EPIC logo

Testimony and Statement for the Record of

Marc Rotenberg, director Electronic Privacy Information Center

on the Children's Privacy Protection and Parental Empowerment Act, H.R. 3508

Before the House of Representatives, Committee on the Judiciary, Subcommittee on Crime

September 12, 1996

Electronic Privacy Information Center
666 Pennsylvania Ave., SE
Suite 301
Washington, DC 20003
202 544 9240 (tel)
202 547 5482 (fax)
http://www.epic.org


My name is Marc Rotenberg. I am the director of the Electronic Privacy Information Center (EPIC), a public policy research organization in Washington, DC that focuses on emerging privacy and civil liberties issues. I am also on the faculty at Georgetown University Law Center where I have taught a course on the Law of Information Privacy since 1991. I appreciate the opportunity to appear before the Subcommittee this morning in support of the Children's Privacy Protection and Parental Empowerment Act.

I believe that the Act is a sensible, well considered measure that will establish fair information practices for personal information about kids and curb recent abuses in the direct marketing industry. There are unique problems in the collection and disclosure of data about children that argues in favor of strong privacy protection.

I will makes three points this morning in support of the legislation. The first is that there is already a sufficient record of problems in the marketing industry to warrant Congressional action. While some have said that Congress should wait until the harms are more clearly established, I believe that this is a dangerous and unwise strategy. By acting now, the Congress and the industry can establish sensible codes and clear standards for privacy protection. This has happened in many sectors where privacy is concerned and there is no reason why it could not happen where the information at issue concerns children.

The second is that industry self-regulation, whatever its merits, is simply not well suited to privacy protection where kids are involved. Young people cannot assess risks as adults can, cannot exercise complicated "opt-out" procedures, and should not be expected to monitor compliance. In the most extreme case, where birth records are sold by hospitals, it is of course impossible to expect babies to protect their privacy interests. It is clearly appropriate in such a situation to establish a standard in law to protect the interests of children.

The third point is that it is entirely consistent with the development of privacy legislation to enact a law that focuses on children's information. In fact, the Family Education Records and Privacy Act of 1974 followed a very similar approach in establishing federal privacy safeguards for personal information on kids held by any institution that receives federal funds for education. The law has stood the test of time. The Children's Privacy Act would as well.

Finally, I have a few suggestions for how the bill might be changed to address some of the concerns that have been raised specifically about First Amendment issues, the age identification requirement, possible exemptions, and penalties. With a few small changes, I believe it will be possible to satisfy most of the concerns that have been raised.

GROWING THREAT TO CHILDREN

The collection of data about children is growing at a phenomenal rate. Government agencies, private organizations, universities, associations, businesses, and club all gather information on kids of all ages. Records on our children are collected literally at the time of birth, segmented, compiled, and in some cases resold to anyone who wishes to buy them.

With a few exceptions, there are no clear legal standards that regulate any of these activities. It is also very difficult to determine how detailed these lists have become and what unreported abuses and misuses of personal information have already occurred. But there is a growing record which makes clear that current practices, which ignore standard privacy procedures followed in other industries and other market sectors, pose a substantial threat to the privacy and safety of young people.

More evidence about the need to act comes from an excellent report by the Center for Media Education that documents new problems on the Internet with the commercialization of personal information. CME found that marketing firms are establishing Internet sites to surreptitiously collect personal data on kids. Unlike the old coupon on the cereal box, web operators are able to gather information on users without the person's knowledge or consent. Where there is some notice of the collection activity, there is oftentimes an inducement, such as a contest or game, to encourage children to give up their name, age and address.

The Center recommended that web sites should fully disclose their privacy polices, sites should get parental consent o collect personally identifiable information about children, and that information collected should be protected from misuse. Federal Trade Commissioner Christine Varney has acknowledged that this is a serious concern and suggested that the FTC may take action in this area.

Not only have companies moved aggressively to collect information about children, literally from the time of birth, but new technologies also make it possible to collect detailed data about a particular child's personal preferences, what he enjoys, or what she fears, in more detail than ever before. Technologies for narrowcasting, such as information provided over the world wide web, will shortly allow advertises to target messages to specific children in real-time.

At the center of the problem is the collection of personal identifiable information --not demographic information, not aggregate data. The National Center for Missing and Exploited Children has made clear how important it is to protect the privacy of this information. In lieu of supporting legislation to restrict the content of information that flows across the World Wide Web, the group urged parents to tell their kids not to give out personal information to strangers on-line.

It is hard to imagine that the current situation will not become significantly worse unless some legal standards are soon established.

