[*]Associate Professor of Law, Vanderbilt University School of Law. J.D., Yale University; M.A. (Public Policy), University of Chicago; Ph.D. (Philosophy), University of Illinois at Chicago; B.A., University of Wisconsin. Earlier portions of this Article were presented at a symposium entitled "Taking Stock: The Law and Economics of Intellectual Property Rights," at Vanderbilt Law School, at a symposium on the need for a federal privacy commission at the John Marshall Law School, and at a faculty workshop at Vanderbilt Law School. I wish to gratefully acknowledge the numerous helpful comments received on those occasions. In addition, Robert Rasmussen provided comments. I also wish to thank the members of my Spring 2000 Advanced Regulation of the Internet course at Vanderbilt Law School, where many of the ideas in the article were first explored. Finally, I am especially grateful for the research assistance of Robert Brewer, Mark Plotkin, Linda Potapova and Angela Vitale.

[1] Federal Trade Commission, Privacy Online: A Report to Congress (June 1998), available at http://www.ftc.gov/reports/privacy3/priv-23a.pdf [hereinafter 1998 FTC Report to Congress] ("While American businesses have always collected some information from consumers in order to facilitate transactions, the Internet allows for the efficient, inexpensive collection of a vast amount of information. It is the prevalence, ease, and relative low cost of such information collection that distinguishes the online environment from more traditional means of commerce and information collection and thus raises consumer concerns."). Emerging online technologies make the transmission of data virtually costless, which has contributed to a situation in which dramatically higher levels of personal data are now flowing across the Internet. Peter Huber and Mark P. Mills have estimated that it takes "about 1 pound of coal to create, package, store and move 2 megabytes of data." Peter W. Huber, Dig More Coal-the PCs are Coming, Forbes (May 31, 1999), available at http://www.forbes.com/forbes/99/0531/6311070a.htm.

[2] See also Maureen S. Dorney, Privacy and the Internet, 19 Hastings Comm. & Ent. L.J. 635, 639 (1997) (explaining that because the Constitution primarily regulates government action, it does not prohibit private party collection and use of personal information).

[3] See Lawrence Lessig, Code: and Other Laws of Cyberspace 85-90 (1999) (distinguishing four principal regulators of human behavior in cyberspace: norms, law, technology, and the market); see also Pamela Samuelson, Privacy as Intellectual Property?, 52 Stan. L. Rev. 1125, 1126 (2000) (endorsing Lessig's four-part approach to regulation in context of privacy).

[4] The Federal Trade Commission has stated that "self-regulation is the least intrusive and most efficient means to ensure fair information practices, given the rapidly evolving nature of the Internet and computer technology." See Federal Trade Commission, Self Regulation and Privacy Online: A Report to Congress 6 (July 1999), available at http://www.ftc.gov/os/1999/9907/privacy99.pdf [hereinafter 1999 FTC Report to Congress]; see LESSIG, supra note 3, chap. 1 (lengthy discussion of dominant anti-regulatory outlook regarding governance of the Internet). Numerous commentators have taken the view that since the Internet is growing so rapidly and successfully, it is sensible to be cautious before adopting any significant regulatory measures that might curtail this development. See, e.g., I. Trotter Hardy, The Proper Legal Regime for "Cyberspace," 55 U. Pitt. L. Rev. 993, 1054 (1994) (contending that rules of conduct in cyberspace should be governed by presumption of decentralization, using self-help, custom, and contract of cyberspace participants, and noting that because the Internet is changing so rapidly, the first answer to how a legal problem in cyberspace should be solved is to "do nothing"); Henry H. Perritt, Jr., Cyberspace Self-Government: Town Hall Democracy or Rediscovered Royalism?, 12 Berkeley Tech. L.J. 413, 419-20 (1997) (contending that as a general rule "self-governance is desirable for electronic communities"). In addition, because the Internet is an inherently transnational phenomenon, it may be improper and overreaching for particular nations to attempt to exert too great an influence over its development. See, e.g., David R. Johnson & David Post, Law and Borders-The Rise of Law in Cyberspace, 48 Stan. L. Rev. 1367 (1996); see also John Perry Barlow, A Declaration of the Independence of Cyberspace (visited Jan. 28, 2000), available at http://www.eff.org/~barlow/Declaration-Final.html; A. Michael Froomkin, The Internet as a Source of Regulatory Arbitrage, in BORDERS IN CYBERSPACE 129 (Brian Kahin & Charles Nesson eds., 1997) (discussing the Internet's "resistance to control"); James Boyle, Foucault in Cyberspace: Surveillance, Sovereignty, and Hardwired Censors, 66 U. Cin. L. Rev. 177, 178-83 (1997) (noting the cyber-utopian argument that "the technology of the medium, the geographical distribution of its users, and the nature of its content all make the Internet specially resistant to state regulation").

[5] There are two broad information categories of personal data: information that can be used to identify consumers, such as name, postal or e-mail address ("personal identifying information"); or demographic and preference information (such as age, gender, income level, hobbies, or interests) that can be used either in aggregate, non-identifying form for purposes such as market analysis, or in conjunction with personal identifying information to create detailed personal profiles. See 1998 FTC Report to Congress, supra note 1, at 20. It is the first sort of threat that particularly raises privacy concerns, for the reason that once others have information about a person's identity, they may use the information in new ways that adversely affect the person.

[6] See Samuelson, supra note 3, at 1128 (discussing utilitarian and autonomy-based rationales for regulation of data collection).

[7] Anne Wells Branscomb, Who Owns Information? 3-4 (1994) ("A great deal of information we consider to be highly personal, and of interest to ourselves and the town gossip-our names, telephone numbers, marital status, educational accomplishments, job and credit histories, even medical, dental, and psychiatric records-is now being sold on the open market to anyone who believes he or she might be able to use such information to turn a profit. These transactions usually take place without our knowledge or consent.").

[8] See Online Privacy, Bus. Week, Mar. 20, 2000, available at 2000 WL 7825258 (comparing the stockpiles of information to an Internet gold rush); Kathryn Kranhold & Michael Moss, Companies Are Refusing to Share Their Cookies Tracking Devices' Consumer Data Is Too Precious, Chicago Trib., Apr. 10, 2000, available at 2000 WL 3654616 (discussing how large Fortune 500 companies are protecting online tracking devices from Internet advertising companies because consumer data is a veritable "gold mine"); Melissa Preddy, Metro Teenagers Take Bait, Hook Prize on the Net-The Yield on Privacy in Bid for College Cash, Detroit News, June 15, 2000, available at 2000 WL 348130 (stating "personal information is like gold," especially to "get paid to surf," profiling websites that entice Internet users to give up information about themselves for rewards).

[9] See Erika S. Koster, Zero Privacy: Personal Data on the Internet, The Computer Law., May 1999, at 7-8 (noting that commercial activity involving personal data is growing rapidly).

