of July 21 OPA Press Briefing
services by Alderson Reporting Company
1 A TELEPHONE NEWS CONFERENCE WAS HELD TUESDAY,
2 JULY 21, 1998 AT 2:30 EDT WITH CHRISTINE VARNEY,
3 SPOKESWOMAN FOR THE ONLINE PRIVACY ALLIANCE AND A
4 GROUP OF ABOUT 20 REPORTERS. THERE WAS NO
5 OPENING COMMENT AND THE QUESTIONS AND ANSWERS
8 QUESTION: Could
9 you explain a little bit what your policy is for
10 children and requiring parental notification?
11 Now I'm aware that you issued sort of a statement
12 of principles but is there something more
13 specific in this new policy?
14 MS. VARNEY: Well, what we've done
15 is the documents that we released on June 21st
16 included our principles for children. Today's
17 documents are a rerelease of the same children's
18 principles, the same privacy principles, the same
19 mission statement and what we've added is the
20 enforcement piece. So the children's principles
21 have not changed and they are still requiring
22 prior parental consent or direct parental
23 notification for kids under 13, depending on the
24 nature of the use of the information.
25 QUESTION: Why did you
1 decide to go ahead and enforce this yourself than
2 to rely instead on either TRUSTe or the Council
3 of Better Business Bureau?
4 MS. VARNEY: Basically, because
5 the Online Privacy Alliance was conceived as sort
6 of a catalyst, a call to action, taking the
7 companies and trade associations that care about
8 these issues and marshalling their thinking and
9 resources and commitment to establishing the
10 right standards for data collection online and
11 the right enforcement principles. You know, what
12 we need here is action, not really reinvention or
13 further institution building, and TRUSTe is
14 already in this space. BBB Online has evidenced
15 an intent to get in. DMA is thinking about how
16 they might do this.
17 So what we've done is laid down the
18 road map. As our companies are committed to
19 participating in the third-party enforcement,
20 what third-party enforcement needs to look like,
21 and for those enterprises that want to get into
22 the space, an outline as to what it needs to look
24 Now, come three, four or five months,
25 if this isn't moving, if TRUSTe, BBB or others
1 aren't really stepping up to the plate in an
2 appropriate way, which I doubt will happen, I
3 think they're very enthusiastic, or if companies
4 are finding that the third-party seal providers
5 aren't meeting the standards that they set, we'll
6 reconsider. But for the moment, we would like
7 the marketplace to work.
8 QUESTION: Christine, how are you --
9 How are you
10 going to bring companies who are not Alliance
11 members now into this system?
12 MS. VARNEY: Well, for one thing, we
13 get more and more companies every day wanting to
14 join and calling me and others with questions
15 about how to join and what does it mean. I think
16 that now that we've got sort of the framework of
17 the principles and policies, our next challenge
18 is the business and consumer outreach. It's
19 really a two-step process.
20 We have to, all of us, reach out to
21 other businesses, our business partners. We have
22 some very big portal companies here in the Online
23 Privacy Alliance, some very big ISPs, OSPs, all
24 of whom have a lot of reach in the industry and
25 we're hoping to leverage their reach to sort of
1 spread the gospel here.
2 Simultaneously, we do need to begin the
3 process of talking to consumers about looking for
4 privacy programs, privacy protection, privacy
5 seals as they go online. So I think our
6 challenge between now and the end of the year is
7 to engage the power we have through our companies
8 and our associations, our trade associations. We
9 have, I think, a dozen or so trade associations
10 that have enormous reach and as they go out and
11 educate their members, we hope to see more
12 universal adoption of these privacy policies.
13 QUESTION: I'm sorry, do you want
14 to go ahead? I'm just wondering what you think
15 of FTC Chairman Pitofsky's proposal he submitted
16 today for legislation in this area, not just the
17 proposal but what you thought of it.
18 MS. VARNEY: Well, as many people on
19 this call know, Chairman Pitofsky was my law
20 school professor and I find him to be a very fair
21 and honest and accurate grader. What Chairman
22 Pitofsky said this morning was that the industry
23 has made enormous strides but the work is
24 incomplete, they have further to go and he is
25 going to be looking again at the end of the year
1 to see where we are.
