© 1999 Joel R. Reidenberg.

Professor of Law and Director of Graduate Program Academic Affairs, Fordham University School of Law. An earlier draft of this paper was presented at the University of California, Berkeley Symposium The Legal and Policy Framework for Global Electronic Commerce: A Progress Report held March 4-6, 1999. I am very grateful for the thoughtful comments of Symposium participants and of the editors of the Berkeley Technology Law Journal.

1. See Privacy Exchange.org, 1998 Privacy Concerns & Consumer Choice Survey, Executive Summary, P&AB Survey, Privacy & Am. Bus., Jan./Feb. 1999, at 1 (last modified Dec. 15, 1998) p.1 <http://www.privacyexchange.org/iss/surveys/1298exec-sum.html> (reporting that 82% of those surveyed feel that consumers have lost all control over how companies collect and use their personal information); American Am. AssocAss'n. of Retired Persons, AARP Members' Concerns about Information Privacy, (Dec. 1998 )(reporting that 78% of those polled found existing statutory protections inadequate to protect privacy.).

2. BW/Harris Poll: Online Insecurity, BUS. WK., Mar.ch 16, 1998, at 102. <http://www.businessweek.com/1998/11/b3569107.htmhm>.

3. See WILLIAM J. CLINTON & ALBERT GORE, JR., A FRAMEWORK FOR GLOBAL ELECTRONIC COMMERCE (July 1, 1997), (visited Sept. 19, 1998) available at, available at <http://www.iitf.nist.gov/eleccomm/ecomm.htm> (visited Sept. 19, 1998) [hereinafter FRAMEWORK].

4. See PAUL M. SCHWARTZ & JOEL R. REIDENBERG, DATA PRIVACY LAW: A STUDY OF UNITED STATES DATA PROTECTION 10 (1996).

5. See generally FRED H. CATE, PRIVACY IN THE INFORMATION AGE (1997); SCHWARTZ & REIDENBERG, DATA PRIVACY LAW, supra, note 4.

6. Federal law carefully protects the personal information of individuals who undergo treatment for alcohol or drug abuse in programs receiving federal funds or subject to federal regulation. See 42 U.S.C. 290dd--1, 290dd-2 (1994)ee-3; SCHWARTZ & REIDENBERG, DATA PRIVACY LAW, Data Privacy Lawsupra note 4, at 177-78 (1996). At the same time, only limited protection is available for Internet users. Statutory protection applies to telecommunications transaction information when collected by telecommunications service providers. See 47 U.S.C. 222. However, if the data is collected by web sites, instead of service providers, then the statutory protection does not apply.

7. See O.E.C.D., Recommendations of the Council concerning guidelines governing the protection of privacy and transborder flows of personal data, O.E.C.D. Doc. C58 (final)(Oct. 1, 1980), reprinted in 20 I.L.M. 422 (1981)(visited March 28, 1999)<http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.htm> [hereinafter OECD Guidelines]; Council of Europe, Convention for the protection of individuals with regard to automatic processing of personal data, Jan. 28, 1981, EUR. T.S. No. 108, reprinted in 20 I.L.M. 377 (1981), available at(visited March 28, 1999) <http://www.coe.fr/eng/legaltxt/108e.htm> [hereinafter European Convention]; Council Directive 95/46/EC of the European Parliament and of the Council of 24 Oct. 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995 O.J. (L281) 31 (Nov. 23, 1995), available at(visited March 28, 1999) <http://europa.eu.int/eur-lex/en/lif/dat/en_395L0046.html> [hereinafter European Directive]; O.E.C.D., RECOMMENDATIONS OF THE COUNCIL CONCERNING GUIDELINES GOVERNING THE PROTECTION OF PRIVACY AND TRANSBORDER FLOWS OF PERSONAL DATA, O.E.C.D. DOC. C58 (final) (Oct. 1, 1980), reprinted in 20 I.L.M. 422 (1981), available at <http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.htm> [hereinafter OECD Guidelines].

