In 2000, the FTC undertook a survey to assess how effective the e-commerce industry’s self-regulation had been at addressing the privacy concerns of consumers. Unfortunately, the survey did not measure improvements in consumer confidence or any actual consumer behavior, but instead measured how many sites had posted privacy policies and whether these policies followed the government’s recommended standards. Since the ultimate measure of the effectiveness of self-regulation was the presence of a disclosure which included all of a government-endorsed set of “fair information practice principles,” it is unsurprising that the FTC concluded that self-regulation had failed.

It is questionable whether the FTC had adequate time to review the relevant information before preparing their report. The raw survey data were collected in February and March 2000, leaving little time to crunch the numbers and consider their implications before the report was delivered in May 2000. Another important source of information, the final report of the Advisory Committee on Online Access and Security, was also delivered in May 2000, and presumably was not consulted at all.

Finally, the survey was conducted by FTC staff, who were required to make judgment calls about the content of privacy policies. As employees of the FTC, these staff members had a vested interest in the outcome of a survey which could have led to legislation that would have increased the scope of the FTC’s authority. The survey should have been outsourced to a third party.

The FTC recommended that Congress pass legislation requiring that “all consumer-oriented commercial Web sites that collect personal identifying information from or about consumers” implement privacy policies which meet a set of standards to be determined by the government and authorizing the government to enforce those standards. Such legislation would be expensive but ineffectual, since posted privacy policies do little to build consumer trust, and this credibility gap would be widened even further by the proposed legislation.

As the FTC points out, 64% of consumers say “that they do not trust even those sites with posted privacy policies.” If every consumer-oriented commercial Web site were to have a similar privacy policy, as required by the recommended legislation, it is likely that this level of trust would fall even further, since consumers would know that sites were just posting the policies to comply with federal law. In fact, it is likely that most consumers would ignore the policies entirely, just as they currently ignore other kinds of ubiquitous legalese such as shrink-wrap licenses.

Furthermore, given the incredible expense of policing all consumer-oriented commercial Web sites, including the litigation that would likely be involved in determining such fine points as “reasonable access” and “adequate security”, and the limited budgets of government agencies, it is likely that these policies would be largely unenforced. This would further damage the credibility of these policies, making them yet more irrelevant to consumers, and possibly even decreasing consumer confidence in online commerce.

The FTC’s proposed legislation would be a disaster. But the best practices which it is attempting to promote are sound. Rather than recommending that Congress mandate these practices, the FTC should recommend that Congress approve funds for public education campaigns which would inform consumers about these practices, including why it is in consumers’ best interests to patronize sites that follow them. Not only would this be far cheaper than the endless task of reviewing and enforcing web site privacy policies, it would push onto the market the difficult tasks of further articulating these best practices and discovering the best ways to implement them. As a better-educated consumer population “voted with their mice” for merchants that successfully implemented these practices, other sites would quickly fall into line, at no cost to taxpayers.

One might argue that while this approach would provide incentives for online merchants to claim adherence to best practices, it would not ensure that their actual behavior followed their stated policies, and thus the problem of enforcement noted above would still exist. But determining whether a site is deceiving its customers about its privacy practices is an easier task than determining whether those practices meet a vaguely defined set of criteria, and furthermore the FTC already has the authority to go after firms which engage in such deception. Firms competing on the basis of privacy practices would also have incentives to bring specific cases of deception by their competitors to the attention of the FTC. Still, the problem of enforcement is real, so the FTC should also ask Congress for extra funds to exercise its existing authority in this area. By educating consumers, leveraging the power of the market, and using existing laws, the FTC can achieve its goals without broad-ranging and expensive legislation.