U.S. Perspectives on Consumer Protection in the Global
Electronic March 25, 1999 Comments of Solveig Singleton ________________________________________________________________________ The FTC's initiation of a proceeding to investigate "consumer protection in the global electronic marketplace," encompassing everything from modifications to treaty law to choice of law is an ambitious one. The FTC might ask whether complex questions of the relations between different courts and foreign governments could best be left to other branches of government with the constitutional responsibility to resolve such questions--such humble offices as that of the President, the Congress, and the federal and state courts. The more ambitious a regulatory program, the grander its scale, the more likely it is to collapse of its own weight--particularly as applied to electronic commerce. FCC Chairman Kennard, informed by the history of the FCC's regulatory ventures, has recently assured us that the FCC will not regulate the Internet. Will the FTC be the first? Without express legislative authority? Furthermore, consumer protection is a rather slippery concept. Some practices--fraud, for example, clearly violate consumer's right. Fraud is to my knowledge not legal anywhere. This does not mean that we can prevent all cases of fraud. Even creating a regulatory apparatus to oversee the creation and operation of every electronic commerce business could not do so--any more than it does for traditional business. And it would make the formation of many start-ups, particularly experimental ventures, small businesses, extremely costly. But other, more dubious concepts also might go by the label of "consumer protection." One of these is privacy. Privacy, as described by the Fourth Amendment, is one important protection against the unique powers of government to march into one's home and make an arrest. It makes little sense, however, to view the free flow of information and opinions about real people and real transactions among businesses as a "consumer protection" issue. What are people being protected from? Well, from having information about what they bought, when and where they bought it, used throughout the economy. But viewing the use of the information in itself as the danger is circular. Consumers do not need to be protected from businesses using information about their purchases, credit history, and so on to cut costs of fraud and default, develop new products, and break into new markets. I discuss the issues of privacy and consumer protection further below. What current protections exist for consumers engaged in electronic commerce with foreign businesses? As noted above, fraud is illegal pretty much anywhere. However, difficulty in pursuing a slippery character across jurisdictions may make these rules harder to enforce in some individual cases. The Internet, by giving consumers a chance to connect with businesses in other countries, businesses the very existence of which consumers might otherwise be unaware, may increase the incidence of this somewhat. But the Internet builds in its own preventatives, as well. One of these preventatives is competition. In the electronic commerce marketplace, businesses online are not just competing with near geographic neighbors. They are competing with all other electronic commerce merchants serving the same market, and all are just a few clicks away on the mouse. This will make it much easier for customers to price-shop--and much harder for businesses to compete on price. Prices will tend to be driven rather ruthlessly towards costs. This will leave e-commerce merchants competing on other grounds--for customer loyalty. In this world of heightened competition, reputation and brand loyalty will mean a good deal. This will mean better service overall. Another built-in Internet safeguard is the easy access it will give consumer to information about products and companies online. I, for example, frequently purchase tropical fish supplies and equipment online. But I would never think of doing so without first asking on one of many tropical fish bulletin boards about the company and the product I am buying. As I visit many of these boards frequently, I know whose advice is most valuable and whose is to be regarded with skepticism. Consumers about to make a big purchase online will generally have the common sense to seek out such advice beforehand. Some will not. This is not a perfect world--and regulatory ventures designed to create one are generally heavy on costs and low on benefits. Under what circumstances should a consumer and a foreign business be able to contractually agree on the governing law? Always. Given that electronic communications do not allow for traditional written signatures, under what circumstances should electronic signatures (or other technological means for a party to express intent to be bound) be legally recognized and binding? This raises the question of whether legislation or regulation is called for to establish uniform procedures for accepting and using digital signatures. Such legislation or regulation would be extremely ill-advised. Digital signatures are a young technology. Considerable experimentation with different signature models will be necessary before the technology matures. It is vital that the private sector lead the way in these experiments. A premature standard could
