04.23.01

National Association of Attorneys General Internet Law Conference

Senator Maria Cantwell

Personal privacy has emerged as one of the most significant public policy issues in the digital age. During my campaign, polls consistently indicated that people rank personal privacy among their top five concerns. The concern remains as high a public priority today. The public is demanding protection and we have an obligation to find viable solutions.

I have long been concerned about how government can provide better protection for consumer privacy. I first became involved in this issue during my time in the House, where I fought for the export of strong encryption products recognizing the fact that unless companies were allowed to compete in the global marketplace, they would be hard-pressed to make available strong encryption to Americans.

The issue is not only one of personal communications or the data collection by commercial businesses. There are significant problems with how the government is handling personal data that it collects and manages. In September of last year, GAO reported that twenty-three of the seventy federal agencies that it studied share personal information. At least four agencies shared information with non-governmental third parties. All of this without notice to the individuals.

GAO is now reporting that as government agencies share personal information, new personal information results anew. This linking and collocating of data may be simply for efficiency, but GAO believes that the sharing of information raises questions about how the 1974 Privacy Act and the 1988 Computer Matching and Privacy Protection Act are being enforced. Even in a matter as simple as the use of cookies, the executive branch's Inspectors General reported recently that over 60 federal web sites continue to use cookies in spite of a Clinton Administration policy curtailing their use. Another troubling area is that of Carnivore, the government's system to facilitate screening of e-mail. Even if Carnivore turns out to be managed within the legal bounds of the Constitution, the questions being asked are critical and I believe this is an area where we will see new laws enacted to better assure an individual's 4th Amendment right against improper search and seizure. It may be that more people are concerned about the U.S. government obtaining DoubleClick's consumer profiles than they are about DoubleClick collecting that information. So we need to assure proper constraints against such government intrusion, whether it is into our personal e-mail or other data sources.

I believe that privacy law should be as simple as possible and clear as to what citizens can expect. Your colleague Lawrence Lessig proposed a property right in privacy - you may or may not agree with a property right, but in this digital age, the time has come to clarify what aspects of privacy - generally speaking - should be legally protected.

This is not to say the issue is not complicated. There are many important policy considerations that could be discussed such as whether one privacy law fits all, whether software and the Internet space should be treated differently than real world space. Let me focus for a moment specifically on online information that consumers are asked to provide when they access a web site or complete a transaction, and the information collected and aggregated to create consumer profiles.

Consumers certainly have differing expectations regarding information that they provide to retailers, as compared to medical or financial service providers. And while one may not be too concerned about providing personal information to one business, when that same individual becomes aware that this information is being aggregated with that of other businesses, and a consumer profile is being compiled by a third business, individuals are rightly concerned. The online industry has made some effort to address consumer concerns. Seal programs and the new "Network Advertising Initiative," which will allow consumers to opt-out of accepting advertisers' cookies, have been two approaches. But in many cases, these efforts have not been widely adopted or fully implemented or come close to dealing with the speed and proliferation of online information.

Self-regulation makes sense in a number of other business realms. The entertainment industry is charged with self-policing its rating systems--movies, games. In practice, the system is relatively simple - and merely provides a level of comfort to the public that they will be informed as to the character of a particular film or game. In contrast, personal privacy is at some level a Constitutional right - and even if you disagree with me on this point, it is incontrovertible that in regard to much of the information we are discussing, protection of privacy is a widely held public expectation. Absent adequate controls, actual and substantial harm can come to individuals and the public at-large. The worst case of this is identity theft. The victims find their lives turned upside down while they struggle for help in apprehending the perpetrators and straightening out their personal finances.

Some have argued that technology will be the solution. I believe technology will be part of the solution. Technology will be the means by which consumers will be able to control their personal data flow. Technology will be the mechanism that will impose compliance with the rules and laws. P3P will be a good start toward greater consumer control. And there are several technologies coming to market that incorporate P3P, and go farther. Microsoft's Hailstorm will be P3P compliant, and provide a wide range of other consumer controls for data. Another Seattle organization, XNS.org, has designed an open standard technology that gives consumers very granular control over their data and privacy choices. XNS, which is P3P compatible, has two components. The system facilitates compliance with laws, permissions, or business management imposed controls. But technology is only the means of execution, software does only that which the programmer designs it to do. And in this regard, Lawrence Lessig had a point. In my view, the code is an integral part of the implementation of the law. So technology alone is not the solution. Regardless of the technology, we must set rules.

In the last Congress, over 30 bills were introduced that addressed some aspect of consumer privacy. As to bills targeted at protecting a consumer's personally identifiable information on the Internet, two bills received substantial attention. Senators McCain and Kerry introduced a bill that provided that a web site operator could collect personally identifiable information online only if the operator provided notice and an opportunity for a consumer to "opt-out" of particular uses or disclosure to third parties. The bill provided for state or Federal Trade Commission enforcement.

Senator Hollings introduced a broader bill, applying to online activities, with special provisions for book, recorded music and video sales, and satellite television services. Senator Hollings' bill incorporated all five "fair information practice" factors: notice, choice, access with the ability to correct the information, security and enforcement. The bill provided for a private right of action and preempted conflicting state law.

This Congress, Representative Eshoo has already introduced in the House Senator McCain's bill from the last Congress. Others have also introduced bills to address Internet privacy. Senators McCain and Hollings are expected to reintroduce versions of their legislation from last year and I expect we will see more to come. It is my impression that until hearings are scheduled, there will be no real movement on any of these bills.

Over the last two years, we have seen the mood of the affected industries swing from staunchly opposing regulation, to quite recently suggesting that federal law that preempts state laws could be acceptable to many segments of the affected community.

