Governing Internet Privacy: A Free-Market Primer See Bookstore for a full copy of this study

I. Introduction

In Washington, D.C., support is growing for new regulations aimed at protecting privacy on the Internet. Consumers fear that web sites abuse their power to collect and distribute personal information. Privacy activists claim information technologies are pushing the United States towards a privacy crisis. Until recently, legislators have avoided new regulations and instead waited for businesses to self-regulate and alleviate privacy concerns on their own. But Washington’s patience is waning.

Self-regulation is under attack, and federal legislators have introduced the first wave in what promises to be an onslaught of new Internet privacy regulations. Advocates of these measures claim that, unless government intervenes, individuals will have no control over the collection, use, and distribution of their personal information. This argument is built on two key assumptions: that sites abuse their power to collect information and that profit incentives contradict privacy interests. As this primer will demonstrate, both these assumptions are false.

In reality, everyone, including Internet users, controls their information. Under most circumstances, individuals are free to either keep their personal information private or distribute it to others. Internet users possess this control and may forge contracts that limit the use of their personal information by web sites. But if users give their information away unconditionally, sites may use and distribute it however they see fit. This relationship is supported by the legal framework governing privacy in the United States. Thus, individuals seeking greater privacy protection must turn to the private sector.

When Internet users express concerns about their privacy, businesses respond and alleviate these concerns. How they respond is something market forces are now determining: private companies have introduced a menagerie of new mechanisms and technologies, such as privacy policies and information intermediaries, that are intended to help consumers protect their privacy. This dynamic, self-regulatory process is only just beginning and could eventually quell privacy concerns altogether.

Government intervention would smother this process, harm consumers, hinder electronic commerce, and could erode the protections provided in the U.S. Constitution. Static, government-imposed privacy standards would deny consumers the flexibility promised by the growing number of products specifically designed to protect privacy. And they would smother the demand for these products by creating a false sense of security among Internet users. Consumers, in turn, would be denied the benefits of new innovations.

In addition, new privacy regulations would raise the start-up costs of online businesses, many of which are small and have limited capital. These regulations would dampen the web’s entrepreneurial character, limit the quantity and variety of commercial web sites, and invite new regulations pushed forward in the name of consumer protection. By creating a reliance on government solutions to the Internet’s "problems," such regulations would erode the sense of freedom, responsibility, and accountability that prevail on the World Wide Web. At the same time, Internet privacy regulations would set dangerous legal precedents.

Contrary to popular perception, privacy in the United States is not protected by the Constitution or a general law. Instead, the legal mechanisms governing privacy are a jumbled mix of statutes, judicial decisions, constitutional provisions, and legal interpretations. These protections strike a delicate balance between competing interests, such as privacy and free expression. By laying the groundwork for new privacy rights, Internet privacy regulations could upset this balance and erode several Constitutional protections that Americans cherish.1

As this paper explains, the best policy would avoid regulations and instead harness the profit incentives already driving businesses to protect consumer privacy. Such an approach would help consumers safeguard their privacy, protect the freedom and enterprise that underline the Internet’s promising future, and ensure that the Constitution remains intact.

 

II. Background: Technology, Direct Marketing, and Privacy

Introduction

Information technologies, particularly those related to the Internet, are making it easier for firms to collect, use, and distribute information about their customers. These information practices are the primary source of today’s privacy concerns; consumers and privacy advocates fear that direct marketers, armed with information about consumers, will steal away personal privacy in their quest to solicit potential customers. But individuals hold an increasing amount of control over who acquires their information and how this information is used. And advancing technology is ensuring that, when direct marketers do acquire names and addresses, their solicitations will simultaneously become more appealing and less intrusive.

 

Why Firms Are Collecting More Information

A competitive business requires sound information about customers and the demand for consumer information is rising. By making it increasingly practical for firms to collect, use, and store this information, advancing technologies give firms the tools to satisfy this demand. But they also ignite anxieties over consumer privacy.

As Moore’s Law notes, computer power doubles roughly every two years. At the same time, computer prices are plummeting. Consequently, it is becoming increasingly easy to consolidate information that was once widely dispersed. Businesses are using this to their advantage: they are gathering, analyzing, storing, and distributing vast amounts of information about nearly everything—including people.

Simply put, businesses collect personal information because it increases their potential profits. A business that understands consumer preferences, lifestyles, and buying habits can tailor itself to customer demand by altering its products and marketing itself to potential customers.

Responding to this value, a growing industry is dedicated almost exclusively to the trade in consumer information. Information resellers collect information about individuals, and then package it into lists that can be sold to businesses eager to learn more about consumers. This information typically includes the names and addresses of people likely to be interested in a particular product.

For example, the American List Counsel’s (ALC) primary business is selling lists of potential customers to firms who want to market their products. According to the ALC’s web site, the company has developed more than 16,000 lists compiled from "directories, phone books, public records, retail sales slips, trade show registrations, etc. They are used to identify groups of people with something in common, and are often overlayed with additional demographic information."2 

Another company, Best Mailing Lists, boasts a catalogue of lists that extends literally from A-Z, with thousands of names and addresses in nearly every category. A business wishing to market itself to such groups as "Adults by Age" (87,983,743 entries), "Artificial Limbs Dealers" (2,775), and "Zoology Professors" (12,436) need only purchase the appropriate list, which rarely costs more than a few hundred dollars, and send out solicitations.3  And new technologies are not only empowering list brokers.

Small businesses are benefiting, too. As the following section explains, the Internet is helping individual firms collect and store information about their customers. And these information practices are often the root of today’s privacy concerns.

 

The Facts About Online Data Collection

The Internet is making it easier than ever before for firms to collect, use, and distribute information about consumers. Online businesses can effortlessly track the habits of their customers, and can require visitors to relinquish information before granting access to a web site. Such practices are spawning concerns among consumers, as well as claims that web sites are violating privacy. But do web sites abuse their power to collect and distribute information? Here are the facts:

Sites typically collect information in two ways: they ask visitors to fill out registration forms or they try to feed them "cookies." When you arrive at some sites, registration forms pop up and ask for information about you. They want to know such things as your name, age, occupation, and email address. Usually, these forms can be left blank and access to the site will still be granted.

Cookies are more complicated. They are small files that some sites use to track information about your movements on the web. Cookies are planted on your computer’s hard drive after a site electronically asks your browser for permission to create them. While cookies alone cannot reveal your name or email address, sites can use them to track what sites you visit, what ads you pay attention to, and what products you like.

Site operators use the information they gather in several ways. Cookies reveal the traffic patterns on a web site, allowing online businesses to monitor what visitors like and tailor themselves to those interests. For example, if you frequently buy books on gardening from an online bookstore, that bookstore can use cookies to identify your preferences and, whenever you visit, automatically notify you of any new books on the subject.

Sites may also use your information in ways that are more intrusive: the information gleaned from registration forms is sometimes shared with other parties. If you give it to them unconditionally, sites can sell your name, address, and other information to third parties—such as the list sellers mentioned in the previous section. Sites can also use this information to launch their own campaign of mail, phone, and email solicitations.

 

The Future of Marketing?

Since the Internet makes it easier to collect and analyze personal data, skyrocketing Internet use and electronic commerce could empower the consumer information trade. But an increase in this trade would not necessarily translate into the mass marketing deluge that privacy activists predict. On the contrary, improving technology will likely streamline marketing efforts.

As the Internet’s popularity increases, one scenario predicts a boom in the consumer information trade. Under this scenario, as Internet use rises, consumers will trade away increasing amounts of personal information in return for the convenience of using web sites. More information about more individuals would be more available than ever before. But this is not a foregone conclusion.

As section VII of this paper explains, the private sector is introducing a variety of new technologies aimed at helping consumers control their information. These technologies make it even easier for individuals to keep their information away from web sites and direct marketers, and could potentially cripple the information resale industry. Assuming that the information trade does explode, will such an expansion inevitably drown consumers in unwanted, intrusive solicitations?

