The Commission's primary statutory jurisdiction in this area is the Fair Crediting Reporting Act and the Federal Trade Commission Act, which I would be happy to discuss further, not as part of my testimony, but in response to the members' concerns. We are focusing primarily in the testimony today on what the policy and self-regulatory approaches should be to Internet privacy.

The Commission's approach has been to first assess the impact of consumer protection issues for consumers online engaging in commercial transactions, to provide a public forum for the exchange of ideas and presentation of research and technology, and to encourage industry self-regulation. The Commission supports technological innovation and encourages industry self-regulation.

I want to touch on three areas of Internet privacy and privacy generally: first, look-up services; second, unsolicited e-mail and, third, online privacy generally.

First as to look-up services. In response to a growing public and Congressional concern, the Commission examined the availability of sensitive personal identifying information through computerized databases that are used to locate, identify or verify the identity of individuals. These are often referred to as individual reference services or look-up services. The Commission's study of this issue culminated in a report to Congress this past December.

The Commission found that a vast amount of information is available about consumers through these services both through proprietary networks and on the Internet. The Commission found that the look-up services provide some valuable benefits in terms of law enforcement agencies' ability to carry out their mission, parents' ability to find missing children, journalists to report the news and consumers to find lost relatives. At the same time the availability of this information poses risks to consumers' privacy and financial interests, including the possibility of increased incident of identity theft.

Fourteen companies, a substantial majority of the individual reference service industry, as well as the three major credit bureaus, agreed to abide by what are called the IRSG principles, a set of principles that address the availability of information obtained through these services. These principles primarily address access to individual information obtained from non-public sources contained in these databases.

It's noteworthy that the IRSG principles prohibit distribution to the general public over the Internet or otherwise of certain nonpublic individual, including Social Security number, mother's maiden name and date of birth.

These principles show particular promise because of their degree of specificity, their inclusion of a compliance assurance mechanism and the likelihood they will influence virtually the entire individual services industry.

The Commission concluded that these principles addressed many of the public concerns about these databases and suggested that these principles should be given a chance to operate before any legislation was enacted in this area.

Turning to unsolicited e-mail, the Commission has gathered a considerable body of information about the growing problem of unsolicited commercial e-mail.

Three initiatives have resulted from this effort.

One is we have encouraged a cross-section of interested parties, including Internet service providers, online firms, senders of unsolicited e-mail and privacy advocates to form a working_group, which they have done under the auspices of the Center for Democracy and Technology. They are expected to issue a report outlining some proposed solutions to this problem. Second, the Commission using its existing statutory authority has brought a number of enforcement actions in this area. And, third, we've launched an educational campaign.

If I could just have an additional minute or two on online privacy generally.

Mr. COBLE. Without objection.

Mr. MEDINE. The Commission has focused extensively on the collection of information about consumers online and through its public workshops has encouraged and facilitated self-regulatory efforts. This month we are surveying 1,200 web sites to assess whether they are posting privacy policies, giving consumers choice over use of their information and giving access, as well, to that information. We will be issuing a report to Congress in June reporting on the results of that as well as assessing industry self-regulatory guidelines.

We believe the report we submit to Congress will shed light on how much progress has been made in self-regulation and in achieving effective online protection for consumers, and if progress is inadequate in this area, appropriate alternatives may need to be explored.

Thank you for the opportunity to discuss these timely issues. [The prepared statement of David Medine follows:]

PREPARED STATEMENT OF DAVID MEDINE, ASSOCIATE DIRECTOR FOR CREDIT PRACTICES, BUREAU OF CONSUMER PROTECTION, FEDERAL TRADE COMMISSION

Mr. Chairman and members of the House Judiciary Committee: I am David Medine, Associate Director for Credit Practices, Bureau of Consumer Protection, Federal Trade Commission ("FTC" or "Commission"). I appreciate this opportunity to present the Commission's views on the important issue of privacy on the Inter

net. 1

I. INTRODUCTION

A. Internet Privacy

The Internet is an exciting new marketplace for consumers. It offers not only easy access to a vast array of goods and services, but also to rich sources of information that enable consumers to make better-informed purchasing decisions.

