1. Privacy and the Internet Professor Peter P. Swire Ohio State University National Press Foundation February 14, 2001

2. Do People Care About Privacy? n 90 percent of Americans say they have lost all control over their personal information n WSJ poll 9/99

3. Overview n The Clinton Administration and privacy n This year

4. The Clinton Administration n Supported self-regulation generally n Sensitive categories deserve legal protection – Medical & Genetic – Financial – Childrens Online n Government should lead by example n Chief Counselor for Privacy

5. Internet Privacy n Quantity of policies – 15% to 66% to 88% from 1998 to 2000 n Quality of policies – Seek continued improvement on choice, access & security n Enforcement if company breaks its privacy promise – Unfair and deceptive trade practice

6. Internet Sectors n Individual Reference Services Group (1998) – Look up services code of conduct – Limits on distribution of SSNs n Network Advertising Initiative (2000) – Special sensitivity when a 3d party, unknown to user, compiles information n Safe Harbor for transfers with E.U. (2000) – Self-regulation as a core achievement

7. Childrens Online Privacy Protection Act of 1998 n FTC rules took effect 4/00 n Web sites targeted at under 13s n Key is verifiable parental consent

8. Medical Records Privacy n HIPAA 1996 called for legislation by 8/99 n President announced proposed regs 10/99 n Over 52,000 submissions of comments n Final rules 12/00 n Administration decision by February 26

9. Medical Records (cont.) n Fair information practices – Notice – Patient choice – Access – Security – Enforcement

10. Medical -- Who is Covered? n Covered entities – Providers – Plans – Clearninghouses n Business associates n Online/offline neutrality

11. Financial Privacy n Title V of Gramm-Leach-Bliley – Notice – Opt-out 3d parties – Enforcement n Online/offline neutrality n President Clinton called for greater protections last year

12. Government as a Model n Government web sites – Privacy policies at major sites – Presumption against cookies n Computer security n Coordination & oversight mechanisms

13. Government computer security n Good security is necessary for privacy – Weak security allows access to tax records, criminal investigative files, etc. – Good security helps stop hackers and other unauthorized users n Good security is not sufficient for privacy – What can an authorized user do with the data? – Post it to the Internet? – Privacy policies govern authorized users

14. Coordination & oversight n Coordination -- Chief Counselor position 3/99 n Must become aware of issues before you can affect them-- clearance n Alert decisionmakers before problems become public n No announcement on Bush approach

15. II. This Year n Fair information practices and Internet Privacy n Notice – Some favor notice only – Can do with technology, such as P3P – Less strict -- no other requirements – More strict -- a new law more likely later

16. Choice n The biggest debate so far n Opt out – Customer gets choice – But opt out may be hard to find on web page – Maybe spyware and no one to give notice

17. Choice (cont.) n Opt in – Strong privacy protection – Forces web site to explain why sharing is good – But, how do small sites find customers? n Robust opt out – Possible compromise

18. Access n Like FOIA -- check on abuse n Reasonable access – Cost matters n Some exceptions – Information about other persons – Trade secrets and proprietary

19. Access (cont.) n Access only to decisional information – Credit reports – Medical records n Access to all information – Psychographic information – Every memo in the company n Target marketing – Decisional? – Proprietary?

20. Security n Good security in layers – Hardware – Software – Personnel policies n Hard to measure n Law focuses on notice of security? n Detailed regs on security? n Must update anti-virus at least once a week?

21. Enforcement n FTC new powers n State AGs to help n Private right of action?

22. Enforcement (cont.) n What role for TRUSTe, BBBOnline? – Safe harbor in COPPA – Multiplies enforcement resources – Teams enforcement with consulting – Privatizes enforcement – Target for EU pressure

23. Other Internet Privacy Issues n Preemption n In favor: – Same web site sells to all 50 states – Possibly inconsistent state laws n Opposed: – The big reason for industry to accept legislation – Financial and engine for continued change – Dont place ceiling on human rights

24. Other Issues (cont.) n Customer lists in bankruptcy – Toysmart case n Law enforcement access to Internet records n Extend to offline, too? – Leary -- consistency requires it – But, ready to regulate each corner store?

25. Concluding thoughts n Many flows are good in Information Age, but not all flows are good n Self-regulation has been central to date n Treat sensitive data more carefully, subject to legal protections where appropriate n Will political system insist on Internet legislation? n In closing, a common sense test:

26. President Clinton, at Aspen Institute: Do you have privacy policies you can be proud of? Do you have privacy policies you would be glad to have reported in the media? If so, your policies are far more likely to survive, and help your organization prosper, in the information age.