A more likely scenario is that improving technologies will diminish both the volume of solicitations and the circumstances in which marketers are perceived as overstepping their bounds. Direct marketers want nothing more than to streamline their efforts, cutting marketing costs while reaching the customers most likely to buy their products. This demand will drive rapid improvements in technology.

Helped along by the Internet, data collection will become more accurate. Data mining technologies will improve. Computers will continue to get stronger, faster, and cheaper. Consequently, marketing lists will become more specific, marketing efforts more precise. Consumers will be helped, not harmed, and instead of being doused in solicitations for products they’ve never dreamed of, people will receive offers to buy things they actually want.

These advantages remain in the future, however, and in the meantime many consumers fear that the information trade’s costs will outweigh its benefits. Thus, they are concerned about information practices on the World Wide Web. A recent survey by the Boston Consulting Group found 76% of Internet users to be concerned about sites that monitor their browsing.4  When asked what they felt was the most critical issue facing the Internet, 30% of respondents to a 1997 survey by Georgia Tech University replied that privacy was their foremost concern.5  As the following section explains, privacy advocates share these concerns and use them as the basis for their claim that government intervention is necessary to protect privacy.

 

 

III. The Push for Regulation

Introduction

Privacy advocates point to Internet users’ privacy concerns as signs the government must regulate the collection, use, and distribution of consumer information on the Web. These regulations would likely become a wedge used to justify new, general privacy rights. Such rights would begin by establishing a privacy environment similar to that of the European Union, which features privacy rights that impede both commercial speech and freedom of the press.

To date, U.S. policy makers have avoided this course. But in Washington, D.C., the allure of privacy regulations is growing. Privacy advocates have stepped up their attacks on self-regulation. With the Clinton Administration backing off its pledge to leave the Internet unregulated, Vice President Gore is spearheading efforts to establish new privacy rights on the Web. Following Gore’s lead, federal legislators have introduced the first wave in what promises to be an onslaught of regulations aimed at protecting privacy on the Internet.

This section chronicles this devolution and begins explaining why the proposed regulations are based on false assumptions and would be harmful. A better policy would avoid new regulations and instead harness the profit incentives currently driving businesses to help consumers protect their privacy.

 

Privacy Armageddon?

Privacy advocates claim the United States is on the brink of a privacy crisis, and that this crisis can only be averted by new privacy regulations. Advocates’ current goal is for the government to restrict information practices on the World Wide Web. By ascribing property rights to personal information, such restrictions would set the United States on course towards a restrictive privacy regime.

Privacy advocates’ fears and goals permeate their publications. According to Take Back Your Data, published by the American Civil Liberties Union, "…Americans’ right to privacy is in peril. The reason: our personal and business information is being digitized through an ever-expanding number of computer networks."6 

In a 1998 press release by the Privacy Rights Clearinghouse, PRC Director Beth Givens claimed that today’s privacy problems reflect a general inability among individuals to control their information. "The Internet," said Givens, "is simply exposing chronic problems caused by the lack of control Americans have over data about them."7  Givens’ colleagues assert that profit-driven businesses are eager to exploit this "lack of control." According to Robert Bulmash, President of Private Citizen Inc., privacy rights are "being commodified in America. Our government must now recognize that we are not sheep to be shorn of our privacy by direct marketers."8 

As Bulmash’s statement indicates, privacy advocates seek government solutions to alleged privacy problems. According to a letter submitted to the Department of Commerce by the Privacy Rights Clearinghouse, the Center for Media Education, the Consumer Federation of America and other advocacy groups, the federal government must "take decisive action to protect individual privacy online" and "develop administration initiatives and specific legislative proposals to protect individual privacy."9  The American Civil Liberties Union agrees: the authors of the ACLU handbook Your Right to Privacy declare it "crucial that reform of privacy laws be accelerated…so that rapid developments in computer technology do not strip individuals of the ability to maintain control over data about themselves."10 

As later sections will discuss, advocates want to restrict the collection, use, and distribution of personal information by businesses, starting with the Internet. Such restrictions would imply that personal information holds absolute property rights. For example, many advocates are demanding a law that would require online businesses to erase an individual’s information from their database upon that individual’s request.

Under this law, businesses would have no right to possess consumer information; their databases could be legally deflated at any time. By implication, this implies that Internet users have an absolute property right, which could be extended at any time, to their personal information. And Internet privacy regulations would only be privacy advocates’ first step.

Advocates’ ultimate goal is to establish general privacy rights and, by implication, property rights, that apply to all individuals under all circumstances. In fact, for more than thirty years, advocates have contended that the ideal policy would apply property rights to all personal information.

These calls can be traced to privacy pioneer Alan Westin’s landmark 1967 book Privacy and Freedom. Westin writes "Personal Information, thought of as the right of decisions over one’s private personality, should be defined as a property right with all the restraints on interference by public or private authorities and due process guarantees that our law of property has been so skillful in devising."11  Because of competing Constitutional interests (discussed in section V of this paper), Westin’s approach has historically been deemed untenable in the United States. The European Union, on the other hand, has essentially established these rights.

In October, 1998, the European Union enacted a privacy directive that severely restricts the private sector’s collection and use of personal information. A firm wishing to gather consumer information is required to declare how it intends to use that information, and to then obtain explicit, stated consent from individuals before collecting their information. In addition, businesses are effectively barred from selling personal information to third parties, and companies that violate or abuse these provisions can be sued for invasion of privacy.12 

By granting these new privacy rights, and making individuals’ control over their information absolute, the directive implicitly extends property rights to personal information. In so doing, it defines the extreme edge of the privacy regulation spectrum. As the following section explains, the United States has traditionally veered away from this extreme. But, as the proposed Internet privacy regulations demonstrate, the tide is slowly turning.

 

Internet Privacy: The U.S. Approach

The privacy approach of U.S. policy makers has, until recently, been the polar opposite of the E.U.’s directive. Legislators have opted out of new privacy regulations, waiting instead for businesses to alleviate privacy concerns on their own. But intensified attacks on self-regulation have spawned a reversal of this course.

Once an outspoken advocate of free-market Internet policies, the Clinton Administration now favors Internet privacy regulations. Following the Administration’s lead, legislators are proposing new laws that would restrict the collection, use, and distribution of personal information on the Internet.

The Clinton Administration’s Internet approach is torn by a conflict. On one side is the Administration’s stated faith in free-markets; in its 1997 paper "A Framework For Global Electronic Commerce," the Administration’s Information Infrastructure Task Force declares that "Governments should refrain from imposing new and unnecessary regulations…on commercial activities that take place via the Internet." On the other side is the Administration’s belief that government intervention is necessary to protect consumers from businesses.

The Administration’s approach to Internet privacy is a microcosm of this conflict. In a June, 1998 statement regarding Internet privacy policy, Vice President Gore declared that "We ought to start with strong, private-sector efforts, like self-regulation."13  But in the same speech, Mr. Gore declared privacy protection to be the "civic responsibility" of the state because, in his words, "the public looks to the government for consumer protection."14  In the battle between these two ideals, increasing attacks on self-regulation have helped the consumer protection agenda gain ground, strengthening the Administration’s support for new Internet privacy regulations.

The past year has featured intensified attacks on self-regulation, driven by privacy advocates’ skepticism of the private sector. So long as businesses are expected to regulate themselves, claim the advocates, privacy violations will be rampant. The Washington Post editorial page summarized this point of view when it wrote that "The trouble with urging companies to self-regulate is that the real incentives all lie in the other direction."15 

Doubts about self-regulation were bolstered in June 1998, when the Federal Trade Commission (FTC) released a report criticizing the privacy practices of commercial web sites. As was widely reported, the FTC surveyed 1400 sites and found that more than 85% collected data about visitors while only 14% revealed how that data is used.16  A full 89% of the children’s sites surveyed collected information, but only 23% of those sites told children to seek parental permission before handing over information.17  The report concluded by recommending that Congress pass new privacy laws.

