Executive briefing / Online privacy and e-commerce

The case for baseline federal regulation

Thomas A. Hemphill
Visiting Instructor and PhD candidate in strategic management and public policy, The George Washington University, Washington, DC

Consumer survey and market data say: Only legislation can ensure the full economic potential of the nation’s electronic marketplace in an environment of trust.

Over the past five years, a litany of survey results have registered the intense concern American consumers have about the security of their personal information once it has been provided to commercial Web sites—despite the fact that a far greater quantity of such personal information is available offline. Consumer WebWatch, a project of the nonprofit Consumer Union, reported that as of January 2002, 65 percent of consumers surveyed believed it was very important for a Web site to display its privacy policy—even though just 35 percent reported reading those policies on most sites. The survey also revealed that 93 percent of the consumers expressed major concern that online commercial Web sites they patronize might not attach the highest importance to statements of policy on the use of personal information.

Survey results similar to this have become orthodoxy, even though a December 2001 HarrisInteractive Poll (Krane 2001) found that only 3 percent of consumers read privacy policies most of the time, and two-thirds spend little or no time reviewing them. Nevertheless, although users may not always be diligent in reading such key information, they are consistent in their demands that a site make the information easily available when they do want to read through it. In response to consumer demands, the American business community has now undertaken significant initiatives to address disclosure concerns about online privacy.

In November 2001, IBM announced the formation of the IBM Privacy Institute and the IBM Privacy Management Council to focus exclusively on the privacy and data protection challenges facing its customers. The Institute focuses on developing technologies that help preserve privacy in the areas of e-commerce, including e-business, pervasive and mobile computing, knowledge management, and intrusion detection. The Council, consisting of participants from select public and private institutions, leverages the expertise of privacy and security leaders across finance, health care, government, travel, and other key industry segments. Members work with IBM to address emerging privacy needs and define next-generation privacy management software.

Following that announcement, in April 2002, IBM unveiled a new publicly available software tool called the Tivoli Privacy Wizard. The Wizard transforms written policies into electronically expressed privacy rules that can be understood by monitoring and enforcement software or exported to standard-based privacy rule protocols, such as the World Wide Web Consortium’s Platform for Privacy Preferences (P3P).

In February 2002, the Privacy Leadership Council (PLI), a partnership of CEOs from major corporations and business associations, partnered with the US Chamber of Commerce to offer “Privacy Made Simple,” a free online resource with tools and information that small to mid-sized businesses can use to develop or upgrade their privacy policies and notices. Together with the Internet Education Foundation, PLI also provides an online “consumer toolbox” offering information and links to software that can help consumers protect their information.

PLI also funds extensive research by HarrisInteractive to improve understanding on how best to provide useful privacy notices that consumers can understand. And PLI and the Radio Advertising Bureau have co-produced a series of public service announcements designed to help consumers protect their privacy online.

For proponents of industry self-regulation, the results of a recent national survey of consumer privacy on commercial Web sites reveal that these sites are continuing to evolve and improve for consumers. In late March 2002, the Progress & Freedom Foundation (P&FF), a Washington think tank that promotes innovative policies for the IT environment, issued Privacy online: A report on the information practices and policies of commercial Web sites. With the purpose of keeping such information current, this report is the first data survey of these practices and policies issued since May 2000, when the FTC released Privacy online: Fair information practices in the electronic marketplace: A report to Congress.

At the base of any corporate or industry e-privacy policy structure are the Fair Information Practice Principles, which cover notice, choice, access, integrity, and enforcement. First, before any personal information is disclosed or accepted, the firm must notify consumers of its information practices by posting clear consumer information policies on its Web site in a prominent, unavoidable location. Next, consumers can choose how the information collected from them may be used beyond that necessary to complete the current business transaction. Two choices are usually offered: the proactive “opt-in” (“Yes, you may use the data”) and the passive “opt-out” (“No, you may not use the data”).