2 He actually did not call for
3 legislation. My understanding is that he said if
4 legislation were needed, they would recommend a
5 very narrow and tailored approach, focusing on
6 the principles that we as the Alliance have
7 focused on. But I think the chairman is
8 withholding judgment as to whether or not
9 legislation is needed at this time.
10 QUESTION: Christine,
11 I'm unclear as to how you see
12 this group coexisting with the other seal
13 programs and whether the existence of several
14 different stamps of approval isn't going to
15 confuse consumers who will have to decide which
16 site offers which benefits.
17 MS. VARNEY: Right. First of all, the
18 Online Privacy Alliance is not itself at this
19 point in time envisioning that it will run or
20 offer a seal program, so there are really only,
21 as we see at the moment, excluding what an
22 association may or may not do, there are only two
23 potential entrants in the seal program in a
24 large, ubiquitous potential way and that is
25 TRUSTe and BBB Online.
1 I'm not sure that two seal providers
2 creates confusion in the marketplace. Perhaps
3 200 does, but where does the line fall between 2
4 and 200? I don't think we can answer right now.
5 Individual consumers who go online to
6 shop for retail goods are very different from
7 CIOs and corporations who are looking to use
8 enhanced DDI to place orders for information.
9 And maybe they don't need the same seal. So I
10 think one of the things that we all want to wait
11 and see, I mean, this is a medium in its
12 infancy. And we do want to wait and see how the
13 market develops. We want ubiquitous signals to
14 consumers but we want to recognize the vast
15 diversity the Internet brings to the marketplace
16 and be able to be flexible.
18 I'm curious to see whether
19 the Alliance criteria, as outlined now with your
20 enforcement decision, does that mean that you meet the
21 EU data directive criteria, do you think?
22 MS. VARNEY: Well, as you all know, I'm
23 sure, the EU directive requires member states to
24 adopt data protection regimes consistent with the
25 EU's standards by October 28th. And in those
1 standards is a requirement that data not be
2 shipped out of a European state to what is called
3 a noncomplying or an inadequate state.
4 The question of whether the U.S. has
5 adequate data protection laws vis-a-vis the EU is
6 one that is currently hotly, vigorously discussed
7 between the European governments, the EC and the
8 U.S. Government as well as business to business.
9 It is my own -- it has always been and it
10 continues to be my belief that the U.S. has a
11 very different historical approach to privacy
12 than the Europeans. And what the Europeans, I
13 think, at the end of the day are very concerned
14 about is protecting the data of their citizens as
15 they move around the globe.
16 I think these standards do that, and I
17 think they do it in an incredibly efficient and
18 effective way, far more efficient, I believe,
19 than any centralized privacy bureaucracy in the
20 U.S. might be able to do. So I believe they do.
21 I'll be talking with the Europeans in the coming
22 days about where we are and we'll see what they
25 I was expecting today, at
1 least when I hear the word enforcement, I think
2 of enforcement that includes penalties. I'm
3 looking through your guidelines and I don't
4 really see a whole lot that's going to deter a
5 bad actor from continuing to be a bad actor. Can
6 you tell me, if I'm somebody who thinks his
7 business model includes violating the privacy of
8 other people, how these standards are going to
9 stop me?
10 MS. VARNEY: Sure. A couple of things
11 you need to keep in mind as you look at this.
12 When we talk about enforcement of
13 self-regulation, you need to remember there are
14 two pieces. There is the existing government
15 authority to prosecute bad actors. The Federal
16 Trade Commission, the states' attorneys general
17 all have deception authority.
18 So a bad actor who is engaged in the
19 collection of information from individuals
20 through deceit, through fraud, through any kinds
21 of devious means and the use of it in deceptive
22 ways is currently subject to prosecution by the
23 FTC, the 50 states' attorneys general and,
24 depending on the circumstances, the Department of
25 Justice. And we really -- we support vigorous
1 enforcement of the existing law.
2 The Alliance document on
3 self-enforcement then looks to how do we create
4 an atmosphere of trust on the Internet. And what
5 we're talking about is for the good actors. For
6 the companies that want to do right on the
7 Internet, that want to gain consumer trust and
8 confidence, that want to grow the net, how can
9 they do that. And we think they can do that
10 through practicing good privacy policies and
11 certifying they do through this kind of a seal
12 program or idea.
