Federal Trade Commission, Privacy Online: Fair Information Practices in the Electronic Marketplace: A Report to Congress, Hearings Before the Senate Comm. on Commerce, Science, and Transportation, 106th Cong., 2d Sess. (May 2000) (full-text).
The FTC issued this report after a second survey of website privacy policies. As Chairman Pitofsky stated in the report the issue before the Commission was not whether self-regulation succeeded or failed but rather "whether the progress of online implementation of Fair Information Practice Principles continues to suggest that no legislation is warranted."
The Commission concluded that it had the power to bring enforcement actions against companies for "failure[s] to comply with stated information practices" as such failure "may constitute a deceptive practice in certain circumstances." At the same time, the Commission stated that "as a general matter . . . the Commission lacks authority to require firms to adopt information practice policies or to abide by the fair information practice principles on their Web sites, or portions of their Web sites, not directed to children.
Commissioner Swindle dissented from the majority's recommendation on the basis that a reasonableness standard was "vaguely phrased" and would effectively provide "the Commission (or some other agency) a blank check to resolve the difficult policy issues later. This would constitute a troubling devolution of power from elected officials to unelected bureaucrats." Commissioner Swindle argued that such a standard would legislatively mandate that businesses provide "reasonable security" but give regulators the ability to retrospectively decide "what security is and is not ‘reasonable.’”
Notwithstanding measurable gains since the 1999 Report to Congress (Self-Regulation and Privacy Online: A Report to Congress), a majority of the Commission found that self-regulation alone, without some legislation, is unlikely to provide online consumers with the level of protection they seek and deserve. Accordingly, a majority of the Commission recommended that Congress consider legislation to complement self-regulation that would provide the Commission with the authority needed to require that all websites "take reasonable steps to protect the security of the information they collect from consumers."