Access refers to the ability to view one’s personal data and contest its accuracy and completeness in a timely and inexpensive way. To ensure data integrity, a business should use only reputable sources for information, cross-reference the data against multiple sources, offer consumers access to the data, and destroy or convert data to an anonymous form when it is no longer useful. Finally, enforcement ensures that all the preceding principles will be effective online. Among the alternative enforcement approaches are: industry self-regulation (including third-party privacy/security seal certification programs); legislation creating civil remedies for consumers; and public regulation enforceable through civil and criminal sanctions.

● P&FF survey results

The P&FF survey released in March 2002 was designed to be directly comparable with the results of the FTC’s 2000 survey of commercial Web sites. Advice was even solicited from FTC staff familiar with the design and implementation of the earlier study, in which two samples of commercial Web sites, both B2C and B2B, were studied: (a) a random sample of 335 drawn from all sites experiencing more than 39,000 monthly visitors (totaling 5,625); and (b) 91 of the 100 busiest, or “most popular,” sites.

In the P&FF study, three groups were studied: (a) a random sample of 302 sites drawn from all those with more than 39,000 monthly visitors (totaling 7,821); (b) a refined random sample of 209 that included only those sites in the top 5,625; and (c) 85 of the 100 busiest, or most popular, sites. The results were revealing, with proponents of industry self-regulation able to point to the following progress in privacy practices and policies over the last two years:

• Web sites were collecting less information as of early 2002. For example, firms in the most popular group gathering personally identifying information (PII) other than e-mail (name, address, and so on) fell from 96 percent to 84 percent; in the random sample, the number dropped from 87 to 74 percent.

• The proportion of Web sites that use third-party “cookies” to track Web surfing behavior fell from 78 to 48 percent for the most popular group and from 57 to 25 percent for the random sample group.

• Virtually all of the most popular group and 83 percent of the random sample sites provide at least one privacy disclosure, little changed from the 2000 data.

• For choice over third-party use, consumers opting in more than doubled from 15 percent to 32 percent among the most popular group, while those opting out fell from 49 percent to 30 percent. In the random sample group, opt-in rose from 11 to 18 percent, while opt-out declined slightly from 59 to 53 percent.

• For privacy seal programs, in which third parties independently oversee and audit data privacy, the random sample displaying seals increased to 12 percent, up from 8 percent in 2000. For the most popular group, participation remained virtually unchanged (44 percent in 2002 from 45 percent in 2000).

Although these results indicate an improving environment for preserving consumer privacy, they also reveal persistent weaknesses. The overwhelming majority of commercial Web sites continue to collect PII on consumers, whereas nearly half the most popular group still use third-party cookies to track consumers. Most of the random sample provide some level of privacy disclosure, but only about half of them displaying a privacy seal have policies that include notice, choice, and security. Privacy seal programs such as TRUSTe and BBBOnLine—strongly recommended for adoption by various industry groups as an important disclosure enhancement—still comprise a small percentage of the random group. Finally, the opt-in choice offered to consumers among the random sample is still less available than the more passive opt-out option.

4 Business Horizons / January-February 2003

Paula Breuning, staff counsel of the Center for Democracy & Technology, a public advocacy group in Washington, DC, welcomed the study but commented that “it also shows that privacy protections on the Internet remain so inconsistent that some sort of ‘baseline legislation’ is needed” (O’Harrow 2002). Moreover, the study noted but did not highlight the fact that fewer than half of the random sample group offer consumers some notice and choice about how information is used. “Consumers need to be able to go online and…have a consistent expectation that the privacy of their information will be respected,” said Breuning.