13 Well, this is a discussion that I think
14 you and I have had in the past. It has always
15 been my view that passing a law does not stop bad
16 actors. You know, we passed the Telemarketing
17 Fraud Act in '94, when telemarketing fraud was
18 estimated to be at $40 billion a year. Today
19 it's estimated to be at 60 billion. So passing
20 the law doesn't stop the act. It merely gives
21 you tools to prosecute the bad guys and I believe
22 we have the tools already to prosecute the bad
24 QUESTION: I guess the question,
25 though, is --
1 QUESTION: What is everybody
2 complaining about, then? If we already have the
3 tools and it's not being done, why is this a
4 major issue with Congress? In other words, it
5 doesn't seem to resolve that problem, as you've
6 just portrayed it.
7 In other words, you've just said that --
8 MS. VARNEY: No, I understand the
9 question. I think that there is a real
10 divergence of opinion in the Congress about
11 what's the right role of government across the
12 board in E-commerce. There are differences of
13 opinion on encryption; there are differences of
14 opinion on pornography; there are differences of
15 opinion on Internet taxation. I mean, you're
16 dealing with 535 individuals who all have
17 different experiences and expectations. So I
18 think there are many in Congress who agree that
19 the government currently does have the authority
20 to prosecute any bad actors and that what we need
21 to see is if the marketplace for self-regulation
22 will push privacy out or whether we will need
23 government action down the road.
24 QUESTION: Christine,
25 what are you telling -- there was some mention in
1 your press release that you've been talking to
2 Ira Magaziner and Becky Burr on what they should
3 say in their reports. What are you saying? What
4 should happen?
5 MS. VARNEY: I'm sorry, what are
6 you referencing that I've been saying?
7 QUESTION: There was some reference in
8 your release today to the effect that you've been
9 talking to the Administration about what should
10 be done this year. And I assume that's to Becky
11 Burr for the Department of Commerce report and to
12 Ira Magaziner for his report that's due. What
13 are you saying at this point that they should be
14 recommending or that should happen in terms of
15 what the government should do?
16 MS. VARNEY: I really have not done
17 either. What I did was I gave the
18 Department of Commerce staff and the White House
19 staff a copy of the effective enforcement of
20 self-regulation. I have not advocated one way or
21 another what should be in the report.
23 Can I just follow up one more time
24 with the issue of children?
25 MS. VARNEY: Sure.
1 QUESTION: I just pulled your statement
2 on children's online privacy act activities.
3 MS. VARNEY: Right.
4 QUESTION: And my question is, so what
5 you're essentially saying is that if a site
6 doesn't have the stamp of approval that kids
7 shouldn't be on those sites because they may be
8 collecting information, in other words, you have
9 a list of criteria here or some principles, and
10 I'm assuming that with respect to children, that
11 the sites would have to not do these things.
12 MS. VARNEY: That's right.
13 QUESTION: So that's basically what your
14 solution is?
15 MS. VARNEY: That's right. What we've
16 done is work with the largest companies in the
17 children's space, America Online, Disney, Time
18 Warner, Viacom, I know AT&T has a kids service, I
19 think IBM even has some kids stuff on their ISP.
20 So we've worked with the biggest providers of
21 children's content on the Internet to come up
22 with these standards. And I wouldn't want to
23 speak for CME or Dr. Kathryn Montgomery but my
24 meetings with them, I believe they generally
25 think we get it about right on what the
1 principles ought to be when engaging
2 interactively with kids online in data
4 So what we are absolutely saying is if
5 you are targeted to kids, these are the rules of
6 the road and you will not get a privacy seal if
7 you cannot prove that you are adhering to these
8 standards. And I am a parent. I have an
9 8-year-old and an 11-year-old. There is no way I
10 would let them near a site that wasn't adhering
11 to these standards.
