report, “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework,” in January.
In conjunction with the report, NTIA issued a Federal Register notice seeking comment on Internet privacy policy, and the agency is now sifting through responses from businesses and consumer groups. While NTIA posed 42 questions for a response — many dealing with various implementation mechanics — there are really two central issues in the privacy debate.
Issue No. 1: Industry vs. Government Regulation
NTIA’s position on industry self-regulation versus exclusive government regulation appears to come down squarely in the middle.
“Self-regulation without stronger enforcement is not enough. Consumers must trust the Internet in order for businesses to succeed online,” said Locke.
Yet the NTIA report supports the notion that industry self-regulation mechanisms remain a viable option for protecting consumer privacy.
NTIA has endorsed the adoption of stronger and more comprehensive “Fair Information Practice Principles” or FIPPs by industry. Currently, FIPPs used in the commercial sector address notices to consumers about personal data collection; choice mechanisms allowing consumers to allow — or not allow — data collection and distribution; consumer access to collected personal data; the provision of data security by collectors; and privacy breach enforcement mechanisms.
These measures still fall short, according to NTIA’s report. Enhanced FIPPS would constitute a “Privacy Bill of Rights,” and “should prompt companies to be more transparent about their use of consumer information; to provide greater detail about why data is collected and how it is used; to put clearer limits on the use of data; and to increase their use of audits and other ways to bolster accountability.”
The next step would be incorporating the enhanced FIPPs into industry self-regulatory codes of conduct, which would be the primary regulatory mechanism, with an indirect and “back-up” role for the Federal Trade Commission (FTC).
Companies and industries that adopted FTC-approved codes would be judged legally compliant from a regulatory standpoint — a concept known as a legal “safe harbor.” NTIA’s report indicates that breaches of industry codes could become the basis for FTC enforcement actions, and it notes that companies would be directly subject to federal and state regulatory action if they did not participate in a self-regulatory program.
A Hybrid Framework
It’s clear from comments that the commercial tech sector opposes direct and exclusive regulation by the federal government — but it appears it will tolerate a secondary role for the FTC in a “hybrid” industry-government regime.
“What we’re supporting is a more robust type of voluntary industry regulation that could be backed up by a governmental mechanism like the FTC,” DLA Piper partner Jim Halpert, general counsel to the Internet Commerce Coalition, told the E-Commerce Times. The coalition represents such heavy hitters as AOL, Amazon, AT&T, Comcast, eBay, Verizon and Tech America.
Such a hybrid self-regulatory framework would be preferable to “inflexible binding rules that would be implemented if the FTC were given rule-making authority,” the group said in its comments to NTIA.
On the other hand, the Consumer Federation of America (CFA) opposes the hybrid self-regulation proposal.
“What happens now with many self-regulatory programs is that if participating companies appear to be doing something that’s bad or that is different than what they publicly promised, the programs let agencies such as the FTC or state attorneys general know,” said Susan Grant, CFA’s director of consumer protection.
“That’s helpful, and sometimes there is a legal basis for taking action against the companies, but it’s not the same as having laws or regulations that companies have to abide by, that provide the consumer with uniform legal rights, and that can be enforced by consumer agencies or consumers themselves,” she told the E-Commerce Times.
“The problem with online privacy is that there are not already laws in place here in the U.S. to provide strong and enforceable consumer protection,” CFA told the NTIA. “It is not possible to fill this vacuum with self-regulatory programs. Participation is voluntary, and enforcement consists of admonishing or ejecting the member. These programs give consumers no enforceable rights.”
Issue No. 2: Consumer Court Remedies
A second major issue is whether consumers should have recourse to mechanisms outside of a regulatory program — such as the ability to take Internet operators to court over privacy matters — legally known as “private rights of action.” Here too, there is a split between the commercial tech sector and consumer representatives.
“Private lawsuits are extremely inefficient and enrich plaintiffs’ lawyers without significantly benefiting consumers,” said DLA Piper’s Halpert.
Some proposals — such as creating a private right of action for statutory or treble damages for “willful” violations and attorney fee shifting — “are in no way a viable compromise on this issue,” he added.
Such a mechanism “would attract nuisance lawsuits claiming huge statutory damages that consume significant litigation expense,” Halpert explained, noting “there are ample alternative incentives to induce companies to participate in self-regulatory programs without this wasteful tool.”
In a separate filing with NTIA, Microsoft supported the Internet Commerce Coalition.
“Microsoft does not believe, however, that a general private right of action for members of the public is necessary or appropriate. A private right of action would create both uncertainty for businesses and unnecessary litigation costs, without a corresponding benefit for consumer privacy,” said the company’s general counsel, Michael Hintze.
The Deterrent Factor
CFA disagrees. “We definitely support the ability of consumers to sue to enforce their rights. Government agencies can’t and won’t take on every issue that merits legal action — they don’t have the resources, and their priorities change. Plus, the damages that consumers can get against companies are in some cases much stronger deterrents than the weak penalties that government agencies can get,” Grant said.
Over the next several months, NTIA will be analyzing the responses as it develops recommendations for a national policy. In addition to major issues, NTIA also wants to address the role of state agencies and whether there is a need for a uniform national regulatory program to ensure equal treatment and consistent enforcement.
Some business sectors, such as finance, already have some form of self-regulatory program, and NTIA also wants to know how these can mesh with any national framework. Another privacy issue is forming standards that address differences between the collection of aggregated and generic anonymous data from Internet operations, as well as standards dealing with individual personal information.
NTIA’s goal is to develop a process that “allows us the speed to respond quickly to new issues of consumer privacy, and the flexibility to have new protections crafted in the most efficient manner,” said Lawrence Strickling, assistant secretary for communications and information at the Department of Commerce.
“We received nearly 100 sets of comments on these recommendations in January,” he told the E-Commerce Times, “and hope to issue a final policy pronouncement on behalf of the administration by late spring or early summer.”
There are definitely many opinions on how to approach consumer privacy. It will be interesting to see what kind of discussion comes out of the Senate’s hearing on the issue this coming Wednesday. If you’re interested in being part of a discussion about online privacy, Technology Academics Policy will be holding a Twitter chat (#TAPtalk)following the hearing. For details:http://techpolicy.com/Blog/March-2011/Care-about-Internet-Privacy–Join-the-Conversation.aspx.