Marc Rotenberg, director Electronic Privacy Information Center
on the Children's Privacy Protection and Parental Empowerment Act, H.R. 3508
Before the House of Representatives, Committee on the Judiciary, Subcommittee on Crime
September 12, 1996
I believe that the Act is a sensible, well considered measure that will establish fair information practices for personal information about kids and curb recent abuses in the direct marketing industry. There are unique problems in the collection and disclosure of data about children that argues in favor of strong privacy protection.
I will makes three points this morning in support of the legislation. The first is that there is already a sufficient record of problems in the marketing industry to warrant Congressional action. While some have said that Congress should wait until the harms are more clearly established, I believe that this is a dangerous and unwise strategy. By acting now, the Congress and the industry can establish sensible codes and clear standards for privacy protection. This has happened in many sectors where privacy is concerned and there is no reason why it could not happen where the information at issue concerns children.
The second is that industry self-regulation, whatever its merits, is simply not well suited to privacy protection where kids are involved. Young people cannot assess risks as adults can, cannot exercise complicated "opt-out" procedures, and should not be expected to monitor compliance. In the most extreme case, where birth records are sold by hospitals, it is of course impossible to expect babies to protect their privacy interests. It is clearly appropriate in such a situation to establish a standard in law to protect the interests of children.
The third point is that it is entirely consistent with the development of privacy legislation to enact a law that focuses on children's information. In fact, the Family Education Records and Privacy Act of 1974 followed a very similar approach in establishing federal privacy safeguards for personal information on kids held by any institution that receives federal funds for education. The law has stood the test of time. The Children's Privacy Act would as well.
Finally, I have a few suggestions for how the bill might be changed to address some of the concerns that have been raised specifically about First Amendment issues, the age identification requirement, possible exemptions, and penalties. With a few small changes, I believe it will be possible to satisfy most of the concerns that have been raised.
With a few exceptions, there are no clear legal standards that regulate any of these activities. It is also very difficult to determine how detailed these lists have become and what unreported abuses and misuses of personal information have already occurred. But there is a growing record which makes clear that current practices, which ignore standard privacy procedures followed in other industries and other market sectors, pose a substantial threat to the privacy and safety of young people.
The Center recommended that web sites should fully disclose their privacy polices, sites should get parental consent o collect personally identifiable information about children, and that information collected should be protected from misuse. Federal Trade Commissioner Christine Varney has acknowledged that this is a serious concern and suggested that the FTC may take action in this area.
Not only have companies moved aggressively to collect information about children, literally from the time of birth, but new technologies also make it possible to collect detailed data about a particular child's personal preferences, what he enjoys, or what she fears, in more detail than ever before. Technologies for narrowcasting, such as information provided over the world wide web, will shortly allow advertises to target messages to specific children in real-time.
At the center of the problem is the collection of personal identifiable information --not demographic information, not aggregate data. The National Center for Missing and Exploited Children has made clear how important it is to protect the privacy of this information. In lieu of supporting legislation to restrict the content of information that flows across the World Wide Web, the group urged parents to tell their kids not to give out personal information to strangers on-line.
It is hard to imagine that the current situation will not become significantly worse unless some legal standards are soon established.
A new book tells otherwise. An extensive review of privacy protection in the United States recently published in Data Privacy Law (Michie 1996) by Professor Paul Schwartz of the University of Arkansas School of Law and Professor Joel Reidenberg of the Fordham Law School make clear the problems with current practices in the direct marketing industry. Of the opt-out provision, Schwartz and Reidenberg found:
[O]nly 53 percent of DMA members are reported to the service to screen their mailings. . . . In any case, most Americans are unaware of the name removal options. This ignorance reflects either ineffectiveness or non-compliance even by those DM A members purporting to use the service. (p. 333)Reidenberg and Schwartz also found:
Company codes of practice do not elaborate any remedy for individuals in the event that a company policy has been violated. Unlike the financial services or telecommunications context, strong internal sanction do not appear to be in place against employees who violate company codes. (p. 338)The authors point out that the use of the mail preference service misses a critical aspect of privacy protection. While it may reduce some junk mail that consumers receive, it does nothing to prevent the extensive profiling that companies pursue when data is gathered. Reidenberg and Schwartz concluded that the industry's commitment to opt-out is "ambivalent. While the DMA guidelines call for marketers to offer opt-out, the industry objects to proposals for mandatory opt-out requirement."
