X

Thank you for sharing!

Your article was successfully shared with the contacts you provided.
The phenomenal growth of the Internet in virtually all areas of business has brought new opportunities on an unprecedented scale. The promise of globalization has a home on the Internet, where businesses of all shapes and sizes can compete and succeed. How do the winners win? What are the keys to the virtual kingdom? And can governments play a useful role in e-commerce, or will bureaucratic intervention spoil the party for everyone? THE CHALLENGE OF ATTRACTING A CONSUMER No business succeeds without customers, and e-commerce is no exception. How to accustom customers with a Web-based business is a pressing issue for many companies. For many customers, all of their instincts cry out against it. The consumer cannot visit the store, talk to the staff or handle the merchandise. Consumers demand to know whether the e-commerce business is legitimate, or a fly-by-night. More pointedly, why should the consumer pay money to, let alone share private information with, a business that consists merely of pixels on a screen? This natural aversion affects many customers’ willingness to use available, useful technology. Take as an example “cookies,” which Web sites use to “get to know” a visitor similar to how a store clerk can anticipate a regular customer’s preferences and thereby enhance the service provided. ( SeeMicrosoft, “Anonymous,” Sept. 27, 2000, http://www.microsoft.com/ issues/essays/09-27privacy.asp.) Optimists would say that cookies are useful software techniques to make Web browsing and interacting easier for customers. But while a customer might be willing to talk to a sales clerk about what she is looking for, she does not expect the sales clerk to turn around and sell her name and address — and her preferences — to the marketing world. Perhaps this explains why, according to one survey, almost 9 out of 10 consumer respondents expressed no interest in software features that automatically share data about them with Web sites. (“Beyond Concern: Understanding Net Users’ Attitudes About Online Privacy,” AT&T Labs Research Technical Report TR 99.4.3, http://www.research.att.com/ resources/trs/TRs/99/99.4/99.4.1.abs.html.) The National Consumers League conducted a survey that found more Americans are worried about their privacy than health care, crime and taxes. Their Web site, http://nclnet.org, has details. More recently, the Pew Internet & American Life Project issued a report entitled “Trust and Privacy Online: Why Americans Want to Rewrite the Rules” that reached similar conclusions. Seehttp://www.pewinternet.org for the full text. Similarly, a customer may be interested in learning when a bricks-and-mortar store is having a sale, and may therefore want to sign up for the store’s mailing list. In making that decision, the customer is probably aware that he may end up getting solicited for additional business from the store, and weigh the advantages of learning about discounts early against the nuisance of receiving bulk mail. Certain customers may even give out their telephone number so that the salesperson can call them when a particular item of interest comes in. In the non-virtual world, individuals achieve a “comfort level” of how much of their private information to share, and under what circumstances. ENTER THE WEB In the world of e-commerce, on the other hand, consumers have a heightened concern about privacy because there are no traditional touchstones to determine whether it is safe to share personal information. In person, we can act cautiously and only speak with someone in private; we can fold a piece of paper so as not to inadvertently reveal information. Compare that to the Internet: how do we know who is really reading our e-mail, or monitoring our mouse-clicks? How does the customer determine when it is necessary to “whisper” and how, so to speak, is the customer supposed to “fold” a Web page? In cyberspace, consumers know that what might have been private information can be (and has been) copied perfectly and transmitted instantaneously around the world. As it has become so easy to distribute private information, the stakes get much higher, and the risk of trusting the wrong person can be even more disastrous. The customer who worries about these things is not simply being too cautious. A few very public examples establish ample bases for concern: – Posing as an eBay user, and in violation of eBay’s Terms of Service, competitor ReverseAuction harvested actual eBay members’ personal information and sent them e-mails falsely claiming that their eBay account was expiring in hopes that the customers would then register with ReverseAuction instead. The FTC obtained a Consent Agreement and Final Order in which ReverseAuction promised to stop these actions, and further promised to post (and comply with) its own privacy policy on its Web page. http://www.ftc.gov/ os/2000/01/reverseconsent.htm – A very popular software company, RealNetworks, promised users who downloaded its product that they would not collect unique identifying information about them. Sadly, users discovered that RealNetworks was actually tracking quite a bit of information about them — indeed, it was doing precisely what it had promised it wouldn’t do. – A fleetingly popular Web site, Toysmart, promised that it would keep private all the information about users who bought toys online with them. Toysmart went the way of many dot-com ventures, and declared bankruptcy. In the bankruptcy proceedings, the trustee representing the interests of Toysmart took the position that the database of customers’ personal information collected by the company — under its solemn promise of privacy — was actually the property of the debtor and could be sold to a third-party to satisfy the claims of the creditors. Fortunately, this outcome was averted when an interested company offered to pay money into the bankrupt estate in exchange for the destruction of the subject database. Each of these episodes has contributed to consumer resistance to e-commerce. In recent months, two schools of thought have developed alternate approaches for overcoming this barrier by enhancing privacy safeguards: (1) e-merchants will create a customer-friendly e-commerce experience in which the key privacy decisions are made by the consumer; or (2) the government will impose legislative and regulatory solutions that purport to “protect” consumers online. These different solutions involve dramatically different conceptions of what is best for consumers, and how e-commerce will work best. WHAT THE E-COMMERCE COMMUNITY IS DOING ON ITS OWN The emerging best practices by e-commerce sites proceed from the recognition that the essential character of the Web is that the consumer is in charge. The user can choose to go wherever she likes, whenever she likes. The user runs the Web — the Web does not run the user. What flows from that concept is that the user must be provided with whatever information the user desires to make fully-informed decisions in connection with her Web-based experiences. In a very real way, every user can customize her own Web experience, and this new form of individualized mass medium is the antithesis of a “one size fits all” solution. Instead, a premium is placed on user autonomy, and the proper exercise of that autonomy necessitates providing the user with access to an unprecedented amount of information as well as the tools for coping with it. Early indications appear to show that Web-based businesses that offer users more information, options and disclosures will be more accepted by consumers and more likely to succeed than other sites. Seehttp://energycommerce.house.gov/ 107/hearings/05082001Hearing209/ Westin309.htm. In the off-line world, a company’s brand can be destroyed by offering shoddy merchandise and breaching the consumer’s reliance on the value of the seller’s good name. The online world has come to understand that the value of an online “brand” is related to the trustworthiness of the company on privacy issues. See also, http://www.truste.org/ partners/newsletter/spring99.html#04. Sophisticated e-commerce sites have therefore decided to disclose their pertinent practices and allow the user to make the decision whether to accept, reject or inquire further. Whether this will be sufficient to comfort finicky consumers is still unclear. If not, the next step would be the so-called “opt-in” solution, where consumers must take affirmative steps before any personal information can be used by online businesses. PRIVACY POLICIES The reputable Web business now spells out what it does with users’ information. Privacy Policies allow a user to see what information is collected, how it is handled and where it goes. Indeed, Web businesses such as Amazon.com have been increasingly forthright in disclosing when user information is not kept confidential, allowing the users to “vote with their clicks” to modify their preferences and determine when they want to make use of the time-saving features. Of course, the Web also affords consumers the opportunity to go elsewhere if they prefer dealing with businesses that have different privacy practices. It will be instructive to see whether the privacy policy changes announced by e-commerce giant Amazon.com will erode their substantial consumer base. This focus on privacy has also driven the creation of a new form of business — third parties that attest to the good practices of a Web site. Such companies provide a seal placed on the Web site that constitutes assurance to a user that the Web site keeps their privacy promises. Among the leaders in this field is TRUSTe (http://www.truste.org), which pools resources for Web publishers and consumers in a very user-friendly site. TRUSTe operates by checking on the privacy promises of its members, and confirming what they say is true. This kind of seal (also known as a trust-mark) can be enormously valuable, permitting the transfer of customer confidence in TRUSTe’s brand to an e-business with no track record. Of course, for TRUSTe to work in the long run, it must actually perform its self-assigned role and alert the public when one of its members breaks its word. TRUSTe was, in fact, sorely tested by one of its most prominent members. Having promised users who downloaded the RealAudio Player that it was gathering no information about them, RealNetworks turned out to be keeping precise