Additional Comments at FTC Hearing on Consumer Privacy

Full Document Available in PDF

To the Secretary:

The Competitive Enterprise Institute and the National Consumer Coalition hereby file additional comments on the Commission’s June 10-13 hearings on “Consumer Privacy Issues Posed by the Online Marketplace.” CEI is a non-profit, non-partisan free-market research and advocacy group.1 The NCC is a coalition of nine organizations dedicated to the proposition that consumers are best served by a free market in goods and services.2 We thank the Commission for including us in the four Roundtable discussions during the hearings, and appreciate the opportunity to elaborate upon some of the issues raised during the course of the hearings.

What is Privacy? – Part II

In our opening comments, we wrote that when it comes to collection of consumer data, “privacy is not a right, it is a preference.” The evidence presented during the hearings regarding ways to “protect” privacy, as well as the surveys showing consumer views, have convinced us that this remains true.

The Harris/Westin survey was an interesting contribution to the discussion of privacy on the Internet. We are not convinced, however, that everyone interviewed understood “privacy” in the same way. Privacy is an abstraction, like “freedom” or “justice,” so it is likely that the people surveyed imposed their own concerns upon the term “privacy.” One point on which the survey is clear is that people who are concerned about their privacy have done something about it. In this case, it is more illuminating to look at what people do than at what they say.

Nevertheless, some have used this survey to support their arguments for federal regulation and congressional privacy legislation. Neither of these would be appropriate responses to consumers’ hesitance towards Internet commerce. It is the job of companies operating on the Internet to gain consumer confidence, not the duty of the government. Indeed, the proper role for the government is to guard against force, theft, and fraud.

Property Rights on the Internet

Professor Alan Westin said that web users “are worried that their e-mail communications may be intercepted, their visits to web sites can be covertly tracked, their participation in chat rooms and forums can be monitored without their consent.”3 One possible solution was to give individuals a “property right” in the information they have released onto the Internet. From this follows a call for federal protection of this “property right” via limits on the collection and sale of personal data.

The argument that people have a “property right” in their personal data is ironic, as it comes from those who would have the government infringe upon the property rights of both ISPs and companies on the Web. We believe that this upside-down conception of “property” will work against consumers’ interests in freedom of contract and association.

Traditionally, private property rights have been understood to be the means by which we secure our privacy, as expressed in the old adage, “A man’s home is his castle.” Our system of property rights enables us to enjoy privacy (i.e. from government intrusion). In recent years, however, the basis for legal claims has become the idea of an inviolate personhood. A “legal right” to information about oneself on the Internet, as some have advocated, is the next step. From this comes the “right” to control information about oneself after one has already released it. This is a step in the wrong direction.

If an individual has released information about himself in a contractual agreement with certain limits on it, then he has a right to see that that information is treated in a certain way. For example, if a company web page says that it will not collect information, and it does, then that is a broken contract. On the other hand, if a company says it will collect all kinds of information, then privacy-sensitive individuals have been warned and should avoid that site. From the examples discussed at the hearing, it seems that many companies are still getting used to the way the Internet works, and they are only beginning to understand the utility of publishing privacy policies. For example, the New York Times discovered during the course of the hearings that it had no published privacy policies on its web site, a situation it addressed immediately. Time-Warner’s Pathfinder site recently added prominent links to its privacy policy as well.

Sometimes information has been released to anybody and everybody, via chat rooms or other forums. Since this information becomes part of the knowledge of others, our “property right” to control this information is actually a “right” to control the actions of other people who now have this information. This is an infringement upon our basic freedoms of association, contract, and speech. There is nothing wrong with collecting information freely placed in public, as much of this information is. Nor is there anything wrong with one party selling information to another party as long as it was not under fraudulent circumstances. If a person objects to this information being sold, then it is up to the individual to make alternative arrangements with which he is more comfortable. . In other words, protecting your privacy is your responsibility. That is the value inherent in the freedom to contract.

Bringing back the original conception of property rights, as well as freedom of contract, is the best way of protecting an individual’s privacy preferences on the Internet. Rather than implementing a system of government regulation of data collection practices, people should be able to choose whether or not to contract with a company or otherwise. Restricting the downstream actions of others based upon a made-up right will undercut our other valued freedoms.

On Self-Regulation

We laud the Federal Trade Commission for its cautious response toward calls to regulate the Internet. We are also pleased with the Clinton Administration’s stated intention to refrain from regulating most parts of the Internet.4 We agree in principle that data-gatherers ought to inform consumers what kinds of data they are collecting and how that data will be used. If it really is true that consumers are highly concerned about this, then companies scrambling to sell goods and services over the Internet will accommodate them. (We also note that there are already strong incentives for information brokers to ensure the accuracy of information they collect, since there is no market for inaccurate information.)

What troubles us is the concept of “self-regulation.” Although the term implies a lack of government regulation, many of these codes are being developed in response to a threat of regulation. As the Clinton Administration’s recently released report on Internet commerce stated, “We believe that private efforts of industry working in cooperation with consumer groups are preferable to government regulation, but if effective privacy protection cannot be provided in this way, we will reevaluate this policy.”5 We believe that the Commission should not use “self-regulation” as a way to steer the development of policies on the Internet without going through the standard process for proposing regulations. The Commission must still defend whatever goals it proposes.

One component of this “self-regulation” was the Platform for Privacy Preferences. This template would allow consumers to fine-tune their preferences and allow them to know what sort of policies a web site has. This may be a fine idea, and we hope that if consumers find it acceptable, it will be adopted by many organizations.

