TESTIMONY OF
JERRY BERMAN, EXECUTIVE DIRECTOR
OF THE
CENTER FOR DEMOCRACY AND TECHNOLOGY
BEFORE THE
SENATE COMMERCE COMMITTEE

October 3, 2000


A. Introduction

Mr. Chairman, members of the Committee, I am Jerry Berman, Executive Director of the Center for Democracy and Technology. I welcome the opportunity to participate in this hearing on privacy.

The Center for Democracy and Technology is a non-profit public interest organization founded in 1994 to promote democratic values and individual liberties for the digital age. CDT works for practical, real-world solutions that enhance free expression, privacy, universal access and democratic participation. We are guided by our vision of the Internet as a uniquely open, global, decentralized and user-controlled medium. We believe the Internet has unprecedented potential to promote democracy, diversity and human development, by placing powerful information and communications technology in the hands of individuals and communities.

However, this vision of the Internet is neither preordained nor universally desired. For the Internet to serve the civic needs of society, we must embed into its policy, practices and technical framework core principles of a free and open society, including protection of privacy.

History teaches us that sound privacy legislation must arise from a consensus process including all parties interested in the future of the Internet.[1] It must find the common ground among activists, nonprofit groups, forward-thinking Internet businesses and government policymakers. Over the next several months we look forward to working with the Committee and other interested parties to develop sound privacy legislation.


B. The need for Federal Privacy Laws

Today, the infrastructure of the Internet and the business models emerging to profit from it challenge individuals' expectations of privacy. Daily news reports of consumers' data being used in unanticipated and unwelcome ways proliferate. Individuals who believe they are anonymous find their identities are potentially being recorded and revealed.[2] Users of Internet content services find that their listening and reading habits are being monitored without their consent.[3] Users of cell phones find their phone numbers being shared with the Web sites they access.[4] Individuals who have relied on promises of technical anonymity and pledges of privacy protection find themselves at the mercy of the marketplace as companies change policies,[5] restructure their operations, merge, or file for bankruptcy.[6] Individuals who have entrusted their personal information to companies find their data exposed by weaknesses in businesses' security practices.[7] And on the government side, with programs like Carnivore, with the increasing ability of government to track the location of cell phone users, and with more information being stored on networks, citizens are legitimately worried that their Fourth Amendment rights are eroding. In short: technology is challenging individuals' ability to seek out information and engage in activities without being monitored and identified; business practices are denying individuals the ability to control how their personal information is collected and used; and, loopholes in existing law are undermining individuals' expectations of confidentiality in personal information they choose to divulge to others for limited purposes.

Some breaches of consumers' privacy occur due to technical weaknesses in the Internet's infrastructure and products. Some are the result of business models that deny consumers the ability to control how, when, and under what circumstances their data is collected and used. Others are the consequence of out-dated laws that have not kept pace with technical changes. In each case the result is the same: As accounts of privacy breaches grow so do consumers' anxiety and distrust.

Addressing the privacy issues caused by the interplay between technical change, emerging business models, and insufficient public policy requires a combination of technical fixes, self-regulatory best practices, and updated laws. While technology and self-regulatory efforts have a role to play, they cannot on their own solve the privacy puzzle. Legislation is needed to ensure certainty for consumers, create a level playing field for businesses, provide clear guidance to the uninformed, regulate government surveillance and data collection, and create a structure for penalizing bad actors.

In the absence of federal action we are certain to see numerous state statutes. While welcomed laboratories for policy experimentation in many instances, conflicting state laws in the online environment pose unique challenges for consumers, businesses, and enforcement authorities. It is in the interest of all stakeholders to develop a consistent framework for privacy protection. A strong federal law can provide the baseline for a cohesive privacy policy for the online environment. Strong federal privacy policy is essential to the continued growth and acceptance of the Internet as a platform for communication, commerce, education, and government services.


C. Principles to guide privacy legislation

CDT believes that four principles should guide the development of privacy policy for the Internet. Clearly we should judge legislation by how well it protects privacy. But, there are other important considerations that must guide the legislative process as well.