track (by use of unique identifiers) of what users of its media player were doing. According to reports, the Real Player software was actually maintaining a list of what the user downloaded and what the user played on their own PC. When connected to the Web, the Real Audio Player could transmit the information that it collected back to RealNetworks, which could then have used it for a variety of purposes. RealNetworks had held itself out as a model citizen in privacy matters, and TRUSTe had expressly warned that they would withdraw their seal from members who misled consumers. When RealNetworks was caught violating its promise, TRUSTe had to make a hard call — how to deal with an entity as big as RealNetworks, which had been such an active participant in online privacy matters, but which was now revealed to be engaging in behavior that was anathema. RealNetworks confessed publicly and vowed to reform itself. It described extensive steps that it was taking to be sure that it did not repeat its mistakes. How TRUSTe responded is a model for how self-regulation can work effectively. TRUSTe went through a very public analysis of its options, including terminating RealNetworks from the TRUSTe program and withdrawing its seal. In the end, however, TRUSTe concluded that it would not withdraw its seal from RealNetworks. Instead, it expressed its determination to remain engaged with the company to help it “rehabilitate.” (http://www.truste.org/ newsletter/fall99.html) Explaining its analysis publicly and candidly conceding the difficulty of the decision enhanced TRUSTe’s own credibility, as did its treating the Web community as common stakeholders in its effort to promote the greater good of privacy protections. Indeed, by calling attention to its own member’s transgressions and engaging in a very open discussion of these unprecedented questions, TRUSTe came through the process with greater stature than before. Other companies that offer similar trust-mark services include BBBOnline, PricewaterhouseCoopers and WebTrust (licensed by the American Institute of Certified Public Accountants). There are plenty of critics watching Real.com very closely to see if they live up to their new commitments. One imagines that TRUSTe is in the virtual front row. Web users have encountered other problems that make them leery of trusting online entities as well. Some of the most well-publicized include credit-card theft (where hackers actually made off with databases containing valid credit card numbers), identity theft (where criminals got access to personal information and used it to obtain credit by impersonating the victim) and the ever-popular bogus stock tips. Taken together, these horror stories result in an environment where it is harder than ever to earn the trust of a new customer. No system — whether government-imposed or market-driven — can totally eliminate bad behavior. The challenge is how best to address those occasions where missteps occur. The open question is whether the government will feel the need to step into this field. EXISTING LAWS These forms of self-regulation are all being undertaken against the backdrop of substantial legal protections. Existing consumer protection laws have been supplemented by laws that protect the privacy rights of users. For instance, the Gramm-Leach-Bliley Act, Pub. L. No. 106-102, 113 Stat. 1338, Nov. 12, 1999, has imposed sweeping restrictions on the sharing of private financial information, giving enforcement authority to the Federal Trade Commission to protect consumer financial information, 16 C.F.R. � 313, May 16, 2000. Both the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. � 1301, et seq. (“HIPAA”) and the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. �1301, (“COPPA”) have also become law in the past year or so. Even the under-utilized Computer Fraud and Abuse Act, 18 U.S.C.A. �1030 (“CFAA”), is now emerging as a potent legal mechanism for enforcing a user’s right to privacy by creating a civil remedy, as well as a criminal penalty, for losses sustained when someone deliberately accesses personal information stored on a computer. Recent court decisions have recognized that the CFAA can apply even where a defendant has merely accessed private information, finding that unauthorized access constitutes a “loss” in that the data’s integrity has been diminished. See, for example, the decision of the U.S. District Court for the Western District of Washington in the case of Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000). INTERNET SPEED MATTERS Faced with these and similar risks of online misadventures, what is the best way to protect online consumers’ privacy? One path would be to have the Government continue its efforts to legislate solutions, albeit one issue, or one industry at a time. The risks of that approach — inconsistency, uncertainty and relative inflexibility — make real benefits to the consumer uncertain. Another path is to encourage the development of technology solutions that consumers can use to suit their own preferences. Given how fast the Web moves, a governmental solution would be dead on arrival. Relying on the legislative and administrative processes to keep up with Internet-speed