13 I had a quick clarification and a
14 question. On the enforcement principles, it's
15 not requiring, in all cases, that there be
16 outside monitoring, right? It refers to
18 MS. VARNEY: What we did on the
19 enforcement piece is set up basically the three
20 criteria that we think you need to have to run a
21 self-enforcement program. In the first, you need
22 to have verification and monitoring. The
23 self-assessment program has to set up a system
24 whereby a company can prove or the seal provider
25 can assess that a company does indeed have
1 privacy policies that are consistent with the
2 Online Privacy Alliance guidelines, that they're
3 published, that they're easily accessible and
4 they have to have -- the seal provider has to
5 have a method to monitor that these practices are
6 being adhered to.
7 Once you can establish that the company
8 or the organization has good privacy policies and
9 they're adhering to them, the next thing a seal
10 provider needs to be able to do is provide some
11 way to resolve consumer complaints and disputes
12 so that if you're an individual who believes a
14 they've established and you've not been able to
15 get satisfaction from the company, you have a
16 place to go, you have an independent trusted
17 third party who can mediate the dispute and come
18 to resolution. And then the third piece is
19 education and outreach.
20 QUESTION: So the self-assessment is
21 only under the rubric of an outside field
23 MS. VARNEY: In this context, yes.
24 What we would envision is that the seal program
25 would decide and would write and publish criteria
1 if a company -- if they are going to allow
2 self-assessment, it would be pursuant to a
3 standard methodology that they've articulated and
4 adopted and they'll have a mechanism for
5 validating. Or they can do it themselves. It's
6 really up to the seal program. What we've tried
7 to do is put a road map together.
8 QUESTION: Gotcha. My broader question
9 was whether the Alliance opposes all legislative
10 efforts in this arena regarding adults.
11 MS. VARNEY: Well, the Alliance came
12 together in a fundamental belief that we had to
13 grow consumer confidence in the medium and the
14 way to do this was to self-regulate. In many of
15 the companies' experience around the table,
16 legislation is a fairly blunt instrument that
17 doesn't always accomplish its goals. And we're
18 all agreed on the goal. The goal is privacy
19 promotion, protection to grow the medium and we
20 think this is the way to do it. So yeah, we're
21 big supporters of self-regulation.
22 QUESTION: Okay. Thank you.
24 This seal thing, is it a little logo on Web sites
25 or is there a way that you can actually enforce
1 it in a way that you can have browsers figure in
2 a way that you could stop people actually going
3 into a site that does not have the seal or
4 something like that?
5 MS. VARNEY: That's a technology
6 question that I would have to defer to the
7 technologists. It's totally conceivable you
8 could program a hard drive or a browser or you
9 could get a filter. There is all kinds of
10 technological solutions for families or
11 individuals who only want to go to sites that
12 participate in the program. I certainly wouldn't
13 imagine it as a government mandate. It would
14 have to be an individual choice employing
15 technological tools.
16 QUESTION: Obviously there is only two
17 browsers around so it would be conceivable that
18 you have a little sort of something you can
19 figure in your browser so you can make sure that
20 your kids will not, yeah, be using sites without
21 the seal, for instance? Is anything being done
23 MS. VARNEY: I think that you would be
24 best to direct those questions to Netscape and
25 Microsoft individually as companies, perhaps AOL,
1 and see what they're doing. For example, I know
2 I'm an AOL parent and I know right now I can
3 program the areas where my children are allowed
4 to go and I believe I'm giving out personal
5 identifiable information is one of the criteria
6 that I can use to prohibit my kids from going to
7 places that ask for that without my consent. So
8 I think AOL is sort of doing it a little bit
9 right now but I would suggest you talk to them or
10 Microsoft or Netscape.
12 You may have covered this. I may have missed
13 it. What was the vibe you got back from the
14 White House on your proposal?
15 MS. VARNEY: Well, actually, as I said,
16 I simply gave them a copy of where we are and
17 didn't really get into a discussion with them.
18 I'm not sure that they've had a chance to go over
19 it, although I see a wire report that Ira
20 Magaziner is saying that he thinks it's heading
21 in the right direction. So I would suggest that
22 you guys check with the White House directly.
