Report: Many Failures: A Brief History of Privacy Self-Regulation | Section: Industry-Supported Self-Regulatory Programs for Privacy



 II.  Industry-Supported Self-Regulatory Programs for Privacy

This section offers a historical review of privacy self-regulation that occurred in the years just before and just after 2000. For a variety of reasons, it is not necessarily fully comprehensive. Some self-regulatory efforts may have disappeared without a trace. Activities within existing trade associations are difficult or impossible to assess from evidence available to those outside the associations. However, this discussion captures the leading organizations of the time. [13]

This review does not generally attempt to complete a comprehensive analysis of the quality of each self-regulatory effort. The standards promulgated by the self-regulatory programs were often general and quickly became outdated because of technology and other changes. It appears that audits or reviews of compliance with self-regulatory standards were often not attempted, not completed, not credible, or not transparent. Finding original documents is often difficult or impossible now. However, there is enough available information to describe the programs, their rise, their activities, and in some cases, their demise.

Individual Reference Services Group

The creation of the Individual Reference Services Group (IRSG) was announced in June 1997 at a workshop held by the Federal Trade Commission. [14] According to a document filed with the FTC, the group consisted of companies that offered individual reference services that provided information that identifies or locates individuals. [15] The IRSG reported fourteen “leading information industry companies” as members, including US, Acxiom, Equifax, Experian, Trans Union, and Lexis-Nexis. [16]

The IRSG described its self-regulatory activities in this manner:

The core of the IRSG’s self-regulatory effort is the self-imposed restriction on use and dissemination of non-public information about individuals in their personal (not business) capacity. In addition, IRSG members who supply non-public information to other individual reference services will provide such information only to companies that adopt or comply with the principles. The principles define the measures that IRSG members will take to protect against the misuse of this type of information. The restrictions on the use of non-public information are based on three possible types of distribution that the services provide. [17]

A principal purpose of the IRSG plan appeared to be to avoid any real regulation. It was successful in achieving that goal. In its 1999 report to Congress, the FTC recommended that the industry be left to regulate itself despite some significant shortcomings:

A. Recommendations Regarding the IRSG Principles

The Commission recommends that the IRSG Group be given the opportunity to demonstrate the viability of the IRSG Principles.

The present challenge is to protect consumers from threats to their psychological, financial, and physical well-being while preserving the free flow of truthful information and other important benefits of individual reference services. The Commission commends the initiative and concern on the part of the industry members who drafted and agreed to the IRSG Principles, an innovative and far-reaching self-regulatory program. The Principles address most concerns associated with the increased availability of non-public information through individual reference services. With the promising compliance assurance program, the Principles should substantially lessen the risk that information made available through the services is misused, and should address consumers’ concerns about the privacy of non-public information in the services’ databases. Therefore, the Commission recommends that the IRSG Group be given the opportunity to demonstrate the viability of the IRSG Principles. ***

The Commission looks to industry members to determine whether errors in the transmission, transcription, or compilation of public records and other publicly available information are sufficiently infrequent as to warrant no further controls. While the Commission believes the IRSG Principles address most areas of concern, certain issues remain unresolved. Most notably, the Principles fail to provide individuals with a means to access the public records and other publicly available information that individual reference services maintain about them. Thus, individuals cannot determine whether their records reflect inaccuracies caused during the transmission, transcription, or compilation of such information. The Commission believes that this shortcoming may be significant, yet recognizes that the precise extent of these types of inaccuracies and associated harm has not been established. An objective analysis could help resolve this issue. The IRSG Group has acknowledged the Commission’s position, and has demonstrated its awareness of this problem by (1) stating that it will seriously consider conducting a study of this issue and (2) agreeing to revisit the issue in eighteen months. The Commission looks to industry members to undertake the necessary measures to establish whether inaccuracies and associated harm resulting from errors in the transmission, transcription, or compilation of public records and other publicly available information are sufficiently infrequent as to warrant no further controls. [18]

One of the IRSG principles called for an annual “assurance review” for compliance with IRSG standards. [19] The IRSG also required that a summary of the report and any subsequent actions taken be publicly available. While the IRSG website contains some evidence that at least some IRSG members conducted reviews, the IRSG did not make the reports public on its website so it is not possible to determine whether the reviews were properly conducted, comprehensive, or otherwise meaningful. [20]

Once the threat of regulation evaporated or diminished, the IRSG continued in existence for a few years. In September 2001, approximately four years after it was established, the IRSG announced its termination. [21] The stated reason was that legislation made the self-regulatory principles no longer necessary.