The courts can be trusted to decide when and under what circumstances digital signatures should be accepted, looking to the business community for guidance. This worked well with signatures transmitted by telegraphs,(1) telephones,(2) telexes,(3) faxes,(4) or photocopies of signatures,(5) or audio recordings.(6) In 1869, one court explained that telegraphed contract was valid, saying "It makes no difference whether that operator writes the offer or the acceptance . . . with a steel pen an inch long attached to an ordinary penholder, or whether his pen be a copper wire a thousand miles long. In either case the thought is communicated to the paper by the use of the finger resting upon the pen; nor does it make any difference that in one case common record ink is used, while in the other case a more subtle fluid, known as electricity, performs the same office."(7) As long as the technology is reliable, there is no reason a court would not say the same of digital signatures. The technology and business custom must lead, and the courts will then follow. To what extent are businesses required to provide disclosures to consumers? To what extent should they be? Business should not be required to disclose the uses of information they collect through their web sites or other transactions. Some will chose to, as some groups of consumers value this information. Others will not. See discussion of privacy above. To what extent do/will industry-led self-regulatory programs provide effective protection for consumers in the global electronic marketplace? Self-regulation of the Internet has emerged in a number of contexts, including privacy. Internet filtering technology is also a species of "self-regulation." And then there is self-regulation of kind less trumpeted by pundits, but important and interesting none-the-less, such as the blacklisting of domains suspected of being spammer havens. In meat space, self-regulation of a number of different types has grown up. These include:
Many of these systems of "self-regulation" arrived in response to varying degrees of government pressure, including the MPAA ratings and certainly proposals for "self-regulation" on privacy. The blacklisting of spammer ISPs by anti-spam groups like the Open Relay Blocking System and the MAPS Realtime Blackhole list, is a fairly good example of purely private, market driven conduct. From the standpoint of legislators or regulators, self-regulation foisted on the market by government is less costly than traditional command and control regulation. First, it is less costly to the economy. Command and control rules are for obvious reasons unsuited to the rapid changes of technology in the innovation age. Second, self-regulation is less costly to the government, because authorities need not drastically expand their enforcement mechanisms. More cynically, a push for self-regulation lets regulators avoid some of the cumbersome process of proposing particular rules, submitting them to public comment, and considering their costs and benefits From the standpoint of participants in markets, either industry or consumers, self-regulation might arise as a natural outgrowth of consumer demand. This "bottom-up" process is truly voluntary and likely to be highly decentralized. Kosher food labels are a good example, offering consumers a choice of many different standards--in response to the incredible diversity in consumer demand, the market offers many competing forms of self-regulation, not just a single standard. In the health and safety context, self-regulation might be more likely to look to a single standard, as with the Underwriters Laboratories--but even UL has a number of smaller competitors. But in most cases no third party standard at all is necessary for "self-regulation." That is, true market-based self-regulation blurs into no regulation at all, with each company "regulating" itself according to internal standards of customer or client service and no third party oversight. Bad service is checked by competition. Especially in the privacy context, "self-regulation" in response to government pressure is viewed as an alternative to top-down regulation. But in fact such a system of self-regulation could easily share most of the drawbacks of top-down regulation. One characteristic of demands made on e-commerce merchants respecting privacy "self-regulation" has been that the goals of the regulation are assumed to be known. Regulators have insisted that a system of self-regulation must ensure that customers have notice of how their data is being used, that they have a choice about whether it is not be collected or not, and so on. From time to time, regulators have worked themselves into a state of high indignation over the question of whether or not these goals are being met. In the real world, however, no one really knows what state of affairs "ought" to obtain with respect to privacy. There is a great deal of hand waving about privacy being important to human dignity and autonomy. But the question of when human beings will need to reveal information to gain trust, will be willing to offer trust without information, and will need to respect confidentiality to gain trust is a bafflingly complex question. It depends largely on individual preferences and needs. It may be resolved differently in different contexts from year to year--or even from minute to minute. Furthermore, the default rules for how human beings exchange information about one another favor the freedom of information--with privacy being by special arrangement. Generally, human beings are free to make observations about other human beings, and record and report these. The degree to which the "ought" of privacy is an unknown is illustrated by this tale of Al Gore, who has vigorously advocated for new regulations to protect the privacy of children online. Yet for weeks after Gore announced his "Electronic Bill of Rights," emphasizing privacy (from marketing, not