Privacy and the Internet Professor Peter P. Swire Ohio State University National Press Foundation...

Post on 27-Mar-2015


“Privacy and the Internet”

Professor Peter P. Swire

Ohio State University

National Press Foundation

February 14, 2001

Do People Care About Privacy?

90 percent of Americans say they have “lost all control” over their personal information

WSJ poll 9/99

Overview

The Clinton Administration and privacy
This year

The Clinton Administration

Supported self-regulation generally
Sensitive categories deserve legal protection
– Medical & Genetic
– Financial
– Children’s Online
Government should lead by example
Chief Counselor for Privacy

Internet Privacy

Quantity of policies
– 15% to 66% to 88% from 1998 to 2000
Quality of policies
– Seek continued improvement on choice, access & security
Enforcement if company breaks its privacy promise
– Unfair and deceptive trade practice

Internet Sectors

Individual Reference Services Group (1998)
– Look up services code of conduct
– Limits on distribution of SSNs
Network Advertising Initiative (2000)
– Special sensitivity when a 3d party, unknown to user, compiles information
Safe Harbor for transfers with E.U. (2000)
– Self-regulation as a core achievement

Children’s Online Privacy Protection Act of 1998
FTC rules took effect 4/00
Web sites targeted at under 13s
Key is “verifiable parental consent”

Medical Records Privacy

HIPAA 1996 called for legislation by 8/99
President announced proposed regs 10/99
Over 52,000 submissions of comments
Final rules 12/00
Administration decision by February 26

Medical Records (cont.)

Fair information practices
– Notice
– Patient choice
– Access
– Security
– Enforcement

Medical -- Who is Covered?

“Covered entities”
– Providers
– Plans
– Clearinghouses
Business associates
Online/offline neutrality

Financial Privacy

Title V of Gramm-Leach-Bliley
– Notice
– Opt-out 3d parties
– Enforcement
Online/offline neutrality
President Clinton called for greater protections last year

Government as a Model

Government web sites
– Privacy policies at major sites
– Presumption against cookies
Computer security
Coordination & oversight mechanisms

Government computer security

Good security is necessary for privacy
– Weak security allows access to tax records, criminal investigative files, etc.
– Good security helps stop hackers and other unauthorized users
Good security is not sufficient for privacy
– What can an authorized user do with the data?
– Post it to the Internet?
– Privacy policies govern authorized users

Coordination & oversight

Coordination -- Chief Counselor position 3/99

Must become aware of issues before you can affect them -- “clearance”

Alert decisionmakers before problems become public

No announcement on Bush approach

II. This Year

Fair information practices and Internet Privacy

Notice
– Some favor notice only
– Can do with technology, such as P3P
– Less strict -- no other requirements
– More strict -- a new law more likely later

Choice

The biggest debate so far
Opt out
– Customer gets choice
– But opt out may be hard to find on web page
– Maybe “spyware” and no one to give notice

Choice (cont.)

Opt in
– Strong privacy protection
– Forces web site to explain why sharing is good
– But, how do small sites find customers?
Robust opt out
– Possible compromise

Access

Like FOIA -- check on abuse
“Reasonable” access
– Cost matters
Some exceptions
– Information about other persons
– Trade secrets and proprietary

Access (cont.)

Access only to decisional information
– Credit reports
– Medical records
Access to all information
– Psychographic information
– Every memo in the company
Target marketing
– Decisional?
– Proprietary?

Security

Good security in layers
– Hardware
– Software
– Personnel policies
Hard to measure
Law focuses on notice of security?
Detailed regs on security?
Must update anti-virus at least once a week?

Enforcement

FTC new powers
State AGs to help
Private right of action?

Enforcement (cont.)

What role for TRUSTe, BBBOnline?
– Safe harbor in COPPA
– Multiplies enforcement resources
– Teams enforcement with consulting
– Privatizes enforcement
– Target for EU pressure

Other Internet Privacy Issues

Preemption
In favor:
– Same web site sells to all 50 states
– Possibly inconsistent state laws
Opposed:
– The big reason for industry to accept legislation
– Financial and engine for continued change
– Don’t place ceiling on “human rights”

Other Issues (cont.)

Customer lists in bankruptcy
– Toysmart case
Law enforcement access to Internet records
Extend to offline, too?
– Leary -- consistency requires it
– But, ready to regulate each corner store?

Concluding thoughts

Many flows are good in Information Age, but not all flows are good
Self-regulation has been central to date
Treat sensitive data more carefully, subject to legal protections where appropriate
Will political system insist on Internet legislation?

In closing, a common sense test:

President Clinton, at Aspen Institute:

“Do you have privacy policies you can be proud of? Do you have privacy policies you would be glad to have reported in the media?”

If so, your policies are far more likely to survive, and help your organization prosper, in the information age.