Introduction

In the debate over government’s role on the Internet, online privacy is the latest issue to take center stage. Policy makers are concerned that web sites abuse their power to collect and distribute information about Internet users, particularly children. Until recently, legislators have taken a hands-off approach, waiting for online businesses to self-regulate and alleviate privacy concerns on their own. But Washington’s patience is waning, and the 106th Congress will likely consider an onslaught of regulations intended to protect privacy on the Internet.

These regulatory efforts begin with measures aimed at protecting children. One bill, the Children’s Online Privacy Protection Act (COPPA) has already been enacted, and broader proposals are pending. But, while protecting children from the Internet’s perils is critical, none of these measures will do so. A better approach would both protect children and avoid new regulations.

Only parents can protect the privacy of their children. While this task may seem daunting, markets are providing simple tools that help parents alleviate their concerns. Regulations, on the other hand, create a false sense of security among parents and impose compliance costs on online businesses. As this paper documents, the optimal policy would leave online privacy unregulated, thereby empowering parents and protecting the mechanisms behind the Internet’s growth.

The Facts About Online Data Collection

Do web sites abuse their power to collect and distribute information about their visitors? Here are the facts:

Web sites collect information in two ways: They ask visitors to fill out registration forms or they try to feed them "cookies." Registration forms ask for information such as your name, age, and email address. Stored on your hard drive, cookies are files that tell sites information about you. They are planted after a site asks your browser for permission to create them. Cookies alone cannot divulge your name or address, but they can reveal how long you stay at a page, which products you like, and which sites you visit.

Sites use the information they gather in several ways. They monitor what attracts visitors and tailor themselves to various interests. If you give it to them, they sometimes sell your name to third parties, often to direct marketers who launch email solicitations, commonly known as "spam." Web users are worried about these practices.

A recent survey by the Boston Consulting Group found 76% of Internet users to be concerned about sites that monitor their browsing. When asked what they felt was the most critical issue facing the Internet, 30% of respondents to a 1997 survey by Georgia Tech University replied that privacy was their foremost concern.

Fortunately for these users, online businesses are responding by posting privacy policies. These policies announce how visitors’ information is used, allowing them to make an informed decision about relinquishing information. But many sites don’t yet post such policies.

From a policy standpoint, these practices raise two interrelated questions. First, when web sites distribute visitors’ information, are they respecting visitors’ rights? Second, do the sites have the right to engage in these practices? Federal legislators don’t think so, especially when the Internet users involved are children.

Children on the Web: Privacy Implications

As children migrate to the web, businesses are targeting them with products and pitches. Many advocacy groups interpret this as a precursor to violations of children’s privacy, and Congress has enacted regulations intended to prevent such abuse. These claims and regulations will likely be the wedge leading to further restriction of data collection and distribution.

According to the Federal Trade Commission, nearly 10 million children are using the web. Of those 10 million, 5.7 are logging on from home computers where adult supervision may be limited. In response to this growing online presence, content providers and marketers have started devising ways to attract the interest of net-savvy kids. The last two years have seen an explosion in such sites as Cyberkids, Disney’s "Blast Online," and Nickelodeon.com, where children find games, interactive stories, kids-only chat rooms, and other activities.

As kids navigate these sites, they are bombarded with advertisements for toys, computer games, movies, and other products that appeal to their interests. Sometimes, these ads take the shape of contests, sweepstakes, and raffles, where kids must fill out registration forms to be eligible for prizes. Other times, the sites themselves are quasi-advertisements. At tonythetiger.com, for example, Tony himself beckons kids to "join Team Tiger" by providing their name, email address, and parent’s email address, which they must do in order to participate in the site’s interactive mysteries. Such advertisements allow businesses to collect valuable information about children's preferences and buying habits. Sometimes, this information is distributed to direct marketers, who then solicit children.

Children’s privacy advocates claim that such practices should be curbed by strict regulations. They argue that, if left unregulated, web sites and online marketers will violate children’s privacy. Specifically, these advocates fear that children will divulge information their parents would rather keep private, or be coerced into making purchases. In her paper "Web of Deception," Kathryn Montgomery of the Center for Media Education summarizes these concerns. "By capturing [children’s] attention," Montgomery writes, "marketers are able to circumvent their normal guardians…Whether a child receives a personalized message from the Power Rangers or a special offer to buy a product he or she really wants, it will be hard to resist."