D. Law and code must work together

To advance individual privacy online we must ensure that both the canon and code of the Internet protect individuals' expectations of privacy. Sensible laws that place individuals in control of their personal information and establish predictable rules to govern the practices of businesses entrusted with individuals' information must be put in place. But the code -- the technical architecture of the Internet -- must also provide privacy protection. Legal rules must respect, build upon, and work in concert with the open, decentralized nature of the Internet. Sound privacy law will harness the power of technology and the competitive nature of the marketplace to advance privacy. As in all legislative efforts, we must seek to advance our goal, privacy protection, and do no harm.


E. Privacy expectations must be protected

Privacy rules must protect individuals' expectations of autonomy, fairness, and confidentiality. Policy efforts should ensure that those expectations are respected online as well as offline, by government as well as business.[8] By autonomy, we mean the individual's ability to browse, seek out information, and engage in a range of activities without being monitored and identified at every step. Fairness requires policies that provide individuals with control over information that they provide to the government and the private sector. In terms of confidentiality, we need to continue to ensure strong protection for e-mail and other electronic communications. The overwhelming passage of HR 5018 by the House Judiciary Committee last week is the start of a long overdue effort to strengthen the privacy protections governing law enforcement surveillance.[9] The proposals sponsored by members of this committee are important efforts to address the privacy issues facing individuals in the commercial marketplace. As Congress moves to protect the privacy of individuals it must continue to address both government and private sector activities.


F. Technology and business model neutrality should be sought

Privacy rules should be neutral as to technology and business model. In short, we should address privacy protection, not the technology or business model of the day. Businesses, non-profits, and governments are using advances in technology in multiple, ever changing ways. Policy that focuses on a specific business model, a narrow segment of industry, or a specific technical means of collecting information runs the risk of creating ineffective and quickly out-of-date rules. If we address privacy one technology and one business model at a time, we will be outpaced before we start. If legislation ties privacy protection to a specific business or technology the likely result is a patchwork of conflicting and confusing laws that do not protect individual privacy or engender trust, but instead create unwanted uncertainty for all as technologies converge and business models shift. Legislation should seek to establish baseline rules that are flexible enough to address the various technical advances and business models that the future will bring.


G. Predictable and consistent rules should be sought

Legislation should produce predictable, consistent rules and minimize the burdens placed on good actors. In its landmark Internet free speech decision, the Supreme Court described the benefits of the Internet's architecture and economics for the exchange of ideas and information. These same traits -- open, decentralized, global, no gatekeepers -- today, support a wide diversity of online businesses. Many promising businesses start with extremely limited resources and staff. In a marketplace comprised equally of industry giants and "mom and pop" stores, it is critical that rules are clear, predictable, and impose minimal compliance costs on those who play by them. Federal legislation should seek to set a high standard of privacy protection and articulate clear rules. If federal legislation fails to adequately protect privacy there is no doubt that states will take action to do so. The Internet environment raises complex jurisdictional questions. Individuals, enforcement agencies, and businesses will all benefit from clear consistent rules. A hapless patchwork of policies in this border-less medium will confuse consumers, frustrate businesses, complicate enforcement and in the end fail to provide strong privacy protection.


H. Substance of a Sound Internet Privacy Law

As outlined above, a sound privacy law must protect individuals' long-held expectations of autonomy, fairness, and confidentiality.[10] To a large extent, these expectations can be protected in the private sector by adherence to Fair Information Practice Principles.[11] If fully implemented these principles would require businesses to:

In addition, there is a growing consensus that privacy protections must address the unique transparency problems that face consumers and businesses operating online. In the online environment, multiple businesses may be engaged in the production and delivery of the content and services found at a single Web site. While visitors are likely to be aware of the name of the Web site they are visiting, the various companies providing content and services may be invisible to all but the savvy consumer. When these invisible players collect information about or from the visitor, privacy rules must apply. Privacy legislation must foster transparency. It must require that consumers have actual notice of all entities with which they are dealing and that those entities are held to a consistent set of privacy rules. Consumers cannot be expected to "vote for privacy with their feet," as many have suggested they do, if they do not know where they stand or with whom they are dealing.

