Vol. 2, No. 32, August 15, 2000
The following article is the first in a series of more in-depth coverage of policy issues for nonprofits around e-commerce. After examining three case studies and an overview of the policy and practical issues relevant to nonprofits involved in e-commerce , this article addresses the critical issue of privacy and the regulation of the collection of personal information online. Most debates around e-commerce and privacy focus on for-profit companies and self-regulation versus government regulation, particularly by the Federal Trade Commission. This article however, focuses on the non-profit sector which, with few exceptions outlined below, is exempt from current privacy regulation and has some leeway in adopting its own standards and practices.
Privacy is a fundamental human right and essential to the full development of our human potential. Privacy has often been defined as "the right to be left alone" (Justice Louis Brandeis, Olmstead v. U.S., 1928), but it also encompasses the right to control one's personal information and thus the right to control the image that others construct of ourselves. Privacy therefore is regarded by many as fundamental to human development and expression of self. Privacy allows us to experiment with our behavior. It enables us to learn and not to fear making mistakes as we do not fear being watched. Privacy allows us to assume new personas that do not conform with (stereo)types that others have formed of us. Privacy allows us to develop complex personalities and not to be judged indefinitely by a limited range of data about our past behavior. In other words, privacy is not only essential to our individual humanity but also essential to a complex, diverse, creative and innovative society.
Moreover, privacy protection is and will be one of the key factors determining the ubiquity and success of e-commerce. Many consumers and users of the Internet are uncomfortable with the idea that their personal information is out of their control once relinquished at a Web site (see Privacy Surveys). For e-commerce to be as successful as many predict, consumer confidence, a sense of control over one's personal information, must be built and strengthened. If control and rights are guaranteed, both users and providers stand to gain considerably.
Privacy has been a hot policy issue for a while now, particularly with the development and pervasiveness of new information technologies in recent decades. Most recently, privacy has become an issue of much concern due to the rapid deployment and applications of e-commerce. As the United States has no comprehensive privacy protection law for the private sector, the approach in the past has been to pass specific sectoral laws governing, for example, video rental records or financial privacy. Rather than providing some basic privacy rights and principles to consumers and citizens, the approach has been to regulate a few areas of data collection in terms of the industry and the type of data involved. With the exception of the 1998 Children's Online Privacy Protection Act (COPPA), which prohibits the collection of personal information from children under the age of thirteen without prior parental consent, there is no general privacy law regulating online data collection on commercial Web sites.
Moreover, there is no privacy oversight agency in the US as there is in many European nations and Canada. The Federal Trade Commission is the only federal agency with some authority over the private sector with regard to the collection of personal information. The FTC has oversight and enforcement powers for laws protecting consumer credit information and fair trading practices. It has almost no authority to enforce privacy rights other than those arising from fraudulent or deceptive trade practices (for example, a deceptive privacy statement) or those specifically granted through COPPA. Until recently, the FTC has been reluctant to regulate data collection online, despite the fact that its own workshops and studies generally show that industry protection of privacy on the Internet is poor. The current position of the White House and most of the private sector is that self-regulation will be sufficient and that no new laws should be enacted except for protecting medical information and some financial information.
There have been several key privacy advocacy organizations around for a while who have argued repeatedly that industry has shown no improvement in protecting users' privacy and thus have asked for comprehensive privacy legislation and the establishment of a federal privacy agency. The organizations most active and outspoken in this area are the Electronic Privacy and Information Center, the Consumer Federation of America, Junkbusters, US Public Interest Research Groups, the Consumer Project on Technology, and Center for Democracy and Technology. The Center for Media Education has been particularly active on behalf of children's online privacy. EPIC has a comprehensive resources section on its Web site.
The FTC has argued until recently that industry should have more time to make self-regulation work. On May 19, however, the commission voted 3-2 to ask Congress to pass a law guaranteeing "a basic level of privacy protections for consumer-oriented commercial Web sites." At a hearing in Congress on May 25, the commission asked Congress to pass a law mandating "clear and conspicuous" privacy notices; to require that consumers be offered a "choice" as to how their personal information is used; to allow "reasonable" consumer access to personal information collection online; and to require sites to take "reasonable steps" to secure the personal information collected. In other testimony before a Senate committee on June 13, however, the FTC testified that it encouraged effective industry self-regulation by Internet network advertising companies such as Double Click and Engage, on issues of online privacy and online profiling. These companies manage and provide advertising for numerous unrelated Web sites. Online profiling refers to the practice of tracking users' action when they view ads without their consent and then linking them to "cookies" on the computer rather than the specific person. In many instances, however, this practice also allows the collected information to be linked or merged with personally identifiable information. Privacy advocates oppose online profiling without the explicit prior "opt-in" permission from consumers. "Opt-in" would require the affirmative fully informed consent of the user prior to the data collection.