Another concern is that children could be victimized by criminals attracted to the Internet’s anonymity. Children participating in electronic pen-pal programs, bulletin boards, and chat rooms make information about themselves available to anyone surfing the web and evidence indicates that sexual predators are starting to take advantage. According to the Federal Trade Commission, "The FBI and Justice Department’s ‘Innocent Images’ investigation has revealed that online services and bulletin boards are quickly becoming the most powerful resources used by predators to identify and contact children."

The Push For Regulation

Internet users and children’s advocates are not the only ones concerned about privacy. The Federal Trade Commission is worried, too. And the FTC’s concerns have added momentum to proposed regulations aimed at protecting the privacy of children on the Internet.

In June, 1998, the FTC released a report criticizing the privacy practices of commercial web sites. The FTC surveyed 1400 sites and found that more than 85% collected data about visitors while only 14% revealed how the data are used. 89% of the children’s sites surveyed collected information, but only 23% of those sites told children to seek parental permission before handing over information. The report recommended that Congress pass new privacy laws.

These findings were devoured in Washington, D.C., where regulators are eager to wedge their way online. According to regulation advocates, the report proved that online businesses will not regulate themselves. Unless government intervenes, they said, a privacy crisis will overtake the Internet. "[S]elf regulation has not worked," said Mark Rotenberg, director of the Electronic Privacy Information Center. "Things like privacy protection do require government action."

These doubts about self-regulation are the motivating force behind proposed regulations aimed at protecting privacy on the Internet. Several bills have been introduced in Congress, and Vice President Al Gore has repeatedly called for an "electronic bill of rights." Gore has also spearheaded the Clinton Administration’s proposed privacy initiative, which focuses on children. The initiative calls for "fair information principles" that prohibit web sites from collecting data from children without parental consent. The initiative also declares that, should self-regulation fail, "The Administration fully intends to implement privacy protection consistent with the authority given to us by law."

The White House initiative appears to have been the model for the recently enacted regulations intended to protect children’s privacy. Passed as part of the 1998 federal budget, the Children’s Online Privacy Protection Act restricts web sites’ data collection. Effective in May, 2000, the COPPA requires that child-oriented web sites obtain parental consent before collecting personally identifiable information from children under age 13. As will be discussed later, many of the law’s provisions remain unclear.

Regulation advocates view the COPPA as the first step towards strict regulation. "It’s a start," declared David Sobel, general counsel for the Electronic Privacy Information Center, "but we think that everybody, regardless of age, needs privacy protection on the Internet."

Sobel’s wish might come true: the COPPA may be the wedge used to enact stricter privacy regulations pertaining to all commercial web sites. Several bills have been proposed that would impose what are commonly referred to as "mandatory opt-in" requirements. Such requirements call for web sites to obtain an individual’s explicit consent before collecting and distributing personal information. Representative Bruce Vento’s (D-MN) Consumer Internet Privacy Protection Act of 1997, for example, would mandate that web sites obtain a person’s consent before disclosing any of their information to a third party. The Data Privacy Act of 1997, introduced by Representative Billy Tauzin (R-LA), would impose similar requirements. By creating new property rights to personal information, such regulations would amount to new privacy rights on the Internet. The implications of such privacy rights will be discussed later.

Together, the FTC’s recommendations, the Clinton Administration’s initiative, the COPPA, and the proposed legislation represent the first wave of regulations aimed at protecting privacy on the Internet. As more anecdotal evidence of privacy violations emerges, more regulations will be proposed as politicians scramble to assuage privacy concerns. Given policy makers’ willingness to restrict Internet content and encryption technology, privacy regulations will likely veer towards the extreme and seek to impose a uniform privacy policy, including an opt-in requirement, on all commercial web sites. But none of these regulations will effectively protect Internet users in general or children in particular.

Regulations Won’t Protect Children’s Privacy

As more children migrate to the Internet, it is critical their privacy be protected. Contrary to the claims of regulation advocates, regulations are not an efficient means to this end. Instead, existing mechanisms allow parents the best chance to protect their children’s privacy. Because companies have an incentive to respond to parents’ concerns, the quality and variety of these mechanisms will improve rapidly. While regulations would not be effective, they could actually weaken parents’ control of children’s information. This section clarifies the important principles beneath this argument by separating it into the following three segments:

1) Parents Set Rules

Parents can directly and indirectly control children's Internet use. They can set rules that are easily enforceable. When enforcement is difficult, other mechanisms allow for indirect control. These rules and mechanisms are among the most effective tools parents can use to protect their children.

