
Congress could certainly pass a law mandating privacy protections on-line, for example, but enforcement of such a law, even if possible, might require enormous resources. We don't want to give Internet users a false sense of security based on an unenforceable law.

Therefore, the Clinton Administration has also been active with respect to the specific issues of protecting privacy on the Internet. In 1993, the Administration set up the Information Infrastructure Taskforce (IITF), a cabinet level group charged with articulating and implementing the Administration's program, to promote the development of the Information Superhighway; the group was chaired by the late Secretary of Commerce, Ron Brown. The Clinton Administration quickly realized that successful development of the information infrastructure would require enhanced privacy protections. Quite simply, while the infrastructure might get built, consumers will not use it until their personal data is adequately protected. Accordingly, in 1995, the IITF examined privacy in the electronic environment and issued Privacy Principles updated for the information age.

The Privacy Principles were developed with substantial input from industry and consumer groups. They provide a general framework from which more specific laws and guidelines could be written for particular sectors of the economy or to remedy particular abuses. The Principles explicitly call upon the private sector to develop detailed guidance responsive to particular needs of the individual sectors.

Similarly, when the Administration issued its policy statement on electronic commerce, A Framework for Global Electronic Commerce, it supported private sector efforts to implement meaningful, consumer-friendly, self-regulatory regimes based on the fair information practice principles. (These principles were contained in a report presented in 1973 to the then Department of Health, Education and Welfare, now the Department of Health and Human Services; adopted by the international community in the early 1980s in the form of the OECD's Guidelines for the Protection of Personal Data and Transborder Data Flows; and formed the basis for the Privacy Principles.) They include consumer awareness, choice, appropriate levels of security, and consumer access to their personally identifiable data.

Consumer awareness of information practices is essential to promoting on-line information privacy. Information about their rights and responsibilities in personal data enables consumers to make judgments about the levels of privacy available to them and to make meaningful choices about the use of their data. At a minimum, consumers must know the identity of the collector of their personal information, the intended uses of the information, and the means by which consumers may limit its disclosure. Accordingly, businesses must develop policies that articulate the manner in which they collect, use, disclose, and protect data, and the choices they offer consumers to exercise rights in their personal information. Notice of companies' information practices is a first principle in advancing privacy. Notification must be written in language that is clear and easily understood, and must be displayed prominently and in a manner that allows consumers to access it prior to relinquishing information to the company.

Consumers must be given the opportunity to exercise choice with respect to whether and how their personal information is used, either by businesses with whom they have direct contact or by third parties. Consumers must be provided with a simple, readily available, and affordable mechanism, whether through technological means or otherwise, to exercise this option. For certain kinds of information, e.g., information related to children, affirmative choice by consumers may be appropriate: personal information may not be used by companies unless it is specifically released by the individual or his or her parent or guardian.

Security of information is critical if electronic commerce is to flourish. Companies creating, maintaining, using or disseminating records of identifiable personal information must take reasonable measures to assure their reliability for their intended uses and must take reasonable precautions to protect them from loss, misuse, alteration or destruction. Companies should also strive to assure that the level of protection extended by third parties to whom they transfer personal information is at a level comparable to their own.

Consumers must have reasonable access to information about them that is held by businesses, and should have a right to request corrections and amendments of that information. Mechanisms must be in place to make it possible to exercise that right, although the extent of access may vary from industry to industry. Decisions about the level of appropriate access necessarily must take into account a number of factors, such as the nature of the information collected, the number of locations in which it is stored, the nature of the enterprise, the ways in which the information is to be used, and the cost of access.

Let me be clear: to be meaningful, self regulation must be more than an articulation of broad policies or guidelines. Effective self regulation must involve substantive rules, as well as the means to ensure that consumers know the rules, that companies comply with them, and that consumers have an appropriate means of redress for injuries resulting from noncompliance.

A self-regulatory regime to protect privacy must have some enforcement mechanism to assure compliance with the rules and appropriate redress to an injured party when rules are not followed. Such mechanisms are essential tools to enable consumers to exercise their rights in data, and must, therefore, be readily available and affordable. They may take several forms, and businesses may need to use more than one of these tools depending upon the nature of the enterprise and the kind of information the company collects and uses. But in the end, we think that enforcement mechanisms will provide at least three elements: consumer recourse, verification, and consequences.

1. Consumer recourse. Companies that collect and use personally identifiable information should offer consumers a mechanism by which their complaints can be resolved. Such mechanisms must be simple, readily available, and affordable.

2. Verification. Verification provides attestation that the assertions businesses make about their privacy practices are true, and that privacy practices have been implemented as represented. The nature and the extent of verification depend upon the kind of information with which a company deals; companies using highly sensitive data may be held to a higher standard of verification.