The online consumer market is growing exponentially. In early 1997, 51 million adults were already online in the U.S. and Canada.2 Of those people, 73% reported that they had shopped for product information on the World Wide Web ("the Web”), the interactive graphics portion of the Internet.3 By December 1997, the number of adults online in the U.S. and Canada had climbed to 58 million, and 10 million had

1 My oral testimony and responses to questions you may have reflect my own views and are not necessarily the views of the Commission or any one Commissioner.

2 CommerceNet and Nielsen Media Research, CommerceNet/Nielsen Media Demographic and Electronic Commerce Study, Spring '97 (March 12, 1997) (defining adults as individuals over 16 years old) (reported at <http://www.commerce.net/work/pilot/nielsen-96/press/97.html>) [hereafter CommerceNet / Nielsen Demographic Study, Spring '97]; IntelliQuest Communications, Inc., Worldwide Internet / Online Tracking Service (WWITSTM): Second Quarter 1997 Study (Sept. 4, 1997) (reported at <http://www.intelliquest.com/about/release32.htm>).

3 CommerceNet/Nielsen Demographic Study, Spring '97.

actually purchased a product or service online. Further, analysts estimate that Internet advertising-which totaled approximately $301 million in 1996—will swell to $4.35 billion by the year 2000.5

These figures suggest rapid growth of the online marketplace, but there are also indicators that consumers are wary of participating in it. Surveys have shown that increasing numbers of consumers are concerned about how their personal information is used in the electronic marketplace. This research indicates that consumers have less confidence in how online service providers and online merchants handle personal information than they have in how traditionally off-line institutions, such as hospitals and banks, handle such information.6 In fact, a substantial number of online consumers would rather forego information or products available through the Web than provide a Web site personal information without knowing what the site's information practices are. According to the results of a Business Week survey released earlier this month, consumers not currently using the Internet ranked concerns about the privacy of their personal information and communications as the top reason they have stayed off the Internet.8 These findings suggest that consumers will continue to distrust online companies and will remain wary of engaging in electronic commerce until sufficient consumer privacy protections are implemented in the online marketplace.

B. The FTC's Role

The mission of the FTC is to promote the efficient functioning of the marketplace by protecting consumers from unfair or deceptive acts or practices and increasing consumer choice by promoting vigorous competition. The Commission undertakes this mission by enforcing the Federal Trade Commission Act, which prohibits unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce. The Commission's responsibilities are far-reaching. With the exception of certain industries, this statute provides the Commission with broad law enforcement authority over virtually every sector in our economy.10 Commerce on the Internet falls within the scope of this statutory mandate.

C. The FTC's Approach to Online Privacy

The Commission is taking a proactive approach to online privacy issues impacting consumers by: (1) identifying potential consumer protection issues related to online marketing and commercial transactions; (2) providing a public forum for the exchange of ideas and presentation of research and technology; and (3) encouraging self-regulation.

The Commission's first public workshop on privacy was held in April 1995. In a series of hearings held in October and November 1995, the FTC examined the implications of globalization and technological innovation for competition issues and consumer protection issues, including privacy concerns. At a public workshop held in June 1996, the Commission examined Web site practices in the collection, use,

and

4 CommerceNet and Nielsen Media Research, CommerceNet/Nielsen Media Demographic and Electronic Commerce Study, Fall '97 (December 11, 1997) (reported at <http:// www.commerce.net/news/press/121197.html>) [hereafter CommerceNet/Nielsen Demographic Study, Fall '97). See also Yankelovich Partners, 1997 Cybercitizen Report (Mar. 27, 1997) (reported at <http://www.yankelovich, com/pr/970327.HTM>) (finding that 23% of users ordered and paid for a product over the Internet, i.e., "transacted" business online).

5 Jupiter Communications, 1998 Online Advertising Report (Aug. 22, 1997) (reported at <http:/ /www.jup.com/digest/08229/advert.shtml>) (figure includes directory listings and classified ad

vertisements).

6 Commerce, Communications, and Privacy Online, A National Survey of Computer Users, by Louis Harris & Associates and Dr. Alan F. Westin (1997) (hereinafter referred to as "Westin Survey") at ix.

7 Id. at 20-21.

8"Business Week/Harris Poll: Online Insecurity," Business Week, March 16, 1998.