Parents can dictate the terms of their children’s Internet use. Many families set rules pertaining to television, and they can do the same for the Internet. Privacy-conscious parents can prohibit their children from relinquishing information to web sites. Parents concerned about cookies should modify their children’s browser to reject cookie requests. Such rules represent parents’ best chance at preventing their children from relinquishing information they would rather keep private.

Given that criminals may use the Internet to target children, parents should take steps to keep their children away from web sites where they are vulnerable. Parents already use a combination of rules and supervision to protect their children from public dangers, and they can do the same for the Internet. Parents should make their children aware of potential online dangers, should direct their children to avoid forums where they may be vulnerable, and should directly supervise their children's Internet use when appropriate.

Parents have explicit opportunities to enact established rules. Children cannot access the Internet without either direct or indirect assistance from an adult. Children wishing to open an Internet account must have access to a credit card.

While children may access the Internet in schools or libraries, parents have indirect control over this access. They can voice their concerns to these bodies, who can respond by requiring parental permission to use Internet terminals, or by eliminating Internet terminals altogether.

2) Market Forces Respond to Parents’ Concerns

Regulation advocates often propose exceptional scenarios. Parents can set rules, they say, but what if the parents are not home to supervise? What if a child decides to break these rules?

Market forces are answering these questions. For those who fear that children will secretly go online, the market has created browsers equipped with passwords that allow Internet access to only the intended user.

Markets are also providing programs that alleviate parents’ concerns that children will break the rules or accidentally relinquish information. One program, "Net Nanny," can be instructed to block out the content of registration forms. The program can also prevent access to undesirable sites and filter away inappropriate Internet content, including pornography.

These two examples illustrate how markets are providing mechanisms that protect children’s privacy. As more children go online, the market for these products will grow, and both their number and variety will increase.

3) Online Privacy Regulations Will Not Protect Children

These mechanisms are not perfect. Children can still access the Internet from a library or a friend’s house. But this doesn’t justify government intervention. New regulations, including the Children’s Online Privacy Protection Act, will not protect children; there is no effective way for government to protect the privacy of children online. But new regulations could dilute parental control of Internet use.

As mentioned earlier, the COPPA prohibits child-targeted sites from collecting information from children under 13 without prior parental consent. While this prohibition may sound enticing, it is impractical and will be ineffective.

There is no efficient way for sites to obtain parental consent. The most common way to verify consent online, via email, is ineffective because children can easily send disguised email from their parents’ account. Credit card verification schemes or consent-by-mail plans are more effective, but they end up limiting a child’s access to kids’ sites. And, as Julie Richer of Able Minds Incorporated recently pointed out in the New York Times, these limitations may consequently push children towards adult alternatives. "The government is making it harder for kids to get into web sites specially targeted for them," Richer said. "So where are they going to go? Adult sites."

An even bigger problem is that no available mechanism allows web sites to verify the age of their visitors. The best that web sites can do is ask visitors to divulge their ages. Those who claim to be under 13 will be forced to obtain parental consent before entering a site or filling out a form. But children under 13 cannot be prevented from lying about their age.

While the COPPA and other measures will not protect children’s privacy, they will create a false sense of security among parents. Regulations give the false impression that sites are not collecting children’s information. Many parents will assume there is no need to monitor their child’s Internet use.

 

Regulatory Costs Would Harm the Internet

As mentioned earlier, privacy activists may use the COPPA as a wedge to impose broader privacy regulations. Any regulations, including those aimed at protecting children, would impose regulatory costs that hinder the growth of electronic commerce. A better policy would rely on existing market mechanisms to promote self-regulation.

Online privacy regulations would create costs that hinder electronic commerce. Government-imposed privacy policies, including the COPPA, will force web sites to bear both the costs of implementing the policy and of complying with it. In addition, web sites would also bear the liability costs of non-compliance. These costs are particularly troubling because sites cannot effectively verify age or consent. A web site operator doing his/her best to comply could still be fined or imprisoned.