And most recently, we have heard that many of those briefly supportive of a federal law are now backing away. If this is indeed the case, I believe this latter shift is very short sighted.

There must be a federal legal framework--a floor if you will, that will protect the consumer and provide adequate recourse where personally identifying information is mishandled. The framework should be something that can apply to technology as it evolves. We cannot even fathom the possible technologies that will be on the market in only a few years.

Lawrence Lessig proposed a property right in privacy; there is a simplicity in the notion that I appreciate. People should be as familiar with their privacy rights as they are with the Miranda warning. They should understand that regardless of the technology or context for data collection or storage, they can have clear expectations.

What should the overarching goals of this privacy framework be?

Transparency: Consumers should be able to understand what information is being collected about them and know how the information may be used by those collecting it.

Property Rights: Consumers should be able to say "no" if they do not want their information used in a particular way.

Predictability: The law should be clear so as to create an environment of certainty and predictability for both consumers and online businesses.

Flexibility: The law must be flexible enough to adapt to technological solutions yet to be developed.

The Washington State Legislature with the help of Attorney General Christine Gregoire tried to create a uniform law that would protect Washington citizens from: "fraud, deception, nuisance, invasion of privacy, and breach of confidentiality related to the disclosure of personal information." The legislature attempted to find that dissemination of certain sensitive information causes a great risk of harm to the consumer and that requiring consumer authorization to disseminate such sensitive information best balanced the benefits and harms of disclosure. This legislation did not pass as the legislature learned that indeed, creating certainty with flexibility is a challenge.

And the number of bills and range of the proposals that we have seen introduced at the federal level reflects how complex this issue is, as well. But we need to move forward and reconcile the different viewpoints because we are only at the tip of the iceberg of the information age.

There are a number of issues that we have to address in designing a federal privacy scheme. The first, and the most fundamental, question is whether a law should incorporate the five fair information practices - notice, choice, access, security and enforcement. There are some who say this should not be our starting place.

I disagree. These basic principles have been developed and accepted through years of study, and in some cases are law. They have evolved from the then Department of Health, Education and Welfare work that was the basis of the 1974 Privacy Act. In my view, a federal law should address each of these factors in a manner that would meet the goals I have described.

I will comment briefly on each of these practices, although there certainly are nuances that we need to consider. I know you will be delving deeper into these principles throughout this conference.

Notice is the cornerstone of transparency. The provisions should assure consumers are enabled to provide truly informed consent when they so choose. But I would expect that a very flexible framework would be established. A federal law has to be compatible with the range of technologies not even in place yet. But the bottom line is that notice has to be clear, conspicuous and easy to understand.

Choice and access are fundamental to recognizing that an individual has a right to control information about the individual. There are reasonable arguments that support the notion that in some circumstances, if the notice (and the "opt-out" device) is clear, conspicuous and in plain English then opt-out may be a reasonable option. The important point is that a consumer should be provided the opportunity to make the choice, and if he or she wants, to change his or her mind.

Access and a consumer's ability to correct inaccurate information is a very complex matter. There must be a mechanism for a consumer to access personally identifying information and make corrections. But the process must be a reasonable one. First, it is in business' best interest to want to have the most reasonably accurate information possible. More importantly, if the information is going to be used to make decisions that may have significance to the consumer, the consumer should be able to check that the information is correct.

As to security, this is an area that is of substantial concern to consumers and businesses alike. Companies should be required to take reasonable steps to protect consumers' information once it has been provided.

The final element of the fair information practices, enforcement, is somewhat interconnected with preemption. Should there be only federal agency enforcement? State enforcement of the federal law? A private right of action? If there is only federal enforcement, will there be adequate resources to fulfill the promise of the law? Will state attorneys general have adequate resources? If you empower every individual, will there be frivolous lawsuits? If you don't empower individuals, will the law be meaningful?

The goal of the legislation is to protect individuals not only from major industry players that fail to adequately protect privacy - in fact, these may be the least likely businesses to break the law, but also from smaller, more numerous bad actors. I think this may be an area to look for alternative models rather than simply looking at who can enforce - possibly we could consider a hybrid of the three most often discussed options.

I am not offering any legislative proposals here, but it may be worth thinking of other models. One construct that has been mentioned to me would provide a consumer an opportunity for recourse only after he or she gives a government agency the opportunity to pursue an action, something akin to the process for an employment discrimination action. An individual with a complaint must first file with the EEOC, and if the EEOC takes no action, the employee has a period of time to file a lawsuit. Another approach would be to mandate an alternative dispute resolution precursor to litigation. Or maybe the law could provide an incentive for companies to participate fully in a seal program by creating a safe harbor for participants. One bill introduced in the House has such a provision. Possibly this could be a first line action - with some ability to bring a complaint to the government thereafter. These are just some ideas to think about.

A major question, to which I know you are particularly sensitized, is that of federal preemption of state law. There are good arguments, in light of the national, or actually international, nature of the Internet to have a federal standard. But historically, states have had a primary responsibility for protecting consumers. Indeed, states have led in consumer protection. Today, most states have developed a substantial and sound body of law in the area. Even in regard to personal privacy, states have been struggling against strong forces to develop meaningful protections for the consumer. So it is a difficult question. Regardless of the framework, we must insist that you, representing your states, are involved in developing those protections.

As you will all be discussing today and tomorrow, there are many complex issues that we need to address. I have outlined only one basic framework. A legislative solution must be crafted with all affected parties at the table. We need to bring together Members of Congress, state and consumer representatives, the online business communities, and importantly, the companies developing new technologies, to craft the proper federal framework. The ultimate law should, as I said, provide flexibility for both the consumer and businesses and create a transparent environment for data sharing. We need to work effectively together to craft a federal law that will protect consumers and bring to consumers the promise of the Internet.