23 Jeri Clausing's story at Cyber Times,
24 she's got a quote from Ira that says, quote, I
25 think the enforcement mechanisms that they -- I
1 assume that's the Online Privacy Alliance -- are
2 putting in place are what we have been calling
3 for, end quote, says Ira C. Magaziner. Next
4 quote, now we need to -- what we need to do now
5 is monitor it to see what really happens, end
8 One of the things that has been sorely lacking is
9 consumer education and outreach. Can we expect
10 to see a more concerted effort from the
12 MS. VARNEY: Yes, I think you can. I
13 think you're going to -- again, it's sort of like
14 what have you done for me lately? First we get
15 the principles and everybody yells there is no
16 enforcement. Then we get the enforcement,
17 everybody yells there's no outreach. The next
18 piece we'll be working on is the business
19 outreach because we do want to get businesses up
20 to speed and get the privacy seal programs, make
21 sure they're launched and start to see them.
22 Then we will turn to, I hope, massive consumer
23 outreach about the importance of looking for
24 privacy policies before you give over any
1 QUESTION: Will any efforts be done
2 under the name Privacy Alliance or will it be
3 done by the various companies independently?
4 MS. VARNEY: And the trade
5 associations. My guess is you'll probably see
6 all three; the Online Privacy Alliance will do
7 some, the companies will do some and probably the
8 trade associations will do some. That's not done
9 yet but that's sort of the next thing we'll be
10 working on.
12 We talked before about this. I just
13 wanted to see what your latest information from
14 the Hill and from other legal authorities is. In
15 the past, it's been positive that if a large
16 proportion of industry or even a significant
17 proportion gets together and sets down
18 self-regulatory rules, those can be considered
19 binding on the entire industry. Do you have any
20 thoughts on this? Is your proposal the sort of
21 thing that could be considered, if you will,
22 binding on everyone in the industry?
23 MS. VARNEY: No, I don't think so.
24 There was a question for those of you at the
25 hearing this morning about can the standards of
1 the Online Privacy Alliance become the de facto
2 standards for data collection on the Internet.
3 And the real, I think, legal answer on
4 that is no. I don't know of any authority that
5 you could take and say, these are the standards
6 for doing business online and anybody who doesn't
7 adhere to them has got an exposure for breach of
8 any existing law.
9 I do think what happens, though, is you
10 begin to create an industry standard for fair
11 practices so that as you see bad actors engaged
12 in deceit and fraud and deception, you have a
13 better gauge as to what is a fair information
14 practice and what is not. But there is such a
15 diversity of companies and sectors of the
16 economy, things that work in one sector may or
17 may not work in another.
18 For example, the degree of anonymity
19 and access to data that you may want if you're a
20 clinical trial patient for a new vaccine is very
21 different, I suspect, than the amount of access
22 you want if you routinely buy your kids' clothes
23 at L.L. Beane and you can't remember sort of what
24 you bought and what size they are. So I think
25 we've got to be very careful about establishing
1 one-size-fits-all universal standards. And it's
2 consistent with the U.S. experience. We really
3 do have sectorial approaches to privacy. We have
4 a set of expectations when we're dealing with
5 financial information, we have a set of
6 expectations when we're dealing with medical
7 information and we have a set of expectations
8 when we're dealing with retail information, and
9 we need to allow that flexibility in the
10 information age.
11 MS. RUBIN: Are there any other
14 You spoke earlier about a
15 historical difference in attitudes between the
16 U.S. And the EU --
17 MS. VARNEY: The question was the
18 historical differences between the U.S. and EU on
19 privacy. And it's merely -- this is my personal
20 opinion. This is not an Alliance position at all
21 because they haven't considered it, but as a
22 student of history and a granddaughter of Western
23 European immigrants, in many, many countries in
24 Western Europe, until very recently, when you
25 were born, you went on the government rolls and
1 you went on for many purposes. There is no such
2 thing or there was no such thing as voter
3 registration in most of Western Europe. When you
4 were born, you were put on the rolls, you were
5 entitled to vote.
6 In many countries, Ireland, where my
7 family comes from, you were put on the rolls for
8 purposes of both the church and the state's
9 needs. In many countries more recently you're
10 put on the rolls at birth because there is
11 nationalized health care. So the Europeans have
12 had a very long tradition -- a longer tradition
13 of regulating the private sector's collection and
14 use of data on individuals and not as long or
15 historically deep a concern about the state's
16 collection and use of information about
18 In the United States, our concerns have
19 been precisely the opposite. 90 percent of all
20 federal law that we have on the books about data
21 collection and protection goes to the U.S.