● The FTC and online privacy enforcement

Under Section 5 of the FTC Act of 1914, if a firm posts a privacy notice and does not abide by it in its business practices, it is liable to be prosecuted for deceptive and unfair advertising practices. The FTC has successfully brought civil actions against several Web sites under this statute, including three charging online privacy violations and one involving security—all of which have been settled.[1]

As part of his Privacy Agenda announced in October 2001, the FTC’s new chairman, Timothy J. Muris, promised that new agency efforts would focus on cases involving the following: sensitive information; transfers of information as part of a bankruptcy or reorganization; enforcement of privacy promises under the Gramm-Leach-Bliley Financial Modernization Act and the Children’s Online Privacy Protection Act; and failure to meet commitments made under the European Safe Harbor program to protect consumer privacy. The FTC will also investigate claims touting the privacy and security features of products and services.

The inherent problem with federal enforcement under this statute, however, is that a commercial Web site can be prosecuted only if it has a posted privacy policy. Many sites do not, or have only a selective policy. To ameliorate this inconsistency under present FTC statutes, the government needs to enact federal “baseline legislation” requiring commercial Web sites to offer privacy policy notice and choice as interpreted under regulations to be promulgated by the FTC. Such mandatory disclosure makes consumers more aware of a site’s information disclosure practices, provides uniform standards for privacy policies, offers consumers an opt-in choice, does not adversely penalize firms that currently post privacy notices, and allows the FTC to civilly enforce deceptive and unfair advertising practices. It should also allow for private civil remediation by aggrieved consumers.

Based on its 2000 Online Privacy Survey results, the FTC, in a 3-2 opinion, recommended to Congress to enact legislation that, in conjunction with continuing industry self-regulation programs and developing tech-based privacy enhancement software, would ensure adequate protection of consumer privacy online. Such legislation, the majority of the Commission held, would establish legally enforceable basic standards covering the Fair Information Practice Principles of notice, choice, access, and integrity for online information collection (but with the recognition that different Web sites and different kinds of information may require different versions of the four principles). It would also provide an implementing agency with the authority to promulgate more detailed standards pursuant to the Administrative Procedures Act.

The ascension of new FTC chairman Muris has altered the FTC’s majority position on a legislative remedy. Muris, along with commissioners Orson Swindle and Thomas B. Leary, now make up a majority of the commission on record against such general online privacy legislation as S.2201 (“Online Personal Privacy Act”), which contains extensive requirements for online adoption of the Fair Information Practice Principles. S.2201 prohibits ISPs, online providers, and commercial Web sites from collecting or disclosing a customer’s PII unless they supply clear and conspicuous notice. Moreover, the Act requires them to obtain consumer consent, as well as provide notice to consumers of any change in provider policy on PII collection and disclosure. Providers must also allow consumers reasonable access to their own information and establish and maintain procedures to protect its security, confidentiality, and integrity. Enforcement of this act will be undertaken by the FTC, private users, and states on behalf of residents.

On April 19, 2002, Senator John McCain (R-AZ), ranking minority member of the Senate Committee on Commerce, Science, and Transportation, requested the written views of all five commissioners of the FTC on S.2201. In his reply, FTC chairman Muris noted the potential benefits from general privacy legislation, including a clear set of workable industry rules that could raise consumer confidence in the Net, as well as consistent regulation of privacy practices across the 50 states. However, he emphasized five important points that make the enactment of S.2201 unwarranted:

1. Drafting workable legislative and regulatory standards is extraordinarily difficult, as seen in financial institutions’ efforts to comply with the notice requirements of the Gramm-Leach-Bliley Act (“over one billion privacy notices mailed to consumers with little current evidence of benefit”).

[1] FTC v. Toysmart.com, No. 00-11341-RGS, D.Mass. filed July 10, 2000; Liberty Financial Companies, Inc., FTC Dkt. No. C-3891, consent order entered on August 12, 1999; GeoCities, FTC Dkt. No. C-3849, consent order entered on February 12, 1999; and, under Standards for Safeguarding Customer Information, 66 Fed. Reg. 4162, In the Matter of Eli Lilly and Co., FTC File No. 012 3214, consent order entered on January 18, 2002.

2. The legislation would have a disparate impact on the online industry, even though most observers recognize that information collection today is widespread offline as well.

