The Internet continues to expand in importance as a new communications medium. Toward the end of 1998, there were more than 320 million Web pages published, and analysts expect that number to double within six to 12 months. Meanwhile, the use of the Internet to collect and transfer personally identifiable data both nationally and internationally continues to expand, raising profound privacy issues.

   The Federal Trade Commission (FTC) has taken the lead in enforcing existing consumer protection laws on the Internet in the advertising and privacy areas, and the National Telecommunications and Information Administration (NTIA) of the Department of Commerce has taken the laboring oar in working with international bodies to ensure that European Union (EU) data privacy initiatives do not stop the flow of information across the U.S. border.

   Both areas have significant First Amendment implications. FTC enforcement actions can require Web site operators to take down speech that the FTC believes violates the Federal Trade Commission Act (classic prior restraint) and to publish corrective text on their Web sites (classic forced speech). In the data privacy area, an EU initiative that was slated to take effect Oct. 25, 1998 could have resulted in an unprecedented order preventing data from being transferred across U.S. borders without active negotiations by the United States to prevent that result. Both areas are likely to expand along with the growing influence of the Internet.

Administrative Agency Actions

   The FTC continued to take enforcement actions against various Web site operators and on-line services that allegedly used the Internet to engage in deceptive and misleading trade practices. The FTC has taken actions against more than 35 companies operating on the Internet. In one case, for example, it required that the Web site operator take down the allegedly deceptive content and publish information warning consumers that its operations had been fraudulent. The agency's actions on this score use the mechanism of a consent decree with the offending Web site operator. Although some of these actions were taken against on-line services, the FTC told Congress in 1998 that most of these schemes have involved "old-fashioned scams dressed up in high-tech garb." State regulators have begun to follow the FTC's lead in this area. For example, the North American Securities Administrators Association, representing state regulators across the United States, Canada, and Mexico, launched an effort to gather information from consumers on Internet fraud and planned to forward complaints to the FTC, the Securities Exchange Commission, and other regulatory bodies.

   The FTC also launched a rulemaking proceeding intended to result in a formal policy statement on the applicability of FTC laws and rules to the Internet. The proposal would provide guidance on how disclosures should be made in Internet advertising and would create guidelines for how the FTC would assess the adequacy of disclosures. It would eliminate technical difficulties with enforcing the law in an on-line context, including eliminating uncertainty about whether Internet publications are "written" within the meaning of the FTC's rules and statutory authority. The proposal is still in draft form.

   The FTC also took groundbreaking enforcement actions in the area of Internet privacy. On Aug. 13, 1998, the FTC and GeoCities Inc. reached a proposed settlement agreement covering the firm's use of personal identifying information on the Internet. The FTC charged GeoCities with deceptive trade practices under Section 5(a) of the Federal Trade Commission Act for misrepresenting the purposes for which it collected personal identifying information from children and adults. Under the proposed settlement agreement, GeoCities would be required to provide clear and prominent notice to consumers about its collection and use of personal identifying information on its home page and at each location on its Web site where such information is collected. In addition, with respect to personal identifying information already collected and disclosed to third parties, GeoCities would be required to provide "reasonable" means by which this data could be removed from third-party databases. GeoCities also would be obligated to obtain parental consent before collecting personal identifying information from children 12 years old and under.

   In addition to its role in individual enforcement actions, the FTC also took a leading position in proposing to Congress that it provide legislative protections for individual privacy on the Internet < if the industry fails to provide effective self-regulatory mechanisms. The FTC issued a report to Congress on June 4, 1998, urging Congress to adopt fair information practices to protect children's privacy. In December 1998, it announced a survey of Web sites that would be completed in March 1999, effectively delaying potential legislation. The FTC's report emphasized the immediacy and ease with which personal information can be collected from children who access the Internet. In essence, the FTC's report recommends that Congress put parents in control of on-line collection and use of their children's personal information.