Just at the end of July the FTC and the Network Advertising Initiative (NAI) announced an agreement that is being submitted to Congress for review. According to EPIC, one if the major shortcomings of the agreement is that the plan permits the linking of offline identity with online profiles without the clear affirmative consent of the individual concerned. Further, EPIC points out that the FTC-NAI plan "encourages the development of Internet advertising models based on the collection and use of personally identifiable information. ...We Believe the FTC has simply failed to consider adequately the technical and policy implications of profile-based advertising."
It remains to be seen whether or not the House and the Senate, which are dealing with over 300 initiatives for privacy legislation, will pass a comprehensive bill addressing online data collection practices that would give individuals adequate privacy protections.
According the David Medine, Assistant Director of Financial Practices at the Federal Trade Commission the FTC does not have jurisdiction over the operation of data collection by nonprofit organizations. Nonprofit organizations are excluded, except for nonprofit organizations such as trade associations who operate to the economic benefit of their members. In other words, the vast majority of nonprofit organizations in the United States are not covered by laws regulating data collection, online or otherwise.
Nonprofits Collect Information And Should Adhere To Fair Information Practices
Nonprofit organizations, like other organizations who establish a presence on the Internet, are increasingly collecting personal information, even if they are not engaged in e-commerce activities. For example, many nonprofits allow Internet users to sign up for membership online, or for updates through email listservs. It is also increasingly popular to fundraise and solicit contributions from Web site visitors online. This, of course, involves the exchange of sensitive financial information. In addition, some nonprofit organizations are exploring the potentials of doing e-commerce, i.e. selling books, tickets, merchandise, or providing tailored services such as matching volunteers with appropriate organizations or providing an online job search facility.
Fair Information Practices
Although nonprofits are not subject to privacy regulations, it should be incumbent upon nonprofits to lead by example and show for-profit enterprises what responsible online practices look like. This is not only good business sense for any organization trying to build a trusting relationship between the user and the provider, it is also forward looking and anticipates developments that seem almost inevitable in the future. Moreover, non-profit organizations should keep in mind, like the for-profit sector, that we all are users and consumers of electronic commerce at one time or another. Good privacy practices not only protect each of us individually, but in the long run ensure that our society and culture is diverse, vibrant, risk-taking and open.
Specifically, nonprofits should adopt what is generally referred to as "Fair Information Practices." These Fair Information Practices articulate rules covering the handling of electronic data, and specifically describe personal information as data that are afforded particular protection at every step from collection to storage and dissemination. Many organizations, such as the Organization for Economic Cooperation and Development, have adopted fair information practices. The OECD requires in its Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data that personal information be:
Privacy experts also generally advocate that the collection of personal information only come after a fully-informed person gives her consent. This "opt-in" principle assumes that an individual objects to data collection and its subsequent use without being asked. "Opt-out," on the other hand, would require the person to actively request no subsequent use of her personal information after data collection. This would be a burden placed on the individual who often is not even aware that any personal information has been collected in the first place.
Fair information practices differ from the FTC suggested principles, particularly with the concept of "choice." Choice is a term usually used to conceal that the customer has to opt-out, i.e. that the individual is carrying the burden to take the initiative to protect her personal information. The term "consent" is much clearer in putting the burden on the data collector for seeking the customer's express, informed consent. This usually requires that the data collector fully discloses who will get what information about you, for what purpose.
Based on the above fair information practices, nonprofits should follow the following practices when seeking to collect personal information online. Personal information usually refers to the name, address, phone number and e-mail address, or any other information that can be linked to personally identifiable information.
Responsibility
Notice
Opt-In and Consent
Access
Limitation of Use
Security
Education
The case of nonprofits and the absence of any kind of general privacy regulations providing users of Web sites, whether commercial or non-profit, with any kind of right or protection is another example of why the sectoral approach by the United States to a data collection regulatory regime has major problems. Sectoral privacy laws typically regulate a particular business sector, e.g. "credit reporting agency," "video tape service provider," "telecommunications carrier." They do not grant general rights to the individual and her personal information.
"Unless a non-profit organization is engaged in one of these business practices, its activities would not generally be covered," concurs Marc Rotenberg, executive director of EPIC. The sectoral approach requires legislation for each new type of organization or data collection practice that emerges. As e-commerce on the Internet grows and more and more different kinds of organizations and data collection practices are established, the weaknesses of the sectoral approach are going to become even more questionable. Why should one type of personal information be protected and regulated, and not the other? Rotenberg testified in 1998 to this effect: "The Internet offers the ideal environment to establish uniform standards to protect personal privacy. For the vast majority of transactions, simple, predictable uniform rules offer enormous benefits to consumers and businesses." And now, one might add, also to nonprofit organizations and their clients.
(c)Benton Foundation, 2000. Redistribution of this email publication - both internally and externally -- is encouraged if it includes this message. Past issues of Digital Beat are available online at (http://www.benton.org/publibrary/digitalbeat/). The Digital Beat is a free online news service of the Benton Foundation's Communications Policy Program (../cpphome.html).
(c) Benton Foundation
950 18th St. NW
Washington DC 20006 USA
ph:202-638-5770 fax:202-638-5771
email: cpp@benton.org
www.benton.org