from wiretapping or key escrow), the White House's Web site for children asked children who wanted to write to the Vice President for their names, ages, schools and addresses. Without asking for parental permission, or any posted privacy policy. Only after the contradiction became, embarrassingly, the focus of the news media did a privacy policy appear on the site. But this illustrates that what privacy advocates are demanding is something new, something unprecedented, something different--and rather silly. The person who designed the White House for Kids Web Site was probably not an evil person. It did not even cross his or her mind that asking someone for information about himself without elaborate notice and consent procedures was "wrong." When regulators insist that a system of "self-regulation" must conform to certain fixed, top-down goals, they are clearly not talking about self-regulation that arises from market forces. In a market, goals are evolving, varied, and diverse. In the world of business ethics and customer relations, preferences about privacy and trust are evolving, varied and diverse. If advocates of self-regulation expect the system to produce an outcome that guarantees certain fixed goals, they are doomed to disappointment--and thence to top-down regulation. True self-regulation means choice, variety, and experimentation. Or else it has all the same defects as the Communications Decency Act and the Comics Code--a top-down imposition of the values of some upon all. Self-regulation may seem to participants in the marketplace like a fairly good alternative to command and control regulation. Note, however, that self-regulation with a heavy element of government involvement in goal-setting and enforcement may have many of the same drawbacks as command-and-control--without the checks on bureaucratic power that are provided by the Administrative Procedures Act, formal rulemaking processes, or public accountability more generally. In particular, self-regulation in the privacy context threatens to evolve into a system where government makes vague rhetorical demands with no clear content or deadlines. Official involvement looms at every stage, and may be wildly unpredictable. We lose the benefits of a bottom-up learning process that occurs through the market, but also lose the benefits of certainty and accountability that come with formal rulemaking procedures. Another element missing from the equation when government pressure forces markets towards "self-regulation" is cost-benefit analysis. Even in formal rulemaking proceedings, agencies are notoriously oblivious to the need to perform such studies. The problem is exacerbated a thousand-fold when agencies pressure the market to regulate itself. In the privacy debate, for example, little or no attention has been paid to
Cost-benefit analysis in the privacy context seems to be confined to repeated assertions on the part of the FTC that consumers will not develop trust in electronic commerce without privacy regulation. There is something fishy about this picture, for electronic commerce is clearly exploding. Might it be that answers to consumer surveys are misleading in some way? (I take this question up again further below). The previous discussion shows that self-regulation with substantial government involvement is substantially different from a market process.
We should, therefore, avoid "self-regulation" imposed from the top down like the plague; it has many of the drawbacks of command and control regulation, without accountability. But on the privacy front, we seem to be moving inexorably towards the command and control model, on the theory that self-regulation is not enough or is not working. But this is not because there is any real problem with true self-regulation! The problem is that regulatory expectations of what self-regulation is supposed to accomplish have become utterly divorced from reality. When something makes us unhappy, it's worth asking, were our expectations reasonable? When we describe imperfections in a market, what ideal process are we comparing it too? Forestalling disappointment with respect to privacy issues means, not moving towards command and control, but understanding how self-regulation is likely to work. I sketch this out below. What is a market? A market is a device for processing information. The economist Bastiat once commented that it is a miracle that Paris got fed every morning. In order for that to happen, Parisians' diverse tastes in breakfast foods must somehow become known to myriad bakers, café's, butchers, and grocers. Parisian consumers must obtain the knowledge that bread is available at the bakery, not at the tailors. The local needs of bakers and grocers must somehow be known to farmers and middlemen scattered around the countryside. Through the price system and other mechanisms, markets harness local knowledge and subjective tastes, setting in motion a process that results in the populace of Paris' being fed--all without any central planning or direction. This is utterly extraordinary. Indeed, as we learn from our experience with communist economies and as economist Ludwig Von Mises and F.A. Hayek predicted decades ago, central planning cannot even begin to coordinate the distribution of resources as effectively as the chaotic, decentralized market. Understanding that a market is a bottom-up learning process helps us to accept as inescapable realities several features of self-regulation. First, establishing a system of self-regulation will take time. We should not forget that electronic commerce is still in its infancy. Second, the goals of a system of self-regulation will evolve and change over time, and will vary widely across the e-commerce marketplace. Entrepreneurs will make informed guesses about privacy policies will allay their customer's fears (if any) of doing business online. Some entrepreneurs will get it wrong, and lose ground; others will get it right, succeed, and be imitated by late-comers. But entrepreneurs must be permitted to take their cues from the results of engaging in the marketplace, not from top-down commands. One grave mistake made in the privacy arena is to dictate regulatory goals in response to surveys of consumer's views on privacy. Economists are extremely suspicious of using surveys to determine customer preferences, because no money is at stake. In markets, what counts are actions, not words. True preferences are revealed by actions. For example:
Talk is cheap. Surveys do not reveal customers' real attitudes nearly as well as actions. If concerns about privacy emerge in an ephemeral manner in response to a prompting from a survey, and are never acted upon, they are not worth transforming into regulatory goals. If, by contrast, concerns about privacy do affect consumer behavior, then they will emerge in the market with no need for regulation. True systems of self-regulation are not enforced in a top-down manner. To state the blindingly obvious, these systems are voluntary. Companies opt to abide by the standards--or they do not. Some food companies might choose to qualify for a kosher food stamp shaped like the state of Texas, others will not. When life or limb is at stake, as with electrical appliance safety, a system of self-regulation might become more standardized and compliance expected across the board. But generally, those who expect self-regulation to produce uniform enforcement across the electronic marketplace are not talking about self-regulation at all--they are talking about thinly masked government action. This leads us to confront the possibility that comprehensive self-regulation on privacy will not take the marketplace by storm, just as web site rating has not taken the Web by storm. Unlike UL ratings, questions about the content of speech--whether it is offensive or not respectful of privacy--are not life-or-death safety questions that invoke in all insurers a similar eagerness to avoid liability. Rather, questions about how much one cares about confidentiality or offensiveness are complex ethical preferences. Thus a market-based system of "self-regulation" is unlikely to look much like the UL system, where one standard is dominant. This suggests that both in the privacy context and the free speech context there will be many competing standards set by different third parties. Indeed, in the privacy context, one might ask whether there is any reason for third-party supervised "self-regulation" to emerge at all. Why would there not be as many different privacy policies as there are e-commerce companies? A system of privacy "self-regulation" imposed on the market by regulators might well tend to collapse over time (rather as the Comics Code has) simply because there is no need for third-party ratings. Businesses' individual concern to gain a loyal consumer following might be more than enough. And no third-party rating system might be able to capture the extraordinary variety of patterns of customer preferences that will emerge. What developments will hinder the growth of electronic commerce? There are undoubtably many answer to this question, but electronic commerce merchants, each operating in his or her own context, are no doubt much better equipped to answer them than I or the FTC. One thing will hinder electronic commerce for certain--that is, Regulation. 1. Trevor v. Wood, 36 N.Y. 307 (1867); Howley v. Whipple, 48 N.H. 487 (1869); La Mar Hosiery Mills, Inc. v. Credit & Commodity Corp., 216 N.Y.S.2d 186 (1961)(deeming "[t]he telegram with the typed signature of defendant's name [to have] emanated from the defendant which is responsible for it."). 2. Selma Sav. Bank v. Webster County Bank, 206 S.W. 870, 874 (Ky. 1918) (contract is formed when message is transmitted to telegraph operator by telephone). 3. A telex is a communication system consisting of teletypewriters connected to a telephonic network which sends and receives signals. Teletypewriters are electromechanical typewriters that transmit or receive messages coded in electrical signals carried by telephone or telegraph wires. See Apex Oil Co. v. Vanguard Oil & Service Co., 760 F.2d 417 (2d Cir. 1985) (telex); Joseph Denuzio Fruit Co. v. Crane, 79 F. Supp. 117 (S.D. Cal. 1948), vacated, 89 F. Supp. 962 (S.D. Cal. 1950), reinstated, 188 F.2d 569 (9th Cir.), cert. denied, 342 U.S. 820 (1951); Klein v. PepsiCo, Inc., 845 F.2d 76 (4th Cir. 1988). 4. Hessenthaler v. Farzin, 564 A.2d 990 (Pa. Super. 1989); Bazak Intl. Corp. v. Mast Industries, 535 N.E.2d 633 (N.Y. 1989); Beatty v. First Exploration Fund 1987 & Co., 25 B.C.L.R.2d 377 (1988). 5. Beatty v. First Exploration Fund 1987 & Co., 25 B.C.L.R.2d 377 (1988) (comparing telefacsimiles and photocopies). 6. A tape recording of an oral agreement satisfies the writing requirement of the statue of frauds, since it has been reduced to tangible form. Ellis Canning Co. v. Bernstein, 348 F. Supp. 1212, 1228 (D. Colo. 1972). Ellis Canning Co. v. Bernstein, 348 F. Supp. 1212 (D. Colo. 1972); see also Londono v. Gainsville, 768 F.2d 1223, 1227-28 n.4 (11th Cir. 1985). Another court, however, found that a tape will not do, absent evidence that both parties intended to authenticate the record. Swink & Co. v. Carroll McEntee & McGinley, Inc., 584 S.W.2d 393 (Ark. 1979). 7. Howley v. Whipple, 48 N.H. 487, 488 (1869). |