developments is a fool’s errand. One size does not fit all on the Web, and indeed the entire medium is optimized so that each user can accommodate his or her own risk tolerances. While Congress may believe — paternalistically, we believe — that no user would ever want to share certain information, the reality is that each individual user should be free to make such decisions for themselves. Technology tools can accomplish this. Widely available, personally customizable software could empower the consumer with control over who sees what and when. Prior technology may have been more cumbersome, but current and soon-to-be-delivered solutions will put users in control of their personal data as never before. NEW TECHNOLOGY MAY HELP New technology that offers users the ability to control personal data include Microsoft’s .Net foundation services (code-named “Hailstorm”) and its new version of Internet Explorer. Each of these products is designed to put the consumer in control of their personal information, with privacy and security being the fundamental design points. Hailstorm is designed to allow end users control over how and with whom their personal information is shared. The Hailstorm model is built upon the fair information practices, including: 1. Notice: Consumer notice of how information will be used; 2. Choice: Regarding collection and distribution of personal information; 3. Access: To all information held by the consumer on the consumer; and 4. Security: The peace of mind to know that protections are built in to protect from unauthorized third parties accessing information without the consumer’s consent. The Hailstorm Web site, http://www.microsoft.com/ net/hailstorm.asp, has more details. Similarly, Microsoft’s new version of Internet Explorer (IE 6) will support key features of Platform for Privacy Preferences (P3P), a newly developed, user-friendly privacy standard developed by the World Wide Web Consortium. The P3P spec allows consumers to simply state their privacy preferences and will allow consumers to easily manage and restrict the placement of third-party cookies on their machines. Web sites must clearly describe how they will use customer data in order to be compliant. P3P-enabled Internet browsers will notify users of Web sites that do not meet their preferences. ADDRESSING PRIVACY ISSUES KEY TO SUCCESSFUL E-COMMERCE In a virtual world, businesses must earn the confidence of customers before earning their business. Assuring users that their privacy will be respected in accordance with their wishes is an essential element in gaining the trust necessary to make e-commerce work. The Web moves at such speed, and the opportunities for metamorphosis are so enormous, that only a technological solution evolving along with the environment can accomplish this objective. There are many legal safeguards in place for misuse of private information, and it would be a mistake for government to enact proscriptive privacy laws that might hinder the development of technological solutions. Instead, the best solution is to leverage the very nature of the Internet: respect for the autonomy of each and every user. There is no reason why users cannot control how much of their private information is shared and what remains private. The technologies to promote individual autonomy exist today, and more are coming. As consumers realize that they hold the keys to their own privacy, e-commerce will be more likely to fulfill its promise. Jeremy D. Mishkin is a partner in the Litigation Department of Montgomery, McCracken, Walker & Rhoadsin Philadelphia. He is also Managing Partner of the Firm. His practice emphasizes complex commercial matters, technology, the Internet and First Amendment/Media Law issues. Peter Breslauer, a partner in the Litigation Department of the firm, specializes in complex commercial litigation, including the defense of class action, antitrust, products liability and intellectual property cases. Christina D. Frangiosa, an associate in the Litigation Department of the firm, focuses her practice on matters involving high technology, intellectual property, computers and the Internet, and media law.

This content has been archived. It is available exclusively through our partner LexisNexis®.

To view this content, please continue to Lexis Advance®.

Not a Lexis Advance® Subscriber? Subscribe Now

Why am I seeing this?

LexisNexis® is now the exclusive third party online distributor of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® customers will be able to access and use ALM's content by subscribing to the LexisNexis® services via Lexis Advance®. This includes content from the National Law Journal®, The American Lawyer®, Law Technology News®, The New York Law Journal® and Corporate Counsel®, as well as ALM's other newspapers, directories, legal treatises, published and unpublished court opinions, and other sources of legal information.

ALM's content plays a significant role in your work and research, and now through this alliance LexisNexis® will bring you access to an even more comprehensive collection of legal content.

For questions call 1-877-256-2472 or contact us at [email protected]

 
 

ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.