“We are operating in a much different regulatory environment than we were when the IRSG was created in 1997,” said Ron Plesser with Piper Marbury Rudnick & Wolfe LLP, whose firm represents the IRSG. “It doesn’t make sense to maintain a self-regulatory program when this information is now regulated under the Gramm-Leach-Bliley Act.” [22]

However, the legislation cited as the reason for termination (The Gramm-Leach-Bliley Act) did not in fact regulate IRSG members. The Gramm-Leach-Bliley (GLB) Act provided that each financial institution has an “affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” [23] A financial institution is a company that offers financial products or services to individuals, like loans, financial or investment advice, or insurance. [24] The IRSG companies – companies that provide information that identifies or locates individuals – are not financial institutions under GLB. It is also noteworthy that GLB became law almost two years before it was cited as the reason for the end of the IRSG. GLB was a fig leaf that covered the lack of continuing industry support for the IRSG.

Why did the IRSG issue a deceptive statement about the reason for its termination? According to reports current at the time, the members of IRSG lost interest in supporting an expensive self-regulatory organization because they no longer felt threatened by legislation or regulatory activities.

The website is now owned by a link farm. [25]

The Privacy Leadership Initiative

A group of industry executives with members including IBM, Procter & Gamble, Ford, Compaq, and AT&T established the Privacy Leadership Initiative (PLI) in June 2000. [26] PLI promptly began an ad campaign in national publications to promote industry self-regulation of online consumer privacy. According to a contemporary news account, the PLI initiative “follows a recent Federal Trade Commission recommendation that Congress establish legislation to protect online consumer privacy.” [27]

A description of the PLI from its website in 2001 stated:

The Privacy Leadership Initiative was formed by leaders of a number of different companies and associations who believe that individuals should have a say in how and when their personal information can be used to their benefit.

The purpose of the PLI is to create a climate of trust which will accelerate acceptance of the Internet and the emerging Information Economy, both online and off-line, as a safe and secure marketplace. There, individuals can see the value they receive in return for sharing personally identifiable information and will understand the steps they can take to protect themselves. As a result of sharing, individuals will have the power to enhance the quality of their lives through personalized information, products and services. [28]

Another statement from the PLI website provides a more expansive statement of the origin and purpose of the organization:

Why We Formed

The PLI was formed to provide consumers with increased knowledge and resources to help them make informed choices about sharing their personal information. We also help businesses, both large and small — in all industries — develop and maintain good privacy practices. Trust and choice are the foundation of good privacy practices, yet research shows that there is currently a lack of trust between consumers and businesses. Individuals must trust responsible businesses to use personal information in ways that benefit them — such as better, less expensive and personalized products and services — while also providing them with choices about how much personal information is gathered and by whom. Through the establishment of a common understanding about the benefits of exchanging personal information and how it can be safeguarded, the PLI will begin to restore consumer confidence.

What We’re Doing

Given that privacy is a question of trust and behavior, the PLI is developing an “etiquette”–model practices for the exchange of personal information between businesses and consumers. We will help create this code of conduct by engaging in a multi-year, multi-level effort to educate consumers and businesses. Specifically, the PLI will:

1. Conduct original research to measure and track attitudes and behavior changes among consumers and to better understand how the flow of information affects the economy and people’s lives on a day-to-day basis;
2. Compile and refine existing privacy guidelines and create The Privacy Manager’s Resource Center, a new service for that assists businesses in developing their privacy programs;
3. Design an interactive Web site — — to make privacy simpler for consumers, businesses, trade groups, journalists, academics, policymakers and all other interested parties; and
4. Educate consumers about technology and tools that protect their interests without diminishing the benefits of exchanging personal preferences with responsible companies.