A privacy law that puts consumers in control of their information through the implementation of the fair information practice principles outlined above can promote privacy-enhancing technology, provide flexibility to address various business models and technical advancements, and create a blueprint for clear, consistent rules.


I. The Current Proposals

While the proposals before this Committee -- the Consumer Internet Privacy Enhancement Act (S. 2928, Senator McCain), the Consumer Privacy Protection Act (S. 2606, Senator Hollings), and the Online Privacy Protection Act (S. 809, Senators Burns and Wyden) -- have many common elements, they diverge in important ways. Each proposal requires businesses to provide "clear and conspicuous notice" of their information practices to consumers. Each provides consumers with some opportunity to control how information about them is disclosed or used. Two provide consumers with a right of access and correction. And all three require businesses to provide "reasonable" security. Two recognize that consumers' privacy concerns transcend the online-offline distinction and, to varying degrees, begin to tackle offline privacy issues as well. All three look to the Federal Trade Commission and State Attorney Generals as primary enforcers of the rules. But one provides individuals the right to independently enforce the rules. None of the proposals requires businesses to limit the information they collect to that necessary to support the consumer's transaction.

We congratulate you, Mr. Chairman, and other Senators who have worked on these bills. Components of each proposal can be used to provide the structure for sound privacy legislation. However, several important issues need further vetting and clarification before being enacted into law. We need to engage in a consultative and consensus-building process that addresses some of the hard issues that remain. The comments below are intended to aid the committee in developing a consensus proposal to advance privacy.


J. Requirements for Meaningful Notice

Each proposal requires Web sites and Internet Service Providers to provide individuals with notice of how they use personal information. The difficulties of locating and understanding privacy notices were well discussed at this Committee's last hearing and I will not revisit them here. As CDT, the Federal Trade Commission and the Chairman himself noted during the last hearing, notices are frequently buried and contain confusing if not contradictory statements about how information will be used.

In addition to requiring "clear and conspicuous notice," the Consumer Privacy Protection Act (S. 2606) states that notice should be provided "in a manner reasonably calculated to provide actual notice to any user or prospective user."[12] As the Network Advertising Initiative principles to some extent recognize, notices will be more effective in informing consumers of their rights if they are provided at the point of data collection. A requirement that notices be displayed contemporaneously with data collection and that the ability to control reuse and disclosure be provided prior to the submission of data will increase the odds that consumers actually receive notices and can avail themselves of the opportunity to control secondary uses of information.

The Consumer Privacy Protection Act (S. 2606) contains another equally important provision we believe is likely to advance the transparency of businesses' information practices on the Web. Section 707 directs the National Institute of Standards to encourage and support the development of software programs that provide individuals with automated control over their personal information. The World Wide Web Consortium's Platform for Privacy Preferences (P3P) is specifically singled out for support. This section highlights the importance of supporting technologies that provide individuals with timely, specific information to aid them in making informed privacy decisions. Technical specifications that aid consumers and businesses in applying privacy rules in the online environment deserve the attention and support of legislative and regulatory bodies. Technology should be developed that provides consumers with information about the businesses with which they interact. Steps to improve the information available to individuals about businesses' data collection practices on a real-time basis should be championed.

P3P and other technologies and services that increase the transparency of the Web experience by providing information to individuals and allowing them to decide whether to move forward with or avoid interactions are critical to privacy protection. They offer an important opportunity to build greater technical support for privacy-informed Web users and support Web sites and businesses seeking to incorporate privacy protections into the Web's infrastructure. Building privacy into the Internet infrastructure provides an avenue for advancing privacy consistent with the Web experience and supportive of individual autonomy.