INDUSTRY PRIVACY PRACTICES SIMPLY DO NOT WORK

The industry has said that it is not necessary to pass laws to protect privacy. The Direct Marketing Association believes that its self-policing practices have adequately protected consumer and children's privacy. They say that the opt-out procedure, which requires individuals to send a letter to the Mail Preference Service and ask to be removed from mailing lists and then to monitor compliance, is sufficient to protect personal privacy.

A new book tells otherwise. An extensive review of privacy protection in the United States recently published in Data Privacy Law (Michie 1996) by Professor Paul Schwartz of the University of Arkansas School of Law and Professor Joel Reidenberg of the Fordham Law School make clear the problems with current practices in the direct marketing industry. Of the opt-out provision, Schwartz and Reidenberg found:

[O]nly 53 percent of DMA members are reported to the service to screen their mailings. . . . In any case, most Americans are unaware of the name removal options. This ignorance reflects either ineffectiveness or non-compliance even by those DM A members purporting to use the service. (p. 333)

Reidenberg and Schwartz also found:

Company codes of practice do not elaborate any remedy for individuals in the event that a company policy has been violated. Unlike the financial services or telecommunications context, strong internal sanction do not appear to be in place against employees who violate company codes. (p. 338)

The authors point out that the use of the mail preference service misses a critical aspect of privacy protection. While it may reduce some junk mail that consumers receive, it does nothing to prevent the extensive profiling that companies pursue when data is gathered. Reidenberg and Schwartz concluded that the industry's commitment to opt-out is "ambivalent. While the DMA guidelines call for marketers to offer opt-out, the industry objects to proposals for mandatory opt-out requirement."

The implications of the Reidenberg/Schwartz study for this Committee are critical: Industry self-regulation has not succeeded in establishing adequate privacy safeguards and the opt- out proposal specifically does nothing to stop the collection of data about children and the subsequent profiling.

But it is not just legal scholars that have reached this conclusion. USA Today put the point well in an editorial last year. The newspaper wrote:

While voluntary compliance might be preferable in an ideal world, it is not likely to work in the real world. The result is that the absence of government prodding has resulted in too many companies doing too little to protect consumers privacy rights. " (October 25, 1995.)

Even The Economist, a British magazine that virtually always defers to the private sector over government, has recognized the special need to legislate in the privacy arena. As they said earlier this year:

Enforcing the consent rule will be difficult. But it is worth a try. It would give information gatherers a push in the rights direction. Companies would collect and resell information more discriminately. And people who cherish their digital privacy would have the means to protect it -- which is as it should be." (February 10, 1996.)

The positions of USA Today and The Economist also mirror public opinion polls which routinely find that approximately 9 out of 10 American believe that personal information should not be sold by marketing companies with explicit permission. (Time/CNN 1991, Yankelovich 1995).

To the best of my knowledge, the question has never been asked in a public opinion poll whether a law should require that marketing firms obtain permission form parents before selling data on children. Based on these other polls, my guess is that the number in support would approach 95%.

SECTORAL DEVELOPMENT OF PRIVACY LAW

My third point today is that it is entirely consistent with the development of privacy law to pass a measure that protects certain classes of data. This approach, which has come to be known as the "sectoral approach," began with the enactment of the Fair Credit Reporting Act of 1970 following concerns about abuse in the credit reporting industry. Subsequent federal acts protected banks records (Right to Financial Privacy Act of 1978), cable subscriber records (Cable Act of 1984), electronic mail (Electronic Communications Privacy Act of 1986), and video rental records (Video Privacy Protection Act of 1988).

Perhaps the clearest precedent for the Children's Privacy Protection and Parental Empowerment of 1996 is the landmark federal privacy legislation that established safeguards for educational records. The Family Educational Right to Privacy Act of 1974, sometimes called the "Buckley Amendment," set out extensive privacy requirements for educational institutions receiving federal aid.

Let me read for you just few of the key provisions:

No funds shall be made available under any applicable program to any educational agency or institution which has a policy of denying, or which effectively prevents, the parent of students who are or have been in attendance at a school of such agency or at such institution, as the case may be, the right to inspect and review the educational records of their children. . . .

20 USC 1232g(a)(1)(A)

No funds shall be made available under any applicable program to any education agency or institution unless the parents of student who are or have been in attendance at a school of such agency or at such institution are provided an opportunity for a hearing by such agency or institution, in accordance with regulations of the Secretary, to challenge the content of such student's education records, in order to ensure that the records are not inaccurate, misleading, or otherwise in violation of the privacy or other rights of students, and to provide an opportunity for the correction or deletion of any such inaccurate, misleading, or otherwise inappropriate data contained therein and to insert into such records a written explanation of the parents respecting the content of such records.

