Claiming that privacy concerns are retarding the growth of online commerce, the Federal Trade Commission says there ought to be a law governing the use of information obtained from Web site visitors.
To back up its call for legislation, the FTC cites surveys in which large majorities of consumers say they worry about online privacy. "This apprehension likely translates into lost sales due to the lack of confidence in how personal data will be handled," the commission argues in a recent report to Congress.
If so, the lost sales are hard to detect. "Since its inception in the mid-1990s," the FTC concedes, "the online marketplace has grown at an exponential rate."
According to the commission’s report, some 90 million Americans use the Internet regularly, and two-thirds of them bought something online in the third quarter of 1999. Online sales, which increased tenfold between 1997 and 1999, totaled nearly $3 billion in January alone.
Whatever their concerns about privacy, Americans are rushing online to buy stuff. Although they might like to control exactly how their "personal data" are used, they are quite willing to give up that prerogative in exchange for a good deal on a Palm Pilot or a list of helpful book recommendations.
Through their behavior, people demonstrate the tradeoffs they’re prepared to make. Economists call this "revealed preference," which can be quite different from the preferences people express in surveys.
But the FTC thinks opinion polls should trump the marketplace. Chairman Robert Pitofsky declares, "Consumers should not have to forfeit their privacy online in exchange for the rich benefits of e-commerce."
Why not? The answer seems to be that "privacy" is not merely a preference but a right.
That claim rings true in some situations. The Fourth Amendment’s protection against "unreasonable searches and seizures," for instance, is a demand, not a request.
In this case, however, "privacy" means the ability to dictate the terms of a transaction, insisting upon withholding information or restricting its use even if the other party does not agree. For Pitofsky, it’s not enough that the buyer can reject the transaction if he considers the seller’s requirements too intrusive or his explanations too vague.
This is odd, since the FTC continues to insist that privacy safeguards make good business sense because they reassure wary customers, thereby increasing sales. Based largely on that belief, the commission had until recently emphasized "self-regulation" to protect online privacy.
By the FTC’s own measures, that approach seemed to be working. In a random sample of Web sites, 88 percent had privacy disclosures this year, up from 14 percent in 1998, and 20 percent had implemented all four of the FTC’s "fair information practice principles," double last year’s rate. Among the 100 most popular Web sites, all had privacy disclosures, up from 71 percent in 1998, and 42 percent covered the four principles, up from 22 percent last year.
A variety of organizations, including TRUSTe and BBBOnline, have sprung up to certify information practices, although so far only a small minority of sites carry their seals. Major corporations, such as IBM, Microsoft, and Disney, now limit their advertising to sites with privacy policies they consider sound.
Despite the progress, the FTC is impatient. Presumably, it will not be satisfied until every commercial Web site--all 5 million, and counting--adopts its "fair information practice principles" of Notice/Awareness, Choice/Consent, Access/Participation, and Security/Integrity.
These principles, which the FTC lays out in its report, do indeed seem eminently fair--from the perspective of a professional privacy advocate. But the burden of implementing them to the FTC’s satisfaction, once it gets the authority to enforce them, may be too much for small businesses to bear.