[10] See, e.g., The End of Privacy: The Surveillance Society, Economist, May 1, 1999, at 21 (covering privacy degradation in online environment); Rep. Asa Hutchinson and Rep. Jim Moran, Commission is First Step to Privacy, Roll Call, July 10, 2000, available at http://www.rollcall.com; Adam L. Penenberg, The End of Privacy, Forbes, Nov. 29, 1999, available at 1999 WL 28466750; Jared Sandberg, Identity Thieves Online, Newsweek, Sept. 20, 1999, available at 1999 WL 19354964; Celia Santander, Web-Site Privacy Policies Aren't Created Equal, Web Finance, Dec. 11, 2000.

[11] See Glenn R. Simpson, E-Commerce Firms Start to Rethink Opposition to Privacy Regulation as Abuses, Anger Rise, Wall St. J., Jan. 6, 2000, at A24. A recent U.S. Business Week/Harris Poll found that 92 per cent of Internet users were uncomfortable about websites sharing personal information with other sites. See Online Privacy, supra note 8.

[12] N.Y. Times, June 8, 2000, at A5 (strategists for major political parties analyze best means to capitalize on voter concern for online privacy). The lobbying muscle of the information industry suggests, however, that any such laws would stop short of providing a level of privacy deemed adequate by privacy advocates. See Jessica Litman, Information Privacy/Information Property, 52 Stan. L. Rev. 1283, 1287 (2000).

[13] See Steven Hetcher, The FTC as Internet Privacy Norm Entrepreneur, 53 Vand. L. Rev. 2041, 2043 (2000).

[14] Federal Trade Commission, Privacy Online: Fair Information Practices in the Electronic Marketplace, A Report to Congress (May 2000), available at http://www.ftc.gov/reports/privacy2000/privacy2000.pdf [hereinafter 2000 FTC Report to Congress] (recommending continued support of self-regulatory approach along with legislation); see also Rep. Billy Tauzin, How Can Congress Protect Online Privacy? Self-Regulation is Key to Web Privacy, Roll Call, Feb. 22, 1999, available at http://www.rollcall.com (confident that Internet was moving in right direction to make self-regulation a reality).

[15] Judge Richard Posner views law and norms theory as second-generation law and economics. Richard A. Posner, Social Norms, Social Meaning, and Economic Analysis of Law: A Comment, 27 J. Legal Stud. 553 (1998). Ellickson views law and norms as representing a new paradigm within the traditional law and economic approach. Robert C. Ellickson, Law and Economics Discovers Social Norms, 27 J. Legal Stud. 537 (1998). Social norms theory has been the subject of a number of important recent symposia. See Symposium, Law, Economics, and Norms, 144 U. Pa. L. Rev. 1643 (1996); Symposium, Law and Society & Law and Economics, Wis. L. Rev. 375 (1997); Symposium, The Nature and Sources, Formal and Informal, of Law, 82 Cornell L. Rev. 947 (1997). Symposium, Virginia L. Rev. (2000); see also Symposium, The Informal Economy, 103 Yale L. Rev. 2119 (1994).

[16] Robert Ellickson, Order Without Law: How Neighbors Settle Disputes (1991).

[17] Id. at 137.

[18] Russell Hardin, Collective Action (1982).

[19] See Reno v. ACLU, 521 U.S. 844, 851 (1997) (J. Stevens, dissenting) ("Taken together, these tools constitute a unique medium-known to its users as 'cyberspace'-located in no particular geographical location but available to anyone, anywhere in the world, with access to the Internet."); Am. Libraries Ass'n v. Pataki, 969 F. Supp. 160, 168-69 (S.D.N.Y. 1997) ("Typically, states' jurisdictional limits are related to geography; geography, however, is a virtually meaningless construct on the Internet."); Dan L. Burk, Trademark Doctrines for Global Electronic Commerce, 49 S.C. L. Rev. 695, 716 (1998) ("Notwithstanding that the Internet is and will be segmented by economic, social, and technological divisions, those divisions will not necessarily map onto the geographic, political, and economic divisions already existing offline . . . the current technological structure of the Internet . . . ignores customary political and geographical boundaries on which much of our legal system is based.").

[20] See Mark A. Lemley, The Law and Economics of Internet Norms, 73 Chi.-Kent L. Rev. 1257, 1275 (1998) (author dubious of claim that Internet norms are efficient).

[21] See, e.g., Simon G. Davies, Re-engineering the Right to Privacy: How Privacy Has Been Transformed from a Right to a Commodity, in Technology & Privacy 143-45 (Philip E. Agre & Marc Rotenberg eds., 1997) (noting a change in society's approach from privacy protection to data protection); Joel R. Reidenberg, Setting Standards for Fair Information Practice in the U.S. Private Sector, 80 Iowa L. Rev. 497, 497-498 (1998) (arguing that a citizen's right to participate in government depends "on the ability to control the disclosure of personal information"); Paul M. Schwartz, Privacy and Democracy in Cyberspace, 52 Vand. L. Rev. 1609, 1611 (1999) (claiming that the absence of privacy norms threatens democracy); see also Julie E. Cohen, A Right to Read Anonymously: A Closer Look at Copyright Management in Cyberspace, 28 Conn. L. Rev. 981, 982-83 (1996) (arguing that digital copyright management technologies violate First Amendment Rights protecting speech and freedom of thought). The EU Directive is based on a conception of personal data protection as a fundamental civil liberty interest. Council Directive 95/46/EEC, art. 1.1, 1995 O.J. (L 281) 281 [hereinafter Privacy Directive].

[22] Pamela Samuelson, supra note 3, at 1128 n. 18 ("It is therefore both unnecessary and counterproductive to choose between, e.g., the market-based and civil liberty-based visions of privacy.").

[23] Minimization of data collection is sometimes stated as the goal of privacy regulation. See, e.g., Litman, supra note 12.

[24] See Samuelson, supra note 3, at 1156-58.

[25] The Web is that portion of the Internet that runs HTTP, TCP/IP and utilizes uniform resource locators. Tim Berners-Lee, Weaving The Web (1999).

[26] See Peter P. Swire & Robert E. Litan, None of Your Business: World Data FLows, Electronic Commerce, and the European Privacy Directive 8 (1998). Yet another feature of the complex normative story behind the convergence of Internet privacy norms has to do with the recognition of entitlements in personal data. At the beginning of the period under study there was a divergence between the legal recognition of entitlements to personal data and the informal social norms that existed with respect to this data. Over the decade, the law has come to more closely represent the informal norms of entitlement.

[27] The tortious relationship between the parties is itself expressed in deontological terms of unfair competition and breach of confidentiality. See Samuelson, supra note 3, at 1154-1157.

[28] By the lights of standard game theory, large-scale collective action problems are the most difficult to solve. See generally Hardin, supra note 18; Ellickson, supra note 16.

[29] Norm entrepreneurs are actors who promote norms. Cass Sunstein, Social Norms and Social Roles, 96 Colum. L. Rev. 903, 909 (1996).

[30] Id.