3. Consequences. For self regulation to be effective, failure to comply with fair information practices must have consequences. Among these may be cancellation of the right to use a certifying seal or logo, posting the non-complier on a publicly available "bad-actors" list, or disqualification from membership in an industry trade association. Non-compliers could be required to pay the costs of determining their noncompliance. Ultimately, sanctions should be stiff enough to be meaningful, and swift enough to assure consumers that their concerns are addressed in a timely fashion. When companies make assertions that they are abiding by certain privacy practices and then fail to do so, they may be liable for fraud and subject to action by the Federal Trade Commission.

On July 1, the Commerce Department and OMB will report to the President on private sector implementation of effective self regulation for privacy, including codes of conduct, industry developed rules, technological solutions to protect privacy on the Internet, and means for ensuring the privacy of children online. We are looking for a commitment from industry to establish enforcement mechanisms to ensure that sector-specific self regulatory codes (1) are easy for consumers to recognize, (2) comport with fair information practices, (3) verify compliance through audits or other procedures, (4) provide prompt and efficient dispute resolution and recourse for consumers harmed by misuse of personal information, and (5) provide appropriate consequences (trade association disciplinary measure, revocation of seals, etc.) for those who violate privacy policies.

In anticipation of this report, the Department of Commerce will hold a privacy conference in May. This two-day DOC conference will bring together the private sector and consumer groups to work toward establishing enforcement mechanisms for privacy self regulation. The conference will serve several purposes. First, it will raise consumer awareness of privacy issues; second, it will allow companies to begin to present the status of their efforts toward self regulation; third, it will allow a full and fair discussion of the role that self regulation can play in online privacy protection; fourth, it will allow presentation and public discussion of enforcement mechanisms for self regulation; and fifth, it will set the stage for further evaluation of privacy protection technology.

The Department of Commerce will follow up the May conference by continuing the dialogue with industry and consumer groups in a variety of informal and perhaps more formal ways.

The Administration considers privacy protection critically important. We believe that private efforts of industry working in cooperation with consumer groups are preferable to government regulation, but if effective privacy protection cannot be provided in this way, we will reevaluate this policy.

That concludes my comments on the issue of privacy. I will be happy to answer any questions.

Mr. COBLE. I thank you both for your testimony. Pardon my abrupt departure. I had to go to the Crime Subcommittee for a markup. It was not that I was not interested in what you all were saying.

Ambassador, what sort of response are you getting from businesses to the Administration's policy statement regarding the implementation of fair information practice principles, or in a more simplified way is the business/commercial community taking adequate steps to implement these principles?

Mr. AARON. We are encouraged, Mr. Chairman. The Secretary of Commerce has met with me personally on two occasions. We will have further meetings to encourage a positive industry response. We believe that by the time we make our report to the President on July 1 that we will have something positive and concrete to present to him.

In addition, the Commerce Department is holding a conference in May which will offer an opportunity for business, interested nongovernmental organizations, privacy organizations and the rest to come together and begin the process of evaluating the steps that businesses are taking. I think that as we prepare the report to the President we will have an opportunity to see in more concrete terms what industry is proposing to do.

Mr. COBLE. Ambassador, currently what type of consumer recourse is available to members of the public when they have had their privacy rights violated?

Mr. AARON. If I may, I would like to turn to Ms. Burr to respond to that.

Mr. COBLE. Sure, that's fine.

Ms. BURR. Thank you very much. Aside from the protections that the Federal Trade Commission offers with respect to deceptive practices and unfair practices in commerce, there is not yet widespread, systematic consumer recourse. That is something that we are very much expecting to be developed in the coming months. The Secretary in his visits with members of the business community has indicated some need to hasten the process, and we believe that there are several models. For example, the Better Business Bureau online is providing some dispute resolution services, and there are a couple of other models. But I would have to say at this point there is not outside of the Federal Trade Commission widely available, simple-to-use dispute resolution procedures.

Mr. COBLE. Thank you.

Mr. Medine, in your written testimony you indicate that the Internet as a commercial entity likely will not flourish until the public is assured that their personal information is protected, and I'm inclined to agree with that conclusion.

On our second panel today we will hear from witnesses who will advocate a hands-off approach by the Congress. Now how do you respond to that admonition?

Mr. MEDINE. Well, we do believe that electronic commerce provides some tremendous opportunities, and we really are at a crossroads right now as to whether this marketplace will develop or not. What we've heard from consumers through surveys and through our workshops is that they are very concerned about their privacy online, and many consumers are reluctant to shop online and don't even go online because of privacy concerns.

So the question is how do you protect that privacy online? The approach that we've taken in response to industry's request, is to encourage self-regulation, to facilitate and provide forums in which all interested parties are able to sit at the same table and discuss these important issues. We think that industry self-regulation can provide tremendous flexibility, can adapt to changing technology, and limit the use of government resources in trying to accomplish these ends. But self-regulation has to be effective to provide these protections or this marketplace will not flourish.