8. U.S. DEPT. OF COMMERCE, PRIVACY AND ELECTRONIC COMMERCE (June 1998) <http://www.doc.gov/ecommerce/privacy.htm>.

9. See U.S. DEP'T OF HEALTH, EDUC. & WELFARE, SECRETARY'S ADVISORY COMM. ON AUTOMATED PERSONAL DATA SYSTEMS, Records, Computers and the Rights of Citizens (1973), reprinted in U.S. PRIVACY PROTECTION STUDY COMMISSION, PERSONAL PRIVACY IN AN INFORMATION SOCIETY, 15 n.7 (1977).

10. See Robert M. Gellman, Fragmented, Incomplete, and Discontinuous: The Failure of Federal Privacy Regulatory Proposals and Institutions, 6 SOFTWARE L.J. 199 (1993).

11. 15 U.S.C.C. 1681 (Supp. 3).

12. 18 U.S.C. 2710-2711 (1994).

13. See, e.g., U.S. DEPT. OF COMMERCE, NAT'L TELECOMM. AND INFO. ADM., PRIVACY AND SELF-REGULATION IN THE INFORMATION AGE, Ch. I.A. (visited March 23, 1999) (June 1997) (visited March 23, 1999) <http://www.ntia.doc.gov/reports/privacy/privacy_rpt.htm>.

14. See, e.g., U.S. PRIVACY PROTECTION STUDY COMMISSION, PERSONAL PRIVACY IN AN INFORMATION SOCIETY (1977); FEDERAL TRADE COMMISSION, PRIVACY ONLINE: A REPORT TO CONGRESS (June 1998) (visited March 28, 1999) <http://www.ftc.gov/reports/privacy3/toc.htm>; INFORMATION POLICY COMMITTEE, NATIONAL INFORMATION INFRASTRUCTURE TASK FORCE, OPTIONS FOR PROMOTING PRIVACY ON THE NATIONAL INFORMATION INFRASTRUCTURE (Apr.il 1997) (visited March 26, 1999) <http://www.iitf.nist.gov/ipc/privacy.htm>; FEDERAL TRADE COMMISSION, STAFF REPORT: PUBLIC WORKSHOP ON CONSUMER PRIVACY ON THE GLOBAL INFORMATION INFRASTRUCTURE (Dec. 1996)(visited March 28, 1999) <http://www.ftc.gov/reports/privacy/privacy1.htm>; NAT'L TELECOMM. AND INFO. ADM., U.S. DEPT. OF COMMERCE, PRIVACY AND THE NII: SAFEGUARDING TELECOMMUNICATIONS-RELATED PERSONAL INFORMATION (Oct. 1995) <http://www.ntia.doc.gov/ntiahome/privwhitepaper.html>; U.S. ADVISORY COUNCIL, NATIONAL INFORMATION INFRASTRUCTURE, COMMON GROUND: FUNDAMENTAL PRINCIPLES FOR THE NATIONAL INFORMATION INFRASTRUCTURE (Mar.ch 1995) ; U.S. INFORMATION INFRASTRUCTURE TASK FORCE WORKING GROUP ON PRIVACY, PRIVACY AND THE NATIONAL INFORMATION INFRASTRUCTURE: PRINCIPLES FOR PROVIDING AND USING PERSONAL INFORMATION (Oct. 1995) (visited March 28, 1999) <http://www.iitf.nist.gov/ipc/ipc/ipc-pubs/niiprivprin_final.html>.; Nat'l Telecomm. and Info. Adm., U.S. Dept. of Commerce, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information (Oct. 1995) (visited March 28, 1999)<http://www.ntia.doc.gov/ntiahome/privwhitepaper.html>; U.S. Privacy Protection Study Commission, Personal Privacy in an Information Society (1977).

15. FRAMEWORK, supra note 3, at 14 (Issue 5).

16. See In re Trans Union, FTC Docket No. 9255, at 53 (July 31, 1998) , at 53 (visited on March 28, 1999) <http://www.ftc.gov/os/1998/9808/d9255pub.id.pdf>.

17. See ALAN F. WESTIN, PRIVACY AND FREEDOM 23-26 (1967).

18. See Paul Schwartz, Privacy and Participation: Personal Information and Public Sector Regulation in the United States, 80 IOWA L. REV. 553 (1995); Spiros Simitis, Reviewing Privacy in an Information Society, 135 U. PA. L. REV. 707, at 732 (1987).

