Statement on Enforcement of Self-Regulation

The members of the Online Privacy Alliance believe that the cornerstone of effective self-regulation for online privacy is robust and ubiquitous enforcement of such self-regulation. Accountability for effective business practices regarding the collection, use, and distribution of individually identifiable information is an essential aspect of online privacy protection. We believe that both the private sector and the government have a responsibility to enforce self-regulation. For example, in the private sector, TRUSTe and BBBOnLine have expanded or launched third-party privacy seal programs, and we believe such programs are essential to building consumer confidence in online privacy. In addition, many companies and associations are implementing self-administered compliance and enforcement programs. In the government, the Federal Trade Commission and the state attorneys general have the authority to prosecute organizations that post deceptive privacy policies, and we believe they should do so.

To be effective, private sector-based self-regulatory enforcement regimes should identify the appropriate mechanisms to ensure compliance (enforcement) and appropriate means of response to consumer complaints (redress). The type of enforcement necessary to protect privacy online will vary by industry sector. For example, sensitive information may require the highest levels of objective assurance that the data is protected.

Mechanisms to ensure compliance include, but are not limited to: making acceptance of and compliance with a code of fair information practices a condition of membership in an industry association; ongoing assessments or audits to verify an organization's compliance with its stated policy; or validation that organizations have adopted and comply with a stated code. Appropriate means of individual redress may include any variety of mechanisms to ensure that consumers have a simple and effective way to have their concerns addressed.

Any effective private sector self-regulatory enforcement mechanism must include the following elements:

  • an ongoing assessment procedure for determining whether companies comply with their posted privacy policies that may include periodic public disclosure of the assessment methodology and results;
  • accessible and responsive dispute resolution opportunities for individuals who believe that an organization has not collected, used or distributed their individually identifiable information in accordance with the organization's published privacy policy; and
  • educational outreach to consumers and businesses regarding the importance of addressing individuals' privacy concerns.

The Online Privacy Alliance is working with groups that are interested in creating or expanding third-party enforcement mechanisms. We are also working with organizations and associations to determine the necessary elements of self-administered enforcement programs. We also will explore the role of governments in enforcing self-regulation. We will release our specific recommendations for effective enforcement of self-regulation by September 15, 1998.





Copyright © 1998-2010 Privacy Alliance