The U.S. Privacy Year in Review:

Public Opinion, the States, and the Nation

I. Public Opinion Trends

According to Alan Westin, the American public has become increasingly concerned with privacy issues. In a November 1996 national survey conducted by Opinion Research Corporation (ORC), with Westin serving as academic advisor:

" 89% of adult Americans were "concerned about threats to personal privacy", up from 82% in 1995.

" 55.5% were "very concerned," up from 47% in 1995.

" 83% believed "consumers have lost all control" over how companies collect and use their information, up from 80% in 1995.

" 72% agree "if privacy is to be preserved, the use of computers must be sharply restricted in the future," up from 67% in 1994.

Women More Concerned Than Men
The ORC survey also showed that women as a sub-category are more concerned about privacy issues than men.

" 58% of women were "very concerned" about privacy threats, compared to 44% of men.

" 69% of women polled felt that "technology [is] almost out of control," while 57% of men agree.

" 53% of women favored sharply restricting computers in order to preserve privacy, while only 40% of men felt this way.

Factors That Influence Public Concern
Westin explained that the increase in public privacy concerns cannot be traced to a single dramatic event. Instead, a variety of factors are influencing American public opinion.

" A continuing distrust of institutions.

" A widespread fear of technology abuses.

" The perception that there has been a "loss of control" over consumers' personal information.

" The influence of alarmist mass media reports.

" Actual negative experiences of consumers and their acquaintances.

" Most significantly, the public perceives that the law and organizational practices are inadequate in many consumer areas.

Privacy Pragmatists
While obviously concerned, Westin stated that the American public takes a generally pragmatic view of the commercial use of their information. When asked whether they approve of companies they patronize sending them offers based on a customer profile, 65-70% of respondents said yes. Of the 25-30% who said no, 75% of this group said it would be okay to send materials if the firm had notice and opt-out provisions in place. This pattern was consistent when applied to various major industries including telephone companies, credit card firms, and retailers.

The pragmatism of the American public holds true for regulatory issues. Two-thirds (67%) of the public favor the present mixture of law, litigation, and self-regulation for privacy protection, compared to only 28% who would prefer an EU-style federal regulatory agency with authority over the private sector. While the public is generally against omnibus legislation, there is strong support for sectoral laws.

Privacy Expectations Online
In the first statistically representative survey of online and Internet users conducted for Privacy & American Business by Louis Harris, 58% of U.S. computer users (100 million people) said that Congress should pass privacy laws now for the Internet. Other important findings Westin discussed include:

" A very low number of users report having encountered an actual invasion of their privacy (5% using online services, 7% using the Internet).

" But, majorities of users are concerned with the confidentiality of their e-mail, the tracking of their online movements, the collection of profiles, spamming, and especially the privacy of children.

" Additionally, users express limited confidence in online marketers and service providers.

Emerging Trends
Westin outlined the four major privacy trends developing as a result of the public's privacy concerns:

" Privacy hearings are getting great press at the state and federal level. Republicans and Democrats both in the states and nationally are joining forces, as consumer privacy legislation is seen as a "winner."

" The privacy and safety of children online is the hot button issue. But other concerns, such as spamming, are rising.

" Public concerns are increasingly driving legislation in the areas of health, genetics, public records, and insurance.

" Self-regulation and technological-tool solutions must prove their case, and will need public education efforts to gain acceptance and support.

II. The States and Consumer Privacy in 1997

According to Westin, the legislative response to the public's privacy concerns in the states has been dramatic. So far, 133,212 bills have been filed in the 50 states and in the District of Columbia in 1997. Of these, 8,485 were related to privacy concerns, a notable increase from the 6,629 state "privacy" bills in 1993. Of these privacy bills 1,799 were enacted into law by mid-October 1997. For 1998, 408 privacy bills have been prefiled already.

Westin explained that state privacy legislation on public records has gone beyond the restriction of drivers' information(driven by the states' responses to the Federal Driver's Privacy Protection Act). All personal information collection by government agencies is now under scrutiny. In some sectors, business may soon no longer be able to consider all factors in risk assessment, as lawmakers seek to limit how many bodies of public information are collected and used.

The Top Ten Consumer Laws with Privacy Provisions

*Industry Sector Number of Laws Enacted
Medical records
Public records
Insurance records
Financial Institutions
Health privacy/genetic
Credit reporting
AIDS/STD privacy
Mailing lists

Westin emphasized that state privacy laws are garnering bipartisan support, with Governors from both parties signing privacy protection bills in large numbers, and only four vetoes in 1997.

*Figures supplied by StateNet III.