These findings were devoured in Washington, D.C. where privacy advocates and regulation proponents hailed the report as proof positive that online businesses won’t regulate themselves. "[S]elf-regulation has not worked," said Mark Rotenberg, director of the Electronic Privacy Information Center.18  "Things like privacy protection do require government action."19  Commerce secretary William M. Daley agreed. "There has to be a critical mass to make self-regulation work," he told reporters, "and we haven’t seen that yet."20

 

Internet Privacy Regulations Gain Momentum

In Washington, D.C., policy makers have responded to self-regulation’s critics by proposing and implementing new laws aimed at protecting privacy on the Internet. The 105th Congress enacted one privacy bill, and the 106th is considering several proposals. These proposals, which cover a broad spectrum, are aimed at the single goal of creating new, government-granted privacy rights on the Internet.

Support for these proposals has been bolstered by the Clinton Administration’s growing support for Internet privacy regulations. Shortly after the FTC’s report was released, Vice President Gore officially announced a new Administration privacy initiative, the Internet aspect of which focused on children. Barely a year after the publication of "A Framework for Global Electronic Commerce," the Initiative called for a set of "fair information principles" that prohibit web sites from collecting data from children without parental consent. And Mr. Gore’s rhetoric about privacy was not limited to children. "We need an electronic bill of rights for this electronic age," he said. "You should have the right to choose whether your personal information is disclosed; you should know how, when, and how much of that information is being used; and you should have the right to…know if it’s accurate."21 

The children’s aspect of the White House initiative was mirrored by regulations recently enacted with the intention of protecting children’s privacy on the Internet. Passed as part of the 1998 federal budget, the Children’s Online Privacy Protection Act (COPPA) restricts web sites’ data collection. Effective in May, 2000, the COPPA requires that child-oriented web sites obtain parental consent before collecting personally identifiable information from children under age 13.

Privacy advocates viewed the COPPA as the first step towards even stricter regulation. "It’s a start," declared David Sobel, general counsel for the Electronic Privacy Information Center, "but we think that everybody, regardless of age, needs privacy protection on the Internet."22  Sobel’s wish might come true.

Legislators appear eager to use the COPPA as a wedge to enact stricter privacy regulations applying to all web sites. The last two years have featured an increasing number of legislative proposals to regulate privacy, and members of the 106th Congress have resumed the privacy crusade. More than 50 privacy-related bills have been introduced this session. While the bills relating to the Internet cover a broad spectrum, the apparent regulations of choice would impose what are commonly referred to as "mandatory opt-in" or "mandatory opt-out" requirements on commercial web sites.

Mandatory opt-in requirements, which would force all web sites to obtain an individual’s explicit consent before collecting and distributing information about their visitors, are a component of several bills scheduled to be introduced this year. The most notable of these is the Consumer Internet Privacy Act of 1999, introduced by Representative Bruce Vento (D-MN). The Act would mandate that all web sites obtain written consent before distributing personally identifiable information, such as a person’s name, to a third party.23 

Leading the mandatory opt-out charge is the Online Privacy Protection Act, co-sponsored by Senators Conrad Burns (R-MT) and Ron Wyden (D-OR). Under the Act, web sites would be required to provide formal notice when they collect information, and to allow users to access sites without relinquishing personal information.24  Representative Edward Markey (D-MA) has announced he will introduce similar legislation in the House.25 

Together, the Clinton Administration’s initiative, the COPPA, and the proposed legislation represent the first wave of Internet privacy regulations. As more anecdotal evidence of privacy violations emerges, even more regulations will be proposed as politicians scramble to assuage privacy concerns. Given the existing proposals, the preferences of privacy advocates, and policy makers’ growing support of strict, technology-specific regulations, it seems likely that proposed privacy regulations will continue to veer toward the extreme by seeking to impose mandatory opt-in, mandatory opt-out, or other strict restrictions on all commercial web sites.

 

Worthy Goals, Wrong Assumptions, Dangerous Consequences

The goals of an effective government approach towards Internet privacy are straightforward: assure that Internet users can protect their privacy should they so desire; adhere to the legal framework governing privacy in the United States; protect online businesses and, in the process, defend the cornerstones at the foundation of the Internet’s growth. New Internet privacy regulations, which would actually hinder these goals, are unnecessary and would have dangerous consequences.

Regulation advocates base their calls for government intervention on the following key assumptions:

1) Individuals cannot control their information. According to privacy advocates, individuals, including Internet users, have little control over how or when businesses collect, use, and distribute personal information.

2) Current laws overlook privacy. In light of this alleged fact, advocates contend that new laws are necessary to protect consumer privacy.

3) Profit motives contradict privacy interests. Advocates claim that businesses have no incentive to help consumers protect their privacy, and that self-regulation is therefore destined to fail.

The following five sections of this paper demonstrate that these assumptions are false. Everyone controls their information, the legal framework governing privacy supports this control, and profit incentives are driving businesses to help consumers alleviate their privacy concerns. In the end, this flexible, dynamic process will best meet the needs of consumers, businesses, and even privacy advocates. And it will prove that new Internet privacy regulations are unnecessary.

At best, new regulations would simply mimic the privacy protections currently being implemented by the private sector. At worst, government intervention would successfully mandate a top-down privacy policy, imposing strict, inflexible controls on online businesses. By handicapping self-regulatory efforts while establishing de facto property rights to personal information, Internet privacy regulations would harm consumers, hinder electronic commerce, and eat away at the pillars supporting the Internet’s rapid growth. In addition, these regulations would set dangerous legal precedents that could eventually erode certain provisions of the U.S. Constitution.

 

 IV. How Internet Users Control Their Information

Introduction

The Internet privacy debate is riddled with two key misperceptions: that web sites coerce Internet users into giving away their information, and that Internet users cannot control how sites use their information. As previously mentioned, Vice President Al Gore asserts that the necessary remedies are new rights and regulations ensuring that web users "have the right to choose whether…personal information is disclosed" and the right to "know how, when, and how much of that information is being used."26

But Internet users already have these rights. They have direct control over whether their information is collected by a site. While they have always had indirect control over how their information is used and distributed once given to a site, this control is becoming increasingly direct: web sites and their users have begun forging contracts that govern the use of personal information. These contracts allow web users to hold offending sites accountable if they misuse personal information. And, as section V of this paper discusses, this control is consistent with the legal framework that governs privacy in the United States.

 

Internet Users Control Their Information

Everyone, including Internet users, controls their personal information. Under most circumstances, individuals are free to either keep their personal information private or distribute it to others. Internet users possess this initial control and may forge contracts that limit the use of their personal information by web sites. But if users give their information away unconditionally, sites may use and distribute it however they please.

Every time they visit a site, Internet users control what information they relinquish and how it is used. This control begins once users realize that commercial web sites are not public goods. They are commodities that online businesses provide to make goods and services conveniently available. As such, they are the property of businesses that have a right to charge for their use. And the access fee is often measured in information.

On the Internet, information is not only a commodity, it is also a currency. Web users trade it in return for access to a site. And, contrary to regulators’ claims, this exchange is a voluntary, informed, and negotiated transaction.

Every movement on the Web is processed as a request for information: you type in a site address and your computer asks the site for permission to view its information. The site can grant or refuse that request, depending on the access fee. Sometimes, access is free and the information transfers immediately. Other times the site first asks if it can plant a cookie or requests that users complete a registration form.

Web users aren’t forced to grant these requests. They don’t have to fill out a registration form: once it appears on the screen, users can turn away from a site without relinquishing information. Or they can refuse to provide information and still proceed; many sites that post registration forms allow users limited access even if they refuse to complete the form.