915 U.S.C. §45(a). The Commission also has responsibilities under approximately thirty additional statutes, e.g., the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq., which establishes important privacy protections for consumers' sensitive financial information; the Truth in Lending Act, 15 U.S.C. §§ 1601 et seq., which mandates disclosures of credit terms; and the Fair Credit Billing Act, 15 U.S.C. §§ 1666 et. seq., which provides for the correction of billing errors on credit accounts. The Commission also enforces over 35 rules governing specific industries and practices, e.g., the Used Car Rule, 16 C.F.R. Part 455, which requires used car dealers to disclose warranty terms via a window sticker; the Franchise Rule, 16 C.F.R. Part 436, which requires the provision of information to prospective franchisees; and the Telemarketing Sales Rule, 16 C.F.R. Part 310, which defines and prohibits deceptive telemarketing practices and other abusive telemarketing practices.

10 Certain entities, such as banks, savings and loan associations, and common carriers, as well as the business of insurance are wholly or partially exempt from Commission jurisdiction. See Section 5(a)(2) of the FTC Act, 15 U.S.C. §45(a)(2) and the McCarran-Ferguson Act, 15 U.S.C. $ 1012(b).

transfer of consumers' personal information; self-regulatory efforts and technological developments to enhance consumer privacy; consumer and business education efforts; the role of government in protecting online information privacy; and special issues raised by the online collection and use of information from and about children. A summary of the workshop testimony was published by the Commission in a December 1996 staff report entitled Consumer Privacy on the Global Information Infrastructure. The agency held a four-day workshop in June 1997 to explore issues raised by computerized databases that contain consumers' personal identifying information (also known as "individual reference services" or "look-up" services). This workshop also explored issues relating to unsolicited commercial e-mail, online privacy, and children's online privacy.

These FTC efforts have served as a foundation for dialogue among members of the information industry and online business community, government representatives, privacy and consumer advocates, and experts in interactive technology. Further, the Commission and its staff have issued reports describing various consumer privacy concerns in the electronic marketplace.11 În addition, FTC staff has written opinion letters delineating what types of practices in this area might violate the Federal Trade Commission Act.12

II. FOCUS OF FTC PRIVACY ACTIVITIES

Following the June 1997 workshop, the Commission focused on a number of key privacy issues impacting consumers. These issues were discussed in a July 31, 1997, letter (Attachment A) responding to a joint request from Chairman John McCain and Chairman Tom Bliley for a brief report on the Commission's findings from the workshop. The Commission's letter summarized its work and provided a plan to address concerns raised by the following issues: (1) computerized databases containing consumers' personal identifying information, i.e., individual reference services or look-up services; (2) unsolicited commercial e-mail; (3) online information collection; and (4) children's privacy in the online environment. I will address each of these issues today. In addition, as set forth in the July 31 letter, the Commission intends to issue a report to Congress in June 1998 that will focus on the Commission's efforts to monitor and assess the status of self-regulatory efforts by industry members involved in the online collection and dissemination of consumer information.

A. Individual Reference Services

In response to growing public and Congressional concern, the Commission examined the availability of sensitive personal identifying information through computerized database services that are used to locate, identify, or verify the identity of individuals, often referred to as individual reference services or look-up services. The Commission's study of look-up services culminated in a report to Congress in December 1997. The report summarized what the Commission had learned about the individual reference services industry; examined the benefits, risks, and potential controls associated with these services; assessed the viability of an industry self-regulatory proposal; and concluded with recommendations that address concerns left unresolved by the proposal.13

The Commission found that a vast amount of information about consumers is available to customers of individual reference services through the services' proprietary computer networks and increasingly over the Internet. Gleaned from various public and proprietary sources, information available through the services ranges from purely identifying information, e.g., name and phone number, to much more extensive data, e.g., driving records, criminal and civil court records, property records, and licensing records. 14 The Commission also learned that convenient access to this type of information confers a myriad of benefits on users of these services and on society. The look-up services enable law enforcement agencies to carry out their missions, parents to find missing children, journalists to report the news,

11 E.g., FTC Report to Congress: Individual Reference Services, December 1997; FTC Staff Report: Public Workshop on Consumer Privacy on the Global Information Infrastructure, December 1996; FTC Staff Report: Anticipating the 21st Century: Consumer Protection Policy in the New High-Tech, Global Marketplace, May 1996. In addition, the Commission presented testimony on September 18, 1997, on the Implications of Emerging Electronic Payment Systems on Individual Privacy before the House Subcommittee on Financial Institutions and Consumer Credit, Committee on Banking and Financial Services.