That's the reason why this month we are surveying 1,200 web sites to get a sense, after 3 years of working with industry to try to facilitate an awareness of this issue, whether it has taken hold and whether companies are providing consumers adequate disclosures of privacy policies, and when we report to the Congress in June on this we will have a sense of whether that has worked or not.

Mr. COBLE. Mr. Medine, will you elaborate on the FTC public workshops' efforts to educate parents on the dangers of having their children's information on the Internet. Bring us up to speed on that.

Mr. MEDINE. I would be happy to. The Commission has historically devoted special attention to protecting children in commerce. The Internet provides an unprecedented ability not only to give information to children, but to gather information from children without the intervention of their parents, and that raises special concerns for the Federal Trade Commission because of the possible misuse of that information by pedophiles and others.

So we have devoted a lot of attention in our public workshops to highlighting the extent to which technology can protect children. But, we have also issued a staff opinion letter stating that the Federal Trade Commission Act does apply to the collection and distribution of information from children on the Internet in two particular ways.

First, if information is gathered from young children and there is not adequate disclosure of how that information is going to be used and why that information is being collected, we believe that to be a deceptive trade practice under current law.

We also believe that if information is gathered from children for distribution to third parties that poses a special risk to the child and that parental consent is required in that instance before the information is distributed to third parties, and failure to obtain parental consent is an unfair trade practice under the Federal Trade Commission Act.

We also have encouraged industry efforts to provide further protections and notice to children, but we believe there is a base legal authority that currently applies to the very sensitive issue of gathering information from children on the Internet.

Mr. COBLE. Thank you, Mr. Medine.

The gentleman from Massachusetts, Mr. Frank.

Mr. FRANK. Well let me begin with that, and, first, I want to thank the witnesses for helping us in this. You said there is a basic legal authority that covers this, and would you elaborate on that.

Mr. MEDINE. It has not yet been tested in court, but the staff has issued an opinion that the Federal Trade Commission Act's deception and unfairness authorities do apply in particular to the gathering of information from young children.

Mr. FRANK. And the unfairness aspect of it?

Mr. MEDINE. Unfairness looks primarily toward injury that can't be easily avoided, and we believe that gathering information from children on the Internet when it's being distributed to third parties presents a special risk to children and that it is an unfair trade practice unless parental consent is obtained.

Mr. FRANK. Is there an effort to find an appropriate test case going on?

Mr. MEDINE. We are currently investigating online firms for their practices regarding collection of information from children and do expect enforcement actions in this area in the future.

Mr. FRANK. The reason I ask is that I would think as we begin to look for areas where we could act that would be one where we have run into this situation. This would be one where we will get a lot of fake reasons, and fake reasons play a very important role in the legislative process. Fake reasons are what you put forward when you don't think your real reason will stand the light of day, and it often happens in legislative debates. People will express reasons why something shouldn't be passed, it is unnecessary, it's confusing, it doesn't go far enough or it goes too far. I expect that if we were to try to legislate protection for children we would hear from a lot of businesses that now make money from this information from children and we would hear a lot of their fake reasons, and their real reason would be they want to continue to make money off children.

I think that's an area where we'll be legislating. So I'll be interested to see what your result is. But I would also say people who might be inclined vigorously to contest your enforcement efforts on the grounds that you don't have sufficient statutory authority should be aware that they will be helping us make the case for a more explicit statutory authority. So people should understand that. I'm glad that you're planning to go ahead, and if your efforts should be frustrated by some legal interpretation, then we are talking about our statutory right.

In fact, let me ask all of the witnesses. One of the things we hear from the private business community is, oh, don't worry, we can do self-regulation. I take from you, Mr. Medine, because you are talking about proceeding legally, you obviously do not accept that argument; is that correct?

Mr. MEDINE. Well, I think there are two issues there. I mean there are always going to be firms that don't comply with the law, and that's when enforcement actions are appropriate. But the question is whether the bulk of industry is voluntarily providing protections to consumers.

Mr. FRANK. You said complying with the law, but self-regulation I assume means there is no law. I mean the argument for self-regulation is we're here in a new medium, and we have people saying we don't need any laws, we are the good citizens of cyberspace. This is a Lockean state of nature and not a Hobbesian one. We all get along and everybody is going to be fine and wonderful and we'll respect each other's rights. Maybe it's even Rousseauean. Locke would require too much government. I take it you are implicitly rejecting that saying we do need some law.

Now I think there are two obvious questions. One is do you need any law at all. There is nobody here but us well-motivated anarchists who say you don't need any law at all. Then there is a second-level question which is given the basic legal structure how in