We recommend including the concept of "actual notice" and support for privacy-enhancing technologies in privacy legislation as the Committee moves forward.


K. Moving from defaults to informed decisions

The proposals under consideration differ broadly in their approach to establishing consumers' control over personal information. The Online Privacy Protection Act (S. 809) provides individuals with a limited right to "consent to or limit" the disclosure of personally identifiable information.[13] The Consumer Internet Privacy Enhancement Act (S. 2928) provides consumers a slightly broader right to opt-out of having personally identifiable information "used for marketing purposes" or disclosed to third parties.[14] The Consumer Privacy Protection Act (S. 2606) requires businesses to: a) obtain the permission, "opt-in," of consumers prior to using or disclosing personally identifiable information for purposes not tied to the consumer initiated interaction;[15] and, b) provide consumers with the opportunity to "opt-out" of the collection and use of non-personally identifiable information for purposes not tied to the operation of the business.[16]

The clash over opt-in and opt-out is important both theoretically and in practice. As a general rule a privacy law should establish consumer sovereignty over personal information. An opt-in provision is most certain to accomplish this. However, much of the battle over opt-out and opt-in is grounded in the large transaction costs of the offline environment -- the consumer won't take the time, money, and energy to reply. It is a battle over defaults.

Privacy protection should aim for informed decisions, not defaults. The interactive online environment offers an opportunity to maximize informed decision making and minimize our reliance on defaults -- yes, an opportunity to move beyond the default of opt-out or opt-in toward an environment where individuals choose how information is used and transaction costs are negligible. To move toward informed decisions and away from defaults a privacy law should require consumers' consent for the reuse of data, but it should couple it with a requirement that consent mechanisms and tools necessary to make informed decisions are provided in a timely manner and are easy to use.

Thus a rule that requires businesses seeking to use or disclose data for purposes other than the transaction initiated by the consumer to: a) provide a meaningful notice and a consent mechanism prior to the collection of personal information as directed under S. 2606;[17] and, b) requires that such mechanism be in the language of S. 809 and S. 2928 "meaningful and simple", "easy to use", "easily accessible," and "available online," will best protect consumer privacy and potentially move us out of the opt-in v. opt-out paradigm by exploiting the Web's interactive capacity.

While some businesses have adopted opt-in as not only feasible but desirable, others continue to argue that opt-in is burdensome and impractical. It is time to examine these concerns in detail. As a start, what we need from those businesses is a memo specifically explaining the barriers that prevent them from implementing opt-in, and for what data practices. We need to have a fact-based, case-specific exploration of this issue, one that takes into account the speed, interactivity, and flexibility of the Internet. The companies objecting to opt-in should put facts out for all to engage with.


L. Access and correction

In April the Federal Advisory Committee on Online Access and Security delivered its report to the Federal Trade Commission.[18] The report states, "Both consumers and Web site have an interest in the accuracy of information, and sharing it with the consumer is a useful safeguard against errors or fraud in the order process. The same interest in preventing errors may lead commercial Web sites to provide their customers with access to other personal information that the Web site has maintained about the customer. Similarly, banks and consumers both benefit from the transmission of detailed credit card statements each month. Among other things, providing an opportunity to review each transaction protects both parties against fraud."[19] While the report goes on to detail divergent views on the appropriate scope of access that should be provided to consumers, the general principle that access can enhance both consumer privacy and business practice illustrates the importance of access.

Of the current proposals, two (S. 809 and S. 2606) require businesses to provide consumers with access to personally identifiable information maintained by the business. S. 809 provides consumers access to data only if that data has been collected online and disclosed to third parties,[20] while S. 2606 provides consumers with access to all personally identifiable information that was collected online and is maintained by the business.[21] S. 2928 does not require businesses to provide consumers with access to information, but directs the National Research Council to study questions of access in addition to other privacy issues and report back to Congress.[22] S. 2606 is alone in providing consumers the right to correct, delete or amend personal information held by businesses.[23]

Access is a fundamental component of privacy protection. Self-regulatory programs such as BBB Online and TrustE require businesses to provide consumers with reasonable access to personal information and correction rights. Privacy laws in the US and other countries uniformly require that individuals be afforded the ability to review and correct personal information.