12 E.g., Letter from Bureau of Consumer Protection Director to Center for Media Education, July 15, 1997. 13 FTC Report to Congress: Individual Reference Services, December 1997.

14 Id. at 4-5.

and consumers to find lost relatives. 15 At the same time, the increasing availability of this information poses various risks of harm to consumers' privacy and financial interests, including the possibility of increasing the incidence of identity theft.16

At the June 1997 workshop, a group of industry members (the "Individual Reference Services Group" or "IRSG") announced its intent to address concerns associated with its industry through self-regulation. Commission staff worked with this group to encourage it to adopt an effective self-regulatory program. In December 1997, 14 companies, a substantial majority of the individual reference service industry, agreed to abide by the "IRSG Principles," a set of principles that addresses the availability of information obtained through individual reference services.

The IRSG Principles restrict access to certain information obtained from "nonpublic" sources contained in each signatory's database. This non-public information includes what is called "credit header" information, which is that portion of a credit report purchased from a credit reporting agency that contains an individual's name, address, aliases, Social Security number, current and prior addresses and telephone number.17 The restrictions vary according to the category of customer. Customers that have less restricted access to non-public information are subject to greater controls. It is noteworthy that the IRSG Principles prohibit distribution to the general public over the Internet or otherwise of certain non-public information, including Social Security number, mother's maiden name, and date of birth. In addition, consumers will be able to access the non-public information maintained about them in these services and to prevent the sharing (i.e., “opt out") of the non-public information distributed to the general public. 18

The IRSG Principles show particular promise because they include a compliance assurance mechanism and are likely to influence virtually the entire individual reference services industry. First, signatories must undergo an annual compliance review by a professional third party such as an accounting firm, the results of which will be made public. Public examination of the results of compliance reviews and the possibility of liability under the FTC Act and similar state statutes should create an incentive for compliance by signatories. Second, signatories that are information suppliers (e.g., the three national credit reporting agencies) are prohibited from selling information to entities whose practices are inconsistent with the Principles. Therefore, non-signatories whose practices are inconsistent with the Principles likely will be unable to obtain non-public information easily for redissemination through their services. Thus, the IRSG Principles should substantially lessen the risk that information held by these services will be misused, and they should address consumers' concerns about the privacy of their non-public information. 19

The Commission concluded that the IRSG Principles address many of the concerns associated with the increased availability of non-public information through individual reference services while preserving important benefits conferred by this industry. However, important issues related to individual reference services remain. For example, the IRSG Principles do not give consumers access to the "public information" (e.g., real estate, motor vehicle, and court records) maintained about them and disseminated by the look-up services. Accordingly, consumers will not be able to check for inaccuracies resulting from transcription or other errors occurring in the process of obtaining or compiling the public information by the look-up services. IRSG members have agreed to revisit this issue by June 1999, and to consider whether to conduct a study quantifying the extent of any such inaccuracies. The Commission has urged the IRSG to conduct an analysis to determine whether the frequency of inaccuracies and the harm associated with them are such that consumer access to public record information or other safeguards are in fact unnecessary,20

In its report to Congress, the Commission also encouraged public agencies to consider the potential consequences associated with the increasing accessibility of public records when formulating or reviewing their public records collection and dissemination practices. Finally, the Commission has acknowledged and encouraged the ongoing efforts of many privacy advocates, consumer groups, government agencies, and the IRSG to educate the public about information privacy issues.21

15 Id. at 9-11.

16 Id. at 13-16.

17 Id. at 5-6 and n. 42. Non-public information on an individual's financial status, employment background, credit history, and medical records can be found in a credit report, but the dissemination of that information by a credit reporting agency is strictly regulated under the Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681u (1997).

18 Id. at 25-28.

19 Id. at 28-30. 20 Id. at 31-32. 21 Id. at 32-33.