Protection of Online Privacy
June 4, 2003
Through active dialogue with policymakers, the software and Internet
industry seeks to preserve the open and competitive environment that
has allowed the Internet to flourish, while building user confidence
in this powerful communications medium. In particular, the industry
recognizes its responsibility to create an environment of trust in
the protection of online privacy, through market and technology-driven
Public opinion polls have consistently shown that consumers are concerned
about Web sites sharing their personal information. The majority of
survey respondents think that government should regulate how personal
information is collected and would "opt out" of giving personal
information if given the choice.
Software Council Position:
- The Federal Trade Commission (FTC) has established a set principles
covering the privacy practices of online advertising firms. The
principles address four "fair information practices"
in the following ways:
Disclosure: Consumers will receive notice of
network advertisers' profiling activities on host Web sites and
have the ability to choose not to participate in profiling. If
personally identifiable information is collected, "robust"
notice (appearing at the time and place of information collection)
will be required before the personal data is entered. Where non-personally
identifiable information (or "clickstream" data) is
collected for profiling, clear and conspicuous notice will be
Choice: The method of choice depends on the type
of information collected and the consumers' knowledge about, and
level of control over, the original collection of information.
Any linkage of previously collected non-personally identifiable
data to personally identifiable data cannot take place without
the affirmative consent ("opt-in") of the consumer.
"Robust" notice and opt-out choice is required for prospective
uses of personally identifiable information. Use of non-personally
identifiable information would require opt-out choice.
Access: Consumers will be given reasonable access
to personally identifiable information and other information that
is associated with personally identifiable information retained
by a network advertiser for profiling.
Security: Network advertisers will make reasonable
efforts to protect the data they collect for profiling purposes
from loss, misuse, alteration, destruction, or improper access.
- Members of Congress and legislators in several states, including
Massachusetts, have filed legislation that would require an "opt-in"
approach toward the use of "sensitive" personal information
collected online. Other legislative proposals would permit an
"opt-out" approach to non-personally identifiable data,
such as information obtained from cookies, thereby allowing Web
advertisers to offer customized Internet ads so long as users
do not object.
- Several online privacy bills were filed during the 2002 Session
of the Massachusetts legislature, but no action was taken.
The Council supports the position that if companies voluntarily create
effective privacy policies for their web sites, regulation is not
needed, as companies would then be subject to the Federal Trade Commission's
existing authority to regulate false and deceptive practices.
To protect the privacy of users on-line, companies should voluntarily
create effective privacy policies for their web sites by:
- Implementing the "Fair Information Practices" of:
- notice: clear and conspicuous disclosure to users about
the use, or change of use, of personal information
- choice: giving users options regarding how information collected
from them online may be used, including the opportunity to
opt out of such use
- access: the right of individuals to have reasonable access
to information about them
- security: measures to prevent unauthorized disclosure of
information, to assure its reliability and to protect it from
loss, misuse or alteration;
- Participating in third party seal programs (Better Business
Bureau On-line; Trust E, etc.) to monitor and verify the implementation
of the Fair Information Practices and to provide for user complaint
- Incorporating the Platform for Privacy Preferences, P3P, in
order to aid users in understanding the privacy policies of web
sites they visit. The technology industry is increasingly emphasizing
this technology-based approach, a standard developed by the Worldwide
Web Consortium and implemented by Microsoft in Version 6 of Internet
The Council further supports the position that if legislation is
proposed to protect on-line privacy, it should be considered only
at the federal level, and it should only:
- Require web sites to provide users clear and conspicuous notice
about their information collection practices and the choice to
limit the disclosure of information;
- Authorize the FTC to enforce these notice and disclosure requirements
through civil penalties; and
- Pre-empt state laws regulating on-line privacy.
The Council believes that regulation at the state level is
impractical because state authorities can only reach servers located
within their jurisdiction, and state efforts to regulate Internet
content have been invalidated by courts as an unconstitutional regulation
of interstate commerce.
Finally, the Council believes that any proposed legislation should
not disadvantage the on-line world, as compared to the off-line
Software Council Activity:
For further information, see http://www.privacyalliance.org;
- The Council's Board of Trustees established a Privacy Task Force
to examine industry practices, regulatory proposals and technology
solutions regarding the protection of on-line privacy, and to
recommend public policy positions.
- The Task Force has met with Senator John Kerry and Congressman
Edward Markey to discuss legislative proposals for the protection
of online privacy, to share information about the advances in
technology approaches to the protection of online privacy, in
particular, P3P, the Platform for Privacy Preferences, and to
emphasize the industry's efforts to self-regulate, implement fair
information practices, and participate in third party seal programs.
- Council Trustees, along with Council staff, held several meetings
with former Acting Governor Swift to discuss the impact of legislation
on entrepreneurs developing online businesses.
- The Council co-sponsored a Massachusetts public opinion survey
and white paper by MassInsight on consumer confidence in online
privacy protection and sponsored a demonstration by Microsoft
of P3P running in Version 6 of Internet Explorer for the former
- The Council co-sponsored a workshop with the Internet Education
Foundation on the implementation of P3P for web site developers.