The implications of the Reidenberg/Schwartz study for this Committee are critical: Industry self-regulation has not succeeded in establishing adequate privacy safeguards and the opt- out proposal specifically does nothing to stop the collection of data about children and the subsequent profiling.
But it is not just legal scholars that have reached this conclusion. USA Today put the point well in an editorial last year. The newspaper wrote:
While voluntary compliance might be preferable in an ideal world, it is not likely to work in the real world. The result is that the absence of government prodding has resulted in too many companies doing too little to protect consumers privacy rights. " (October 25, 1995.)Even The Economist, a British magazine that virtually always defers to the private sector over government, has recognized the special need to legislate in the privacy arena. As they said earlier this year:
Enforcing the consent rule will be difficult. But it is worth a try. It would give information gatherers a push in the rights direction. Companies would collect and resell information more discriminately. And people who cherish their digital privacy would have the means to protect it -- which is as it should be." (February 10, 1996.)The positions of USA Today and The Economist also mirror public opinion polls which routinely find that approximately 9 out of 10 American believe that personal information should not be sold by marketing companies with explicit permission. (Time/CNN 1991, Yankelovich 1995).
To the best of my knowledge, the question has never been asked in a public opinion poll whether a law should require that marketing firms obtain permission form parents before selling data on children. Based on these other polls, my guess is that the number in support would approach 95%.
Perhaps the clearest precedent for the Children's Privacy Protection and Parental Empowerment of 1996 is the landmark federal privacy legislation that established safeguards for educational records. The Family Educational Right to Privacy Act of 1974, sometimes called the "Buckley Amendment," set out extensive privacy requirements for educational institutions receiving federal aid.
Let me read for you just few of the key provisions:
No funds shall be made available under any applicable program to any educational agency or institution which has a policy of denying, or which effectively prevents, the parent of students who are or have been in attendance at a school of such agency or at such institution, as the case may be, the right to inspect and review the educational records of their children. . . .Of course, FERPA acknowledges several exceptions to these general principles, and the key terms are carefully tailored to the specific needs of educational records. But certain points about this well established precedent are clear:
20 USC ��1232g(a)(1)(A)
No funds shall be made available under any applicable program to any education agency or institution unless the parents of student who are or have been in attendance at a school of such agency or at such institution are provided an opportunity for a hearing by such agency or institution, in accordance with regulations of the Secretary, to challenge the content of such student's education records, in order to ensure that the records are not inaccurate, misleading, or otherwise in violation of the privacy or other rights of students, and to provide an opportunity for the correction or deletion of any such inaccurate, misleading, or otherwise inappropriate data contained therein and to insert into such records a written explanation of the parents respecting the content of such records.
20 USC � 1232g(a)(2)
No funds shall be made available under any applicable program to any education agency or institution which has a policy or practice or permitting the release of educational records (or personally identifiable information contained therein other than directory information, as defined in paragraph (5) of subsection (a)) of students without the written consent of their parents to any individual, agency, or organization, . ..
20 USC � 1232g(b)(1)
No funds shall be made available under any applicable program to any education agency or institution which has a policy or practice of releasing, or providing access to, any personally identifiable information in education records other than directory information, . . .
20 USC � 1232g(b)(2)
As for the positive consequences of the bill for the industry, the bill should cause list brokers to be more selective in the collection of personal information and more open with parents about data collection practices. Such a process will establish consumer confidence as well as protecting the rights of children.
Of course, if incidents do arise where an institution that has received this special status is responsible for a privacy harm to a child, then we would immediately urge the Congress to reconsider the exception and look at amendments to the Act.
I can only ask whether the industry is really prepared to require a dead child before it will consider passage of this sensible legislation. I don't make this point lightly. Privacy legislation to protect the disclosure of motor vehicle records came about only after the tragic murder of Rebecca Schaeffer. It would be more than a tragedy if it took a similar incident before this measure was passed.
This concludes my testimony. I would be pleased to answer your questions.