   The FTC's report is based on a sampling of more than 1,400 commercial Web sites, including those directed to children. The FTC stated that its sampling of Web sites, in addition to evidence available in consumer surveys and industry self-regulatory guidelines, indicates that parental involvement is critical to avoid widespread misuse of information collected from children. Specifically, in its report the FTC notes that 89 percent of the 212 children's sites surveyed collected personal details from young children, but only 7 percent promised to notify parents of data collection practices. Finding that the collection of on-line information from children raises several safety and privacy concerns, the FTC urged Congress to act quickly to legislate in this area. The FTC intends to recommend "an appropriate response to protect the privacy of all on-line consumers."

   President Bill Clinton and Vice President Al Gore voiced support for the FTC's report. In a statement to the press, Gore noted that the FTC's steps "will move us further toward the creation of an'electronic bill of rights.'" Speaking on behalf of himself and Clinton, Gore also commended the "FTC's determination to investigate and sanction firms or individuals who mislead children about privacy protection on the Internet."

   On July 29, 1998, FTC Chairman Robert Pitofsky, testifying before the House Telecommunications, Trade, and Consumer Protection Subcommittee, outlined a legislative proposal to protect on-line privacy. According to Pitofsky, legislation will be necessary if, by the end of 1998, the Internet community fails to develop and implement an effective self-regulatory program to protect on-line privacy. Proposed legislation would require each Web site to inform consumers of its information-collection practices, give consumers a choice as to how their personal information is used beyond the purpose for which it was collected, provide consumers with access to their information, and ensure that consumers' personal information is secure.

   Executive Branch agencies are focusing on Internet privacy issues as well. In an Aug. 17, 1998 letter to the chief executives of banks and thrifts supervised by the Federal Deposit Insurance Corporation (FDIC), the FDIC encouraged financial institutions to adopt responsible privacy policies and information practices, disclose those policies and practices to consumers, educate employees on proper information collection practices, and institute adequate internal controls to minimize the improper use of customer information. The FDIC indicated its support for industry self-regulation and urged financial institutions to refer to the privacy principles proposed by the FTC, which, according to the FDIC, represent "the foremost articulation of what a privacy policy should contain."

Executive Branch Actions

   Representatives from the United States and the European Union have been negotiating to resolve conflicts with U.S. law that may have been created by the EU Data Protection Directive, which took effect Oct. 25, 1998. The Department of Commerce has taken the leading role in these negotiations. The directive prohibits the transfer of personal information, such as survey results, databases, medical records, and credit ratings, from the EU to countries that lack "adequate" protection for data privacy. The United States and EU take diametrically opposed views of the protection of personal privacy < the EU has a highly developed system of privacy law administered by privacy registrars in each member state, while U.S. law relies largely on self-regulation and only protects personal privacy in a few narrow areas. EU officials promised to avoid any interruption of data flows with the United States while discussions aimed at resolving the issues raised by the directive continued.

   Negotiations have focused on the development of a "safe harbor" that could be found to be equivalent to EU privacy protections. Such a "safe harbor" would require U.S. companies to comply with a U.S. government-created privacy code of conduct, which the FTC would enforce under existing unfair competition laws. On Nov. 4, 1998, NTIA proposed a code of conduct, which closely resembled Elements of Effective Self Regulation for Protection of Privacy, issued by NTIA in June 1998. This draft paper proposes an effective self-regulatory privacy program intended to increase consumer awareness of on-line privacy issues and to allow consumers to exercise choice about whether and under what circumstances to disclose personal information on the Internet. The NTIA discussion paper focuses on nine proposed characteristics of effective self-regulation: awareness, choice, data security, data integrity, consumer access, accountability, consumer recourse, verification, and consequences. In late December 1998, the EU voiced concern over the NTIA proposal; the parties are expected to complete negotiations by Spring 1999.