Access can be conceived of as a due process protection -- if a business is using data to make decisions about a consumer then surely that consumer has an interest in knowing what data is being used and ensuring its accuracy. The importance of access is becoming more and more clear, with dynamic pricing and the possibility of online redlining. By ensuring that consumers are fully aware of the data that businesses collect and use, access enables consumers to play an active role in protecting their own data. Access serves as a check on overreaching data collection by businesses. Access enables a private force of individual citizens to police the privacy policies of businesses at no cost to the public coffers. Access allows consumers to ensure that data about them is accurate, and perhaps, that it is used in ways that advance their interests. No government agency or self-regulatory entity has the resources to review every file held by a business to ensure compliance with privacy standards. On the other hand, individual consumers have an interest in protecting their own privacy and ensuring that with respect to their data a company is doing as it has promised. Providing consumers with access to information about them held by online businesses buttresses accountability and trust by building in a low cost method of oversight.

There may, however, be instances where we set limitations on access. Throughout history, privacy and other important values have coexisted. Similarly, the principle of consumer access coexists with other important public policy considerations. At times, values conflict. It is important that limitations on access, like other important values, be clearly articulated, narrowly drawn, and directly related to the advancement of a specific public policy goal. This approach is similar to that taken in First Amendment jurisprudence -- even where a compelling interest is articulated, it must be advanced in the least restrictive manner possible. In essence, if a compelling public policy interest is in conflict with access, then it must be advanced in a manner that least interferes with the individual's ability to access her information.

The FTC's Advisory Committee on Online Access and Security (ACOAS) provided several options for providing consumers with access to information. While the Committee took no position on legislation, its options for providing access are informative. The "default to consumer access" approach articulated in the Report creates a clear presumption in favor of consumer access and allows for consideration of competing public policy interests. This is consistent with existing privacy laws, creates a clear rule that can be understood by consumers and implemented by businesses, and fosters individual privacy by providing individuals with access to information that others hold about them. As the Committee works to craft a consensus bill we would urge them to use this model. Access should not be pushed off for future study. It is a critical component of oversight, accountability and enforcement in the global, diverse online environment.


M. Reliability, integrity, and security

Each of the proposals under consideration requires businesses to protect the personal information they handle. The language of the bills varies but the intent is the same.

In its May report to the Federal Trade Commission, the Federal Advisory Committee on Online Access and Security emphasized the complexity of security.[24] The report stated that:

Security is contextual: to achieve appropriate security, security professionals typically vary the level of protection based on the value of the information on the systems, the cost of particular security measures and the costs of a security failure in terms of both liability and public confidence.

To complicate matters, both computer systems and methods of violating computer security are evolving at a rapid clip, with the result that computer security is more a process than a state. Security that was adequate yesterday is inadequate today. Anyone who sets detailed computer security standards -- whether for a company, an industry, or a government body -- must be prepared to revisit and revise those standards on a constant basis.

When companies address this problem, they should develop a program that is a continuous life cycle designed to meet the needs of the particular organization or industry. The cycle should begin with an assessment of risk; the establishment and implementation of a security architecture and management of policies and procedures based on the identified risk; training programs; regular audits and continuous monitoring; and periodic reassessment of risk. These essential elements can be designed to meet the unique requirements of organizations regardless of size.

Despite the complexities of security, the ACOAS report concluded by recommending that:

In addition, the ACOAS report urged that security be viewed as a process not a particular set of tools, technologies, or procedures that must be followed. As the report states, "If a bright line rule is adopted, there is little doubt that the pace of technical change will leave the adequacy of regulation in the dust, and what was intended to be a regulatory floor will become a ceiling in practice."