[31]. An "aspirational norm" is the linguistic expression of a putative norm, that is, an expression regarding a practice that the speaker would like to see come into existence. Steven A. Hetcher, Creating Safe Social Norms in a Dangerous World, 73 S. Cal. L. Rev. 1 (1999).

[32] See David H. Flaherty, Protecting Privacy in Surveillance Societies 306-08 (1989); Priscilla M. Regan, Legislating Privacy-Technology, Social Values and Public Policy 70 (1995); Interview by Mary Kathleen Flynn with John Berard, Internet Privacy Issues, CNNfn Digital Jam (Feb. 5, 2000).

[33] See infra text accompanying notes 108-12.

[34] See Paul M. Schwartz, Internet Privacy and the State, 32 Conn. L. Rev. 815, 823 (2000) (defining a privacy policy as a document that is often accessed through a hypertext link on a homepage which spells out how it collects and uses personal information).

[35] An in-house lawyer representing Novell, speaking at the tenth annual Computers, Freedom & Privacy Conference, Toronto, April 4-7, 2000, remarked on the rapid rise of privacy specialists within large corporations such as hers. Universities have begun developing programs to train privacy specialists. See SMU Teams with Privacy Council: Announces First Executive Chief Privacy Officer Training Program, Financial News, Jan. 29, 2001; see also David Bicknell, Directors Face E-Laws Overload, Computer Weekly, Feb. 24, 2000, at 16 (the coordination of complying with European privacy policies has led some companies to be pro-active and engaging in "self-help" through privacy specialists).

[36] For example, in bankruptcy proceedings, Toysmart.com recently moved to sell personal data it had collected pursuant to a specific privacy guarantee. See Judge Is Urged to Reject Toysmart.com Settlement, Wall St. J., July 26, 2000, available at 2000 WL-WSJ 3037882; Toysmart.com's Plan To Sell Customer Data Is Challenged by FTC, Wall St. J., July 11, 2000, available at 2000 WL-WSJ 3035966; FTC Announces Settlement With Bankrupt Website, Toysmart.com, Regarding Alleged Privacy Policy Violations, available at http://www.ftc.gov/opa/2000/07/toysmart2.htm (July 21, 2000). While the FTC may settle, Toysmart still faces a lawsuit filed by TRUSTe, which contends that Toysmart is in violation of its online agreement not to sell consumer data to third parties. See Elinor Abreu, TRUSTe to File Antiprivacy Brief Against Toysmart, Industry Standard (June 30, 2000), available at http://www.thestandard.com/article/display/0,1151,16577,00.html; see also Susan E. Gindin, Lost and Found in Cyberspace: Informational Privacy in the Age of the Internet, 34 San Diego L. Rev. 1153, 1180 (1997).

[37] See Solveig Singleton, Privacy Versus the First Amendment: A Skeptical Approach, 11 Fordham intl. Prop. Media & Ent. L.J. 97, 98 (2000); Domingo R. Tan, Personal Privacy in the Information Age: Comparison of Internet Data Protection Regulations in the United States and the European Union, 21 Loy. L.A. Int'l & Comp. L.J. 661, 665.

[38] Stephen Segaller, Nerds 2.0.1: A Brief History of the Internet 92 (1998).

[39] Id. at Chapter Four.

[40] Ellickson specifically mentions academic communities as often close-knit. Ellickson, supra note 16.

[41] Tim Berners-Lee, Weaving the Web (1999).

[42] See Segaller, supra note 38, at 224-25.

[43] See id. at 297.

[44] See generally Margaret Jane Radin, Contested Commodities 15 (1996); Margaret Jane Radin & R. Polk Wagner, The Myth of Private Ordering: Rediscovering Legal Realism in Cyberspace, 73 Chi.-Kent L. Rev. 1295, 1302 (1998). The term "commodification" is not inherently pejorative. Whether, and to what extent, the commodification of personal data is a negative development depends on one's normative theory. For utilitarian theories generally, and economic analysis in particular, "commodification," per se, has no sui generis moral meaning. The core idea of this type of moral theory is that all things of value may be put on a single scale. Thus, to commodify data, or anything else, is not to change its moral status. In fact, economic theorists may view commodification as an instrumental good, as commodifying data may promote efficiency by allowing this data to more easily reach the hands of those who will value it most. For some versions of deontological theory, on the other hand, personal data may not morally be made the subject of market exchanges. See Samuelson, supra note 3, at 1143 ("If information privacy is a civil liberty, it may make no more sense to propertize personal data than to commodify voting rights."). See generally Pamela S. Karlan, Not By Money but By Virtue Won? Vote Trafficking and the Voting Rights System, 80 Va. L. Rev. 1455 (1994) (explaining rationale for public policies against vote trafficking). This type of deontological theory, however, is not the type that is implicit in most discussions of online privacy. Most deontologically-oriented discussions of privacy implicitly accept the notion that under proper conditions, such as when there is informed consent, a data subject my morally alienate personal data in a market exchange.

[45] Neil Randal, How Cookies Work, PC Magazine Online, available at http://www.zdnet.com/pcmag/ventures/cookie/cksl.htm (last visited July 4, 2000). There is a shortage of social scientific information about cookie use. In its survey of Web sites, the FTC staff did not ascertain whether sites use cookies, or other hidden electronic means, to collect personal information, but looked instead to sites' information practice disclosures as a gauge of the extent of such practices. See 1998 FTC Report to Congress, supra note 1, at 45 n. 4.

[46] Lessig, supra note 3, at 34-42 .

[47] See Andrew L. Shapiro, Privacy For Sale: Peddling Data on the Internet, Hum. Rts., Winter, 1999, at 10.

[48] Generally, a unique identifier is connected to the machine and not to a named individual. The problem is that this is a small gap to bridge. Consequently, privacy advocates have been concerned about unique identifiers even when connected to machines and not individuals. See, e.g., Electronic Communications Privacy Policy Disclosures: Hearing Before the Subcomm. on Courts and Intellectual Property of the House Comm. on the Judiciary, 106th Cong. (1999) (statement of Mark Rotenberg, Executive Director, Electronic Privacy Information Center). Recently, both Intel and Microsoft have made efforts to tie numbers to names. See Edward C. Baig, Privacy: The Internet Wants Your Personal Info. What's In It for You?, Bus. Week, April 5, 1999, available at 1999 WL 8226796; Don Clark & Kara Swisher, Microsoft to Alter Windows 98 So Data About Users Won't Be Sent to Company, Wall St. J., March 8, 1999, available at 1999 WL-WSJ 5443409; Robert Lemos, The Biggest Computer Bugs of 1999!, ZD Internet Magazine, Dec. 23, 1999, available at 1999 WL 14538475 (discussing Intel's Pentium III serial number, global unique identifiers, and two Microsoft products, Office 97 and Windows 98, that attempted to match various numbers to personal information and names); see also In re the Matter of Intel Pentium Processor Serial Number, Compl., Case No. 982 (Federal Trade Commission Feb. 26, 1999).