Whether online or off, the flow of information is critical to the growth and success of our economy. Members of the PLI recognize that businesses must take an active role in ensuring that privacy practices evolve to meet consumer needs. While there is no simple answer for an issue this complex, for PLI members that means understanding what individuals want, tackling those challenges and initiating change, while being accountable and building confidence. These are the keys to creating a climate of trust between responsible businesses and consumers. [29]

Other accounts from the time support the notion that PLI was intended to promote self-regulation. A 2001 story on Internet privacy from a publication of the Wharton School at the University of Pennsylvania focused on the self-regulation goal:

While Congress debates legislation on Capitol Hill, the business community is actively promoting other options. Chief among these is self-regulation.

Earlier this month, for example, the Privacy Leadership Initiative (PLI) – a group of executives from such companies as AT&T, Dell Computer, Ford, IBM and Procter & Gamble – announced a $30-$40 million campaign aimed at showing consumers how they can use technology to better protect their privacy online. [30]

By the middle of 2002, the threat of regulation had diminished enough that PLI “transitioned” its activities to others. The BBBOnLine, a program of the Better Business Bureau system, [31] took over the PLI website. The BBBOnline privacy program, which lasted longer than the PLI, is no longer operational, and its details are discussed elsewhere in this paper.

By the middle of September 2002, the transition of the website to BBBOnLine appeared to be complete. [32] However, by January 2008, the website had changed entirely, offering visitors an answer to the question Can microwave popcorn cause lung disease? [33] By the beginning of 2011, the website was controlled by Media Insights, a creator of “content-rich Internet publications.” [34] Other Media Insights websites include, and [35] It is an ignominious end point.

The Online Privacy Alliance

The Online Privacy Alliance [36] was created in 1998 by former Federal Trade Commissioner Christine Varney. [37] OPA’s earliest available webpage described the organization as a cross-industry coalition of more than 60 global corporations and associations. [38]

The first paragraph of the background page on its website stated clearly its interest in promoting self-regulation:

Businesses, consumers, reporters and policy makers at home and abroad are watching closely to see how well the private sector fulfills its commitment to create a credible system of self-regulation that protects privacy online. One of the most important signs that self-regulation works is the growing number of web sites posting privacy policies. [39]

In July 1998, OPA released a paper describing Effective Enforcement of Self-regulation. [40] In November 1999, a representative of the OPA appeared at an FTC workshop on online profiling and participated in a session on the role of self-regulation. [41] OPA self-regulatory principles were cited by industry representatives before the FTC and elsewhere. [42]

It is difficult to chart with precision the deterioration of the OPA. By all appearances, the OPA is defunct. It no longer accepts members, and the primary evidence of its activity is continuing small changes to its website. A review of webpages available at the Internet Archive shows a decline of original OPA activities starting in the early 2000s. For example, the first webpage available for 2004 prominently lists OPA news, but the first item shown is dated March 2002 and the next most recent item is dated November 2001. [43] The OPA news on the first webpage available for 2005 shows four press stories from 2004, but the most recent OPA item was still November 2001. [44] By 2008, the OPA news on the first webpage available for that year shows 2 news stories from 2006, and no reported OPA activity more recent than 2001. [45] There is little or no evidence after 2001 of OPA activities or participation at the Federal Trade Commission. [46]

The threat that fostered the creation of the OPA apparently had disappeared. Wikipedia categorizes OPA under defunct privacy organizations. [47]

The OPA website continues to exist and appears to have been reformatted and updated at some time after 2008. The website has some links to recent news items, but a More OPA News link at the bottom connects to a webpage that shows no item more recent than 2001. [48] The main OPA webpage also includes links to old OPA documents such as Guidelines for Online Privacy Policies (approximately 533 words) and Guidelines for Effective Enforcement of Self-Regulation (approximately 1269 words). The website continues to offer old items, such as an OPA Commentary to the Mission Statement and Guidelines dated November 19, 1998. [49]

The list of members on its website as recently as May 2011 included at least one company (Cendant) that no longer existed at that time. [50] The membership page was not dated, and members number approximately 30, or less than half the number reported in 1998. The website now reports that membership is “closed”.

