August, 1998

Users control their information; Self-regulation works; Intervention would harm the Internet

In Washington, D.C., momentum is building behind new laws aimed at protecting privacy on the Internet. Regulators want to impose a uniform privacy policy on commercial web sites, starting with those that cater to children. These regulations are built on two assumptions: that sites abuse their power to collect information, and that business interests contradict privacy interests. These assumptions are false.

In reality, Internet users control their information and, when they express concerns about privacy, businesses respond and alleviate these concerns. How they respond is something market forces are determining. Self-regulation is rapidly occurring. Government intervention would hinder this and harm the Internet.

Underlying the government’s push is a recent Federal Trade Commission report that criticizes privacy practices on the web. As widely reported, the FTC surveyed 1400 sites and found that 92% collected data about visitors, while only 14% revealed how that data is used. Regulation advocates declared this to be evidence that self-regulation is failing. The truth is another matter.

While privacy concerns are real, the “privacy crisis” is not. Web sites collect information in two ways: they ask visitors to fill out registration forms or they try to feed them “cookies.” When you arrive at some sites, registration forms ask for information like your name and email address. Stored on your hard drive, “cookies” are files that tell sites information about you. They are planted after a site asks your browser for permission to create them. Cookies alone cannot divulge your name or address but they can reveal how long you stay at a page, what products you like, and what sites you visit.

Sites use the information they gather in several ways. They monitor what attracts visitors and tailor themselves to various interests. If you give it to them, sites sometimes sell your name to third parties, often to direct marketers who launch email solicitations.

Web users aren’t forced to submit to these practices. They never have to accept a cookie, fill out a form, or blindly relinquish information. Browsers that automatically accept cookies can be easily modified to seek the user’s permission first. Increasingly, web sites are posting privacy policies telling visitors how their information is used. Visitors who feel a site’s policy is unacceptable can leave before handing over information.

Market forces respond to this behavior, but regulation advocates insist that business interests contradict privacy interests. They point to recent polls indicating that privacy is web users’ foremost concern. But these concerns don’t indicate market failure, they ensure the market’s success.

The goal of commercial web sites is to attract customers. Because discriminating consumers won’t patronize sites with policies they feel are unacceptable, sites that don’t respect customer preferences will be punished as consumers migrate to sites that do.

These forces are already working as companies and organizations scramble to assuage privacy concerns. According to a survey by the Direct Marketers’ Association, 70% of the top 100 children’s sites had posted policies by May of this year, up from 38% in January. The Online Privacy Alliance recently announced a program to certify and police web sites that voluntarily comply with a standardized privacy policy. The Council of Better Business Bureaus has started a similar program. So has a company called TRUSTe. These organizations have over 1500 members including Disney, America Online, and Microsoft.

This is only the beginning. As more commerce migrates to the web, companies will have even greater incentives to quell privacy concerns. Consumer preferences will lead to a set of standardized privacy policies because, in many cases, good privacy policies are good business.

But many does not mean all. Some web users may be willing to relinquish all their information. Others may worry about their privacy but still give away information in return for certain benefits. And some may give information to some sites but not others. The point is, preferences vary between people and transactions. It’s possible that only 14% of web sites post their policies because many consumers aren’t demanding different behavior.

But Washington mistakenly assumes that all web users always want to protect all of their information. And regulators are proposing blanket policies to reflect this assumption. Six privacy bills have been proposed in Congress and the issue has caught the eye of Al Gore, who recently called for “an electronic bill of rights.” If adopted, these regulations will ultimately force all commercial web sites to comply with a uniform privacy policy.

These measures would harm the Internet. They would raise the start-up costs of web-based businesses, many of which are home operations with limited capital. They would impose compliance costs onto businesses that don’t need privacy policies. They wouldn’t allow businesses to choose from a variety of competing policies. And, by creating a reliance on government solutions to the Internet’s “problems,” they would erode the cornerstones of individual freedom, responsibility, and accountability that form the foundation of net culture.

Justin Matlick is a Chicago-based senior fellow in information studies for the Pacific Research Institute in San Francisco. He can be reached via email at jmatlick@pacificresearch.org.