WASHINGTON (05/12/2000) - Even as the Federal Trade Commission prepares to testify on Capitol Hill about online privacy, its staff is working to finalize a rule, based on last year's Financial Services Modernization Act, that could formally regulate privacy protections for Web surfers.
The law requires all financial institutions to safeguard customer information, provide consumers with clear privacy notices and offer consumers the chance to "opt out" of the sharing of information such as credit card and account numbers with unaffiliated third parties. The definition of "financial institution" under the law includes businesses "engaging in activities that are financial in nature" or "incidental to such financial activities." Other government agencies, including the Federal Reserve, have already issued rules related to conventional financial institutions, such as banks.
The FTC won't discuss the specifics of its rule, which is scheduled to be released tomorrow. But observers agree that the commission could interpret the law's privacy provisions as applicable to online travel agencies, stock trading sites, online credit card companies such as NextCard and, by extension, NextCard partners such as Amazon and Flooz.com. "For the first time, a range of activities and companies not subject to regulation will be, by us," said one FTC insider.
The FTC is also preparing a broad report for Congress on online privacy. The commission will combine the results of a March sweep of Web sites' privacy practices with an upcoming report by a special advisory committee on online access and security to write its own report, which commissioners will use as grist for high-profile Capitol Hill testimony in the coming weeks. The advisory committee's report, due to the commission on May 15, will present the FTC with four scenarios regarding what constitutes appropriate consumer access to personal data.
The report makes a single recommendation for an online security standard, saying that each commercial Web site should maintain a security program with specified elements, applied on a case-by-case basis. The commission has already leaked some details of its internal survey results. Among the most revealing statistics: Just 20 percent of the sites that the FTC visited in March satisfied its online privacy standards, which include the posting of privacy policies, allowing consumers some control over their personal information, allowing some consumer access to information, and providing some level of data security. FTC staff members are recommending that the commissioners ask Congress for new online privacy legislation.
Although the results of the survey, which follow embarrassing privacy-related gaffes during the last year from companies such as DoubleClick, are pushing FTC staff toward favoring new laws, it's still far from clear how the commission will vote on the staff recommendations. Commissioners Orson Swindle and Thomas Leary are expected to continue favoring industry self-regulation, while Commissioner Sheila Anthony is expected to vote in favor of requiring legislation.
The swing votes are held by Commissioner Mozelle Thompson and FTC Chairman Robert Pitofsky. In a February congressional oversight hearing, Pitofsky told a Senate committee that he was "increasingly coming around to the view" that some new privacy legislation was needed. That stance is at odds with the commission's latest set of recommendations, delivered last summer, in which Pitofsky urged legislators to let industry police itself.
"I think that what we need is a commitment to enforce the laws that are already on the books," said Dave Steer, a spokesman for TRUSTe, an independent company that vets Web sites' privacy practices. Steer said the FTC needs to offer industry more informal guidance. The commissioners have been deluged with invitations to testify from various committees in both houses of Congress, which is already considering a raft of privacy legislation.
The commissioners are expected to release their report this month and to testify on the Hill in the coming weeks. But although their testimony is sure to grab headlines, it's far from certain that Congress will be spurred to act on meaningful online privacy legislation before it wraps up its work for the year in October.