[49] An industry has emerged to market a variety of software products designed to assist websites in collecting and analyzing visitor data and in providing targeted advertising. See, e.g., Rivka Tadher, Following the Patron Path, ZD Internet Magazine, Dec. 23, 1997, at 95; Thomas E. Weber, Software Lets Marketers Target Web Ads, Wall St. J., Apr. 21, 1997, at B1.

[50] "Passive tracking" refers to information collected by using navigational software. 1998 FTC Report to Congress, supra note 1, at 56.

[51] See id. at 3, 45.

[52] Michael Froomkin, The Death of Privacy, 52 Stan. L. Rev. 1461, 1487 (2000).

[53] Forester Research, Inc., Media & Technology Strategies: Making Users Pay 4-6 (1998).

[54] Froomkin, supra note 52, at 1487 ("Cookies, however, are only the tip of the iceberg. Far more intrusive features can be integrated into browsers, into software downloaded from the Internet, and into viruses or Trojan horses. In the worst case, the software could be configured to record every keystroke."). A trojan horse is a "malicious, security-breaking program that is disguised as something benign, such as a directory lister, archiver, game, or . . . a program. . . ." FOLDOC, Trojan Horse, available at http://wombat.doc.ic.ac.uk/foldoc/ foldoc.cgi?query=+trojan+horse (last visited Mar. 25, 2001).

[55] Froomkin, supra note 52, at 1473-74.

[56] Mark A. Lemley, supra note 20, at 1276 ("[Non-consensual website interactions are] particularly likely when incentives are asymmetrically distributed in the community, as when buyers and sellers have their own conflicting norms. The norm that results from this conflict may represent a variety of things besides consensus: superior bargaining power on the prevailing side, collective action problems on the other side, or the use of strategic behavior.").

[57] Ellickson emphasizes the important role that knowledge plays in the monitoring process that allows for successful solution of strategic problems. Ellickson, supra note 16.

[58] Patrick Croskery, Institutional Utilitarianism and Intellectual Property, 68 Chi-Kent L. Rev. 631, 632 (1993).

[59] See U.S. Const. art. I, § 8, cl. 8. In the landmark case, Feist v. Rural Telephone Service, the Supreme Court has said that facts are not subject to copyright protection. Rather, they must be left in the public domain-the intellectual commons-available for all to use. 499 U.S. 340 (1991). Feist involved facts of a particular sort, namely, personal data; the names and addresses of the residents of a particular region of Kansas, as contained in a regional telephone directory. See id. at 359-60. Lawyers are just beginning to grapple with special issues raised by the digital commons. See Lessig, supra note 3; Steven Hetcher, Climbing the Walls of Your Electronic Cage, 98 Mich. L. Rev. 801, 814 (2000). Law regarding personal data, indeed all data, is at sea. Some commentators have argued for heightened intellectual property status for personal data as a means to greater privacy protection. See Patricia Mell, Seeking Shade in a Land of Perpetual Sunlight: Privacy as Property in the Electronic Wilderness, 11 Berkeley Tech. L.J. 1, 78 (1996) (advocating statutory recognition of property rights in a "persona" consisting of personal information about the individual); Kenneth C. Laudon, Markets and Privacy, Comm. ACM, Sept. 1996, at 92 (suggesting property rights in personal data as a way to protect privacy). There are First Amendment, however, tensions with this sort of proposal. For a discussion of the First Amendment and privacy, compare Paul M. Schawrtz, Free Speech v. Privacy: Eugene Voloch's First Amendment Jurisprudence, 52 Stan. L. Rev. 1559 (2000), with Eugene Volokh, Freedom of Speech and Information Privacy: The Troubling Implications of a Right to Stop People from Speaking About You, 52 Stan. Law. Rev. 1049 (2000). The tension between privacy and free speech can be avoided if data-subject control, as opposed to ownership, of personal data, can be protected. A trend leading in an opposite direction from heightened intellectual property protection is "copyleft," which argues that the Internet radically undermines ownership concepts for intellectual goods in the online world. See Ira v. Heffan, Copyleft: Licensing Collaborative Work in the Digital Age, 49 Stan. L. Rev. 1487, 1491-92 (1997); see also David Brin, The Transparent Society: Will Technology Force Us to Choose Between Privacy and Freedom? (1998) (arguing that personal data should be subject to open access rules).

[60] See, e.g., Jared Sandberg, supra note 10. Indicating the seriousness of the problem, the FTC has recently appointed a person to handle the issue. See The Prepared Statement of the Federal Trade Commission on "Identity Theft": Hearing Before the Subcommittee on Technology, Terrorism and Government Information of the Senate Committee on the Judiciary, 105th Cong. (1998) (Statement of David Mendine, Ass'n Div. for Credit Practices, Bureau of Consumer Protection, Federal Trade Commission). A recently passed Identity Theft and Assumption Deterrence Act, 18 U.S.C. § 1028(a), imposes a penalty of fifteen years of imprisonment and fines for theft of personal information with intent to commit an unlawful act. See Kurt M. Saunders and Bruce Zucker, Counteracting Identity Fraud in the Information Age: The Identity Theft and Assumption Deterrence Act, 8 Cornell J.L. & Publ. Pol'y 20 (1999); Peter P. Swire, Financial Privacy and the Theory of High-Tech Government Surveillance, Wash. U. L. Q. 461, 470-74 (giving examples); see also Laracuente v. Laracuente, 599 A.2d 968 (N.J. Law Div. 1991) (showing typical social security number identity theft).

[61] Discussions pertaining to the special concerns regarding data collection from children often mention the inability of children to effectively consent to such data collection. This demonstrates a special concern for the autonomy, or lack thereof, of children.

[62] See 1998 FTC Report to Congress, supra note 1, at 4-5.

[63] Id.

[64] See Jane Birnbaum, Here's How to Protect Your Medical Records, Chicago Trib., Nov. 23, 1999, available at 1999 WL 2935001; David F. Linanes & Ray Apencer, How Employers Handle Employees' Personal Information: Report of a Recent Survey, 1 Employee Rts. & Employment Pol'y J. 153 (1997).

[65] See Paul M. Schwartz, Privacy and the Economics of Personal Health Care Information, 76 Tex. L. Rev. 1, 22 (1997) ("[W]ide disclosure of certain kinds of information may distort individual behavior in an inefficient fashion. Fearing loss of employment and social discrimination, people will either lie to their physicians or avoid seeking care that might lead to the creation of sensitive health care or genetic information."); Patent Confidentiality: Hearing Before the Subcomm. on Health of the House Comm. on Ways and Means, 105th Cong. (1998), available at 1998 WL 18089939 ("In the absence of such trust, patients will be reticent to accurately and honestly disclose personal information, or they may avoid seeking care altogether for fear of suffering negative consequences, such as embarrassment, stigma, and discrimination. Along the continuum, if doctors and other health care providers are receiving incomplete, inaccurate information from patients, the data they disclose for payment, research, public health reporting, outcomes analysis, and other purposes, will carry the same vulnerabilities.").