The security study in S. 2928 and the Internet security initiatives under S. 2606, would provide further opportunities to explore best practices and models for ensuring security. In particular, S. 2606's focus on collaboration between all Internet stakeholders and information generation and dissemination could buttress ongoing efforts to improve network security.

As the Committee moves forward we suggest that security be addressed in privacy legislation. The ACOAS recommendation should be considered for inclusion in privacy legislative language or report language. It is our opinion that a light touch that requires security to be provided but does not dictate its form is best. As noted by the ACOAS, and it appears by the sponsors of the various bills under consideration, security is a process. Consumers and businesses will be best served by a rule that establishes a general standard but allows for context-specific determinations. As the state of the Internet and security evolves and changes, so will the appropriate standard of care. Such an approach allows for an assessment of security tied directly to considerations of circumstance and knowledge and informed by the security practices of others similarly situated at a certain date and time. A similar approach is found in other areas, such as medical treatment, where the law creates an ongoing duty to remain current with advances in a field. Rather than creating an elaborate rulebook, this approach judges entities based on accepted professional standards and the specifics of the case. This approach will encourage increasingly strong security practices.


N. Enforcement

Each of the proposals places the Federal Trade Commission and the State Attorney Generals in the role of primary enforcers. S. 2606 provides aggrieved citizens with a private right of action. Most US privacy laws are enforced through private lawsuits. The recently passed Children's Online Privacy Protection Act is the exception. Like the current proposals, it relies on the FTC and State AGs for enforcement.

We believe the question of how best to ensure compliance with privacy laws and identify and punish bad actors remains in need of further study. A review of existing privacy laws reveals little in the way of enforcement actions. However, studies such as those conducted by the Health Care Privacy Project, which found many health Web sites breaking their privacy policies, recent sweeps by the Federal Trade Commission documenting low levels of compliance with the Children's Online Privacy Protection Act, and daily news stories documenting privacy abuses, suggest that existing privacy laws are violated.

As the Committee moves forward we suggest that it consider additional methods of ensuring compliance. For example, oversight and enforcement can be buttressed, as discussed above, by providing individuals with the ability to view data businesses hold about them. In addition, the requirement that businesses notify consumers of privacy breaches under Section 102 (f) of S. 2606 would provide consumers, or others charged with oversight and enforcement, information necessary to protect their rights. As oversight and enforcement options are examined the "mom and pop" stores operating online must be accounted for. While lengthy and expensive auditing requirements may be appropriate for large data intensive businesses, if part of a general compliance scheme they could place insurmountable barriers to new and small businesses that have done nothing wrong. As stated above it is critical that privacy rules place minimal burdens on those who follow the rules. We look forward to working with the Committee on this important issue.


O. Limiting the collection of personal information

None of the current proposals directly require businesses to limit the information they collect to that which is necessary to support the transaction. However, by focusing regulatory requirements on businesses that are collecting personal information and using it for unrelated purposes each creates incentives for businesses to do so. New businesses are emerging every day with the goal of minimizing the exposure of personally identifiable information. A sound privacy law will provide incentives for such businesses.


P. Conclusion -- A Proposal and A Call for a Process

We are approaching the end game in a long-running debate. Key members of industry, privacy advocates and policy makers have concluded that the current system of privacy protection on the Internet has failed. Consensus that legislation is one of the essential linchpins of consumer privacy protection on the Internet has emerged. It is time to leave behind the either-or debates of self-regulation vs. legislation and address the hard issues of implementing fair information practices with detailed and nuanced solutions that map onto the global, decentralized, user-controlled and market-driven Internet.

The privacy issue must not be left to meander through Congress for the next two years, to be resolved in end-of-the-session horse-trading. Nor should it be left to the states to sort out 50 different sets of rules. As information becomes the backbone of our economy, concerns about the privacy of personal information will continue to intensify. The time to build privacy into the infrastructure through laws, code, and self-regulatory activities is now. In doing so, Congress should stick to fair information practice principles, seek technology and business model neutrality, minimize regulatory burdens and maximize predictability. Industry should use technology to aid transparency, educate users, and enable individuals to exercise more nuanced control over data flow. Only through a balanced mix of baseline legislation, self-regulation and privacy-enhancing technologies will privacy be protected on the Internet.