22 Government's rights, responsibilities,
23 obligations and limitations on the collection and
24 use of individual data and we have not been as
25 concerned about the private sector collection and
1 use of data. So it's merely -- it's two
2 different cultural perspectives that we're
3 finding converging in this increasingly small
4 global world. And I don't think they're
5 necessarily inconsistent and I think we probably
6 both have something we can learn from each other
8 MS. RUBIN: Any other questions?
9 QUESTION: Just a quick follow-up,
11 Did I hear the tail end of a remark earlier when
12 you said that there seemed to be two main
13 organizations that right now, anyway, are likely
14 to play a role in this, TRUSTe and BBB?
15 MS. VARNEY: Yes.
16 QUESTION: I'm looking at your press
17 release here and it says seal program, licensee
18 program or membership association and so on.
19 Fundamentally, does this probably come down to
20 some sort of seal program with at least two or
21 more seals?
22 MS. VARNEY: At the moment, it would
23 appear so without prejudging what any of the
24 trade associations may or may not do. I'm not
25 clear what the DMA or the IRSG, what they will
1 do, whether or not they're even considering
2 creating their own seal for their own members or
3 cobranding or what they're doing. The two that I
4 know of at the moment, and if anybody knows of
5 other ones, I'm happy to learn of them, are
6 TRUSTe and BBB Online.
7 QUESTION: There is an accounting
8 association that's been trying to get something
9 off the ground for a while.
10 MS. VARNEY: Yes, actually they've been
11 working with us. As I understand what they're
12 doing, it's slightly different. They, as I
13 understand it but I would encourage you to
14 contact them, are thinking about themselves as
15 the auditors who could go in under contract to a
16 company or to a third-party seal program to audit
17 privacy policies. I don't think they, at least
18 as far as I know, consider themselves to be in
19 the seal business. That could change over time,
22 Will the Privacy Alliance specifically
23 endorse the seals or will it -- if any other
24 seals arise, will it take a look at them and
25 either endorse them or not endorse them if they
1 turn out to be something that are not entirely
3 MS. VARNEY: How about a stay tuned on
4 that because what we would like to do is see the
5 market get up and running, see if the companies
6 that are members of the Online Privacy Alliance
7 are satisfied with the choices they've got and
8 then we'll make a determination about what we
9 need to do, if anything, in terms of evaluating
10 the seal programs.
11 QUESTION: And when will things get
12 going, up and running?
13 MS. VARNEY: I think you should talk to
14 TRUSTe and BBB Online. My understanding is
15 shortly. TRUSTe is already up. I think they are
16 considering some changes to their policies and
17 procedures that would bring them into the
18 conformance with the Online Privacy Alliance
19 standards and I think BBB Online has already
20 begun work. So we'll see.
21 QUESTION: You
22 had criticized industry self-regulatory efforts.
23 Is this evidence that they're working again?
24 MS. VARNEY: I'm sorry, what was the
1 QUESTION: I was under the impression
2 that you had criticized industry's lack of
3 self-regulation on the Internet, and is today's
4 announcement an indication that they're working
5 harder or better?
6 MS. VARNEY: Well, what I actually said
7 last February at the Computers, Freedom and Privacy
8 meeting in Austin, Texas was -- and I think I
9 shocked lots of my friends. I said, look, for
10 self-regulation to work, it has to exist. And in
11 February, I think the efforts were still nascent,
12 incipient. And now the industry really has
13 worked very hard, I think since about March or
14 April to get to where they are today. And I
15 think they've done a terrific job. And my view
16 is that the amount of work and effort that
17 they've put in today is what they're going to
18 continue to carry this forward and spread it
20 So I issued a clarion call in February
21 and they answered.
22 QUESTION: And you think, then, this is
23 enough for now?
24 MS. VARNEY: I think we are definitely
25 on the right track. Absolutely.
1 QUESTION: But not finished?
2 MS. VARNEY: Not finished. It's all a
3 work in progress.
4 MS. RUBIN: One last question?
5 MS. VARNEY: Great, no last questions.
6 Thanks everybody.
7 (Whereupon, at 3:15 p.m., the
8 conference concluded.)