[66] See Swire & Litan, supra note 26 ("Consider the incentives of a company that acquires private information. The company gains the full benefit of using the information in its own marketing efforts or in the fee it receives when it sells the information to third parties. The company, however, does not suffer losses from the disclosure of private information. Because customers often will not learn of the overdisclosure, they may not be able to discipline the company effectively. In economic terms, the company internalizes the gains from using the information but can externalize some of the losses and so has a systematic incentive to overuse it. This market failure is made worse by the costs of bargaining for the desired level of privacy. It can be daunting for an individual consumer to bargain with a distant Internet merchant . . . about the desired level of privacy. To be successful, bargaining might take time, effort, and considerable expertise in privacy issues.").

[67] See J.R. Hicks, The Valuation of the Social Income, 7 Economica 105, 110 (1940); Nicholas Kaldor, Welfare Propositions of Economics and Inter-Personal Comparisons of Utility, 49 Econ. J. 549, 550 (1939).

[68] Sanctions have the potential to promote efficient norms. The role that sanctions play is to incentivize actors to adjust their norm conformity so as to take account of the sanction in their overall calculation of the worthiness of conforming to the norm.

[69] See George R. Milne, Privacy and Ethical Issues in Database/Interactive Marketing and Public Policy: A Research Framework and Overview of the Special Issue, 19 J. Pub. Pol'y & Mkt. 1, 9 (2000) (summarizing studies: "When Web sites require consumers to provide information to register, many consumers provide false information. Surveys report that half the Internet users report false information about a quarter of the time (Graphic, Visualization, & Usability Center 1998). Many surfers do not fill in reports because they are concerned about their privacy and do not want to be spammed (Greenman 2000). As noted by Petty (2000), unwanted contact is a primary concern of many consumers and a reason that consumers balk at providing information. Sheehan and Hoy (2000) provide empirical evidence that unwanted email contact is of high concern to online consumers."); Tan, supra note 37, at 665 (citing a TRUSTe study stating "40% of Internet users have provided false information at least once when registering at a website, and over 70% worry about making on-line purchases."); Jerry Guidera, Online Shoppers Often Lie To Guard Privacy, Survey Says, Wall St. J., Mar. 16, 2000, available at 2000 WL-WSJE 2948132.

[70] Some commentators have explicitly promoted the acceptability of supplying false information as a self-help measure.

[71] Studies indicate that consumers are particularly afraid of transfers of their personal data to unknown third parties. See 1999 FTC Report to Congress, supra note 4.

[72] A norm need not be expressed in linguistic terms in order to have content, whereas a rule is by definition linguistic. A norm's content is defined in terms of its strategic structure. A norm, then, is behavior of a certain sort, which may or may not have an attached linguistic component. When characterizing a group's norms, it is necessary to keep in mind the difference between norms and rules, as it is important to be able to look at the actual practices of groups, rather than merely going by what they express linguistically. Talk is cheap; it is conforming behavior that creates benefits for conforming groups and externalities for third parties. See Steven Hetcher, Norms, in Encyclopedia of Ethics 909, 909-12 (2d ed., Lawrence C. Becker ed., 1992). Elsewhere, I adopt the term "norm statement" or "rule" for the linguistic component of a full norm. Id.

[73] See generally, Shelley Kagan, The Limits of Morality (1989).

[74] Robert D. Cooter, Expressive Law and Economics, 27 J. Legal Stud. 585, 587-88 (1998); Eric Posner, Symposium, Law, Economics & Norms: Law, Economics, and Inefficient Norms, 144 U. Pa. L. Rev. 1697, 1699 (1996) ("A norm can be understood as a rule that distinguishes desirable and undesirable behavior and gives a third party the authority to punish a person who engages in the undesirable behavior.").

[75] See generally Hardin, supra note 18.

[76] See Hetcher, supra note 31, at 42.

[77] Id. at 42 n. 160.

[78] 1999 FTC Report to Congress, supra note 4, at 2-3; 1998 FTC Report to Congress, supra note 1, at 3-4.

[79] Rotenberg, supra note 48.

[80] See, e.g., Federal Trade Commission, The Information Marketplace: Merging and Exchanging Consumer Data, available at http://www.ftc.gov/bcp/workshops/infomktplace/index.html (March 13, 2001) (Public workshop notices posted on the FTC homepage at www.ftc.gov).

[81] Hardin, supra note 18, at 2 ("Although it can make good sense to say that an individual is rational, there is no obviously useful new sense in which we can typically say that a group is rational. Yet, one of the more widely accepted doctrines of modern political science-the group theory of politics-was based on a presumption from the fallacy of composition: that a group of people with a common interest will take action to further that interest. That doctrine has collapsed in the face of two major developments . . . Mancur Olson's logic of collective action and game theory's Prisoner's Dilemma. In the latter, there is a dilemma precisely because what it makes sense for an individual to do is not what would make sense for the group to do-if one could meaningfully speak of what the group should do.").

[82] Lighthouses are a classic example of a collective good as there is a collective action problem with regard to the provision of the lighthouse. Each individual potential beneficiary would benefit from the provision of a lighthouse. Nevertheless, there is a collective action problem because once the lighthouse is provided, it is provided for all. In other words, the individual cannot be excluded from benefitting from the good even though she did not contribute toward its provision. Thus, each individual does best by defecting from providing her share toward its provision. But since all potential beneficiaries are similarly situated, each will free ride and hence the good will not be provided.

[83] Each of the four pairs of numbers represents the payoffs to each party in each of the four possible outcomes, the left-hand number is the payoff to the row-player and the right-hand number is the payoff to the column player. Higher numbers represent more preferred outcomes.

[84] Based in part on its survey of over 1400 commercial websites, the FTC in 1998 concluded that there was not yet effective self-regulation: "The Commission's examination of industry guidelines and actual online practices reveals that effective industry self-regulation with respect to online collection, use, and dissemination of personal information has not yet taken hold." 1998 FTC Report to Congress, supra note 1.

[85] Ellickson, supra note 16, at 250. Ellickson defines "close-knit" groups as follows: "A group is close-knit when informal power is broadly distributed among group members and the information pertinent to informal control circulates easily among them." Id. at 177-78. Ellickson's definition of close-knittedness implies "group members" having both "continuing reciprocal power over one another and also a bank of shared information." Id. at 238. Ellickson notes that close-knittedness is inversely related to group size-the smaller the group, the greater the degree of close-knittedness. See id. at 182. However, "[A] group does not necessarily have to be small to be close-knit." Id.

[86] Ellickson, supra note 16.