Each of the bills before the Committee represents a good start, but critical issues remain to be resolved. We need to have a process based on consultation and consensus in order to produce workable privacy legislation.



Notes.

1. I have been involved in all of the major privacy debates at the federal level over the past twenty years, including the Electronic Communications Privacy Act, the cable privacy provisions, the video rental privacy law, and the Privacy Protection Act, and I have found that the only way to achieve sound legislation is with a consultative, consensus-building approach.

2. A. Petersen, "A privacy firestorm at DoubleClick," Wall Street Journal (February 23, 2000), § B p. 1; A. Petersen, "DoubleClick reverses course after privacy outcry," Wall Street Journal (March 3, 2000), § B p. 1; G.R. Simpson, "Intuit acts to curb leaks on web site," Wall Street Journal (March 2, 2000), § A p. 3; G.R. Simpson, "Alta vista, Kozmo distance themselves from DoubleClick over privacy worries," Wall Street Journal (March 1, 2000), § A p. 3.

3. C. Macavinta, "RealNetworks changes privacy policy under scrutiny," CNET News.com (November 1, 1999) http://news.cnet.com/news/0-1005-200-1426044.html

4. J. Borland, "Wireless Web privacy hole still wide open," CNET News.com (August 17, 2000) http://news.cnet.com/news//0-1004-200-2546734.html

5. N. Wingfield, "Amazon explains when it may share data on clients in new privacy policy," (September 1, 2000) § B p. 7,

6. G. Sandoval, "Failed dot-coms may be selling your private information," CNET News.com, (June 29, 2000) http://news.cnet.com/news/0-1007-200-2176430.html

7. A. Barnett, "New blow to internet banking security," The Guardian (September 24, 2000) http://www.guardian.co.uk/internetnews/story/0,7369,372676,00.html

8. For a fuller exploration of these issues see, e.g., Testimony of Deirdre Mulligan, Staff Counsel of the Center For Democracy & Technology, Before the Subcommittee on Communications of the Senate Committee on Commerce, Science, and Transportation, July 27, 1999.

9. For an overview of the privacy enhancements of the bill see, CDT POLICY POST Volume 6, Number 17 September 27, 2000.

10. For a fuller exploration of these issues see, e.g., Testimony of Deirdre Mulligan, Staff Counsel of the Center For Democracy & Technology, Before the Subcommittee on Communications of the Senate Committee on Commerce, Science, and Transportation, July 27, 1999.

11. Report of the Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens, U.S. Dept. of Health, Education & Welfare, July 1973.

12. Section 102 (a)

13. Section 2 (b)(1)(A)(ii)

14. Section 2 (a)(2)

15. See Section 102 (b) (establishing general consent requirement) and 104 (a)(2) (exempting the collection and use of data for the purpose of the transaction for which the data was provided by the consumer).

16. See Section 103 (b) (establishing general consent requirement) and 104 (a)(2) (exempting the collection and use of data for the purpose of the transaction for which the data was provided by the consumer).

17. S. 2606 Section 102 (a) and (b).

18. Final Report of the Federal Trade Commission Advisory Committee on Online Access and Security, May 15, 2000. http://www.ftc.gov/acoas/papers/finalreport.htm

19. Id. at 4.

20. See Section 2(b)(B)(ii) (providing consumers access to personal information disclosed to third parties) and Section 8((8) (defining personal information to information "collected online")

21. Section 102 (c) (requiring reasonable access to data collected after enactment of the title) and Section 901 (1)(6) (defining personally identifiable information as information "collected online")

22. Section 5 (b)(4)

23. Section 102 (c)(2)

24. Final Report of the Federal Trade Commission Advisory Committee on Online Access and Security, May 15, 2000. http://www.ftc.gov/acoas/papers/finalreport.htm