The Network Advertising Initiative [51] (1999-2007 version)

The network advertising industry announced the formation of the Network Advertising Initiative at an FTC workshop in 1999. NAI issued its standards, a 21-page document, the next year. [52] The core concept – the opt-out cookie – has been criticized as a technical and policy failure, and it remains highly controversial. [53] The NAI is of particular note because the Federal Trade Commission voted on its creation.

When it began, NAI membership consisted of 12 companies, which was a fraction of the industry engaging in behavioral ad targeting. By 2002, membership hit a low of two companies. [54] This was a significant lack of participation by the industry. When the NAI created a category of associate members who were not required to be in full compliance with the NAI standards, membership increased, with associate members outnumbering regular members by 2006. Eventually, NAI eliminated the associate membership category. [55]

The NAI delegated enforcement of its standards to TRUSTe, an unusual action given that TRUSTe was a member of NAI for one year. [56] Over several years, the scope of TRUSTe public reporting on NAI complaints decreased consistently until 2006, when separate reporting about NAI by TRUSTe stopped altogether. [57] There is no evidence that the audits of NAI members that were required by NAI principles were conducted. No information about audits of members was ever made public. [58]

Much of the pressure that produced the NAI came from the Federal Trade Commission. Industry reacted in 1999 to an FTC behavioral advertising workshop, and the NAI self-regulatory principles were drafted with the support of the FTC. [59] Pressure from the FTC diminished or disappeared quickly, and by 2002, only two NAI members remained. When the FTC again showed interest in online behavioral advertising in 2008, the NAI began to take steps to fix the problems that had developed with its 2000 principles. [60] One of those steps was “promoting more robust self-regulation by today opening a 45-day public comment period concurrent with the release of a new draft 2008 NAI Principles.” [61] NAI never sought public comment on the original principles.

Because we remain in a period of renewed Federal Trade Commission and congressional interest in privacy, it is too soon to evaluate the new NAI efforts. Only when the pressure for better privacy rules has faded will it be possible to evaluate the new NAI activities fairly.

There were substantive problems with the original NAI principles as well. The conclusion of the World Privacy Forum Report summarizes the NAI failures:

The NAI has failed. The agreement is foundationally flawed in its approach to what online means and in its choice of the opt-out cookie as a core feature. The NAI opt-out does not work consistently and fails to work at all far too often. Further, the opt-out is counter-intuitive, difficult to accomplish, easily deleted by consumers, and easily circumvented. The NAI opt-out was never a great idea, and time has shown both that consumers have not embraced it and that companies can easily evade its purpose. The original NAI agreement has increasingly limited applicability to today’s tracking and identification techniques. Secret cache cookies, Flash cookies, cookie re-setting techniques, hidden UserData files, Silverlight cookies and other technologies and techniques can be used to circumvent the narrow confines of the NAI agreement. Some of these techniques, Flash cookies in particular, are in widespread use already. These persistent identifiers are not transparent to consumers. The very point of the NAI self-regulation was to make the invisible visible to consumers so there would be a fair balance between consumer interests and industry interests. NAI has not maintained transparency as promised.