Cookies are also simple to avoid. Browsers that automatically accept cookies can be easily modified to seek the Internet user’s permission first. Browsers come pre-equipped for such modification; the process is simple and takes only a few seconds. On Internet Explorer, for example, the user need only pull down the toolbar marked "View," select "Internet Options," click "Advanced," then scroll down to the box marked "Prompt before accepting cookies." Netscape Navigator’s process is even more straightforward.27

Surveys indicate that Internet users understand these mechanisms and put them to use. According to a 1997 survey by Georgia Tech University, 75% of web users know what cookies are, 86% know what their cookie settings are, and 61% have made an explicit choice about these settings.28  Only 22% always accept cookies.29  An April, 1999 study by AT&T Research Labs validated these numbers.

According to the study, 88% of the Internet users surveyed understood cookies.30  Of that 88%, 56% had "changed their cookie settings to something other than accepting all cookies without warning."31  More notably, Internet users were actually willing to accept cookies in return for the convenience of a customized site; the study found that "78% of respondents would definitely or probably agree to web sites using persistent identifiers (possibly implemented using cookies) to provide a customized service."32 

These statistics indicate that web users are making informed, rational decisions about what information they distribute to whom. These discriminating consumers can also be expected to understand that, if a site requires them to relinquish information in return for access, they can check to see if a "privacy policy" is posted.

Privacy policies are a promising response by businesses to consumers’ concerns. Posted at site entrances, these policies announce what information sites collect and how that information will be used. Internet users can read these policies and then make well-informed decisions about whether or not to relinquish information to a site. However, as privacy advocates are quick to point out, the number of sites with privacy policies is multiplying rapidly, but many sites don’t yet post their policies (these policies are discussed in greater detail in section VII). Consequently, Internet users sometimes find that registering with one site leads to having their information spread around to a variety of others.

Wary users can avoid this fate by being attentive and discriminating. If a site’s policy is hidden, or if the posted policy is unacceptable, users can leave before their information is transferred. But if they relinquish their information, a contract is forged.

In return for granting access, the site receives permission to use the visitor’s information. At this point, the user relinquishes direct control of her information to the site. If the site has a posted policy, that policy acts as a contract, and the site must abide by it or face legal consequences. If its policy is not posted, the site may use visitors’ information in any way it sees fit.

Internet users willing to give away their personal information must therefore recognize that it acts as a form of currency. It begins as their possession, private and within their control. They may trade it, along with direct control over it, in return for access to a site. The site may then sell or distribute the information unless the site has entered into an agreement that limits this right. This agreement, which can take the form of a privacy policy, gives Internet users a legal mechanism they can use to hold web sites accountable. But if users give their information to a site without a policy, they lose control of this information entirely.

Regardless of how they use it, web sites that collect information about their visitors are not violating anyone’s rights. Individuals don’t have a right to visit web sites without relinquishing information; they voluntarily relinquish information about themselves in return for the convenience of accessing goods and services on the Internet. Those unwilling to relinquish information always have the less convenient, but more anonymous options of shopping in traditional stores, reading print instead of online newspapers, or making telephone calls to gather information.

Privacy advocates proclaim that this approach violates web users’ privacy rights but, as the following section explains, this approach is in fact supported by the legal framework that governs privacy in the United States.

 

 

V. Privacy Laws in the United States:  A Delicate Balancing Act

Introduction

Contrary to many advocates’ claims that Internet users have a specific "right to privacy," privacy in the United States is not protected by explicit, government-granted rights. Instead, the legal mechanisms governing privacy are a jumbled mix of statutes, judicial decisions, constitutional provisions, and legal interpretations. But while privacy protections may be confusing, they are not confused.

These protections rest on a principled legal framework that strikes the necessary balance between competing constitutional interests while allowing individuals to exercise varying levels of control over their personal information. This framework allows individuals to control their personal information by keeping it private and/or using contracts to limit its use. And it simultaneously protects the rights of third parties, most notably law enforcers and the press, to collect, use, and distribute an individual’s personal information. New Internet privacy regulations could set dangerous precedents that disrupt this framework and consequently erode Constitutional protections that Americans hold dear.

 

Conflicting Values

Privacy protection in the United States is limited and confusing because any legal mechanisms intended to govern privacy must balance conflicting Constitutional provisions. The popular belief that the Constitution grants a right to privacy, and that this right governs the private sector’s information practices, is false. The Constitution does not grant a right to privacy.

In fact, as Ellen Alderman and Caroline Kennedy note in The Right to Privacy, "The word ‘privacy’ does not appear in the United States Constitution."33  And even if a general privacy right could be gleaned from the Constitution, it would not affect the private sector: with the exception of the Thirteenth Amendment, which bans slavery, Constitutional protections govern only the relationship between U.S. citizens and their government.

But while the Constitution does not grant a right to privacy, it does outline a set of competing interests that simultaneously works against privacy and places an implicit value upon it. As Fred H. Cate writes in Privacy in the Information Age, "[P]rivacy protection in the United States is fundamentally in tension with other cherished values…[such as] the prevention of crime and prosecution of criminals, free expression and an investigatory press, the acquisition and use of property, and a limited role for government in daily life."34 

The Fourth Amendment provides a good example of this conflict. By protecting citizens against "unreasonable" searches and seizures, the Fourth Amendment implies that individuals have a certain level of privacy. But it simultaneously ensures that law enforcers can conduct searches that are "reasonable," even if those searches invade a person’s private space. Consequently, courts and policy makers have been forced to strike a balance between the investigative interests of law enforcers and the privacy interests of citizens. While Fourth Amendment concerns are important, the First Amendment is the central battleground where the competing interests clash.

On one side stands the citizens’ "right to be let alone," their interest in keeping certain sensitive information about themselves, such as their religious beliefs or political associations, private. On the other side stands the First Amendment’s emphasis on the free flow of information and its protection of both freedom of speech and the right of the press to uncover and publicize the truth, regardless of whether that truth contains sensitive, private details. The conflict between such interests explains why privacy protection is limited; judges and policy makers have been repeatedly forced to strike a delicate balance.

Any privacy-based challenge to the Constitution’s free expression guarantees must survive the difficult test of strict scrutiny. In cases such as Breard v. City of Alexandria35 , the Court has regularly elevated the First Amendment’s guarantees of free expression above privacy interests. As Fred H. Cate writes, "When privacy rights conflict with free expression, the latter prevail, virtually without exception."36  And, as the following section explains, elevating free expression above privacy leads to a situation in which privacy rights are necessarily limited.

 

Private vs. Public Information: A Framework

"An inability to vindicate a personal predilection for greater privacy may be part of the price every person must be prepared to pay for a society in which information and opinion flow freely."37 

— New York Court of Appeals, ruling in Arrington v. The New York Times Company, 1983.

In the process of balancing privacy and free expression, judges and policy makers have established a legal framework containing a complex amalgam of statutes, torts, precedents, and legal interpretations. Except in a few, limited circumstances, this framework does not establish any substantial new privacy rights against either the public or the private sector. The framework does, however, implicitly outline a relationship between people and their personal information.

Generally speaking, the control of personal information is left in the individual’s hands. An individual may protect the privacy of this information either by not disclosing it or by forging contracts that limit its use. But disclosure of private, personal information, even on a casual or unintentional basis, transforms that information into public information. And once personal information becomes public, it can be freely distributed and publicized. But how does this transformation occur?

Private information is transformed into public information as people begin operating in society. People reveal certain information about themselves as they conduct transactions and forge relationships. Typically, this information is limited to what can be gleaned from a casual encounter, i.e. a person’s name, hair color, temperament, etc. If this information is revealed unconditionally, it can be distributed by third parties with impunity. This distribution is simply the price a person must pay in return for the benefits of operating in society.

This relationship between individuals and their information is a necessary outgrowth of a society that values justice and free expression. An individual’s control over personal information must be limited in the interest of protecting both law enforcers’ interest in conducting searches as part of a criminal investigation, and the right of the press to uncover and publicize news. Limited privacy rights allow law enforcers conducting an investigation to gather personal, private information provided they have reasonable cause. Similarly, the press may gather and publicize private information so long as it is newsworthy and the details are accurately conveyed. As the following section explains, new Internet privacy regulations could alter this relationship and, in the process, set the stage for future encroachments upon the Constitution.