20 USC 1232g(a)(2)

No funds shall be made available under any applicable program to any education agency or institution which has a policy or practice or permitting the release of educational records (or personally identifiable information contained therein other than directory information, as defined in paragraph (5) of subsection (a)) of students without the written consent of their parents to any individual, agency, or organization, . ..

20 USC 1232g(b)(1)

No funds shall be made available under any applicable program to any education agency or institution which has a policy or practice of releasing, or providing access to, any personally identifiable information in education records other than directory information, . . .

20 USC 1232g(b)(2)

Of course, FERPA acknowledges several exceptions to these general principles, and the key terms are carefully tailored to the specific needs of educational records. But certain points about this well established precedent are clear:

Returning to the bill before this committee, the CPPPEA largely applies the FERPA approach to the protection of information about children with certain additional provisions that respond to special problems that are already well documented. The approach is a sensible one, and FERPA has stood the test of time. No universities have been shut down because of the Act, but the privacy of children's educational records is more secure because Congress did not fail to act when it had the opportunity to create privacy protection for young people.

PROPOSED CHANGES

EPIC supports the Children's Privacy Protection and Parental Empowerment Act of 1996, and we commend Rep. Bob Franks of New Jersey and the other sponsors of the bill for taking action in this area. There is one change that we would like to see, and then there are several possible changes that might address some of the concerns that have been raised by others.

1. First Amendment Issues

We are specifically concerned about the provision that would penalize the knowing distribution or receipt of "any personal information about a child, knowing or having reason to believe that this information will be used to abuse the child or physically harm the child." While we share the view of the bill's sponsors that such activity raises great concern, the provision as drafted may fail a First Amendment challenge because it does not appear to satisfy the Supreme Court's requirement that speech which is criminally liable must both urge a lawless act and the incitement of that act must be likely. Brandenburg v. Ohio, 395 U.S. 444 (1969). We would appreciate the views of other civil liberties organizations on this point.

2. Age Identification Requirement

Some questions have also been raised by other organizations about the age identification requirement. Some organizations believe that this provision will force list brokers to collect more age-specified data so that they can be assured that they comply with the Act. This is clearly not the intent of the bill. The bill operates so that personal information is only covered for an individual "identified as a child," where a child is defined as a person under the age of 16. I believe that in practice this would mean that if a list broker asks for age-specific information and learns that the person is under 16, or uses other techniques to enhance the data so that the person is readily identified as a child, then the requirements of the bill would apply. Beyond these two circumstances, it is not clear to me that the bill would have further application. I do not believe that list brokers will have a proactive duty to run lists against names of children.

As for the positive consequences of the bill for the industry, the bill should cause list brokers to be more selective in the collection of personal information and more open with parents about data collection practices. Such a process will establish consumer confidence as well as protecting the rights of children.

3. Exceptions

We also recognize that there are some proposals to create exceptions in the coverage of the bill for certain organizations. We do not necessarily oppose these exceptions, but we do urge the Subcommittee to look carefully at the breadth of the exceptions proposed. Statutory exceptions work best when they are narrowly tailored to specific circumstances. We would also like to see those groups that are seeking to avoid federal coverage establish clear privacy policies that describe how they will protect the information on children and make these policies readily known to the public.

Of course, if incidents do arise where an institution that has received this special status is responsible for a privacy harm to a child, then we would immediately urge the Congress to reconsider the exception and look at amendments to the Act.

4. Criminal Penalties

We also recognize also that a privacy bill which provides for criminal sanctions would go further than other bills of this type. (Though, in fact, the Privacy Act of 1974 established criminal penalties for certain types of violations). If the Committee decides to revisit the issue of criminal penalties, then I would recommend that you increase the civil relief from at least $1,000 to at least $5,000. The reason for this is that a reoccurring problem with well intended privacy legislation is that in the absence of a clear penalty or a strong civil inducement to file suit, statues are ignored, bad practices develop, and the rights that should be protected in theory and ignored in practice.

CONCLUSION

The industry has argued that it is not necessary to pass this bill at this time because there has been no clear tie between marketing practices and specific harm to a child. They say this even after it has become known that the marketing industry has used prison inmates to process personal information that should be safeguarded and after a reporter obtained a list of families with young children using the name of the murderer of Polly Klaas.

I can only ask whether the industry is really prepared to require a dead child before it will consider passage of this sensible legislation. I don't make this point lightly. Privacy legislation to protect the disclosure of motor vehicle records came about only after the tragic murder of Rebecca Schaeffer. It would be more than a tragedy if it took a similar incident before this measure was passed.

This concludes my testimony. I would be pleased to answer your questions.