The behavioral targeting industry did not embrace its own self-regulation. At no time does it appear that a majority of behavioral targeters belong to NAI. For two years, the NAI had only two members. In 2007 with the scheduling of the FTC’s new Town Hall meeting on the subject, several companies joined NAI or announced an intention to join. Basically, the industry appears interested in supporting or giving the appearance of supporting self-regulation only when alternatives are under consideration. Enforcement of the NAI has been similarly troubled. The organization tasked with enforcing the NAI was allowed to become a member of the NAI for one year. This decision reveals poor judgment on the part of the NAI and on the part of TRUSTe, the NAI enforcement organization. Further, the reporting of enforcement has been increasingly opaque as TRUSTe takes systematic steps away from transparent reporting on the NAI. If the enforcement of the NAI is neither independent nor transparent, then how can anyone determine if the NAI is an effective self-regulatory scheme? The result of all of these and other deficiencies is that the protections promised to consumers have not been realized. The NAI self-regulatory agreement has failed to meet the goals it has stated, and it has failed to meet the expectations and goals the FTC laid out for it. The NAI has failed to deliver on its promises to consumers. [62]

The NAI self-regulatory effort that began in 1999 was a demonstrable failure within a few years.

BBBOnline Privacy Program

The BBBOnline Privacy Program began in 1998, in response to “the need identified by the Clinton Administration and businesses for a major self-regulation initiative to protect consumer privacy on the Net and to respond to the European privacy initiatives.” [63] Founding sponsors included leading businesses, such as AT&T, GTE, Hewlett-Packard, IBM, Procter & Gamble, Sony Electronics, Visa, and Xerox. [64] The program was operated by the Council of Better Business Bureaus through its subsidiary, BBBOnLine. There may have been some consumer group participation in the development of the BBBOnLine privacy program.

The BBBOnline Privacy Program was much more extensive than many other efforts at the time. It included “verification, monitoring and review, consumer dispute resolution, a compliance seal, enforcement mechanisms and an educational component.” [65] To qualify, a company had to post a privacy notice telling consumers what personal information is being collected, how it will be used, and what choices they have in terms of use. Participants also had to verify security measures taken to protect their information, abide by their posted privacy policies, and agree to an independent verification by BBBOnLine. Companies had to participate in the program’s dispute resolution service, [66] a service that operated under a 17-page set of detailed procedures. [67] The dispute resolution service also publicly reported statistics about its operations. [68] As noted above, the BBBOnLine Privacy Program took over the Privacy Leadership Initiative website when PLI ended operations in 2002. The BBBOnline Privacy Program was considerably more robust than most, if not all, of the contemporary privacy self-regulatory activities.

It is difficult to determine how many companies participated in the BBBOnline privacy program. A 2000 Federal Trade Commission report on online privacy said that “[o]ver 450 sites representing 244 companies have been licensed to post the BBBOnLine Privacy Seal since the program was launched” in March 1999. [69] Whether the numbers increased in subsequent years is unknown, but the number reported in 2000 clearly represents a tiny fraction of websites and companies. It may be that the more rigorous requirements that BBBOnline asked its members to meet were a factor in dissuading many companies from participating.

BBBOnline stopped accepting applications for its privacy program sometime in 2007. [70] The specific reasons the program terminated are not clear, but it seems likely that it was the result of lack of support, participation, and interest. Self-regulation for the purpose of avoiding real regulation is one thing, but the active and substantial self-regulation offered by BBBOnline may have been too much for many potential participants. BBBOnline continues to operate other programs, including an EU Safe Harbor dispute resolution service, [71] but there is no evidence on its website of the original BBBOnline privacy program. Interestingly, some companies continue to cite the now-defunct BBBOnline privacy program in their privacy policies. [72]






[13] Also, privacy seal programs arose during the period of this review, but some disappeared entirely. None beyond BBBOnline and TRUSTe developed sufficient credibility, reliability, or public recognition to warrant investigation in this report.

[14] Federal Trade Commission, Individual Reference Services, A Report to Congress (1997), (last visited 9/20/11).

[15] Individual Reference Services Group, Industry Principles — Commentary (Dec. 15, 1997), (last visited 9/20/11).

[16] (last visited 9/20/11).

[17] Id.

[18] Federal Trade Commission, Individual Reference Services, A Report to Congress (1997) (Commission Recommendations), (last visited 9/20/11).

[19] (last visited 9/20/11).

[20] See–2000.htm (last visited 9/20/11). Whether the reports were made public in other ways has not been explored.