 

Internet Privacy Regulations Could Upset this Balance

As mentioned earlier, regulations requiring web sites to obtain consent before collecting and distributing data would create new privacy rights on the Internet. And, while these rights would apply only to the Internet, they would likely become a wedge used to enact broad new privacy rights across the entire private sector. Such rights would upset the balance between the Constitution’s competing provisions. Perhaps most disturbing is the prospect that such rights would weaken the free expression guarantees of the First Amendment.

For example, a mandatory opt-in requirement applied to all businesses, and the accompanying privacy rights, would restrict the rights of entities to share the information that is voluntarily relinquished to them; their right to speak freely would be encroached upon. This idea was pioneered by Solveig Singleton in her paper "Privacy as Censorship: A Skeptical View of Proposals to Regulate Privacy in the Private Sector." According to Singleton, "[Mandatory opt-in] would conflict with our tradition of free speech. From light conversation, to journalism, to consumer credit reporting, we rely on being able to freely communicate details of one another’s lives. Proposals to forbid businesses to communicate with one another about real events fly in the face of that tradition."38 

Claims that Internet users cannot control their information without new rights and regulations are false. Internet users exercise a substantial and increasing amount of control over their personal information. But this control is not, and never should be, absolute.

Instead, this control is structured in such a way that an individual’s personal information resembles currency. Individuals initially control information about themselves, but they can trade it in return for benefits such as the convenience of using commercial web sites. Because individuals possess this initial control, they may protect their information by forging contracts that limit its use.

Privacy rights are limited for a reason: they compete with freedom of speech, freedom of the press, and other interests that must be protected in order for a democracy to function effectively. Courts and policy makers have balanced these competing interests by defining a relationship that guards Constitutional protections while still allowing individuals to protect their privacy by keeping their information private or using contracts to protect it.

New Internet privacy regulations could upset this balance. They would likely pave the way for the broad new privacy rights that activists currently demand, and these expanded rights would necessarily erode the conflicting Constitutional protections. And the detrimental effects of regulation would extend to the Internet. As the following section explains, new Internet privacy regulations would upset the cost structure currently facing online entrepreneurs, hindering electronic commerce in the process.

 

VI. The Threat of Compliance Costs

Online businesses resemble traditional businesses but they also are unique in many ways. Relative to traditional sectors, it is easy and cheap for businesses to open an online store. Prospective business owners don’t have to lease a building or acquire enough merchandise to fill the shelves. Consequently, anyone with a promising idea can create a firm and virtually anyone with a computer can start a home-based enterprise that features low maintenance costs. And these small businesses can quickly expand into multi-million dollar enterprises. But limited capital costs are not the only advantage.

Online businesses are relatively free from regulation. Contrary to popular belief, these businesses are not "unregulated"; they are subject to the same system of rules and laws that generally govern other businesses. But electronic commerce and the businesses that comprise it have to date been spared the industry-specific regulations that hinder other sectors. As a result, online businesses aren’t burdened with substantial regulatory compliance costs.

New Internet privacy regulations would end this situation, raising the costs of starting and maintaining an online business. In the process, they would set a precedent for imposing new "consumer protection" regulations on commercial web sites.

Regulators have been on a crusade to wedge their way online; hundreds of Internet-related laws were introduced before the last Congress, ranging from the widely publicized effort to limit "indecent" web content to lesser-known proposals to outlaw Internet gambling. These efforts have largely been fruitless, but new Internet privacy regulations could turn the tide.

Such regulations would signal policy makers that "consumer protection" measures are necessary and acceptable on the Web. Regulators would likely respond with an onslaught of new regulations. And these regulations would begin eroding the low entry costs that are the linchpin of electronic commerce.

Government-imposed consumer protection requirements, including Internet privacy regulations, would force web sites to bear the costs of implementing these requirements, the costs of complying with them, and the liability costs of noncompliance. Firms would be forced to devote increasing amounts of capital and income to regulatory compliance. The experience of Able Minds, Inc., a San Francisco company that operates the children’s site Cyberkids, chronicles the damage that such regulations can inflict on small businesses.

Julie Richer, President of Able Minds, explains how today’s limited Internet regulations are already hurting her company. According to Richer, the Children’s Online Privacy Protection Act has burdened Able Minds with substantial compliance costs. Richer estimates her company has spent $10,000 to date in its effort to implement the COPPA—this amounts to more than 10% of the site’s annual $90,000 budget.39  These costs include the valuable staff time Richer says Able Minds has had to dedicate to menial tasks such as sorting and logging the written consent forms that parents are required to send in before their children may use the site.40 

In addition, says Richer, "One of the main problems are the barriers to entry" that the COPPA has erected in front of her site. According to Richer, the COPPA’s consent requirement has led to "reduced traffic" on her site.41  At the same time, it has placed Able Minds at a disadvantage to "bigger companies, like AOL," who charge for use and therefore have access to credit card numbers that can be used in lieu of written consent forms.42  AOL and other net giants also have more resources to devote to compliance and advertising. Richer’s comments illustrate how even "minor" regulations burden small businesses.

Entrepreneurs will not ignore these regulations. By raising electronic commerce’s entry bar one notch higher, regulatory compliance costs will likely prevent many small businesses from setting up shop online. And, as the Able Minds example shows, compliance costs and procedures will absorb a significant portion of the resources online businesses devote to improving their sites and services.

The end result of new regulations, including Internet privacy regulations, would be to harm consumers. Existing businesses would pass some of the increased costs along to consumers in the form of price increases. Also notable is the negative effect that some privacy regulations would have on businesses’ ability to tailor themselves to customers: under mandatory opt-out, for example, sites would be prohibited from requiring information in return for access.

All Internet users would be handed the right to access sites without having to trade away information in return. This would hamper the ability of online businesses to assess the preferences of their customer base. Sites would end up being less responsive to customers and, consequently, consumers would be robbed of at least some of the benefits of tailored sites.

The cumulative effect of regulation’s negative implications would be to place an unfair burden on small online business. As a consequence, regulations would prevent some new businesses from arising, limiting the quantity and variety of commercial web sites. Consumers would suffer from these limited opportunities. However, there is hope: as the following section explains, regulations are not the necessary answer to privacy concerns.

 

 

VII. Solution: Self-Regulation

Introduction

The most effective policy approach to Internet privacy would avoid new regulations, relying instead on the market forces that are already driving businesses to alleviate privacy concerns. Privacy advocates claim that the profit motive contradicts privacy interests, and that this is why self-regulation can never work. They are wrong. Businesses have every incentive to respond to the demands of customers, and privacy concerns are not an exception.

In a large and growing number of cases, businesses understand not only that consumers value their privacy but also that privacy concerns could limit profits by hindering the growth of electronic commerce. Consequently, businesses have begun taking action to alleviate consumer’s concerns and, in many cases, this action mimics the measures that advocates want enacted into law. To date the primary means to this end have been privacy policies: the key players in web commerce have been pushing hard towards the goal of making privacy policies a voluntary industry standard. But privacy policies are only one part of the self-regulation phalanx.

A burgeoning industry is designing and producing products that will enhance Internet users’ control over their personal information. These "infomediaries" are introducing software that empowers users, allowing them to automatically communicate their privacy preferences to web sites, and to avoid sites with privacy policies that contradict those preferences. These businesses intend to profit not by violating privacy but by protecting it, an intention that further debunks the claims of privacy advocates.

By demonstrating how market forces are leading businesses to respond to privacy concerns, this section details how a dynamic self-regulatory environment is emerging on the web. New regulations would smother this process.

 

How Privacy Policies are Becoming an Industry Standard

Privacy policies are on course to become a standard among online businesses. Driving this progress are the economic incentives that push businesses to regulate themselves. Businesses and organizations are responding to these incentives en masse, suggesting that the vast majority of commercial web sites will soon implement privacy policies in response to consumer concerns.