By raising both the start-up and operating costs of commercial web sites, compliance and liability costs would limit the quantity and variety of these sites. They would deter new commercial sites from arising. And instead of responding to the privacy preferences of their visitors, sites will be forced to implement a single policy instead of designing their own or choosing from competing, standardized policies.

Regulations would also harm the mechanisms behind the Internet’s growth. Because the Internet has been relatively unregulated, online businesses have been free to innovate. But new regulatory costs would increase the start-up and operation costs of online businesses, deterring new business and limiting the diversity of electronic commerce. And the subsequent erosion of the web’s entrepreneurial spirit would hinder the medium’s dynamic growth.

Solution: Self-Regulation

A more effective policy approach would avoid new regulations, relying instead on the market forces that are already driving businesses to regulate themselves. Regulation advocates claim the profit motive contradicts privacy interests, and that this is why self-regulation can never work. They’re wrong. Businesses have every incentive to respond to the demands of their customers, including children and parents, and privacy concerns are not an exception. Self-regulation is already occurring and will grow increasingly effective as more people begin using the Internet.

The market mechanism behind this fact is simple. As previously illustrated, Internet users (who are also web sites’ customers) are concerned about how sites use the information they gather. These customers include concerned parents. The goal of commercial web sites is to attract these customers – and, in some cases, their children. Because discriminating consumers won’t patronize sites with policies they feel are unacceptable, sites must respond to their customers’ privacy concerns. Otherwise, consumers will migrate to competing sites with privacy policies that reflect their preferences.

These forces are already working: Companies and organizations are scrambling to assuage the privacy concerns of Internet users, including parents and children. According to a survey by the Direct Marketing Association, 70% of the top 100 children’s sites had posted policies by May of 1998, up from 38% in January of that year. The Online Privacy Alliance, whose members include Disney, the Direct Marketing Association, and Microsoft, announced last year a program to certify and police web sites that voluntarily comply with a standardized privacy policy.

This policy requires web sites to allow their visitors to choose how their information is used and to opt-out when sites want to distribute personal information to third parties. It also prohibits sites from collecting a child’s address or email address without prior parental consent; guarantees that its members will not allow children under thirteen to post their addresses, email addresses, phone numbers, or other personal contact information in public forums; and prohibits sites from using games, prizes, or other activities to entice children into giving away unnecessary information. An organization called Trust-e, whose members include the Netscape KidZone, eToys, and Gamecenter, operates a similar program.

Conclusion: Innovation, Not Regulation

New online privacy regulations will not protect children. But they will impose new costs that harm the Internet. An unregulated, free-market "policy," on the other hand, would accomplish what online privacy regulations cannot. Such a policy would:

1) Allow Internet users to control and protect their information. Internet users already have the power to manage how their information is used and distributed. They can avoid sites that have unsatisfactory or unposted privacy policies, and they can set their browser to reject cookies. If Internet users relinquish information to a site with a posted policy, a contract has been formed. If the site then violates that policy, users can take legal action under existing contract law.

2) Allow parents to protect the privacy of children. Markets are providing parents with mechanisms that regulations would not. Parents already have the means at their disposal to protect the online privacy of their children. While regulations would not effectively protect children’s privacy, they would create a false sense of security among parents.

3) Avoid the costs of regulation while protecting electronic commerce. New online privacy regulations would impose direct costs on online businesses. These costs would limit the growth and variety of online commerce while eroding the entrepreneurial spirit that has been a driving force behind the Internet’s growth.

4) Allow online businesses to respond to consumer preferences in innovative ways. Web sites have direct incentives to respond to the privacy concerns of their visitors. An unregulated, free-market policy would allow sites maximum freedom to respond to these incentives. Regulatory costs would be minimized, and web sites would be free to self-regulate in innovative ways that are not only cost effective but also accurately reflective of consumer preferences.

The conclusion is clear: An unregulated, free-market policy can and will accomplish what online privacy regulation would not. Internet users would have the means to protect their privacy, parents could protect their children’s information, and web sites would be free to innovate in response to the preferences of their visitors. Perhaps most important, the mechanisms that have driven the Internet’s growth would be unharmed and left in place.

Justin Matlick is Director of the Center for Freedom in Technology at the Pacific Research Institute for Public Policy, a San Francisco think tank. He can be reached via e-mail at: jmatlick@pacificresearch.org