[21] (last visited 9/20/11).

[22] Id.

[23] 15 U.S.C. § 6801(a).

[24] 15 U.S.C. § 6809(3). See also Federal Trade Commission, In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act (2002), gramm-leach-bliley-act (last visited 9/20/11).

[25] See (last visited 9/20/11).

[26] See Marcia Savage, New Industry Alliance Addresses Online Privacy, Computer Reseller News (06/19/00), (last visited 9/20/11).

[27] Id.

[28] (last visited 9/20/11).

[29] (last visited 9/20/11).

[30] Up for Sale: How Best to Protect Privacy on the Internet, Knowledge@Wharton (March 19, 2001), (last visited 9/20/11).

[31] Press Release, Privacy Leadership Initiative Transfers Initiatives to Established Business Groups (July 1, 2002), (last visited 9/20/11).

[32] (last visited 9/20/11).

[33] (last visited 9/20/11).

[34] (last visited 9/20/11).

[35] Id.

[36] The main webpages for the organization are at However, for a brief period starting in 2005, the Internet Archive shows that the organization also maintained webpages at The first pages reported by the Internet Archive for are dated December 2, 1998.

[37] (last visited 9/20/11).

[38] Id.

[39] (last visited 2/8/11).

[40] (last visited 9/20/11).

[41] (last visited 9/20/11).

[42] See, e.g., Statement of Mark Uncapher, Vice President and Counsel, Information Technology Association of America, before the Federal Trade Commission Public Workshop on Online Profiling (October 18, 1999), (last visited 9/20/11).

[43] (last visited 9/20/11).

[44] (last visited 9/20/11).

[45] (last visited 9/20/11).

[46] (last visited 9/20/11)

[47] (last visited 9/20/11).

[48] (last visited 9/20/11).

[49] (last visited 9/20/11).

[50] (last visited 9/20/11)

[51] This summary is adapted from a comprehensive review of the Network Advertising Initiative (NAI) published by the World Privacy Forum in 2007. The WPF report is THE NETWORK ADVERTISING INITIATIVE: Failing at Consumer Protection and at Self-Regulation. The WPF report contains citations and support for the conclusions presented here. (last visited 9/20/11).

[52] Id. at 7-8.

[53] Id. at 14-16.

[54] Id. at 28-29.

[55] Id. at 29-30.

[56] Id. at 25.

[57] Id. at 33-36.

[58] Id. at 37.

[59] Id. at 9.

[60] See, e.g., Network Advertising Initiative, Written Comments in Response to the Federal Trade Commission Staff’s Proposed Behavioral Advertising Principles (April 2008), (last visited 9/20/11).

[61] Id.

[62] World Privacy Forum NAI Report at 39.

[63] News Release, Better Business Bureau, BBBOnLine Privacy Program Created to Enhance User Trust on the Internet (June 22, 1998), on-the-internet-163 (last visited 2/10/11).

[64] Id.

[65] The earliest web presence for the BBB Online Privacy Program appeared at the end of 2000. (last visited 9/20/11).

[66] (last visited 9/20/11).

[67] (last visited 9/20/11).

[68] See, e.g., (last visited 9/20/11). While the BBBOnline privacy program dispute procedures were better and more transparent than other comparable procedures, the BBBOnline dispute resolution service was controversial in various ways. In 2000, for example, questions were raised when the BBBOnline Privacy Program, under pressure from the subject of a complaint, vacated an earlier decision and substituted a decision more favorable to the complaint subject.

[69] Federal Trade Commission, Privacy Online: Fair Information Practices in the Electronic Marketplace, A Report To Congress 6 (2000), (last visited 9/20/11).

[70] (last visited 2/10/11).

[71] (last visited 9/20/11). It is not clear if BBBOnline has actually handled any US-EU Safe Harbor complaints.

[72] See, e.g., the Equifax Online Privacy Policy & Fair Information Principles, (last visited 9/20/11); Good Feet, (last visited 9/20/11).