The market mechanism beneath this process is simple. As previously discussed, Internet users (who are also web sites’ customers) are concerned about how sites use the personal information they gather. The goal of commercial web sites is to attract these customers. Because discriminating consumers won’t patronize sites that use personal information invasively, sites must respond to their customers’ privacy concerns. Otherwise, consumers will migrate to competing sites.

Hoping to profit from electronic commerce, a variety of businesses and organizations are scrambling to implement consumer-friendly privacy policies. These efforts are being facilitated by organizations created to help sites implement privacy policies, and to enforce those policies. The leader among these organizations is the California-based TRUST-e.

TRUST-e certifies and polices sites’ privacy policies. Its members are required to tell their visitors what information about them is gathered and how that information is used. In return for their compliance, TRUST-e rewards them with a "trustmark" seal of approval that sites post at their entrances, notifying visitors of their compliance. TRUST-e also provides web sites with a template privacy policy, and its members include the web giants eBay, Yahoo!, and Excite. The program’s popularity—according to TRUST-e, its more than 500 members attract over 90% of web traffic—illustrates that companies are using privacy policies to respond to consumer concerns.43  And TRUST-e is not alone.

The Council of Better Business Bureaus has started a similar program. Conceived and sponsored by companies such as America Online and Dell Computer Corporation, this program sets privacy standards, posts a seal of approval on sites that abide by those standards, and resolves privacy disputes between individuals and online businesses.44  At the time this program began, in March, 1999, more than 300 companies had begun the application process to become members.45 Its efforts were bolstered on April 12 when the American Electronics Association announced it will urge each of its 3,000 members to implement the BBB program.46 

The privacy policy crusade has also been aided by the Online Privacy Alliance and the IBM corporation. Backed by such companies as Microsoft and Disney, the Online Privacy Alliance (OPA) operates an outreach program intended to foster the proliferation of privacy policies. The OPA works towards this goal by requiring its members to implement privacy policies, and by providing online businesses with privacy guidelines that they may adapt.47  IBM added momentum to the OPA’s efforts when, in April, 1999, it announced that it will only advertise on sites with acceptable privacy policies.

In order to be acceptable to IBM, privacy policies must tell site visitors what information about them is collected and how that information is used, and they must give visitors the option of using the site without relinquishing any information. IBM hopes that, by channeling $60 million in advertising expenditures towards more than 700 sites, it will facilitate the self-regulation process.48  According to company spokesman John Bukovinsky, IBM’s intention is to "help build consumer confidence in the use of the Internet as a medium for conducting business."49 

These examples demonstrate how the profit motive is driving online businesses to respect the privacy concerns of their customers. A May 1999 study led by Georgetown University professor Mary Culnan found that the majority of online businesses are now posting some type of privacy policy. The study investigated 364 commercial web sites and found that, of sites that collected personal information, nearly two-thirds (65.7%) notified visitors of this collection.50  Robert Pitofsky, Chairman of the Federal Trade Commission and one of self-regulation’s most outspoken critics, told the New York Times that the study was "exceptionally well-done" and demonstrated "a remarkable improvement."51 

The Online Privacy Alliance added punch to Culnan’s findings with a study of its own. The OPA study found that, of the 100 most popular web sites, 94% posted privacy policies.52  As these studies and Pitofsky’s remarks demonstrate, the self-regulatory process is quickly leading to a situation in which privacy policies are a web standard.

This situation clearly benefits web users by taking the guesswork out of accessing a site. Posted, enforced privacy policies, particularly those backed by organizations such as TRUST-e, help consumers make informed decisions about when to trade away their information. An April, 1999 survey by AT&T Research Labs proved this fact: 58% of those surveyed said they were more likely to provide information to sites that post privacy policies and have a third-party seal of approval.53  The proliferation of privacy policies also has other, more substantial benefits.

Since privacy policies are also contracts, they give Internet users a new way to hold online businesses accountable if they misuse personal information. And once the majority of sites have adopted privacy policies, a framework will be established for an even greater response to consumer privacy concerns.

Once web sites establish privacy policies, they can amend them to match the preferences of their customers. For example, if the majority of consumers demand that sites allow access without information requirements, many sites will then be forced to respond by eliminating the requirement that consumers trade information in return for access. This prospect is only one of many exciting, private-sector responses to privacy concerns.

 

Infomediaries

Information intermediaries, or "Infomediaries", are a new type of product that simplifies Internet users’ control over their personal information. As such, infomediaries respond to consumer privacy concerns more directly than privacy policies. And they further demonstrate that privacy interests and the profit motive are complementary, not contradictory.

Infomediaries are usually based on the "platform for privacy preferences" (P3P), a technology that allows Internet users and web sites to automatically communicate about privacy preferences and practices. Using P3P software, users can "specify under which conditions they are willing to divulge personal information online."54  The software can then automatically identify whether a web site’s privacy policy is consistent with those conditions. If the conditions and the policy match, the software automatically relinquishes the information the site requires in return for access. If the policy violates the user’s preferences, the software notifies the user, who can then avoid the site.

In order for a P3P communication to occur, both the web site and the Internet user wishing to access it must possess the software. Today, the software is not widely used, and P3P communications are uncommon. But recent developments suggest that this situation will soon be remedied: P3P-based products are on the verge of a popularity boom.

Microsoft and the Electronic Frontier Foundation recently announced a program to popularize the use of P3P software by web sites. The organizations are working together to launch the "Privacy Wizard," an inexpensive, standardized product that provides web sites with a "universal standard…to disclose how they use personal information gathered about consumers."55  By integrating P3P into web sites, the privacy wizard will let browsers, search engines, and other P3P-based products analyze a site’s privacy policy and alert Internet users if the policy contradicts their preferences.56  But integrating P3P into web sites only solves half of the infomediary equation.

Entrepreneurs are solving the other half: companies are now releasing P3P-based products that enhance Internet users’ information control. In March, 1999, for example, Novell introduced "Digitalme." Using Digitalme, which incorporates technology similar to P3P, Internet users can record their personal information, specify if and when they want that information released to web sites, and then let the software automatically review sites’ privacy policies.57  Lumeria, Incorporated’s new "Superprofile" technology accomplishes a similar task.

According to the company’s web site, Superprofile "allows you to decide who gets to see what parts of your profile under what circumstances…[and] protects your privacy while allowing you the opportunity to reveal what your interests are when and for whatever reason you wish, without revealing your identity."58  The product—which will be given away to consumers free of charge—also includes a "SuperOptOut" feature, a free service that helps consumers remove "their names from mailing lists," and also makes them "harder to reach through traditional channels."59 

Lumeria’s goals aren’t limited to helping Internet users control their information. The company also aims to deflate the information resale industry by "transferring ownership of personal data (used for direct marketing and personalized services) to the individual."60  The individual—and not the information reseller—would then be free to profit from the sale and use of their own information. The relationship between consumers and direct marketers would be upended.

Lumeria CEO Fred Davis outlined this goal in an interview with Wired News. "There is a lot of information [out there] about what I buy," said Davis, "It is my information, and yet there are these other companies…selling this information, and they are not cutting me in."61  Davis’s goals illustrate how infomediaries are working to profit from alleviating web users’ privacy concerns.

 

The Promise of Self-Regulation

Markets are answering the most critical questions swirling around privacy on the Internet. Businesses are providing consumers with an unprecedented array of creative, flexible mechanisms that protect privacy and quickly respond to changing consumer preferences. As Lumeria’s Fred Davis suggests, the economic incentives driving self-regulation could eventually lead to products that upset the traditional relationship between consumers and direct marketers, alleviating most privacy concerns in the process.