   On July 31, 1998, Vice President Gore detailed his proposal for an "Electronic Bill of Rights," which he first announced during a May 14 commencement speech at New York University. According to Gore, consumers should have the right to decide whether to disclose personal information; the right to know how, when, and how much of that information will be used; and the right to determine whether the information is accurate and to correct it if necessary. Gore called for action in four areas: (1) shielding sensitive personal information; (2) curtailing identity theft; (3) protecting children's on-line privacy; and (4) promoting voluntary private sector action to preserve consumers' privacy rights. This approach was echoed in the U.S. Government Working Group on Electronic Commerce annual report, issued Nov. 30, 1998.

   In response to these clear statements of intent to create new laws regulating Web site behavior, the industry responded swiftly with three self-regulatory initiatives. First, a group of companies and industry associations announced the formation of the Online Privacy Alliance (OPA) whose aim is to promote self-regulation of the on-line collection and use of personal information. The OPA released "Guidelines for Privacy Policies," "Principles for Children's Online Activities," and a "Statement on Enforcement of Self-Regulation."

   These documents reflect three principles: (1) Individuals should be given the opportunity to opt-out of uses of their personal information unrelated to the purpose for which it was collected; (2) Web sites targeted at children under 13 should not collect personal information from children without parental consent; and (3) self-regulation requires "robust" enforcement. Observers of the Alliance note that its members, which include nearly 50 of the largest Internet-related businesses and associations in America, have not yet agreed on enforcement measures, which are considered crucial to the effectiveness of any self-regulatory regime. The Better Business Bureau and a coalition called TRUSTE launched parallel initiatives.

   Second, 12 trade associations representing more than 11,000 information technology companies announced in a June 3, 1998 letter to President Clinton that they have developed a self-regulatory framework to encourage businesses to protect consumers' on-line privacy. The plan, based on the implementation of "opt-out" regimes, requires businesses to collect only necessary information from consumers and to disclose such information only to third parties that have implemented privacy protection practices.

   Third, the World Wide Web Consortium (W3C) proposed technical specifications for a system that would enable Web sites to disclose their privacy practices and would allow consumers to control the use of personal information they send over the Internet. The specifications are outlined in "The Platform for Privacy Preferences (P3P) Syntax Specification." The P3P platform, which is in the drafting stages, would allow consumers to tailor their relationships with specific Web sites. Although it does not contain normative standards for privacy protection, the P3P standard would facilitate individual choice about privacy preferences and could implement other initiatives.

Congressional Actions

   On Oct. 21, 1998, President Clinton signed into law the Children's Online Privacy Protection Act of 1998 (S. 2326). The legislation directs the FTC to develop rules that Web site operators will be required to follow when collecting and using personal information from children under the age of 13 on the Internet. The rules issued pursuant to the legislation will require operators to obtain verified parental consent when collecting information from children and will give parents the right to audit information collected from their children and terminate consent at any time.

   Meanwhile, the Protection of Children From Sexual Predators Act of 1998, Pub. L. No. 105-314, was passed by Congress and signed by the president. The law prohibits the publication of personally identifying information, through the use of any facility that affects interstate or foreign commerce, relating to a minor under 17 years old for the purpose of soliciting any person to engage in any sexual activity for which the person could be charged with criminal offense under federal or state law. Identifying information includes the name, address, telephone, social security number, or e-mail address of a minor.

Judicial Action

   In June 1998, the U.S. Navy and America Online, Inc. (AOL) separately reached settlements with an 18-year Navy veteran. Timothy McVeigh (no relation to the Oklahoma City bomber) was investigated by the Navy after posting a "user profile" on AOL in which he described his marital status as "gay." AOL, which confirmed to the Navy that McVeigh was the author of the profile, apologized to McVeigh for violating his privacy by disclosing personal information to a third party.

   On April 27, 1998, the U.S. District Court for the Northern District of Florida held that the Internal Revenue Service is subject to the Cable Subscriber Privacy Act, 47 U.S.C. 551. As a result, the court found that the IRS must obtain a court order before gaining access to subscribers' personal information.