There's no business like your business: protecting consumer privacy online

With the advance of online technology and its integration into the world of electronic commerce, issues surrounding consumer privacy influence daily business ventures worldwide. While the immediacy of online transactions provides crucial time-saving benefits to consumers, the question of online privacy remains unresolved for personal and business consumers in the United States.

The Clinton administration's 1997 Framework for Global Electronic Commerce urged American companies to construct a self-regulatory approach to safeguard online businesses and industries that account for more than $40 billion in U.S. exports. The result has been the formation of the Online Privacy Alliance, a coalition of more than 50 U.S. companies and trade associations that has adopted comprehensive privacy principles, and committed to the announcement of specific recommendations by September 15, 1998. The alliance has also acknowledged the need for enforcement mechanisms for privacy policy as well as a system of consumer redress.

While the Fourth Amendment to the U.S. Constitution guarantees individual privacy protection to citizens, there is no specific protection afforded to information privacy. Historically, Americans have discouraged centralized authority, and the U.S. Government has been reluctant to regulate unnecessarily private sector industry out of concern for government excess. However, nearly a year has passed since the President's mandate to American business for self-regulation, with no clear policy established.

At a recent privacy conference sponsored by the Department of Commerce, Secretary of Commerce William Daley urged American businesses to find a solution to self-regulation with regard to privacy or face the consequences of government intervention. The Commerce Department has issued a federal register notice requesting public comment on self-regulation and enforcement with regard to information privacy. The Department of Commerce, along with the Office of Management and Budget, provided a progress report to the President in July.

According to the Federal Trade Commission Report to Congress on Privacy Online, released June 4, greater self-regulation in protecting consumer privacy is still needed to boost consumer confidence and participation in the online marketplace. The report included information from the Commission survey of 1,400 web sites, a result of the three-year FTC privacy initiative supporting self-regulation.

Businesses Fail to Comply

Only 14 percent of U.S. commercial web sites surveyed provide any notice of information collection practices, while less than 2 percent provide a comprehensive privacy policy. As a result of these findings, the Commission concluded the need for widely accepted core principles of fair information practice to include notice, choice, access, and security. Adoption of these elements as industry standards would enable companies to build consumer confidence and ensure consistent procurement, management, and availability of information. The FTC further emphasized the need for strict enforcement mechanisms to ensure compliance with these core recommendations. If consumer concerns regarding privacy are not addressed, online commerce will be unable to reach potential. The Commission encourages substantial incentives to business and industry to self-regulate the implementation of basic privacy principles. Specific recommendations will be made concerning the nature of these incentives later this summer.

Children's Online Privacy Concerns

Web sites targeted specifically at children are of grave concern to the FTC. Nearly 90 percent of surveyed children's sites collect personal information directly from children. Of these, 23 percent instruct children to seek parental permission before providing information, but less than 7 percent actually notify parents of their information-gathering practices. Less than 10 percent provide any type of parental control over the collection and use of information. The Commission recommends that Congress develop legislation that places parents in total control of information collected about children. The Commission suggests that such legislation should define and direct basic standards governing the collection and use of children's information, and require all commercial web sites directed at children to comply with those standards. Recommendations regarding this issue, as well as an appropriate response to protect the privacy of all online consumers, will be forthcoming later this summer.

Currently, the only two pieces of legislation designed and adopted to deal with forms of privacy concerns are the Fair Credit Reporting Act (FCRA) and the Cable Communications Policy Act (CCPA). The FCRA ensures proper disclosures of credit information by credit reporting agencies and is comprehensive in scope. The FCRA limits the disclosure of credit information to businesses that have a legitimate need for specific information, and requires that consumers have access to information maintained and disseminated about them. The CCPA established a national cable communications policy by setting guidelines for the cable television industry with regard to cable subscriber privacy. Names, addresses, and any other personally identifiable information is protected, as is the collection process for personal information. There is currently no legislation in place that safeguards consumer privacy online.

E-Commerce Trade with Europe

The advent of electronic commerce has already begun to bolster and reshape economies around the world. The European Union, however, has already taken steps to deal with consumer privacy with the issuance of a directive on data protection. Without a clear privacy protection policy for the United States, differences in enforcing data protection could disrupt the flow of data between U.S. and EU businesses.

Viewed throughout Europe as a fundamental human right, information privacy is advocated at both the private sector and government levels. After more than a decade of research, a directive was issued by the EU in 1995 to specifically address information privacy issues. The Council Directive on the Protection of Individuals with Regard to the Processing of Personal Data and On the Free Movement of Such Data (Directive) takes effect in October, and applies to all member states of the EU*. Each member state must comply with the directive by the effective date. All EU members will have a government agency responsible for implementing and enforcing privacy laws through a networked data environment.

The directive provides protection for individuals online by requiring that consumers not only consent to giving information, but also be apprised of where and how the information collected will be used. Furthermore, information gathered must be used for the original purpose identified to the consumer. For example, with regard to a consumer that provides information to receive a credit card: that information may not be sold to another entity that may target the consumer for a different service. In addition to information protection, the directive defines sensitive data as that pertaining to health, racial, or ethnic origins; sexual orientation; and political or religious beliefs.

Potential problems that could arise for European companies doing business with the United States stem from the directive's comprehensive regulatory approach to privacy. The directive limits secondary uses of information to all industry sectors, and mandates the creation of independent national data authorities.

Companies must register with those authorities before gathering, copying, or transmitting any information, and with few exemptions, forbids the transfer of personal information to non-EU countries that fail to meet the directive's "adequacy" standard.

While the United States continues dialogue with the EU, U.S. businesses and industries are working to find an acceptable mix of self-regulation and government legislation to remain viable competitors in the Internet world market. No matter what policy is adopted by the United States, it is essential that consumer online privacy be protected while maintaining the free flow of information in a global economy.

(*) EU member states include Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, the Netherlands, Portugal, Spain, Sweden, and the United Kingdom.

COPYRIGHT 1998 U.S. Government Printing Office
COPYRIGHT 2004 Gale Group