The reality is that the profit motive is driving businesses to protect consumer privacy. Businesses hoping to profit from electronic commerce are well aware that privacy concerns may push consumers away from the Internet and consequently hinder potential profits. In the interests of protecting those profits, businesses are rapidly responding to privacy concerns by posting privacy policies.

Infomediaries demonstrate that the profit motive is working at a higher level, illustrating the degree to which businesses have become aware of privacy concerns. It is one thing to use privacy policies to protect the growth of an existing market. It is another thing to invest in and develop an entirely new market based solely on the prospect that there is direct profit to be earned from protecting privacy. Businesses’ willingness to absorb the costs and risks associated with developing intermediaries proves that market forces will provide mechanisms that alleviate widespread privacy concerns. This dynamic process has only just begun.

Several promising events, such as the Better Business Bureau’s program launch and the release of Lumeria’s Superprofile, occurred in March and April of 1999. Privacy advocates suggest that self-regulation is already faltering, but these events demonstrate that the process is still rising, its apex is not yet in sight, and it could eventually alleviate privacy concerns altogether. Government intervention, on the other hand, would smother this process and harm consumers.

A single, government imposed privacy policy, such as mandatory opt-in, would deny consumers the flexibility promised by the private sector’s products, allocating a single remedy to consumers currently demanding a variety of solutions. And it would smother the demand for these products by creating a false sense of security among Internet users. Companies like Lumeria would be crippled. Consumers would be denied the benefits that new innovations promise.

 

 

VIII. Conclusion: Innovation, Not Regulation

The most effective governing strategy towards Internet privacy would accomplish three goals:

1) Assure that Internet users can protect their privacy.

2) Adhere to the legal framework governing privacy in the United States.

3) Protect online businesses and, in the process, defend the foundation of the Internet’s growth.

New Internet privacy regulations hinder these goals and quash the dynamic market process that is driving businesses to help consumers protect their privacy. An evolving set of promising private-sector solutions would be replaced by a single government remedy. And Internet privacy regulations would also hinder electronic commerce by harming online businesses.

By saddling online business with new compliance costs, Internet privacy regulations would upset the cost structure that helps account for electronic commerce’s meteoric growth. Relatively free from targeted regulations, online businesses have faced low entry costs and low maintenance costs. Consequently, they have been free to devote the majority of their resources to maintaining and upgrading the services they offer. Internet privacy regulations would reverse this situation and set the stage for further, Internet-specific consumer protection requirements.

Online businesses would be forced to bear the costs of implementing and complying with new regulations. These costs would make it more expensive to start a new business on the web, deterring entry into web commerce. Regulations would also hamper the innovative capacity of small online businesses by forcing them to devote valuable resources to regulatory compliance. Larger, established businesses would be handed an advantage by the government. Thus new Internet privacy regulations would dampen the web’s entrepreneurial characteristics, limiting the quantity and variety of online businesses available to consumers. Also troubling is the negative effect that Internet privacy regulations could have on the legal principles governing privacy in the United States.

The current legal framework governing privacy strikes a delicate balance between competing interests that simultaneously value privacy and work against it. The First Amendment to the United States Constitution, for example, validates an individual’s interest in keeping certain information, such as political associations, private. At the same time, it emphasizes the free flow of information by protecting the press’s right to uncover and freely speak the truth, even if that truth contains sensitive, private facts. When these competing interests clash in the courts, freedom of speech prevails.

Internet privacy regulations alone are unlikely to upset this balance. However, these regulations are likely to be used as a precedent to enact the broader privacy rights that advocates cherish. Endowing personal information with absolute property rights would erode the media’s right to publicize information. In some cases, publication would amount to "theft" of personal information. If codified into law, this right would necessarily impinge on the First Amendment’s provisions.

Internet privacy regulations, therefore, would harm consumers, hinder electronic commerce, and set a dangerous legal precedent. A free-market policy, on the other hand, would avoid these costs while accomplishing an effective policy’s three goals. The ideal policy would avoid new regulations altogether and instead harness the profit incentives currently driving businesses to help consumers protect their privacy. Such a policy would:

1. Protect consumer privacy by harnessing economic forces. When users express concerns about their privacy, businesses respond and alleviate these concerns. A dynamic economic process is driving businesses to devise innovative new ways to help consumers protect their information. Privacy policies help Internet users make informed decisions about when to trade their information for a web site’s benefits. Because individuals have initial rights to their personal information, they can use these policies as contracts. Such contracts help Internet users hold sites accountable when those sites misuse personal information.

Information intermediaries, commonly referred to as "infomediaries," are another promising, private sector response to Internet users’ privacy concerns. Typically based on the Platform for Privacy Preferences, infomediaries enhance users’ information control by allowing them to automatically dictate what personal information is given to a site under what conditions.

Privacy policies and infomediaries are only the beginning. They are symbols of a dynamic economic process that could eventually quell privacy concerns altogether. If they are allowed to flourish, the firms devoted to privacy protection will continue to devise creative, flexible mechanisms that protect privacy and quickly respond to changing consumer preferences.

2. Leave the legal framework governing privacy intact. By treating personal information in such a way that it resembles currency, the current legal framework explains how all individuals, including Internet users, control their information.

Private information can be traded in return for the benefits of society—such as the convenience of using a web site. If private information is traded away unconditionally, it becomes public information that can be freely distributed among third parties.

The relationship between private and public information explains why individuals cannot only control their personal information initially but also can use contracts—such as privacy policies—to limit the distribution of this information. A free-market policy approach to Internet privacy, which necessarily implies the absence of new Internet privacy regulations, would leave this relationship intact.

In so doing, it would leave open a window of opportunity for privacy-conscious individuals to use contracts to protect their information. At the same time, it would protect businesses that collect and use the information provided by willing individuals. In the process, it would avoid setting a precedent that could eventually damage the legal relationship that simultaneously allows for privacy and free speech.

3. Protect the economic forces driving the Information Age. In the absence of government regulation, the Internet is developing as a consumer-driven medium. For a variety of reasons, online businesses have been free to tailor themselves to the unique and changing demands of individuals.

If left free from targeted regulations such as Internet privacy regulations, this grand enterprise promises to continue and flourish. Small online businesses will maintain today’s rapid pace of innovation. In search of profits, entrepreneurs will continue launching new enterprises aimed at satisfying ever-smaller market niches. The Internet will enable more individuals to access more products and services that are more tailored to their particular tastes than ever before.

The conclusion is clear: New Internet privacy regulations would harm consumers, hinder electronic commerce, and set dangerous legal precedents. A free-market approach, on the other hand, would help consumers, protect the Internet’s future, and leave treasured United States legal principles intact. Until advocates of regulation recognize these realities, policy makers will continue marching forward with proposals that threaten consumers, businesses, and the future of the Internet itself.

As electronic commerce, the Internet, and telecommunications blossom into an ever more integral part of the economy and society, policy makers will face many quandaries similar to Internet privacy. These problems will continue calling for innovative new governing strategies and solutions.

Only free-market policy approaches will empower the most effective innovation. These approaches will ensure a brighter future by leaving individuals and business limited only by their own creativity, effort, and the rule of law.