3. There is insufficient information about costs and benefits.

4. Rapid evolution of the online industry and privacy programs is continuing, as reflected in the results of the 2002 P&FF study.

5. Concern with the diversion of resources from ongoing law enforcement and compliance activities, including the implementation of five new federal statutes since 1996, which have had a substantial impact on privacy-related issues.

● Wanted: Uniform privacy policies

While it is true that “rapid evolution of the online industry and privacy programs” is continuing, fewer than half of the randomly selected sites in the P&FF survey offer consumers some notice and choice about how their personal information is to be used—not exactly an overwhelming majority of Web sites. Nor, as the survey reports, is there consistency in what is being offered as notice and choice. Muris is correct in pointing out the inconsistency in applying one set of personal data collection standards to the online business environment and another to offline business operations.

The FTC is now broadening its policy initiatives, focusing on the misuse of personal information collected offline as well as that collected via the Internet. The offline business environment is a looming target for PII protection and will be a future regulatory battleground. But the economic effects of consumer privacy concerns are now threatening the further development of e-commerce, especially at the retail level. For example, the US Department of Commerce estimates that in 2001 the American consumer spent $32.6 billion on e-commerce retail sales—a figure that could approach $40 billion for 2002. Unfortunately, in its 2000 report the FTC estimated that lost online retail sales due to privacy concerns may be as much as $18 billion, with Forrester Research putting forth a lower figure of $12 billion for 1999.

As the P&FF study results show, industry self-regulation efforts have been helpful to online consumers, but they are inconsistent in their application and uniformity and not very effective. P3P, though a promising protocol for describing privacy practices (especially if non-repudiability mechanisms that negate such privacy protections are developed), is still no substitute for legislation. Moreover, it does not constrain the use of personal information and thus should not be taken into account by legislators in assessing the degree of privacy enforced “by the market.”

The results of an accumulation of consumer survey and market data lead to one inescapable conclusion: To ensure that the full economic potential of the nation’s electronic marketplace be attained, it is now time for business, government, and consumers to create a bond of trust, one based on personal information practice disclosures, voluntary consent, and civil enforcement that is codified in federal legislation.

References

Adkinson, William F., Jr., Jeffrey A. Eisenach, and Thomas M. Lenard. 2002. Special report: Privacy online: A report on the information practices and policies of commercial Web sites. Progress & Freedom Foundation @ www.pff.org (March).

Alderman, Ellen, and Caroline Kennedy. 2000. Briefing: The Internet, consumers, and privacy. Internet Policy Institute @ www.internetpolicy.org/briefing/current.html (site no longer exists).

Beales, Howard. 2002. Privacy notices and the Federal Trade Commission’s 2002 privacy agenda. Progress & Freedom Foundation, Progress on Point @ www.pff.org/Publications/PoP9.10BealesPrivacyAgenda.pdf (March).

Consumer WebWatch News. 2002. A matter of trust: What users want from Web sites @ www.consumerwebwatch.org/news (May 1).

Galil, Yair. 2001. P3P—an imperfect tool for privacy. The Internet Law Journal @ www.tilj.com/content/ecomhead07140102 (14 July).

Internet Education Fund. 2002. IEF toolbox @ www.neted.org/p3ptoolbox.shtml.

Krane, David. 2001. HarrisInteractive, privacy leadership initiative—privacy notices research @ www.ftc.gov/bcp/workshops/glb/presentations/krane.pps (December).

Levitt, Jason. 2001. P3P: Protector of consumers’ online privacy. Informationweek.com @ www.informationweek.com/shared/printableArticle?doc_id=IWK200010816S0004 (20 August).

O’Harrow, Robert, Jr. 2002. Survey of Web finds gains on privacy issues. Washington Post (28 March): E02.

US Department of Commerce. 2002. Retail e-commerce sales in fourth quarter 2001 were $10 billion, up 13.1 percent from fourth quarter 2000. Census Bureau Reports @ www.census.gov (24 February).