Consumer Privacy in Washington: 1996-1998
In his overview of privacy developments in Washington, Bob Belair explained that privacy is now a key bipartisan issue. Following the Clinton Administration and the FTC's lead , both parties have rejected the idea of omnibus legislation and the creation of a privacy agency. Belair added that there is wide support for industry self-regulation and sectoral approach to privacy legislation in D.C.

Congressional Activity
Congress received the Department of Health and Human Services report on privacy and medical records in September and the FTC report on identification and location information services in December. Belair expects to see congressional efforts on financial services as soon as key Republicans arrive at a consensus on the adoption of some form of children's privacy protection legislation. He also pointed out that Congress is leaning more towards self-regulation of the direct-marketing industry than legislative action.

According to Belair, the debate over encryption regulation is still an intense one. The Clinton Administration, with the backing of Silicon Valley, would like to loosen export controls in the interest of expanding trade and the smooth flow of data globally. However, the national security issues posed by the export of encryption technology and FBI opposition have not been adequately resolved to the Administration's or Congress' liking

Key Privacy Questions For 1998
Belair outlined the important privacy issues and questions that are likely to develop in 1998.

" What privacy constituencies will emerge?

" Will self-regulatory initiatives be perceived as successful and, if not, will this open the "flood gates" for legislation?

" Will Congress embrace the doctrine of preemption and/or tie preemption to State Attorney General enforcement?

" Will the Clinton Administration and the privacy-sensitive business community avoid a collision with the EU Data Directive?

IV. Consumer Privacy and the Courts 1995-1997

In all consumer privacy sectors, Privacy & American Business has identified over 100 published court decisions over the past two years. According to Belair, most of these decisions routinely applied privacy statutes, but about a dozen make new laws or provide important guidance. Generally, most of the recent decisions resist imposing privacy restrictions on the use of personal data for consumer purposes.

Specifically, Belair stated that Courts have:

" Rejected the application of tort law to mailing lists.

" Narrowly applied the FCRA.

" Strengthened medical privacy safeguards.

" Held that telephone numbers are not protected.

" Resisted imposing regulations on the Internet.

" Resisted access restrictions on public records but found that computerized records do pose a sharp privacy threat.

Developments In the Courts By Sector
Belair gave a summary of privacy activity in the courts on a sector by sector basis.

Financial Reporting

" Several courts have narrowed the circumstances under which identification information is a consumer report.

" The 9th Circuit held that FCRA's accuracy requirements may be violated even if the inaccurate report is never used.

" A Nebraska court awarded First National Bank of Omaha over $23 million against TransUnion for alleged breached of contract in selling bank customer data.

" A federal District Court opinion upheld an IRS reporting statute but emphasized that financial privacy requires some "serious regard."

Direct Marketing

" A Virginia court rejected a claim that the sale of subscriber information is actionable, in Avrahami v. U.S. News & World Report.

" The D.C. Circuit held that the FTC did not demonstrate that TransUnion target-marketing lists were consumer reports. The TransUnion v. FTC decision also rejected the theory that all information that "mingles' in a consumer report is subject to the FCRA.

Medical Privacy

" The third circuit held that insurance companies are under no duty to disclose results of medical tests to an insurance applicant.

" The U.S. Supreme Court endorsed a psychotherapist-patient privilege.

" A California court found an occupational therapist liable for disclosures.

Telecommunications Privacy

" The 9th Circuit upheld the FCC's Caller ID rule--that there is not a Constitutional right to privacy in the telephone number.

Online Services

" The 5th Circuit held that the Electronic Communications Protection Act (ECPA) interception provision does not apply to stored e-mail.

" A Federal District Court held that there is no Constitutional right to sending unsolicited, commercial e-mail.

" In ACLU v. Reno, the U.S. Supreme Court struck down the Communications Decency Act on 1st Amendment grounds.

Public Record Privacy

" A federal District Court struck down a California statute which prohibited commercial access to names of arrestees.

" A federal District Court struck down a Kentucky statute restricting access to accident reports.

" An Arizona Court upheld restrictions on access to voter data.

" Oklahoma and South Carolina Federal District Court decisions struck down the Federal Driver's Privacy Protection Act on the grounds that it violated the 10th Amendment.

Global Privacy

" A 1995 Texas Supreme Court case ruled that a German data privacy law takes precedence over a Texas discovery law and declined to require production of a company telephone directory.

Computerized vs. Manual Records

" A 1995 USSC opinion emphasized that automation changes and increases the privacy risks associated with personal information.

" A 1995 New Jersey opinion reasoned that "traditional rules and practices geared towards paper records might not be appropriate for computer records."