 

 

End Notes

---

1   I am greatly indebted to Dr. Eugene Volokh, Professor, UCLA Law School, for his input into the legal analysis present in this paper. Specifically, Dr. Volokh assisted me in understanding and highlighting the critical tradeoffs between privacy and free speech.
2   See www.amlist.com/types.html.
3   See www.bestmailing.com.
4   Lawrence Magid, "Privacy is good business," Information Week, June 15, 1998, p. 240.
5   The Graphic, Visualization and Usability Center at Georgia Tech University, "The Graphic, Visualization, and Usability Center’s Eighth World Wide Web User Survey" (Atlanta, Georgia: Georgia Tech University, 1997), p. 4. Available: www.gvu.gatech.edu/user_surveys/survey-1997-10/.
6   The American Civil Liberties Union, "Take Back Your Data," February, 1998, p. 1, available: www.aclu.org/action/tbyd.html.
7   June 22, 1998, "Leaving Industry to ‘Regulate’ Itself Will Worsen Privacy Invasions, Experts Say," Joint news release by organizations including the Center for Media Education, Junkbusters Corporation, Privacy International, Privacy Times, Privacy Journal, and Private Citizen, Inc. Available: www.igc.org/pirg/consumer/privacy/rel_0622.html.
8  Ibid.
9   "Privacy and Consumer Advocates call on Secretary Daley and White House to develop a National Privacy Policy," submitted by a conglomerate of advocacy organizations, including the ACLU and the Center for Democracy and Technology on June 22, 1998. Available: www.cdt.org/privacy/daleyletter.html.
10 Evan Hendricks, Trudy Hayden, Jack D. Novik, Your Right to Privacy (Carbondale, IL: Southern Illinois University Press, 1990), Introduction, p. xxi.
11 Alan Westin, Privacy and Freedom (New York: Athenaeum, 1967), pp. 324-25.
12 Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, issued October 24, 1995.
13 Ted Bridis, "Gore Warns Execs Over Net Privacy," Associated Press Online, June 24, 1998.
14 Ibid.
15 Staff Editorial, "Privacy from whom?," Washington Post, June 29, 1998, p. A14.
16 The Federal Trade Commission, "Privacy Online: A Report to Congress" (Washington, D.C.: The Federal Trade Commission, 1998), p. 2. Available: www.ftc.gov/reports/privacy3.
17 Ibid.
18 Jeri Clausing, "Guidelines are sought for Internet privacy," New York Times, June 5, 1998, p. D2.
19 Hiawatha Bray, "FTC urges steps to guard privacy on the Internet," Boston Globe, June 5, 1998, p. A1.
20 "Guidelines are sought for Internet privacy," New York Times, June 5, 1998
21 Vice President Gore has made this statement on at least two occasions. The first was in a commencement speech at New York University delivered on May 14, 1998; the text of this speech is available through the White House Press Office. The second was upon announcement of the Clinton Administration’s privacy initiative (Protecting Americans’ Privacy in the Information Age: An Electronic Bill of Rights) on August 4, 1998. For the text of the announcement see the White House, Office of the Vice President, "Vice President Gore Announces New Steps Toward an Electronic Bill of Rights," released July 31, 1998. Available: www.cdt.org/privacy/gore_press.980811.html.
22 John Borland, "Activists: Kids’ Privacy Law is Only First Step," Tech Web News, October 23, 1998, p. 1.
23 H.R. 313, the "Consumer Internet Privacy Protection Act of 1999," introduced by Representative Bruce Vento on January 6, 1999. Available: www.thomas.loc.gov/cgi-bin/query/z?c106:H.R.313.IH:.
24 S.809, the "Online Privacy Protection Act of 1999," filed by Senators Conrad Burns and Ron Wyden in April, 1999. Available: http://thomas.loc.gov/cgi-bin/query/D?c106:1:./temp/~c106VSBheW::.
25 Jeri Clausing, "Lawmaker Plans Bill to Protect Consumer Privacy Online," New York Times, April 8, 1998. Available: http://www.nytimes.com/library/tech/99/04/cyber/articles/08privacy.html.
26 For the text of the announcement see the White House, Office of the Vice President, "Vice President Gore Announces New Steps Toward an Electronic Bill of Rights," released July 31, 1998. Available: www.cdt.org/privacy/gore_press.980811.html.
27 To prevent Netscape Navigator from automatically granting cookie requests, pull down the tool bar marked "edit," click "preferences," then "advanced," and then select either "disable all cookies" or "warn me before accepting cookies."
28 The Graphic, Visualization and Usability Center at Georgia Tech University, "The Graphic, Visualization, and Usability Center’s Eighth World Wide Web User Survey (Atlanta, Georgia: Georgia Tech University, 1997), p. 7. Available: www.gvu.gatech.edu/user_surveys/survey-1997-10/.
29 Ibid.
30 Lorrie Faith Cranor, Joseph Reagle, and Mark S. Alderman, "Beyond Concern: Understanding Net Users’ Attitudes About Online Privacy" (Red Bank, NJ: AT&T Labs, April 14, 1999), p. 3. Available: www.research.att.com/library/trs/TRs/99/99.4/99.4.3/report.htm.
31 Ibid.
32 Ibid.
33 Ellen Alderman and Caroline Kennedy, The Right To Privacy (New York, NY: Random House, 1995), p. xiii.
34 Fred H. Cate, Privacy in The Information Age (Washington, D.C.: Brookings Institution Press, 1997), p. 100.
35 Breard v. Alexandria, 341 U.S. 622 (1951).
36 Cate, Privacy in the Information Age, p. 70.
37 Arrington v. New York Times Co., 434 N.E.2d 1319, 449 N.Y.S.2d 941 (N.Y. 1982), cert. denied, 459 U.S. 1146, 1983 U.S. LEXIS 3098 (1983).
38 Solveig Singleton, "Privacy as Censorship: A Skeptical View of Proposals to Regulate Privacy in the Public Sector," (Washington, D.C.: The Cato Institute, January, 1998), p. 1.
39 Telephone conversation with Julie Richer, President, Able Minds Incorporated, May 12, 1999.
40 Telephone conversation with Julie Richer, President, Able Minds Incorporated, May 11, 1999.
41 Ibid.
42 Ibid.
43 This and other information about TRUST-e can be found at www.truste.org.
44 This and other information about the Better Business Bureau’s program can be found at www.bbbonline.org.
45 Ibid.
46 Robert MacMillan, "American Electronics Association to Promote BBB Online," Newsbytes, April 12, 1999.
47 This and other information about the Online Privacy Alliance can be found at www.privacyalliance.org.
48 Bruce Meyerson, "Web Privacy Disclosure Pushed," The Boston Globe, April 1, 1999, p. D5.
49 Ibid.
50 Jeri Clausing, "New Privacy Study Says Majority of Sites Provide Warnings," New York Times, May 12, 1999.
51 Jeri Clausing, "New Privacy Study Says Majority of Sites Provide Warnings," New York Times, May 12, 1999.
52 Online Privacy Alliance News Release, "Online Privacy Alliance Says Web Sweeps Confirm Significant Progress in Privacy Self-Regulation," May 12, 1999. Available: http://www.privacyalliance.org/news/05121999.shtml. Summary of results available at: http://www.privacyalliance.org/resources/100_summary.shtml.
53 Lorrie Faith Cranor, Joseph Reagle, and Mark S. Alderman, "Beyond Concern: Understanding Net Users’ Attitudes About Online Privacy" (Red Bank, NJ: AT&T Labs, April 14, 1999), p. 3. Available: www.research.att.com/library/trs/TRs/99/99.4/99.4.3/report.htm.
54 Chris Oakes, "Your Data, Your Choice," Wired News, March 24, 1999. Available: www.wired.com/news/news/technology/story/18678.html.
55 Michael Paulson, "Internet Privacy Solution Proposed," The Seattle Post-Intelligencer, April 6,1999, p. C1.
56 Tara Lemmey and Saul Klein, "Architecture is Policy; Case Study: Cooperative Development as a Means for a Standards-based Implementation for Privacy on The Internet," (San Francisco: The Electronic Frontier Foundation), April, 1999. Available: www.eff.org/privacypaper.
57 Chris Oakes, "Your Data, Your Choice," Wired News, March 24, 1999. Available: www.wired.com/news/news/technology/story/18678.html.
58 See www.lumeria.com.
59 "Lumeria Announces the Superprofile at Spring Internet World," Press Release, April 14,1999. Available: www.lumeria.com/press4.html.
60 "Lumeria Announces Intent to Acquire InterOmni Services, Inc," Press Release, March 9, 1999. Available: www.lumeria.com/press3.html.
61 James Glave, "The Dawn of the Infomediary," Wired News, February 24, 1999. Available: www.wired.com/news/news/business/story/18094.html.