[87] Mark A. Lemley, Shrinkwraps in Cyberspace, 35 Jurimetrics 311, 314 (1995) ("In addition, the rapid growth in the number of network users has worked to transform cyberspace in important respects. With its forty or fifty million users, the Internet is no longer comprised of a limited set of close-knit communities in which private ordering can be based on shared values and understanding."); see also, The Domain Name System: A Case Study of the Significance of Norms to Internet Governance, 112 Harv. L. Rev. 1657, 1676-1680 (1999).

[88] For the classic discussions, see William J. Baumol, Welfare Economics and the Theory of the State (1952); Anthony Downs, An Economic Theory of Democracy (1957).

[89] For example, the E.U. Privacy Directive has a complex set of requirements to which firms that use personal data of Europeans must adhere. See Privacy Directive, supra note 21.

[90] Consumer Internet Privacy: Hearing Before the Senate Comm. on Commerce, Science, and Transportation, 106th Cong. (2000) (Marc Rotenberg, Executive Director, Electronic Privacy Information Center) ("The reliance of privacy guidelines on the FTC Act prohibiting unfair and deceptive business practices has not provided an adequate basis for the protection of privacy interest. . . .").

[91] Elsewhere, I question the FTC's sincerity in its stated desire to promote industry self-regulation. See Hetcher, supra note 13.

[92] Anecdotal evidence suggests, however, that some sites avoid this cost by simply, and illegally, cutting and pasting from the privacy policies of other sites that they find on the Web.

[93] For example, RealNetworks recently admitted that its RealJukebox assigned a personal ID number to users and uploaded information about their listening habits to its server, contrary to its privacy policy. See Sara Robinson, CD Software Is Said to Monitor Users' Listening Habits, N.Y. Times, Nov. 1, 1999, available at http://www.nytimes.com. The company was subsequently slapped with a $500 million class action lawsuit for violating California's unfair business practices law. See RealNetworks is Target of Suit in California Over Privacy Issue, N.Y. Times, Nov. 9, 1999, available at http://www.nytimes.com .

[94] See Hetcher, supra note 31, at 43-45 & nn. 161-68.

[95] See Hetcher, supra note 31, at 44, 74; David Lewis, Convention (1969); Edna Ullmann-Margalit, The Emergence of Norms (1977); see also Margaret Gilbert, Game Theory and Convention, 46 Synthese 41 (1981).

[96] Lewis, supra note 95. With a proper coordination equilibrium, other conformers receive a benefit when a particular actor conforms. It is this feature that causes David Lewis to claim that "conventions" are best modeled as proper coordination equilibria. Conventions, on Lewis' well-known account, are maintained in part by sanctions. Conformers sanction one another for non-conformity because it is in the interest of others that each conform. The sanctions are meant to ensure the conformity of others. The economics literature on "network externalities" encompasses a similar but broader rational structure as not all networks with significant externalities are norms.

[97] Coordination norms have similar structural features to "network effects." On network effects generally, see, e.g., Mark A. Lemley & David McGowan, Legal Implications of Network Economic Effects, 86 Cal. L. Rev. 479 (1998) (arguing for limiting the assumption that network effects produce suboptimal lock-in); S.J. Liebowitz & Stephen E. Margolis, Path Dependence, Lock-In, and History, 11 J.L. Econ. & Org. 205 (1995).

[98] See, e.g., Dorothy Glancy, Symposium on Internet Privacy: At the Intersection of Visible and Invisible Worlds: United States Privacy and the Internet, 16 Santa Clara Computer & High Tech. L.J. 357, 363-64 (2000) ("Assurances of privacy protection by e-commerce vendors and Internet service providers demonstrate that the commercial side of the Internet recognizes that respect for privacy is a significant expectation of Internet users.") (footnotes omitted).

[99] See generally Fletcher v. Price Choppers Foods of Trumann, Inc., 220 F.3d 871 (2000); Cramer v. Consolidated Freightways, Inc., 209 F.3d 1122 (2000).

[100] Andrew B. Buxbaum & Louis A. Curcio, When You Can't Sell to Your Customers, Try Selling Your Customers (But Not Under the Bankruptcy Code), 8 Am. Bankr. Inst. L. Rev. 395, 411-12 (2000) (arguing that the appearance of privacy policies would create an expectation of privacy).

[101] See Hetcher, supra note 31.

[102] The possibility of externalization of the costs of an industry custom is one reason why the established "rule of custom" in tort law is that conformity to industry custom may serve as evidence of due care, but is not dispositive. See Hetcher, supra note 31.

[103] Ullmann-Margalit, supra note 95 (recounting classic norm emergence and emphasizing that the first step is to identify underlying social situations in which an emergent norm would promote efficiency).

[104] Sociologists refer to such relationships as "multiplex." See, e.g., Ellickson, supra note 16, at 55. In the early days of the non-commercial Internet, online interactions were typically between members of particular research communities. The members of those communities often had "multiplex" relationships with one another. These researchers might see each other at conferences; they might be former classmates, or share advisors or mentors; or they might wish to seek future employment at one another's institutions. Accordingly, there would often exist ample opportunities to sanction non-cooperative behavior, or reward cooperative behavior. Listservs such as The Well are of interest in this regard. The Well was pre-Web and non-commercial. In addition, many of its members were part of a relatively close-knit community, the Bay Area Internet cognoscenti. The Well nevertheless allowed members to interact anonymously if they wished. Predictably, serious problems arose with the community. See Esther Dyson, Release 2.0: A Design for Living in the Digital Age (1998).

[105] See David Farber, The Age of Great Dreams: America in the 1960s, 76 (1994). In Nashville, which became the focal point for the sit-in movement, the means by which a protester should politely refuse to accept the legal bounds set by civil society were carefully codified. James Lawson, a longtime student of Gandhian non-violence, explained: 'Do show yourself friendly on the counter at all times. Do sit straight and always face the counter. Don't strike back or curse if attacked.' With discipline, the protesters were turning American society on its head. Id.

[106] Tom Kirchofer, Microsoft Networks Tap Akamai, Boston Herald, Jan. 30, 2001, at 29 (noting that "Denial of Service" attacks overwhelm a company's computer with information and prevent legitimate traffic from getting through); see also Greg Miller, Microsoft Hit by New Wave of Outages; Internet: Hackers Cripple Company's Most Popular Websites; FBI is Asked to Probe "Denial of Service" Attacks, L.A. Times, Jan. 26, 2001, at C3.

[107] In addition, websites may have more ready access to technological means to remove protesters. See Lessig, supra note 3, at 66-70 (noting that no protesters allowed in AOL space through restrictive coding).

[108] Robert D. Cooter, Decentralized Law for a Complex Economy: The Structural Approach to Adjudicating the New Law Merchant, 144 U. Pa. L. Rev. 1643, 1690-94 (1996).

[109] Richard H. McAdams, The Origin, Development, and Regulation of Norms, 96 Mich. L. Rev. 338, 342 (1997) ("theory of origin and growth of norms" in which "the initial force behind norm creation is the desire individuals have for respect or prestige, that is, for the relative esteem of others.").

