• The Federal Trade Commission (FTC) has established a set principles covering the privacy practices of online advertising firms. The principles address four "fair information practices" in the following ways:
  
  Disclosure: Consumers will receive notice of network advertisers' profiling activities on host Web sites and have the ability to choose not to participate in profiling. If personally identifiable information is collected, "robust" notice (appearing at the time and place of information collection) will be required before the personal data is entered. Where non-personally identifiable information (or "clickstream" data) is collected for profiling, clear and conspicuous notice will be in the host Web site's privacy policy.
  
  Choice: The method of choice depends on the type of information collected and the consumers' knowledge about, and level of control over, the original collection of information. Any linkage of previously collected non-personally identifiable data to personally identifiable data cannot take place without the affirmative consent ("opt-in") of the consumer. "Robust" notice and opt-out choice is required for prospective uses of personally identifiable information. Use of non-personally identifiable information would require opt-out choice.
  
  Access: Consumers will be given reasonable access to personally identifiable information and other information that is associated with personally identifiable information retained by a network advertiser for profiling.
  
  Security: Network advertisers will make reasonable efforts to protect the data they collect for profiling purposes from loss, misuse, alteration, destruction, or improper access.
  
• Members of Congress and legislators in several states, including Massachusetts, have filed legislation that would require an "opt-in" approach toward the use of "sensitive" personal information collected online. Other legislative proposals would permit an "opt-out" approach to non-personally identifiable data, such as information obtained from cookies, thereby allowing Web advertisers to offer customized Internet ads so long as users do not object.
• Several online privacy bills were filed during the 2002 Session of the Massachusetts legislature, but no action was taken.

• Implementing the "Fair Information Practices" of:
  • notice: clear and conspicuous disclosure to users about the use, or change of use, of personal information
  • choice: giving users options regarding how information collected from them online may be used, including the opportunity to opt out of such use
  • access: the right of individuals to have reasonable access to information about them
  
  
  • security: measures to prevent unauthorized disclosure of information, to assure its reliability and to protect it from loss, misuse or alteration;
    
• Participating in third party seal programs (Better Business Bureau On-line; Trust E, etc.) to monitor and verify the implementation of the Fair Information Practices and to provide for user complaint resolution;
• Incorporating the Platform for Privacy Preferences, P3P, in order to aid users in understanding the privacy policies of web sites they visit. The technology industry is increasingly emphasizing this technology-based approach, a standard developed by the Worldwide Web Consortium and implemented by Microsoft in Version 6 of Internet Explorer.

The Council further supports the position that if legislation is proposed to protect on-line privacy, it should be considered only at the federal level, and it should only:

• Require web sites to provide users clear and conspicuous notice about their information collection practices and the choice to limit the disclosure of information;
• Authorize the FTC to enforce these notice and disclosure requirements through civil penalties; and
• Pre-empt state laws regulating on-line privacy.

The Council believes that regulation at the state level is impractical because state authorities can only reach servers located within their jurisdiction, and state efforts to regulate Internet content have been invalidated by courts as an unconstitutional regulation of interstate commerce.

Finally, the Council believes that any proposed legislation should not disadvantage the on-line world, as compared to the off-line world.

Software Council Activity:

• The Council's Board of Trustees established a Privacy Task Force to examine industry practices, regulatory proposals and technology solutions regarding the protection of on-line privacy, and to recommend public policy positions.
• The Task Force has met with Senator John Kerry and Congressman Edward Markey to discuss legislative proposals for the protection of online privacy, to share information about the advances in technology approaches to the protection of online privacy, in particular, P3P, the Platform for Privacy Preferences, and to emphasize the industry's efforts to self-regulate, implement fair information practices, and participate in third party seal programs.
• Council Trustees, along with Council staff, held several meetings with former Acting Governor Swift to discuss the impact of legislation on entrepreneurs developing online businesses.
• The Council co-sponsored a Massachusetts public opinion survey and white paper by MassInsight on consumer confidence in online privacy protection and sponsored a demonstration by Microsoft of P3P running in Version 6 of Internet Explorer for the former Acting Governor
• The Council co-sponsored a workshop with the Internet Education Foundation on the implementation of P3P for web site developers.