The Emergence of Website Privacy Norms
Steven A. Hetcher[*]
May 15, 2001
7 Mich. Telecomm. Tech. L. Rev. 1 (2001)
Cite as: Steven A. Hetcher, The Emergence of Website Privacy Norms, 7 Mich. Telecomm. Tech. L. Rev. 97 (2001), available at <http://www.mttlr.org/volseven/hetcher.html>.
Comments about this article should be sent to mttlr@umich.edu
I. INTRODUCTION
II. THE ORIGINAL WEBSITE PRIVACY NORMS
A. Norms of Unrestrained Data Gathering
B. Game-Theoretic Structure of the Original Website Personal Data Norms
1. Purported Website Industry Prisoner's Dilemma
2. Website Industry Coordination Norms
3. Web User Collective Action Problem
III. WEBSITE NORM ENTREPRENEURS PROMOTE
A. Stage One: The Articulation of Aspirational Norms
B. Stage Two: The FTC's Attempt to Create an Industry-Wide Collective Action Problem
1. The Issuance of Fair Information Practice Principles
2. Creating a New Game Through Threats
IV. CONCLUSION
INTRODUCTION
There is a burgeoning privacy crisis due in large part to the explosive growth of the Internet.[1] In large measure, this crisis has emerged in a legal vacuum, as there is little positive law that directly regulates the private collection of personal data.[2] Because of this legal vacuum, informal social norms have the potential to play an especially important role in the regulation of data collection online.[3] This Article studies the website norms pertaining to data collection that have emerged in the past decade. In particular, the Article focuses on the manner in which the government has sought to regulate online privacy at a distance, purportedly out of respect for the established norm of Internet self-regulation.[4] This case study of the emergence of online norms is of interest in its own right. It is intended, as well, to be instructive regarding the possibilities for more effective regulation of online privacy going forward.
The vast majority of commercial websites use their interactions with consumers as the occasion to collect personal data about these consumers.[5] The connection between the collection of personal data and personal privacy is straightforward; the more personal data that websites collect, store, and use, the less privacy that data subjects have. This reduction in privacy may be justified if the data subjects agree to exchange their personal information for something they prefer more.[6] Typically, however, personal data has been taken by websites without the subject's knowledge or consent.[7] Commercial websites behave in this morally dubious, but commercially reasonable manner for two reasons. First, personal data is not owned and hence it is not unlawful to collect it without consent, and second, in the emerging digital economy, personal data is becoming increasingly valuable.[8] Given these facts, it is no surprise that commercial websites collect and use as much personal data as possible, and at a growing rate.[9] Due to a torrent of media exposure, there is a growing public awareness of the data-collection norms of the website industry, and the ramifications of these norms for personal privacy.[10]
Public awareness of this erosion in privacy has precipitated public outrage. Opinion polls show increasing public concern with respect to online privacy.[11] This outrage sets the stage for rapid policy shifts by private industry and lawmakers alike. The United States Congress increasingly has shown an interest in enacting omnibus privacy legislation.[12] The Federal Trade Commission repeatedly has articulated an interest in regulating online data collection.[13] Although increased governmental regulation of online privacy likely will ensue, norms and customs will continue to play a significant role due to the continued strength of the norm favoring Internet self-regulation.[14]
Because of the importance of informal social and industry norms in regulating privacy in cyberspace, this topic presents a natural arena for the application of "law and norms" theory. Laws and norms theory is arguably the most important development in contemporary law and economics.[15] Analytic social norms theory entered the law with the publication in 1991 of Robert Ellickson's book, Order Without Law.[16] Based on empirical studies of ranching and farming communities in Northern California, Ellickson developed the hypothesis that efficient norms will emerge in "close-knit communities."[17] These norms will serve as solutions to the iterated "collective-action problems" faced by the group.[18]
With regard to Ellickson's hypothesis, the Internet may present an especially difficult context for the emergence of efficient norms, however, as online participants would appear to be anything but close-knit.[19] The apparent implication is that website privacy norms are inefficient as they are the product of communities that are not close-knit.[20] Thus, while these norms indeed are emerging rapidly, there is reason to conclude that they are not moving toward greater efficiency. The task at hand, then, is not only to examine how and why website privacy norms are emerging, but also to evaluate and hopefully improve their efficiency.
The concept of "privacy" is itself generally understood in rights-based terms.[21] In an online context, there is frequent discussion of the need for greater "respect" for privacy. Phrased simply, respect is a deontological concept. Despite the rhetorical focus on deontological concepts, the emergence of online privacy norms that has occurred over the last decade is equally well described as a move toward a more efficient regime of regulation of the flow of personal data. One of the goals of the following discussion will be to establish a "compatibility thesis" with regard to privacy and utility.[22] The crucial norms that have emerged in the website industry are both more efficient and more respectful of privacy.
The compatibility between efficiency and privacy has been possible because respect for data privacy has been cashed out in terms of autonomy. Respect for privacy does not require minimizing the amount of personal data that is collected and processed.[23] Rather, it requires that data collection and processing not violate the autonomy of the data subject. Data collection that is respectful of autonomy is accomplished through the mechanism of consent.[24] When data subjects consent to the use and collection of their data by websites, then the websites are collecting data in a manner that respects the autonomy of the data subjects. These exchanges of data for valuable consideration are also productive of social utility because through exchange each party is able to receive something it prefers more by trading away something it prefers less.
Part II of the Article will first look at the original privacy norms that emerged at the Web's inception in the early 1990s.[25] Two groups have been the main contributors to the emergence of these norms; the thousands of commercial websites on the early Web, on the one hand, and the millions of users of the early Web, on the other hand. The main structural feature of these norms was that websites benefitted through the largely unrestricted collection of personal data while consumers suffered injury due to the degradation of their personal privacy from this data collection. In other words, degradation of consumer privacy resulted as a third-party externality of free-market data-collection norms of the website industry.[26] Broadly speaking, then, these injuries occurred in a tort context as the injurers and victims were not in a bargaining relationship with regard to the injurer's procurement of the victim's personal data.[27]
Next, Part II will examine the strategic structure of the relationships between websites and consumers that allowed these highly exploitative norms to flourish. Analysis will indicate that consumers faced a large-scale collective action problem. There is a collective good that consumers potentially could have achieved, namely, the abatement of disrespectful data-collection practices by websites. Web users would have great difficulty in organizing to secure this collective good, however, due to their large numbers and lack of repeat play and overlapping relationships.[28]
Reacting to this sub-optimal but stable social situation, "norm entrepreneurs" entered the picture.[29] Three main types of norm entrepreneurs have been involved: public-interest advocates, website industry advocates, and governmental actors, particularly the Federal Trade Commission ("FTC"). Part II will examine how new, more respectful website privacy norms recently have begun to emerge, due largely to the efforts of these norm entrepreneurs.
The following study of the impact of norm entrepreneurs on website privacy norms will reveal a highly significant event. In the short history of the Internet, there has been a major shift (a "norm-cascade") toward more respectful privacy norms.[30] The transition has been from a wild-west world in which websites did almost whatever they wanted with impunity, to a world in which a significant percentage of websites are explicitly addressing privacy concerns.
Part III models the norm cascade toward greater respect for online privacy in two stages. In the first stage, the privacy advocacy community and the website industry are described as battling to define the appropriate set of aspirational norms that should govern website/consumer interactions.[31] The privacy advocacy community began to form in the 1960s to fight against wide-scale personal data collection and aggregation by agencies of the U.S. government, newly armed with mainframe computers.[32] Norms of data privacy that emerged out of this process subsequently have been adapted to an online context by Internet rights advocacy groups. In response, the website industry developed its own set of suggested online privacy norms, which it promotes as alternatives to those offered by the public-interest advocacy community.
In the second stage of the emergence account, the FTC is described as first developing its own set of aspirational privacy norms, which it labels the "fair information practice principles." These principles represent a compromise between the demanding norms proposed by the advocacy community and the more permissive norms proposed by the website industry. While the FTC invokes the rhetoric of fairness, its proposed principles are best understood as promoting consensual data exchanges between websites and consumers.
Having specified its own set of aspirational norms, the FTC next sought to educate the public so that it would demand behavior on the part of websites consistent with these norms. The FTC then issued a threat to promote Congressional action in order to incentivize the website industry to bring its behavior in line with the FTC's norms. Initially, the FTC's threat was more effective on the larger and more established websites. Subsequently, however, these larger sites found it in their interest to themselves introduce threats to bring about compliance on the part of smaller sites. For example, large firms such as IBM and Disney have threatened to withdraw advertising from affiliated sites that fail to provide a minimal threshold of privacy protection.[33] The result of this network of threats by the FTC and large websites was the creation of a new equilibrium in which there was no longer a uniform norm of disrespect for privacy as existed in Stage One, but instead a bi-normative world in which numerous sites conformed to disrespectful practices while other sites conformed to more respectful practices. In this bi-normative world, an increasing number of sites provided "privacy policies" that could be linked to from the site's home page.[34] Some sites, however, went farther by adopting privacy specialists within the firm. In fact, growing numbers of Fortune 500 companies are creating a new position in the executive suite: the Chief Privacy Officer.[35]
Taken together, the two stages described above produced a regime of data-gathering based to a greater extent on exchange relationships. Privacy policies put consumers on notice of the data practices of websites. This puts consumers in a position to choose whether or not to take part in the data exchange, depending on the conditions of the bargain. The current situation is far from ideal, however, as many websites have failed to adopt more respectful privacy practices. Worse yet, other firms have endorsed such practices in word but not in deed, by posting privacy policies on their sites but regularly violating the terms of these policies.[36] This may be worse than providing no privacy assurances at all, as users are lulled by a false sense of security. Still other websites offer privacy policies that are so unclear in their meaning or complex in their provisions that there may be no practical sense in which consumers consent to these provisions. Nevertheless, on the whole, improvements in the moral quality of the interaction between consumers and websites have been made. Most important is the fact that overall an aspirational grundnorm of respect for website data privacy has begun to emerge in American culture generally. Only time will tell whether this grundnorm can become more adequately instantiated in actual online practices.
It is important that the policy community better understand the mechanics whereby more respectful website privacy norms have emerged. If better norms are already emerging through informal social processes and minimalist governmental guidance, there may not be a need for sweeping legislation of the sort currently being proposed by the FTC, as well as by many privacy advocates who suggest that the United States adopt the comprehensive European model of privacy regulation, despite its evident tension with sacred free speech principles.[37]
II. THE ORIGINAL WEBSITE PRIVACY NORMS
The first subpart below describes the original privacy-related norms that emerged in the unrestrained environment of the early Internet. The second subpart utilizes informal game theory in order to analyze these norms in terms of their strategic structures.
A. Norms of Unrestrained Data Gathering
The first message sent across the Internet occurred one month after the moon landing in late 1969.[38] In theory, from that moment onward, the Internet could have been used by one person to impermissibly gather personal data about another person. There is nothing in the historical record to suggest, however, that the invasion of data privacy was a problem in this early stage of the Internet's development. One reason may be that, in this early period, the Internet was mainly used by academic researchers working in shared disciplines.[39] Such groups tend to have fairly small numbers and overlapping, multiple interactions. In Ellickson's terms, these were close-knit communities in which there would have been internal incentives to deter opportunistic behavior.[40]
It took the occurrence of two events in the 1990s in order to set in motion the series of developments that would lead to the current privacy crisis. The first was the invention of the World Wide Web in the early 1990s by Tim Berners-Lee.[41] Once the core features of the Web were in place, the Internet became dramatically easier to use, and a vast flowering of websites spurted up spontaneously and rapidly. These were not electronic-commerce sites, however, as the National Science Foundation did not then permit commercial use of the Internet.[42] The Web was not available for consumers until the Bush Administration zoned cyberspace for commercial use.[43] The commercialization of cyberspace is the second event that precipitated the privacy crisis, as commercial websites have been the main users of personal data collected under questionable circumstances.
Early commercial website norms facilitated data collection in two ways. First, many websites explicitly requested user information. Second, many websites collected data that was produced as a byproduct of website/consumer interactions, such as when consumers provided their credit card numbers or mailing addresses to sites. With the introduction of these online techniques of data-collection, the commodification of personal data entered a phase of rapid acceleration, as each of these initial means of data collection was soon improved upon by websites.[44]
Regarding explicit requests for data, websites soon began conditioning access to their sites, or to prized pages within their sites, on the provision by website visitors of some personal data. For example, one who wanted to receive the New York Times online had to fill out a detailed data questionnaire first. Alternatively, users might receive discounts, coupons, or free entry in contests as an inducement for the provision of information.
Regarding the collection of data without consumer notice, websites soon began to deploy sophisticated technological means of data gathering, such as cookies.[45] Cookie technology allows a website's server to place information about a consumer's visits to the site on the user's computer in a text file that only the website's server can read. In the early period especially, because cookies were planted secretly and subsequently operated seamlessly, Web users were typically unaware of the fact that data about them was being gathered.[46] In other words, there was no bargain between the parties; the data was simply spirited away.[47]
When using cookies, a Website assigns each consumer a unique identifier,[48] so that the consumer may be recognized in subsequent visits to the site.[49] In this manner, the site engages in "passive tracking" of the consumer.[50] On each return visit, the site can call up user-specific information, which typically will include the consumer's preferences or interests, as indicated by pages the consumer accessed in prior visits, items the consumer clicked on while at the site, or information downloaded.[51] Cookies make it easier for firms to engage in highly targeted marketing.[52] Cookie technology has proven to be extremely valuable to online companies because it not only enables merchants to target products and services that are increasingly tailored to consumer preferences but it also permits other companies to boost their revenues by selling more highly-valued advertising space on their web sites.[53] As Michael Froomkin says, cookies are the tip of the iceberg.[54] Once firms collect personal data, they may then aggregate it, or sell it to others who aggregate it, into databases containing profiles of named individuals. For example, a firm named Acxiom currently holds personal and financial information about nearly all U.S., U.K., and Australian consumers.[55] The personal-data norms of the early website industry are characterized in the following list.
Personal-Data Norms of the Early Website Industry
1. Websites may freely gather as much personal data as desirable from consumers.
2. Websites need not ask permission to gather personal data.
3. Websites need not inform consumers of their data-gathering practices.
4. Websites may use personal data in any manner they prefer, such as selling or licensing it to third parties.
5. Websites need not allow consumers access to their data.
6. Websites need not provide security for personal data in their possession.
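The cookie mechanism described above, in which the server assigns each browser a unique identifier and recognizes it on return visits, can be sketched as follows. This is an added example, not code from the article; the cookie name `visitor_id`, the class names and the sample paths are constructed for illustration. It also shows why a browser that does not retain cookies cannot be linked across visits.

```python
import uuid
from http.cookies import SimpleCookie

COOKIE_NAME = "visitor_id"  # hypothetical cookie name, not from the article
# Constructed sample of pages requested in three separate visits.
SAMPLE_PATHS = ["/home", "/products/cameras", "/checkout"]


class TrackingSite:
    """A site that keys a server-side profile on a cookie identifier."""

    def __init__(self):
        self.profiles = {}  # identifier -> list of paths requested

    def handle_request(self, path, cookie_header=""):
        """Process one request; return (identifier, Set-Cookie value or None)."""
        jar = SimpleCookie()
        jar.load(cookie_header)
        morsel = jar.get(COOKIE_NAME)
        set_cookie = None
        if morsel is not None and morsel.value in self.profiles:
            # Returning browser: the identifier it sent links this visit
            # to everything recorded under the same identifier before.
            visitor_id = morsel.value
        else:
            # First contact (or cookie missing): mint a new identifier and
            # ask the browser to store it for a year.
            visitor_id = uuid.uuid4().hex
            self.profiles[visitor_id] = []
            out = SimpleCookie()
            out[COOKIE_NAME] = visitor_id
            out[COOKIE_NAME]["path"] = "/"
            out[COOKIE_NAME]["max-age"] = 60 * 60 * 24 * 365
            set_cookie = out[COOKIE_NAME].OutputString()
        self.profiles[visitor_id].append(path)
        return visitor_id, set_cookie


class Browser:
    """A client that either stores cookies or discards them."""

    def __init__(self, keep_cookies=True):
        self.keep_cookies = keep_cookies
        self.jar = SimpleCookie()

    def visit(self, site, path):
        # Send back whatever the jar holds, as a Cookie request header.
        header = "; ".join(f"{k}={m.value}" for k, m in self.jar.items())
        visitor_id, set_cookie = site.handle_request(path, header)
        if set_cookie and self.keep_cookies:
            self.jar.load(set_cookie)
        return visitor_id


def demo():
    """Run both browsers over the sample paths against one site."""
    site = TrackingSite()
    keeper = Browser(keep_cookies=True)
    discarder = Browser(keep_cookies=False)
    keeper_ids = {keeper.visit(site, p) for p in SAMPLE_PATHS}
    discarder_ids = {discarder.visit(site, p) for p in SAMPLE_PATHS}
    return site, keeper_ids, discarder_ids


if __name__ == "__main__":
    site, keeper_ids, discarder_ids = demo()
    for visitor_id, pages in site.profiles.items():
        print(visitor_id[:8], pages)
```

The browser that keeps the cookie ends up with one profile listing every page it requested; the one that discards it appears to the site as a new visitor each time.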
The most striking feature of these early website personal-data norms is that they were completely geared toward serving the interests of the website industry. They reflect the fact that most websites felt neither legal nor social pressure to respect the data privacy of the visitors to their sites.[56] There was no legal pressure because there were no laws on the books that clearly proscribed the above practices and there was little social pressure because most people had little or no awareness that these practices were taking place.[57] In other words, these norms did not reflect any informal bargaining taking place between websites and consumers.
The fact that they emerged in a context in which there was a lack of bargaining is the most salient feature of the personal-data norms of the early website industry. Despite a lack of bargaining, there may be reason to think these norms were efficient. They are potentially justifiable from an economic perspective, as websites take something from the public domain that was underutilized, and put it to productive use. Like campers in a wooded area who collect fallen branches for use in their campfires, websites, on this view, are simply making use of a common resource that would otherwise be left lying in an unproductive state. After all, great quantities of personal data are produced as a by-product of other online activities. If not collected, this data would simply go unused. In fact, the economic argument in favor of shared use of personal information is stronger than it is for downed wood. Personal data is a "non-rival" good in the classic economic sense of the term; collection and use of personal data by one website does not diminish the amount available, either for other websites or for the data subject herself to use.[58] Because data is non-rival, arguably it should be left unregulated so that the greatest number of users will have free access to its use.
In this regard, note the important difference between personal data and creative expression of the sort protected by copyright law. Creative expression (original works of authorship) received legal protection, pursuant to Article I of the U.S. Constitution, in order to create incentives for authors to produce works.[59] Such an incentive is not necessary for the production of personal data, however, as it is produced as a by-product of living a life. Thus, there would appear to be a presumption in favor of treating personal data as a public good available to all.
There is an important disanalogy, however, between personal data and other shared goods such as fallen branches in a national forest. No one need suffer an injury when downed wood is burned, whereas data subjects often suffer significant harm when their personal information is used by others. Commentators have noted a wide variety of harms that may arise due to improper online data collection and use.
One type of harm is "identity theft." Identity theft occurs when one person intentionally assumes another person's online identity. Thus far, identity thieves have typically gone on shopping sprees at the expense of their victims, but the possibilities for abuse through identity theft will grow as the functionality of the Internet expands.[60] Another type of harm that has received a good deal of attention is predation on children. Prior to recent legislation, children were especially vulnerable to questionable website practices.[61] A wide variety of detailed personal information has been collected online from children through various stratagems, such as encouraging a child to register for a contest, enroll in an electronic "pen pal" program, complete a survey, sign up for informational updates, or play a game.[62] Still other sites used "imaginary" characters to request information from children, or had them sign a "guest book."[63] Data-gathering norms of the early website industry, however, did not distinguish children from adults. All visitors were equally disrespected.
Alternatively, harms may result as the foreseen but unintended consequences of mundane business operations, such as when firms use private medical information of potential employees in making hiring decisions. For example, one-third of Fortune 500 companies use personal medical information in hiring, promotion, or termination decisions.[64] This has the significant policy consequence that many people are failing to seek medical diagnosis and treatment.[65]
Some commentators have used the fact that personal data has a public-goods structure to argue that website/consumer interactions will be inefficient.[66] The mere fact that websites need not internalize the costs they create for third-party Web users does not, by definition, mean that the resulting website privacy norms are inefficient. The determinative factor will be a Kaldor-Hicks test.[67] This test makes a hypothetical comparison of whether the websites' benefits from the activity could in principle more than compensate Web users for their losses. As a practical matter, this determination is often exceedingly difficult to make with any degree of certainty.
In the eyes of many privacy advocates, the calculation is not even close, as the loss to individual privacy is thought to be so grievous and fundamental as to outweigh any claim based merely on the prospect of more efficient electronic commerce. The website industry sometimes makes pronouncements to the effect that the benefits to industry, and therefore to consumers indirectly, are great, while privacy-related harms, although not insignificant, are nevertheless relatively small and greatly exaggerated. The fact that the website industry makes this claim cannot be taken as evidence of the industry's true estimation of the likely result of a Kaldor-Hicks test, however, as industry speakers can be expected to seek to maximize profit, not candor. Due to the lack of a parallel profit motive, there may be less reason for cynicism with regard to the distance between the expressed views and the actual views held by public-interest privacy advocates. Accordingly, there is some reason to suppose that a Kaldor-Hicks test may favor consumers over websites.
Some consumers, however, may be in a position on their own to sanction misuses of their personal data.[68] If it is the sort of site that one might visit on a repeated basis, then users can sanction these sites by withholding their visits and instead visit competing websites. In addition, disaffected users may sanction sites through negative gossip or criticism. Consumers also may adopt self-help measures such as supplying false information to the site.[69] Under typical circumstances, this behavior would be ruled out by a widely shared norm against deception and lying. But there is a competing norm of turnabout-is-fair-play, which may prove dispositive for numerous people who might otherwise not be given to deception.[70]
The problem, however, is that all of these self-help measures assume that consumers have knowledge of the data extraction practices of offending websites. It is precisely for this reason that websites have generally sought at all costs to avoid explicit disclosure of their personal-data practices. Even when the consumer is aware that personal data is being collected, there is still the potential for abuse because consumers may be unaware of the uses to which their data is being put. For example, a user might be passively aware that personal data, such as credit card number or mailing address, are being collected, but have no idea that this data is then being used by a website for purposes other than processing payment or mailing a product. In particular, many sites furtively sell data to third parties.[71]
The website industry did not trumpet the fact that the website industry data-collection norms above characterized its behavior with regard to the collection of personal data. The industry maintained these norms because it was profit maximizing and legal for individual websites to conform to them, not because the managers of the various online firms, acting as a coherent group, wished to establish justified norms of obligatory behavior for their industry. Thus, it served the website industry's interests that these norms in general remained unarticulated. This highlights the fact that norms, at their core, are patterns of behavior as opposed to rules, statements, or other linguistic entities.[72]
The early website norms are fairly described as "permissive norms." They create normative freedom for their conformers rather than obligations or constraints.[73] This is noteworthy as norms theorists often write as if norms by definition express obligatory behavior.[74] One illuminating way to conceive of the project of privacy norm reformers, then, is that their goal is to shift website norms from permissive norms to obligatory norms.
B. Game-Theoretic Structure of the Original Website Personal Data Norms
The purpose of informal game theory is to model the strategic structure of social situations. The most famous and perhaps pervasive strategic structure of interest to social scientists and policymakers has been the structure variously known as the Prisoner's Dilemma, collective action problem, public good problem, or tragedy of the commons.[75] As the following discussion will demonstrate, the collective action problem is applicable to the topic of online privacy.
Much less understood than the collective action problem is the coordination game.[76] While political scientists, economists, and philosophers have been developing a deeper understanding of the coordination game for a generation, legal theorists have only recently come to appreciate its significance.[77] The following discussion will demonstrate that coordination games have an important role to play in modeling the strategic structure of some of the social situations that undergird the online privacy debate.
This sub-part has three sections, each of which will explore a strategic situation of concern to the privacy debate. Once these distinct strategic structures are understood, it will be easier to proceed on a path toward more respectful and efficient online personal-data norms. The first section considers whether the original permissive norms of the website industry can be accurately modeled as failed solutions to an iterated collective action problem. This question arises because the FTC has made remarks which suggest that it intuitively views the situation in these terms. I argue in the second section, however, that this characterization is incorrect. Instead, the original, permissive norms of the website industry are best modeled as a multi-party coordination game. Getting clear on this distinction matters tremendously because it affects how various norm entrepreneurs should approach the task of bringing about more respectful practices in the website industry. The third section demonstrates that there is a significant collective action problem. It is website users, not the websites, however, who face a collective action problem. Their collective action problem arises with regard to organizing themselves to demand more respectful privacy norms.
1. Purported Website Industry Prisoner's Dilemma
The FTC contends that it would be in the interest of the website industry to provide better privacy protection for consumers. The idea is that by showing more respect for the data privacy of consumers, websites will gain their trust and confidence. This in turn will lead to substantial growth in electronic commerce as trusting consumers will be more inclined to use the Internet to conduct their business. In its 1999 Report to Congress, the FTC stated that, "The Commission's efforts have been based on the belief that greater protection of personal privacy on the Web will not only benefit consumers, but also benefit industry by increasing consumer confidence and ultimately their participation in the online marketplace."[78] In his recent testimony before Congress, Marc Rotenberg of the Electronic Information Privacy Center ("EPIC") made a similar assertion: "Users of web-based services and operators of web-based services have a common interest in promoting good privacy practices. Strong privacy standards provide assurance that personal information will not be misused, and should encourage the development of on-line commerce."[79]
As these remarks indicate, both the FTC and EPIC think that it would be in the interest of the website industry to be more solicitous of the privacy concerns of consumers, in order to bring about greater user trust, which in turn will lead to a more robust online marketplace. This shared assumption by these leading online policy makers is crucial because of the policy implications which the FTC appears to think flow from it. Specifically, if it is in the industry's interest to respect privacy, bringing about more respectful practices will be a task of creating recognition across the website industry of the importance of privacy for consumers and why it is in the industry's interest to be solicitous of this concern of consumers. Not surprisingly, then, the FTC has sought to promote more respectful industry practices by means of educating the website industry. The FTC has held a number of workshops and related events with the goal of raising industry consciousness of the importance of data privacy.[80]
The problem with the FTC's education program, however, is that it implicitly treats the website industry as if it were a unitary actor capable of behaving in a concerted fashion so as to promote its collective goals. In its belief that its education program could achieve this result, the FTC unwittingly falls prey to the so-called fallacy of composition.[81] This is the fallacy of thinking that because a group, considered as a whole, would benefit from some particular political outcome, that therefore it is in the interest of each of the particular members of that group to do its part to help bring about this political outcome. It is simply false to assume that a typical website would have such an interest.[82]
The benefit of a particular website's individual contribution to the collective good, for all but the largest sites, will be marginal. Whether the collective good comes about almost surely will not depend on the additional contribution of the particular site. Thus, from a narrowly rational, economic perspective, the site is better off to free ride on the contributions of the other sites. Either enough other sites cooperate and the collective good is provided, or enough other sites do not cooperate, and the collective good is not provided. Either way, the behavior of the particular website will have but a marginal impact. Thus, it might as well refrain from incurring the expense of cooperating, that is, it might as well free ride.
The problem is that all the other websites are similarly situated. Each will have a dominating preference to free ride. The result is that all will free ride and the collective good will not be produced.
The strategic structure of this situation may be represented as follows:
Figure 1: Website Industry Collective Action Problem
Figure 1 displays the strategic relationship between a particular firm, call it Website A, and all other websites (as based on the FTC's assumption described at the outset of this section). As indicated by the cardinal payoffs in the southwest cell, A's first preference is that other firms "Respect Privacy," so that it will be able to free ride on this set of practices and "Disrespect Privacy." For the time being, "Disrespect Privacy" should just be taken to mean that the site will conform to the set of personal-data norms of the early website industry listed above, and "Respect Privacy" should be taken to mean that the site will refrain from conforming to these norms. Part Two below will provide greater content to the notion of respecting consumer data privacy.
In the circumstance in which A free rides on the respectful behavior of the other sites, A receives the highest payoff, 4.[83] According to the FTC, when other firms respect privacy, consumers will be less fearful of the Internet and consequently more prone to participate in electronic commerce. This will make it easier for website A to benefit from its own disrespectful practices, as consumers will be less leery of providing personal data to the site, based on their generally positive experiences with other sites.
The problem is that the same strategic situation pertains for the other websites as well. Each website would like all the other sites to be respectful so that it alone can take advantage of the more trusting consumers. Because defection is the dominant strategy for all, however, the southeast cell will be the result. Note that in the southeast cell, each site receives 2, its second lowest payoff. If, however, the website industry were to be successful in solving its collective action problem, the situation as characterized in the northwest cell would obtain instead. In this situation, each site would receive 3, its second highest payoff.
Note the distressing result that while all parties would do better by cooperating and thus ending up in the northwest cell, nevertheless, due to the fact that each is compelled by narrow self-interest to perform the non-cooperative action, the mutually dispreferred group outcome as represented in the southeast cell is the actual result.[84] We see then that individually maximizing behavior leads to a collectively suboptimal result: the classic collective action problem.
Uncovering this strategic structure inherent in the relationship among websites has important policy implications. Recall that one of the FTC's initiatives in order to promote online privacy was to educate the website industry about the connection between treating consumers with respect and the expansion of electronic commerce. In light of the preceding discussion, however, it is clear that things are not so simple; educating the industry participants as to their collective interest will in no way address the collective action problem faced by each of the particular members of the industry with regard to the supply of this collective good. Education may enhance the appreciation of each of the members as to the value of the potential collective good available to the group, but it will not change the incentives of individual members so as to bring the group any closer to realizing the collective good.
It will be difficult for the website industry to solve this collective action problem on its own. According to Ellickson's hypothesis, close-knit communities may produce solutions to collective action problems, as they provide opportunities for repeat play and multiplex relationships among "neighbors."[85] When there is repeated interaction, parties may have an incentive to reach a mutually preferable manner of interaction because they will take their long-term interests into account, and these will often favor cooperation in current games in order to foster cooperation in future games. In the present context, this would mean individual websites not defecting on the cooperative behavior necessary to bring about a higher level of consumer trust in online commerce.
It may not be possible to apply Ellickson's hypothesis in the present context, however, as it is unclear whether the notions of "close-knittedness" or "neighbor" have any reference in cyberspace. Ellickson provides an extended discussion of land-use practices of the close-knit ranching and farming community that inhabits Shasta County in Northern California. This community's norms concern issues such as liability for damage done by cattle and allocation of the costs of fencing, so as to avoid damage from cattle. This discussion implicitly assumes that the space in which interaction was taking place was physical space, not virtual space. What allows the ranchers and farmers to be close-knit is their physical proximity, as the subtitle of Ellickson's book, "How Neighbors Settle Disputes," indicates.[86]
If the notion of close-knittedness is to have meaning online, then the term must be cashed out in non-geographical terms. The Internet promotes communication, par excellence, and thus is a boon to the formation and maintenance of social relationships. There is no reason those online relationships cannot involve repeat play and be overlapping, and there is no reason they cannot involve sanctions. Thus, the core preconditions for Ellickson's hypothesis may in principle be satisfied. More research is needed on the extent to which mechanisms such as hyperlinking may provide the foundation for close-knit communities in cyberspace. Despite the potential significance of this suggestion for our understanding of cyberspace generally, the implication for website privacy norms is untoward, as the relevant relationships at issue (those between websites and other websites, websites and users, and users and other users) are typically not close-knit. It is simply not the case that all the numerous sites on the Internet have repeated and overlapping interactions with one another.[87] The unavoidable conclusion appears to be that the website industry will not be able to solve its collective action problem on its own.
The collective action problem is a classical justification for governmental intervention.[88] Websites could simply be required to adopt more respectful practices.[89] This would have the effect of forcing websites to produce the cooperative outcome represented in the northwest cell in Figure 1. It is doubtful, however, whether the FTC has the authority to demand that websites change their behavior.[90] Even if the FTC had the authority, if one takes their remarks at face value, this is not authority they would care to exercise in this manner. As discussed earlier, the FTC has all along avowed an interest in promoting industry self-regulation to the extent possible.[91] If the agency is to remain faithful to this goal, it must somehow indirectly encourage websites to solve their industry-wide collective action problem. Collective action problems, however, are notoriously difficult to solve. Thus, the FTC would face an especially daunting task in seeking to do so in an indirect manner.
2. Website Industry Coordination Norms
As noted at the outset of the previous section, the analysis of that section was based on the assumption of the FTC that the website industry has an overriding interest in bringing about more respectful privacy norms, if only the constituent websites could coordinate their efforts to bring about the cooperative result. It is more plausible to suppose, however, that the benefit of increased electronic commerce is not worth the high cost that providing respect for privacy might impose on websites.
The most significant cost for many sites of course will be the fact that consumer personal data will no longer be theirs to use and manipulate at will for free. In addition, for small sites, the very act of creating privacy policies imposes a cost that may be significant.[92] For large sites, these development costs are of marginal importance. But sites of successful or well-funded companies face a much larger cost: the increased exposure to litigation they face as a result of making explicit representations to site visitors regarding the site's data-collection practices.[93] Even if there is some marginal increase in their online traffic due to heightened consumer trust, it is more plausible to think that most sites would forego this benefit in order to avoid exposure to legal liability. Thus, the problem the FTC has in seeking to foster respect for privacy by self-regulatory means is not best modeled as the problem of helping an industry group that is not close-knit procure a collective good. Instead, as the following discussion demonstrates, the strategic structure faced by the website industry is actually that of a coordination norm.
A coordination norm is a practice in which each conformer receives a "coordination benefit" for conforming to the norm. A coordination benefit is the added benefit an actor receives for conformity, given the conformity of other participants.[94] To take a simple example, if the norm is to walk on the right side of the sidewalk, such as it is in America, then a particular conformer to this norm receives a benefit when others conform to the norm as well, as she is less likely to be involved in a pedestrian collision.
A coordination norm may be "an equilibrium," a "coordination equilibrium" or a "proper coordination equilibrium."[95] An equilibrium is a combination of choices in which each actor has done as well as the actor can, given the choices of the other actors. No actor will regret its choice given the choices of the others. A coordination equilibrium is a combination of choices such that no one would have been better off had any one actor, either the actor or someone else, behaved differently. A proper coordination equilibrium is a combination of choices such that no one would have been as well off had any one actor behaved differently, either the actor or someone else.[96]
Details aside, the crucial feature of coordination norms is that actors conform to them because it is in their direct interest to do so. This contrasts with collective action problems in which each actor's direct preference is not to conform but instead to defect, or free ride. With collective action problems, conformity will be forthcoming only if the participants are able to incentivize one another to conform due to the possibility of repeat play that results as a by-product of the overlapping social relationships of close-knit communities. With coordination norms, by contrast, actors want to conform, given the conformity of others. Hence, efficient coordination norms may emerge in communities that are not close-knit.[97]
The present concern, then, is whether personal-data practices are best modeled as coordination norms. The core feature of a coordination norm is that an actor receives a coordination benefit from performing the conforming action, given the conformity of others. This condition is met with regard to the permissive, data-collection practices of the early website industry. As already noted, particular websites have a direct interest in not showing respect for consumers. By this means, they gain use of valuable user data at less expense and effort and they avoid the worry of exposing themselves to legal liability by making explicit representations to consumers as to how their data will be used.
In addition, it is plausible to suppose that websites prefer that other websites also fail to show respect for consumer privacy. First, websites will be able to more successfully collect data when consumers are left in the dark. Thus, all websites will be hurt to the extent that some particular website takes it upon itself to be more forthcoming in telling consumers about its data gathering activities. The greater the public awareness of website data-gathering activities in general, the more likely it is for consumers to be wary of the activities of any particular website, and the more the site will be made to feel public pressure to alter its practices in the direction of greater respect.
The second reason why websites prefer that other websites conform to disrespectful privacy norms is that in privacy law, reasonable expectations of privacy matter.[98] An action in tort for invasion of privacy may be brought in civil litigation by aggrieved parties.[99] In such cases, a central consideration is whether the plaintiff had a reasonable expectation of privacy. If most websites are collecting data at will, with no safeguards and no notice, then the website-defendant will have a colorable defense based on the claim that the plaintiff did not have a reasonable expectation of privacy.[100]
For both of the above reasons, then, it is to be expected that industry insiders will discreetly promote disrespectful norms among their number on whatever occasions present themselves, such as through trade association meetings and the like, as doing so strengthens the norm and consequently solidifies their safe harbor.[101] This means that these disrespectful website coordination norms will tend to be stable. Particular websites will have no internal motivation to change their behavior, and further, each site will have an incentive to motivate the other sites to continue their disrespectful behavior.
The original website data collection norms appear then to be a proper coordination equilibrium, as it is the case with each particular website that it would not have been as well off had either it or some other website acted differently by not conforming to the disrespectful privacy practices. This situation is represented in the following payoff matrix.
Figure 2: Website Industry Coordination Game
The payoff matrix in Figure 2 displays the outcomes received by websites depending on whether each of them, as well as the other websites, participate in personal data collection practices that either "Respect Privacy" of Web users, on the one hand, or "Disrespect Privacy" of Web users, on the other hand. Note that the payoff to a typical website, call it Website A, is affected by whether other websites respect privacy or disrespect privacy. The dominating preference is to disrespect privacy. Website A prefers to disrespect privacy regardless of what other sites are doing. Thus, A's payoffs are higher in either of the southern cells as compared to either of the northern cells. But A receives a coordination benefit when other sites also disrespect privacy. Thus, the payoff for A is higher in the southeast cell as compared to the southwest cell. A least prefers the situation represented in the northeast cell in which it respects privacy and other sites disrespect privacy. In this situation, there will be no noticeable increase in electronic commerce and yet A has lost all the benefits from the free receipt of user data.
Like A, other sites prefer to disrespect privacy, so their highest payouts come in the eastern cells. They prefer, however, that A also disrespect privacy, due to the coordination benefit of keeping consumers in the dark. Thus, the other sites do better in the southeast as compared to the northeast cell. If the other sites are respecting privacy, however, then they will likely prefer that A do so as well, so that A is not at a competitive advantage. Thus, their payoff is higher in the northwest as compared to the southwest cell.
Note that the outcome as represented in the southeast cell in which all websites are disrespecting privacy is a stable equilibrium. No website has any incentive to change its behavior, nor does any website have any incentive to get another website to change its behavior. Just the opposite, each website has an incentive to encourage each other website not to change its behavior. As should be obvious, this is not a happy outcome, from the perspective of consumers or the FTC.
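The two games described in this Part can be checked mechanically. The following Python sketch is an added illustration, not part of the original article: it encodes Figure 1 and Figure 2 as 2x2 payoff tables and tests each cell against the definitions of equilibrium, coordination equilibrium, and proper coordination equilibrium given above. The payoffs 4, 3 and 2 for Figure 1 come from the text; the remaining Figure 1 entries and all Figure 2 numbers are assumed ordinal rankings chosen to match the preferences the text describes.

```python
"""Added illustration: the article's two 2x2 games as payoff tables."""

RESPECT, DISRESPECT = "Respect Privacy", "Disrespect Privacy"
ACTIONS = (RESPECT, DISRESPECT)
A, OTHERS = 0, 1  # player indices: Website A, all other websites

# Keys are (A's action, others' action); values are (A's payoff, others' payoff).
# Rows are A's choice (north = respect), columns the others' (west = respect).
FIGURE_1 = {  # collective action problem
    (RESPECT, RESPECT): (3, 3),        # northwest: text gives 3 each
    (RESPECT, DISRESPECT): (1, 4),     # northeast: assumed by symmetry
    (DISRESPECT, RESPECT): (4, 1),     # southwest: text gives A = 4; 1 assumed
    (DISRESPECT, DISRESPECT): (2, 2),  # southeast: text gives 2 each
}
FIGURE_2 = {  # coordination game; every number is an assumed ordinal rank
    (RESPECT, RESPECT): (2, 2),        # northwest
    (RESPECT, DISRESPECT): (1, 3),     # northeast: A's least preferred cell
    (DISRESPECT, RESPECT): (3, 1),     # southwest
    (DISRESPECT, DISRESPECT): (4, 4),  # southeast: both gain from coordination
}


def cell_for(player, own, other):
    """Build a cell key from one player's action and the opponent's."""
    return (own, other) if player == A else (other, own)


def switch(cell, mover):
    """Cell reached when only `mover` changes its action."""
    flipped = DISRESPECT if cell[mover] == RESPECT else RESPECT
    return cell_for(mover, flipped, cell[1 - mover])


def dominant_action(game, player):
    """Action that is strictly best whatever the opponent does, else None."""
    for own in ACTIONS:
        alt = DISRESPECT if own == RESPECT else RESPECT
        if all(game[cell_for(player, own, o)][player]
               > game[cell_for(player, alt, o)][player] for o in ACTIONS):
            return own
    return None


def is_equilibrium(game, cell):
    """No player does better by changing only its own action."""
    return all(game[switch(cell, p)][p] <= game[cell][p] for p in (A, OTHERS))


def is_coordination_equilibrium(game, cell):
    """No player would be better off had any one player acted differently."""
    return all(game[switch(cell, mover)][p] <= game[cell][p]
               for mover in (A, OTHERS) for p in (A, OTHERS))


def is_proper_coordination_equilibrium(game, cell):
    """No player would be even as well off had any one player deviated."""
    return all(game[switch(cell, mover)][p] < game[cell][p]
               for mover in (A, OTHERS) for p in (A, OTHERS))


def equilibria(game):
    return [cell for cell in game if is_equilibrium(game, cell)]


def pareto_improvements(game, cell):
    """Cells in which every player does strictly better than in `cell`."""
    return [c for c in game
            if all(game[c][p] > game[cell][p] for p in (A, OTHERS))]


def summarize(game):
    """Collect the properties the article discusses for one game."""
    return {
        "dominant": (dominant_action(game, A), dominant_action(game, OTHERS)),
        "equilibria": equilibria(game),
        "proper": [c for c in game
                   if is_proper_coordination_equilibrium(game, c)],
        "better_for_all": {c: pareto_improvements(game, c)
                           for c in equilibria(game)},
    }


if __name__ == "__main__":
    for name, game in (("Figure 1", FIGURE_1), ("Figure 2", FIGURE_2)):
        print(name)
        for key, value in summarize(game).items():
            print("  ", key, "=", value)
```

Both games have the same dominant action and the same single equilibrium (the southeast cell); they differ in that Figure 1 has a cell that is better for everyone (the northwest), while in Figure 2 the equilibrium is itself the outcome every site prefers.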
3. Web User Collective Action Problem
Note that the data-collection coordination norms of the website industry discussed in the previous section may function efficiently from a point of view internal to the conformers themselves. The harm resulting from these practices, the degradation of personal privacy, is successfully externalized onto the Web-surfing public.[102] Because these data-collection practices are bad for consumers as a group, there is the potential for this group to secure an important collective good, the abatement of these practices. As the current section demonstrates, however, there is a severe practical problem in consumers securing this good.[103] Consumers will face a collective action problem in seeking as a group to bring about the collective good of more respectful website privacy practices. Thus, when the analysis of this subsection is combined with that of the previous two subsections, the surprising result is reached that while the website industry does not face a collective action problem, the users of their websites do.
As discussed earlier in the context of website practices, standard game theory teaches that groups will stand their best chance of pursuing collective goods when their membership is close-knit such that members have repeated interactions across a number of dimensions.[104] This is more likely for smaller groups than larger groups, for groups that are close to one another in geographical space, and for groups that share similar interests, preferences, and histories. For example, the civil rights protestors who fought for months and ultimately prevailed in integrating Nashville's downtown restaurants in 1960 were African-American students of Fisk University, who had together participated in extensive group training in Gandhian methods of passive resistance.[105]
The Internet, however, makes collective action of this sort difficult. In theory, privacy militants might electronically enter previously targeted sites and all request downloads at the same time, such that the site's servers might be overwhelmed.[106] Clearly, this technique would require a good deal of coordination and effort among a large number of people. Thus, while possible in theory, such collective action is unlikely in practice.[107] Visitors to a website are the opposite of close-knit: they are globally interspersed strangers. Thus, a solution to the Prisoner's Dilemma of the sort outlined by Ellickson is unlikely, due to the larger numbers of web users who lack overlapping or close-knit relationships. Accordingly, we can predict that extant website practices will represent a failure by consumers to solve collective action problems regarding the abatement of the degradation of their data privacy.
Moreover, the mere existence of a collective action problem does not imply that a norm, or set of norms, has been identified to deliver the potential collective good. A particular consumer who wanted to do her part to bring about the collective good of greater respect for consumers would not know where to start. There are no previously identified norms of behavior which, if conformed to by consumers, would help force websites into more respectful behavior. Because there is no cooperative norm under way, there is no form of cooperative behavior to internalize,[108] no issue of loss of esteem for failing to be cooperative,[109] and no concern to signal to others that one is a cooperative online activist.[110] It seems unlikely, then, that better website practices will emerge as a result of consumer collective action along the lines of any of the other leading models for solving collective action problems.
It will be useful to summarize the discussion of this first Part in order to see how this last finding regarding the dismal prospects for consumer collective action fits in with the earlier findings. The key fact on which the whole analysis thus far is predicated, is that the original data-collection norms adopted by the website industry demonstrated a good deal of disrespect for consumer privacy. Essentially, the vast majority of websites did whatever they wanted with regard to the use of personal information on consumers, with complete disregard for the impact of these activities on the privacy interests of these consumers. Despite growing complaints about this significant threat to individual privacy, the government was reticent to directly regulate this activity, apparently in response to the widespread norm that, as much as possible, the Internet should be left free to self-regulate.
Internet self-regulation, at least in the context of website practices with regard to the personal data of consumers, has been widely regarded as a failure.[111] In the above discussion, informal game theory was utilized in order to better understand why self-regulation has failed to produce a set of online practices that better respected consumer privacy. Generally speaking, self-regulation failed due to the strategic structure of the underlying social situations that obtained regarding the relationships between consumers and websites, on the one hand, and websites with one another on the other hand. Specifically, websites are in a coordination game with one another, not an iterated collective action problem. Thus, efforts to educate websites on the importance of privacy to consumers, and on the connection between allaying consumer privacy fears and the promotion of consumer confidence, will not work to change website behavior in the manner desired by the FTC. Nor will consumers be able to band together to demand more respectful privacy practices on the part of websites due to the large-scale collective action problem they face.
A number of commentators concluded that the failure of self-regulation to overcome these hurdles mandated that the government step in and take a direct role in requiring more respectful informational practices on the part of websites. In the discussion in Part II below, however, it will be shown that direct government regulation of website practices has in fact not been required in order to bring about more respectful privacy practices. While the FTC has played an important role, its role has been that of a norm entrepreneur rather than a norm imperialist.
III. WEBSITE NORM ENTREPRENEURS PROMOTE
Despite the serious obstacles explored above, significant progress has been made in moving toward industry norms that are more respectful of consumer privacy. In less than a decade, norms of respect for consumer privacy have emerged on the Internet. Evidence of this norm is everywhere. For example, AOL/Time-Warner's advertisements now typically contain assurances that the company ensures consumer privacy. A dramatic shift such as this, occurring over a relatively short period of time, is fairly characterized as a "norm cascade."[112] This cascade in turn was precipitated by a "norm shock," introduced by the FTC.[113] The grundnorm of respect is still aspirational to a large extent, in that many websites are not yet complying, or are under-complying.[114] Nevertheless, many websites are indeed taking consumer privacy more seriously, and those that are tend to be the largest and busiest sites.[115] Furthermore, those sites not currently taking privacy seriously are increasingly feeling the heat to do so.
The situation has gone from one of a solid, albeit unarticulated, norm of permissive non-respect for data privacy in the early to middle 1990s, to one in which there are two competing sets of norms, the old, non-respectful norms of permissiveness with regard to personal data, and the new norms which are more respectful of consumer privacy concerns. In the public mindset, there are now good websites and bad websites, when it comes to the issue of consumer privacy. In effect, a market in websites is emerging, such that consumers are increasingly in a position to choose among websites based on the extent to which these sites participate in personal data practices that suit the particular consumer's individual preferences. This represents a shift toward a situation in which marketplace-oriented norms of fair exchange are increasingly coming to dominate the policy framework governing online privacy.
Based on the manner in which many online privacy advocates talk, one might initially think that the only data-collection practices attractive to consumers were those that collected no data whatsoever. In fact, however, this is not what consumers expect, or indeed want. The vast majority of websites are free. The business models of many of these sites have been based mainly on deriving advertising revenue from banner ads. A secondary source of revenue comes from data collection and processing. In addition, personal data is used increasingly as a means to more personalized marketing. Personal information about individuals is used to market products and services suited to their specific preference profiles. Many consumers willingly will trade away personal data as long as they receive valuable consideration in return.[116] Indeed, the efforts of the norm entrepreneurs that will be discussed below are not best understood as seeking to minimize data collection and use, per se, but rather to change the nature of the relationship between websites and consumers from a non-consensual to a consensual relationship. Under this normative framework, personal data is increasingly becoming a commodity that data subjects can bargain away for valuable consideration.[117]
There have been two main stages in the development of these increasingly consensual and respectful norms. The first stage involved the articulation of aspirational norms. This process was initiated by the public-interest privacy advocacy community. Much of the early advocacy work of defining appropriate privacy norms was performed in the United States. More recently, however, the European Union has exerted pressures that are increasingly affecting the domestic policy agenda regarding data privacy. The website industry has become involved, apparently out of a fear that if it did not, the public-interest advocacy community would completely dominate the terms of the debate.
In the second stage, the FTC began introducing incentives to get the website industry to take these aspirational norms more seriously. The norms promoted by the FTC are seen best as a compromise between the expansive set of aspirational norms promoted by the privacy advocacy community, and the more limited norms proposed by the website industry. Strange as it sounds, the FTC has sought to promote consumer data privacy by seeking to change the nature of the strategic situation faced by the website industry from a coordination game into a large-scale, collective action problem. The FTC has sought to create a situation in which it would be in the industry's interest to better respect consumer privacy as a means to securing a collective good made possible by the FTC. This collective good is the avoidance of a statute that would force the industry to provide a high level of privacy protection. The FTC essentially threatened the website industry that either the industry perform substantially better, industry-wide, in respecting privacy, or else the agency would press for a statute. This threat created a situation in which the larger websites were incentivized to conform to more respectful privacy norms, and to incentivize smaller sites to do so as well, by threatening to withdraw their substantial advertising dollars from these smaller sites if they did not show more respect for consumer privacy.[118]
A. Stage One: The Articulation of Aspirational Norms
The public-interest, privacy advocacy community has played a venerable role in articulating aspirational website privacy norms. The community first arose in the 1960s in response to the United States government's initial efforts to use supercomputers to construct comprehensive databases of personal data on its citizens. When websites first emerged in the early 1990s and began to take part in questionable data-collection practices, this community had a normative framework already available, which could then be applied to the new set of facts. Especially influential early on were the norms developed by the Organization for Economic Cooperation and Development ("OECD"), which endorsed eight "privacy guidelines," as set out in the following list:
OECD Privacy Guidelines[119]
1. Collection limitation
2. Data quality
3. Purpose specification
4. Use limitation
5. Security safeguards
6. Openness
7. Individual participation
8. Accountability
Marc Rotenberg, director of EPIC, has stated that OECD's eight principles for data protection are still the "benchmark for assessing privacy policy and legislation."[120] Recently, EPIC has translated the OECD's privacy norms to the context of websites. The following five website-specific privacy norms are the result.
EPIC Website Privacy Norms
1. Web sites should make available a privacy policy that is easy to find. Ideally the policy should be accessible from the homepage by looking for the word "privacy."
2. Privacy policies should state clearly how and when personal information is collected.
3. Web sites should make it possible for individuals to get access to their own data.
4. Cookies transactions should be transparent.
5. Web sites should continue to support anonymous access for Internet users.[121]
These aspirational website privacy norms are fairly seen as representative of the sorts of protection currently being demanded by public-interest privacy advocates generally. The five items on the list are each "thick" norms that concretely describe specific practices that will increase consumer privacy vis-à-vis websites.[122] In fact, these proposed norms are so ambitious that they created fear in the website industry, which views the norms as unworkable and overly expensive to implement.[123] The industry's response has been to promote less demanding norms.
The website industry acknowledges that consumers have legitimate privacy interests in their personal data.[124] This is a striking admission. One might well have expected the industry to take the more aggressive position that since personal data is in the public domain, they are as entitled to its use as the data subjects. Instead, the typical posture of industry is to acknowledge, in effect, that data subjects have some special entitlement to their personal data, despite a dearth of protection within the letter of the law.
The website industry's bone of contention with public-interest privacy advocates is over the proper conception of privacy, how much privacy is appropriate, and which thick behavioral practices should instantiate the norm of respect for privacy. In other words, the disagreement is not over respect for privacy, per se, but instead over which second-order norms and which thick behavioral norms should be instantiated to promote this respect.
The website industry generally has promoted a fairly minimalist set of practices. In principle, the industry supports giving consumers "notice" and "consent" to the collection and use of personal data. The crucial debate, however, is over how the general requirements of notice and consent are to be concretely implemented. The most heated debate has focused on whether fair notice and consent require an "opt-in" regime or instead whether an "opt-out" regime is satisfactory. With opt-out, personal data will automatically be collected unless a consumer specifically takes some action to indicate that she does not wish to have her data collected, while with opt-in, the default is that personal data will not be collected unless the consumer takes a specific action to explicitly agree to the collection of data.[125] EPIC and other public interest advocates support an "opt-in" regime while the website industry supports an "opt-out" regime.
This section briefly has considered the competing aspirational norms promoted by public-interest electronic privacy advocates, such as EPIC on the one hand, and the website industry, on the other hand. While these organizations articulated aspirational norms, they were not well positioned to bring them into reality. Private industry advocates generally lacked the desire, while public-interest advocates generally lacked the power. The website industry had adopted a reactive posture, in essence, contending that online privacy is not a significant problem worth addressing, but if it is to be addressed, then the industry's more minimal norms are preferable. The public-interest advocates, on the other hand, have done everything in their power to promote expansive privacy norms. While this group may have lacked the direct power to change website norms, nevertheless it has dramatically raised the level of public awareness regarding the threat to consumer privacy posed by commercial online activities. This impact appears to have been significant, engendering an outcry among the public and media.[126] This outcry, in turn, is plausibly being reflected in the increase in attention shown to online privacy issues in Congress and the previous Administration.[127]
B. Stage Two: The FTC's Attempt to Create an Industry-Wide Collective Action Problem
In 1995, the FTC was asked by Congress to investigate the privacy risks associated with computer databases. The agency has been increasingly involved with the issue of online privacy ever since. The FTC acts pursuant to its authority under § 5 of the Federal Trade Commission Act, which mandates that the agency address "unfair" and "deceptive" trade practices.[128] Generally speaking, then, the FTC's hook into the privacy debate comes by means of casting website data-gathering practices as potentially unfair and deceptive.[129]
Significantly, the FTC claims it is moved to action because consumers strongly feel entitled to data privacy.[130] In other words, it is the existence of a strongly held community norm of entitlement to one's own data that pulls the initial causal levers leading the FTC toward greater consumer online privacy protection.[131] The FTC does not take note of the fact that in other contexts, a mere desire for control of property in the public domain does not create entitlement to control this property. As the previous discussion indicated, while the website industry disputes the level of privacy protection necessary, it does not contest the fundamental proposition that data subjects have some sort of entitlement to, or property claims in, their personal data. Thus, the FTC has not met with resistance from the website industry on the issue of data subject entitlement to personal data, per se.
The FTC has promoted more respectful website privacy norms by attempting to affect the behavior both of consumers and of the website industry. As discussed in Part I, the agency early on made efforts to educate the public about industry uses of their personal data, maintained a website that provided information, as well as tools, to assist consumers who wished to be proactive in seeking their own privacy, and held workshops to get industry representatives and privacy advocates together.[132]
The FTC appeared, however, to have reached the conclusion that these educational efforts, by themselves, were not enough. Rather, they must be coupled with incentives to change the payoff structure of current norms, such that cooperation would come to promote the self-interest of websites. The FTC integrated its education and incentive approaches in the following manner. First, it began educating the website industry about the agency's expectations regarding an adequate degree of respect for privacy in more concrete terms, by proffering the so-called "fair information practice principles" ("FIPPs"). Second, the FTC issued threats to change the incentive structure faced by the website industry. The fair practice principles are discussed in the following section. The FTC's use of threats to incentivize websites to adopt these norms will be examined in the section following that.[133]
1. The Issuance of Fair Information Practice Principles
The following list sets out the fair information practice principles promoted by the FTC.
The FTC's Fair Information Practice Principles
1. The Notice/Awareness principle
2. The Choice/Consent principle
3. The Access/Participation principle
4. The Integrity/Security principle
5. The Enforcement/Redress principle
These five principles are best understood as second-order norms, as they are susceptible to a number of colorable concrete interpretations. The FTC contends that these principles would be promoted best by their incorporation into website "privacy policies." Consider first the basic characterizations of these principles and then their relationship to privacy policies.
The FTC considers the Notice/Awareness principle to be the most fundamental. According to this principle, consumers must be given notice of a company's information practices before personal information is collected from them. The scope and content of the notice may properly vary with a company's substantive information practices, but the notice itself is essential, as the other core principles have meaning only if a consumer has notice of an entity's information practices and his or her respective rights.[134]
The Choice/Consent principle requires that consumers be given options with respect to whether and how personal information collected from them may be used. The Access/Participation principle requires that consumers be given reasonable access to information collected about them and the ability to contest that data's accuracy and completeness. The Integrity/Security principle requires that companies take reasonable steps to assure that information collected from consumers is accurate and secure from unauthorized use. Finally, the effectiveness of the foregoing privacy protections is dependent upon implementation of the Enforcement/Redress principle, which requires that governmental and/or self-regulatory mechanisms impose sanctions for noncompliance with fair information practices.[135]
The FTC calls these five principles "fair information practice" principles. The FTC says nothing of a substantial nature, however, to explain how each of the principles promotes fairness.[136] Nor is it at all intuitively clear what fairness requires when it comes to the collection and use of personal data by websites. The industry has complained, for example, that it is held to a higher standard than off-line firms. Despite this ambiguity, the agency has provided little guidance as to the standards of fairness it intends to apply in determining which websites might fall below an acceptable level of fairness.
It appears, however, that the FTC has been reluctant to bring enforcement actions against websites for simple non-consensual data gathering or use.[137] This is likely due to the fact that the activities of websites are, facially at least, legal. It is not illegal to collect data from consumers and use this data in a variety of ways, such as by selling it, while never informing the data subject, much less seeking explicit consent. Thus, the situation is one in which the data-collection activities of websites are legal, on the one hand, but unfair by the lights of the fairness norms articulated by the FTC, on the other hand. Unwilling or unable to bring enforcement actions based on current website practices, the FTC devised a plan to issue threats in order to cause websites to be more solicitous of their users' privacy, despite the fact that the websites' behavior was not illegal.
2. Creating a New Game Through Threats
In 1998, the FTC threatened the website industry that it would recommend that Congress enact privacy legislation if more respectful industry customs and usages were not forthcoming through industry self-regulation. The threat was highly credible and particularly salient, due to the Commission's recent success in influencing legislation to protect children's online privacy.[138] This threat was a shock to the normative equilibrium of the website industry, causing many firms to alter their behavior. Generally, the impact of the FTC's threat correlated with website size and structure: the larger and more multi-faceted a website's activities, the more likely it was that the website had reason to react to the FTC's threat by seeking to provide more respectful privacy practices. In fact, some large sites apparently felt so threatened that they took it upon themselves to incentivize smaller sites into compliance with more respectful norms.
In modeling the shift in norms that occurred, there are three relevant time periods to consider: 1) the time prior to FTC's threat, 2) the time after the FTC's threat, and 3) the time after the large websites began threatening the small websites. The strategic structure faced by the website industry in each of these time periods will be modeled with three informal, game-theoretic payoff matrices.
Attention will be focused on the FTC's main policy initiative during this period, which was to encourage websites to adopt "privacy policies," or "privacy statements." As already mentioned, the FTC apparently viewed privacy policies as the most effective means to implement fair information practice principles. According to the FTC, all the fair information practice principles can be promoted in a privacy policy.[139] A privacy policy that accurately and completely stated the site's personal data practices would be an instantiation of the key principle of notice/awareness. Once the consumer has notice of the website's practices, she can consent to the data exchange or exit the site. In addition, stipulations concerning access/participation to the user's personal data on file with the site can be set out in the privacy policy, as can stipulations concerning integrity/security and enforcement/redress.
Payoff matrix Three below represents the strategic situation faced by a particular representative website, A, vis-à-vis the rest of the website industry, with regard to two alternative website industry practices: one in which privacy policies are the industry custom and practice, and the other in which they are not. This situation, then, is a particular instantiation of the general coordination game faced by the website industry vis-à-vis respect for privacy, tout court, as represented in Figure 2 above.
Figure 3: Website Industry Before Threat
Note that in the southeast cell, which represents the situation in which no site provides a privacy policy, A receives 4, her highest payoff. Failing to provide a privacy policy gives A greater flexibility. The site can experiment with various business plans that use personal data in different ways, without having to worry that doing so violates previous representations made in the site's privacy policy. If the site seeks to take advantage of new opportunities that make use of new forms of personal data that happen to be available to it as a by-product of its interaction with users, the site will not need to first notify the user and seek consent. Nor, of course, will it need to offer some new consideration to the user in return for its use of the new data. These are significant benefits of avoiding privacy policies. The FTC is wrong to suggest that these concrete benefits would be outweighed by an amorphous and speculative promise of greater consumer willingness to participate in electronic commerce.
Next, consider the situation once the FTC promulgates the fair information practice principles.
Figure 4: Website Industry with Fair Information Practice Principles
In this situation, large websites do better for respecting privacy than not respecting privacy, regardless of what the small or medium websites do. They receive 2, representing their most preferred outcome, in the northwest and southwest cells. They receive the same payoff in each of these boxes, indicating their relative indifference to the actions of the small and medium websites. It is enough for each of the large sites that it individually benefits from conforming. This is plausible as these sites are prominent and they would run the risk of coming under FTC scrutiny for questionable, albeit legal, trade practices, were they to fail to make a respectable effort to show respect for user privacy, as newly spelled out by the FTC, in its fair information practice principles.
In contrast, small websites would plausibly have a dominating preference to not provide privacy policies. Because they are small, they will be able to fly under the FTC's radar. The FTC merely has outlined the principles that it contends are fair. It did not mandate them. Accordingly, the small sites receive a higher payoff in either of the southern cells, as compared to the northern cells. Note that the southwest cell is an equilibrium, that is, given the choices of others, no actor could unilaterally have done better. Thus, the situation in which large websites respect privacy and small sites do not, will tend to be stable.
Consider next the situation in which the FTC issues its threat to the website industry. The major websites are no longer indifferent to the actions of the smaller sites, for the failure of these sites to adopt privacy-respecting practices might lead to privacy legislation, which would adversely affect all websites, but particularly the large sites, as they have the most to lose from onerous legislative requirements. The major online firms are mega-corporations with some of the largest market capitalizations in history. The strategic situation once the industry-wide threat is in place is represented in the following payoff matrix:
Figure 5: Website Industry After FTC Threat
Note that there is no longer a stable equilibrium in this situation. Large sites most prefer the northwest cell while small sites prefer the southwest cell. In contrast to the previous situation, as represented in Figure 4, the large sites now prefer that the small sites respect privacy. This is because the FTC has made it clear that it expects industry-wide improvement and that if this is not forthcoming, a statute will be forthcoming. Thus, the large sites now prefer the northwest to the southwest cell. For any particular small site, however, it will still prefer to defect in order to reap the benefits of unrestrained data collection and use. If the larger sites become more respectful of privacy, this may serve a particular small site's interests as there will be less pressure from the FTC on the website industry generally. But the small site will nevertheless do better still if it can successfully free ride on this public good. Thus, the small website's highest payoff comes in the southwest cell, in which it does not provide a privacy policy but the large websites do.
Faced with this situation, large sites devised a means to bring small sites into conformity with more respectful data collection practices. Large sites began threatening to withhold advertising from sites that did not demonstrate adequate respect for privacy.[140] This is apparently contributing toward the desired result as an increasing number of small sites are now offering privacy policies. Indeed, as indicated by the FTC's 1999 Report to Congress, website provision of privacy policies has gone up significantly. Regarding the issuance of threats by large websites, the FTC writes:
Companies like IBM, Microsoft and Disney, which have recently announced, among other things, that they will forego advertising on sites that do not adhere to fair information practices are to be commended for their efforts, which we hope will be emulated by their colleagues.[141]
The FTC, then, is able to indirectly promote its goal of data privacy by getting large websites to do its bidding.
Note that when large websites threaten to withhold advertising from small sites, the effectiveness of the threat does not depend on repeated interaction between the parties. Even if the small websites only interact once with Microsoft or IBM, they will typically prefer that this interaction allow for advertising rather than that it not. In the terminology of informal game theory then, the instrumental allocation of advertising is functioning like a "selective incentive" that rewards cooperative behavior on an individual basis.[142] Selective incentives allow the party seeking to incentivize conformity to be able to provide incentives to individuals in order to elicit their conformity. This is in contrast to the collective good itself, which, by definition, has the feature that the good is public, that is, when provided for one, it is provided for all, and thus is open to free riding.
Note that this type of selective incentive cannot be expected to work for all small sites. Some small sites will have little prospect of receiving advertising revenue from large sites and may stand to benefit significantly from the unfettered use of personal data. These sites may continue to have a dominating preference to free ride on the growing practice of providing privacy policies. The net result of the threats instigated by the FTC and carried forward by the large sites, then, is a bi-normative world in which large sites and some small sites are respectful of privacy while other small sites are not. The important and difficult issue, then, for future scholarship on website privacy norms is whether and how additional small sites might come to show greater respect for privacy.[143]
IV. CONCLUSION
This article has developed a case study of the emergence of website privacy norms. In the short history of the Internet, there has been a major shift, a norm cascade, toward norms that are more respectful of privacy and more efficient. The transition has been from a wild-west world in which websites acted with near impunity in collecting whatever personal data they could, to a world in which a significant percentage of websites are explicitly addressing privacy concerns.
Like other case studies in the law and norms tradition, the goal here has been two-fold. First, to utilize a theoretical framework to model a complex and important social phenomenon, namely, the evolving relationship between websites and their visitors vis-à-vis data privacy. Second, to learn more about the theory of law and norms itself, by coming to better understand its powers and limitations in an important applied context. In particular, the most significant theoretical feature of the foregoing account was the study of the complex and complementary roles played by various norm entrepreneurs.
Part II first looked at the original privacy norms that emerged at the Web's inception in the early 1990s. Two groups have been the main contributors to the emergence of these norms: the thousands of commercial websites on the early Web, on the one hand, and the millions of users of the early Web, on the other hand. The norms originally created by the interaction of websites and consumers had the problem that they created significant negative externalities for consumers, as commercial websites were rampantly extracting personal data with little or no concern for the privacy interests of their visitors. Part II then examined the strategic structure of the relationships between websites and consumers which permitted these highly exploitative norms to develop. Consumers were seen to face a large-scale collective action problem. There is a collective good that consumers could potentially achieve, namely, the abatement of disrespectful data-collection practices by websites. But consumers were not in a position to organize in order to secure this collective good, due to their large numbers, lack of repeat play and overlapping relationships. Not surprisingly, then, the original website data-collection norms did not take account of the privacy interests of website users.
Reacting to this undesirable social situation from the perspective of consumers, "norm entrepreneurs" entered the picture to promote website norms that would better serve consumers' privacy interests. Part III examined how improved website privacy norms have recently emerged, due to the efforts of a number of different norm entrepreneurs. The activities of these norm entrepreneurs were broken down into two main stages. In the first stage, the privacy advocacy community and the website industry battled to define the appropriate set of aspirational norms that each group thought should govern website/consumer interactions. The privacy advocacy community applied its pre-existing second-order norms of data privacy to the context of Internet websites. In response, the website industry entered the arena in order to promote a competing set of norms that were less demanding on the industry. In the second stage, the FTC was seen to adopt a set of privacy norms based on those proposed by the competing norm entrepreneurs discussed in Stage One. The FTC then used threats to induce websites to adopt these norms. The FTC created a large-scale collective action problem for the website industry, where none had existed before. It did this by creating a collective good that the industry would be interested to promote: the avoidance of Congressional legislation. The agency threatened to push for legislation unless the industry demonstrated greater respect for privacy.
In a later Stage-Two development, some of the large sites in turn threatened to withhold advertising from smaller sites with whom they did business if these sites were not more respectful of consumer privacy. The result of this network of threats by the FTC and large websites was the emergence of a new social equilibrium in which there was no longer a uniform norm of disrespect for privacy as existed in Stage One, but instead a bi-normative world in which numerous sites continued to conform to disrespectful practices while many other sites adopted more respectful practices. The emergence of the bi-normative equilibrium created favorable conditions for a new stage, which is beginning to develop. In this stage, software firms have begun to sell "privacy solutions" to websites concerned to signal to consumers their respect for consumers' privacy, in the hope that consumers will thereby give the sites their business. This third stage is newly emerging and quickly gaining momentum.
It is important that we continue to make efforts to better understand how privacy norms are emerging. First, we need to see if we can continue to make progress in producing better website practices through predominantly informal means. While there have been significant improvements to date, the current situation is unsatisfactory. By better understanding the processes that have worked thus far to promote website privacy, we will be in a better position to see if more progress may still be made, either through previously utilized methods, or through new ones. With Congress poised to act, it is important that we achieve this clarity now. In particular, if better norms are already emerging through informal social processes, and minimalist governmental guidance, there may not be a need for sweeping legislation of the sort currently being proposed by many privacy advocates.