[110] Eric A. Posner, Law and Social Norms (2000); Eric A Posner, Symbols, Signals, and Social Norms in Politics and the Law, 27 J. Legal Stud. 765, 780 (1998).

[111] See Marc Rotenberg, supra note 90; see also Brendan Maher, Self-Regulation, Target Marketing, Dec. 1, 2000, available at 2000 WL 10932469 (arguing that consumers and businesses have little confidence in self-regulation and citing to a survey claiming 24% of adults polled felt the federal government should set privacy rules).

[112] See Sunstein, supra note 29.

[113] See Hetcher, supra note 13.

[114] See 2000 FTC Report to Congress, supra note 14.

[115] Id.

[116] The FTC recommends that any legislation passed be in broad and technologically neutral terms so industry and consumers can continue self-regulatory initiatives. See Privacy Online: Fair Information Practices in the Electronic Marketplace: Hearing Before the Senate Comm. on Commerce, Science, and Transportation, 106th Cong. (2000) (Prepared Statement of the FTC), available at http://www.ftc.gov/as/2000/05/testimonyprivacy.htm. This enables consumers to "trade away" their personal data for prizes or discounts if they so choose. See Jennifer Jones, Cashing in on Privacy, Network World Fusion, Sept. 12, 2000 (noting that consumers are willing to trade personal data if the incentives are high enough).

[117] See Radin, supra note 44.

[118] See infra text accompanying notes 109-10.

[119] Organization for Economic Cooperation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, available at http://www.oecd.org/dsti/sti/it/secur/ (Sept. 23, 1980).

[120] Rotenberg, supra note 48.

[121] Id.

[122] The notion of "thick" moral features derives from the philosophical literature on moral realism. See, e.g., John McDowell, Moral Realism (1991).

[123] Todd R. Weiss, Bush Faces His First Privacy Challenge Proposals from Industry, Advocates Differ, ComputerWorld, Jan. 22, 2001.

[124] Schwartz, supra note 21, at 1691 (arguing that the concept of notice being equivalent to privacy protection seems to be capturing much of the policy debate).

[125] An opt-in policy has been promoted by industry groups such as the Direct Marketing Association ("DMA") and the Online Privacy Alliance. Both groups have been leading proponents of industry self-regulation. The Online Privacy Alliance is a coalition of more than eighty companies and trade associations that formed in early 1998 to encourage self-regulation of data privacy. See 1999 FTC Report to Congress, supra note 4, at 7.

[126] Brian Krebs, IT Industry Council Signals Privacy-Law Advocacy, Newsbytes, Feb. 2, 2001 (reporting that due to public outcry lawmakers are suggesting federal electronic privacy protections); see also Rosalind C. Tritt, Privacy: A Threat to Free Speech?, Presstime, Jan. 2001, at 27; PrivacyRight, Inc. Forms Strategic Equity Partnership with Venture Factory, PR Newsire, June 6, 2000.

[127] In a series of hearings beginning in October and November of 1995, the FTC has examined consumer protection issues, including privacy concerns. See Internet Privacy: Hearing Before House Comm. on the Judiciary, 105th Cong. (1998), available at http://www.ftc.gov/os/1998/9803/privacy.htm.

[128] 15 U.S.C. § 45(a) (1994). The FTC prosecutes "[u]nfair methods of competition . . . and unfair or deceptive acts or practices in or affecting commerce" under § 5 of the Federal Trade Commission Act ("FTCA"). See id. Section 13(b) authorizes the prosecution of actions to enforce § 5. See id. § 57(b). Section 18 permits the FTC to create rules to prohibit deceptive or unfair practice prevalent in certain industries. See id. § 57(a).

[129] Note that the FTC's framework for regulating unfair practices does not require ownership of personal data. The fact that data subjects may have de facto control over their data is enough to generate an instance of an unfair or deceptive trade practice. This means that the agency has jurisdiction over website activities without a change in the intellectual property status of personal data.

[130] The FTC cites consumer preference studies to bolster its claims regarding the public's desire to maintain privacy online. Fair Information Partners in the Electronic Marketplace: Hearing Before the Senate Comm. on Commerce, Science, and Transportation, 106th Cong. (2000) (prepared statement of the FTC noting that 92% of consumers are concerned about misuse of their personal information and 62% are "very concerned"), available at http://www.ftc.gov/os/2000/os/testimonyprivacy.htm.

[131] § 809: "Online Privacy Protection Act of 1999": § 2606 "Consumer Privacy Protection Act," § 2928 "Consumer Internet Privacy Enhancement Act": Hearing Before the Senate Comm. on Commerce, Science and Transportation, 106th Cong. (2000) (FDCH testimony arguing Americans believe they own their personal data).

[132] At the 2000 Computers, Freedom & Privacy conference, a Novell representative who is in charge of worldwide privacy compliance for Novell explained that engineers by training build databases that are capable of gathering as much information as possible, whether this be personal data or data of some other sort, even if the narrow purposes for which the databases are created do not require such comprehensiveness. As she explains it, part of her job has been simply to educate the company's large number of engineers worldwide that more data, per se, is not better. Thus, while education alone cannot change the basic fact that most websites may have a dominant preference to disrespect consumer privacy concerns, nevertheless, education may be able to irradicate unnecessary data collection. Commissioned Research Confirms Privacy is a Key Issue Influencing Consumer Acceptance of Internet Billing; Gallup Poll Uncovers Opportunities to Build Consumer Confidence in 2001 by Implementing Best Practices for Online Privacy, PR Newswire, Jan. 16, 2001.

[133] The FTC has become the leading website privacy norm entrepreneur. While diverse instances of norm entrepreneurs are found in the legal literature, there are only a few instances of governmental entities discussed as norm entrepreneurs. In its everyday use, the word "entrepreneur" applies to someone in business, usually a principal in the business. Government agencies, however, are not in business. In what sense, then, may they function as entrepreneurs? By the lights of economic analysis, all actors are entrepreneurs in the sense that all actors seek to maximize something, whether it be a private firm seeking to maximize profit or a public-interest privacy advocate seeking to maximize the aggregate level of individual privacy throughout society. The core assumption is that actors are rational and that rationality demands that the actor act so as to maximize that which the actor values, its utility function. In the context of live persons, economics generally conceives of actors seeking to maximize their self-interest, welfare or happiness. Firms are thought to aim at maximizing profit. Governmental agencies are often conceived by economists as seeking to maximize size and power of the agency. See Hetcher, supra note 13.

[134] 1999 FTC Report to Congress, supra note 4, at 3; Robert MacMillan, Congress to Air Public Concerns Over Privacy, Newsbytes, Sept. 5, 2000 (arguing that privacy advocates are split with some advocating very strong privacy protections).