However, we do not believe that a single privacy standard is necessarily desirable. There are many real-world examples of competing standards co-existing peacefully. There are different monetary systems, there are different systems of measurement (English and metric, Celsius and Fahrenheit), there are different languages. The Commission should be wary of backing a single standard for the Internet.

The threat of regulation is nearly as serious as actual regulation. It may well be that the solutions supported by the Commission and the Administration are the best ones. It also may be that there is an alternate solution around the corner, one which we cannot predict now but one which might be stifled because it does not match the goals supported by current government officials. This could have very serious ramifications for the future development of the Internet. After all, companies already entrenched in a particular market that ask for regulation often do so in order to constrain the actions of future competitors and to derive windfall benefits, a practice known as “rent-seeking.” If regulation stymies the growth of the Internet, we will have no way of knowing what we have given up as a result.

The idea that federal regulation of the Internet is somehow better than a market solution to privacy questions is completely unfounded. Indeed, the evidence is that federal regulation in every other sector of American life has had adverse and unforeseen consequences which end up hurting consumers.6 There is no reason to believe that federal regulation of privacy practices will be any better than the current situation, and it may well be worse.

Children and The Internet

The fear over children seeing sexually explicit materials online led to hasty calls for Internet censorship in the Communications Decency Act. Yet the Supreme Court recently struck down the law, ruling that the Federal government should not be in the business of trying to protect children with such a blunt – and patently unconstitutional – instrument. Similarly, the rhetoric surrounding the issue of children’s privacy on the Internet has led to hasty calls for regulation. Indeed, the Administration has taken a strong, even ominous position: “This problem warrants prompt attention. Otherwise, government action may be required.”7

We believe that before the Commission begins to regulate in the name of children, it should recognize from the start that today’s children are tomorrow’s adults, and that these regulations may restrict their rights when they are grown up. The Commission should be wary of proposals which would effectively treat adults like children.

The Center for Media Education’s report on the privacy practices of some web sites seemed to shock the Commission. Yet we are not sure why the fact that a toothpaste company which sends a solicited e-mail to a child in the name of the Tooth Fairy – an e-mail which contains neither the name of the product being sold nor the name of the company –is so disturbing, especially since for many years people have been able to have letters from Santa Claus sent to children. We are in fact puzzled as to why similar “information collection practices” which have gone on for decades (e.g. children sending box tops away for magic decoder rings) are suddenly sinister when performed over the Internet.

We note that CME’s primary objection is advertising itself, and “privacy” is just a means to criticize it. For example, one target of CME’s outrage is “animated product spokescharacters,” e.g. Tony the Tiger, which “interact with your children…fostering intimate relationships that compel your children to buy specific products and services.”8 That these “spokescharacters” also ask children for e-mail addresses appears to be a slightly less urgent concern. CME’s recommendations to the Commission include restrictions on the use of these cartoons: “Product and other fictional figures should not be used to solicit personally identifiable information from children.”9 Indeed, elsewhere CME states explicitly that “there should be no direct interaction between children and product spokescharacters”10 on web pages. This is tantamount to a ban on selected content simply because of its advertising nature.

This is not the proper forum for a discussion of the great value of advertising to consumers, and why advertising is not, and never was, a sinister seducer of consumers.11 We will, however, say that children are far more skeptical of advertising than CME gives them credit for. No matter how much advertising, or how little, there is, children will still want things and their parents can still tell them, “No.” In short, it appears that this issue has very little to do with privacy on the Internet, and far more to do with CME’s anti-advertising agenda.

Nonetheless, CME did introduce some interesting issues. CME looked at the existence and content of privacy practices on children’s web sites, and publicized them. There is nothing wrong with this; indeed, if children’s privacy is such a high concern for individuals, then companies will respond (many of the web sites in question addressed the issue as soon as it was brought to their attention). As more and more people become comfortable with the Internet, and become aware of its capabilities, we expect to see all kinds of practices – from content, to advertising, to data collection – to become more refined in response to consumer demand.

CME also raised the question of how and when to obtain verifiable parental consent to collect information from children. One suggestion was to have parents mail in a signed form indicating that their child may use the web page and may divulge certain information. Not only would this curtail what is an essentially benign practice – not even CME can explain what actual harm might result from this collection – but anyone who has ever known a child to forge his parent’s signature to play hooky knows that this is not a good solution.

It is an irony of the Internet that the technology which enables data-gatherers to collect information on what people look at can easily be thwarted by Anonymizers and other disguising technologies. It still holds true that sometimes on the Internet, as the famous New Yorker animal cartoon showed, “nobody knows you’re a dog.” Nobody has to know that you are or are not a child, either. Obviously, forcing children to identify themselves as minors, especially in such a public area as the Internet, would be unwise.

Consequently, regulations aimed at “protecting children’s privacy” are going to hit adults as well. For this reason, we urge the Commission to refrain from drawing up regulations specifically targeted towards children. Nor should the role of parents be underestimated or tossed aside in favor of federal regulation. Though the Harris/Westin survey showed a nearly unanimous belief that children’s privacy ought to be protected on the Internet, the survey also said that not even a plurality of parents have done much to protect it. There are a plethora of technologies available to enable parents to monitor and adjust what their children see, and more are on the way. We urge parents to keep in mind that just as they would think twice before allowing a child wander around New York City alone, they should supervise their children on the Internet.


The Commission is under a great deal of pressure, from within the government and without, to regulate at least some parts of the Internet. As more and more people become Internet users, it is even more important for the government to refrain from regulating. The Commission should confine itself to policing fraud and investigating any actual injury.