[135] The European Union ("EU") has recognized that self-regulation may in certain circumstances constitute "adequate" privacy protection for purposes of the EU Directive's ban on data transfer to countries lacking "adequate" safeguards. See Privacy Directive, supra note 21, art. 25. The EU has noted, however, that non-legal rules such as industry association guidelines are relevant to the "adequacy" determination only to the extent they are complied with and that compliance levels, in turn, are directly related to the availability of sanctions and/or external verification of compliance. See European Commission, Directorate General XV, Judging Industry Self-Regulation: When Does it Make a Meaningful Contribution to the Level of Data Protection in a Third Country? (1998), available at http://www.europa.eu.int/comm/dg15/en/media/dataprot/wp7.htm.

[136] Elsewhere, I argue that there is a compelling public choice explanation for the FTC's shoehorning of the panoply of activities into single normative notion of fairness, which is that doing so allows the FTC to exert jurisdiction over the growing area of public concern. See Hetcher, supra note 13. If the agency is thought of as a business, it can be seen as having executed a heads-up strategic play to move onto the Internet. And unlike many businesses currently facing this task, the FTC did not need to cannibalize from its traditional base, as it continues to regulate in the non-virtual world as well.

[137] Lawsuits filed so far have involved more than simple unconsented data collection and use. See Diane Anderson & Keith Perine, Privacy Issue Makes DoubleClick a Target, Industry Standard (Feb. 3, 2000), available at http://www.thestandard.com/article/display/0,1151,9480,00.html; Jeri Clausing, Privacy Adovcates Fault New DoubleClick Service, N.Y. Times, Feb. 15, 2000, at C2; Will Rodger, Activists Charge DoubleClick Double Cross, USAToday.com (Feb. 21, 2000), available at http://www.usatoday.com/life/cyber/tech/cth211.htm; Privacy on the Internet, N.Y. Times, Feb. 22, 2000, at A26; see also Complaint filed In the Matter of DoubleClick, Inc. (F.T.C. Feb. 10, 2000) (alleging violations of the FTC Act prohibiting unfair or deceptive acts or practices in or affecting commerce in its alleged practice of using cookies to create profiles of Internet users in contradiction of its stated privacy policy), available at http://www.epic.org/privacy/internet/ftc/DCLK_complaint.pdf; Complaint filed in Donaldson v. DoubleClick, Inc. (S.D.N.Y. Feb. 1, 2000) (No. 00-Civ.-0696) (seeking class action status while alleging violations of federal Electronic Communications Privacy Act and other federal statutes, deceptive advertising under New York law, and common law unjust enrichment and invasion or privacy, for DoubleClick's alleged practice of using cookies to create profiles of Internet users in contradiction of its stated privacy policy); Complaint filed in Healey v. DoubleClick, Inc. (S.D.N.Y. Jan. 31, 2000) (No. 00-CIV.-00641) (seeking class action status while alleging violations of federal Electronic Communications Privacy Act and other federal statutes, deceptive advertising under New York law, and common law unjust enrichment and invasion of privacy, for DoubleClick's alleged practice of surreptitiously using cookies to create profiles of Internet users); Complaint filed in Judnick v. DoubleClick, Inc. (Marin Cty. Sup. Ct. Jan. 27, 2000) (No. CV-421) (seeking private attorney general status while alleging state law claims of unfair business practices and false and misleading advertising by DoubleClick for its alleged practice of using cookies to create profiles of Internet users in contradiction of its stated privacy policy), available at http://www.perkinscoie.com/resource/ecomm/netcase/complaint1.pdf; Pamela Parker, DoubleClick's Legal Troubles Deepen, Internet News (Feb. 4, 2000), available at http://www.internetnews.com/bus-news/article/0,1087,3_299771,00.html.articles; Sandeep Junnarkar, DoubleClick Accused of Unlawful Consumer Data Use, CNET News.com (Jan. 28, 2000), available at http://www.cnet.com/news/0-1005-200-1534533.html.

[138] In 1998, after finding self-regulation of children's online privacy to be inadequate, the FTC recommended to Congress that it enact legislation, which Congress quickly did, enacting the Children's Online Protection Act. On October 21, 1998, the President signed into law the Children's Online Privacy Protection Act of 1998 ("COPPA"). Title XIII, Omnibus Consolidated and Emergency Supplemental Appropriations Act, 1999, Pub. L. 105-277, 112 Stat. 2681, 2681-287 (codified at 15 U.S.C. §§ 6501-6506) (October 21, 1998), reprinted at 144 Cong. Rec. H11,240-42 (Oct. 19, 1998). The stated goals of the Act are: (1) to enhance the parental involvement in a child's online activities in order to protect the privacy of children in the online environment; (2) to help protect the safety of online fora for children such as chat rooms, home pages, and pen-pal services in which children may make public postings of identifying information; (3) to maintain the security of children's personal information collected online; and (4) to limit the collection of personal information from children without parental consent. 144 Cong. Rec. S12,741 (1998) (Statement of Sen. Bryan).

[139] Could Try Harder: Protecting Privacy on the Internet, The Economist, May 27, 2000 (noting that only 20 percent of websites collecting personal information implement all of the fair information practice principles-leaving the FTC to argue that if implemented the principles would be effective. The FTC recommends Congress establish some basic privacy rules and give the FTC the power to implement these rules); see also Nancy Weil, FTC Says Internet Privacy Legislation is Not Needed-Yet, Infoworld Daily News, July 13, 1999, available at 1999 WL 10504347.

[140] 1999 FTC Report to Congress, supra note 4, at 12-13.

[141] Id.

[142] Mancur Olson, The Logic of Collecitve Action (1965).

[143] Recently, software vendors have begun marketing so-called "privacy-solutions." For example, Zero-Knowledge Systems lets Internet users surf the net anonymously. See Tech Leaders of the Year; They're Young; They're Aggressive; They're Taking on the World. And They're Just Getting Started, Profit, Nov. 2000, at 73; see also Company Chosen from Elite Group of Industry Players to Present Its Internet Privacy Solution, PR Newswire, Oct. 27, 2000. Privacy Solutions typically come in the form of software that users, websites, or both can install in order to create a more private online environment. John Graubert & Jill Coleman, Consumer Protection and Antitrust Enforcement at the Speed of Light: The FTC Meets the Internet, 25 Can. U.S. L.J. 275, 290 (1999) ("In the case of Internet privacy, several technologies potentially capable of protecting the online privacy of consumers are evidently already on the market or under development. Technology-based privacy solutions may eventually provide consumers with the confidence and security that they need to conduct business on the Internet on a global scale."); ZDWire, P3P: Just a Start, July 17, 2000, available at 2000 WL 18178259 ("There's no disputing that privacy has emerged as a leading issue of the Internet age. A whole industry is springing up around it, with software and service providers rushing to offer the latest and greatest solution for protecting an individual's personal information and identity online."). There may remain websites that are not reachable. But if there are a small enough number of such sites, this may be an acceptable level of defection from acceptable norms. The hardest sites to reach are those that can completely externalize costs to consumers. These would be sites that would not have repeated interactions with the same consumers and ones that would be able to avoid reputational costs. For consumers might not even go to the site in the first place, if the site's reputation was bad and widely known.