19. See WESTIN, supra note 17, at 23.

20. See Jerry Kang, Information Privacy in Cyberspace Transactions, 50 STAN. L. REV. 1193, 1248 (1998) (observing that transaction costs are ignored in the market-based solutions); Paul Schwartz, Privacy and the Economics of Personal Health Care Information, 76 TEX. L. REV. 1 (1997).

21. See Acxiom Catalog, at 9 (ethnic data), 11 (specialty apparel data), 12-13 (car data) (1999) (visited March 30, 1999) <http://www.acxiom.com/infobase/catalog/catalog99.pdf> (PDF file).

22. See Joel R. Reidenberg & Paul M. Schwartz, Legal Perspectives on Privacy, in INFORMATION PRIVACY: LOOKING FORWARD, LOOKING BACKward (Mary Culnan & Robert Bies, eds., forthcoming 1999) (noting particular failure of industry codes to encompass significant amounts of personal information and the failure to include remedies for victims of information abuse).

23. See U.S. DEPT. OF COMMERCE, Agenda for Public Meeting on Internet Privacy (June 23-24, 1998) (visited on March 30, 1999) <http://www.ntia.doc.gov/ntiahome/privacy/confinfo/agenda.htm>.

24. See Commerce Secretary William H. Daley, Remarks to Privacy Summit (June 23, 1998), (visited March 28, 1999) (transcript available at <<http://www.doc.gov/opa/Speeches/980623.html> (visited March 28, 1999)).

25. Electronic Commerce: Privacy in Cyberspace, Hearings on H.R. 2368 Bbefore the Subcomm. on Telecommunications, Trade and Consumer Protection of the House Comm. on Commerce, 105 Cong., 2nd Sess., July 21, 1998 (testimony of Robert Pitofsky, Chairman of the FTC), available at (visited March 31, 1999) <http://www.ftc.gov/os/1998/9807/privac98.htm#N_3_>.

26. U.S. GOV'T WORKING GROUP ON ELEC. COMMERCE, FIRST ANNUAL REPORT 16 (November Nov. 1998), available at (visited March 28, 1999) <http://www.doc.gov/ecommerce/E-comm.pdf>.

27. See Commerce Secretary William H. Daley, Remarks at Press Conference on E-Commerce (Feb. 5, 1999) (visited March 28, 1999)(transcript available at <http://www.doc.gov/opa/Speeches/ecommerceremarks.html>).

28. See TRUSTe, TRUSTe Program Principles (visited on Mar.ch 30, 1999) <http://www.truste.org/webpublishers/pub_principles.html>.

29. See In re GeoCities Decision and Order, F.T.C. Docket No. C-3850 (visited Mar.ch 29, 1999) <http://www.ftc.gov/os/1999/9902/9823015d&o.htm>.

30. As of March 2, 1999, TRUSTe had 51 sponsors; only 26 were registered as licensees of the TRUSTe logo to show a commitment to privacy. Compare TRUSTe, TRUSTe Sponsors (visited March Mar. 30, 1999) <http://www.truste.org/about/about_sponsors.html>, with TRUSTe, Look Up A Company (visited March Mar.30, 1999) <http://www.truste.org/users/users_lookup.html>.

31. TRUSTe requires that "web sites ... must disclose their personal information collection and privacy practices." TRUSTe, The TRUSTe Program: How it Protects Your Privacy (visited March Mar. 30, 1999) <http://www.truste.org/users/users_how.html>. However, from the main TRUSTe member directory web page, TRUSTe, Member Directory (visited March Mar. 30, 1999) <http://www.truste.com>, there is a link to <http://www.worldpages.com/whitepages>. This latter site uses cookies to collect information from the user and allows a user to search for the address and phone number of anyone in the United States. The site does not display a TRUSTe logo, nor does it disclose any privacy policy. There is a link in fine print at the bottom of the web page "About Worldpages" to another web page: <http://www.worldpages.com/docs/about.whtml> (visited March Mar. 30, 1999). This last web page similarly says nothing about privacy, but does identify the owner of the page: Web YP, Inc. Web YP, Inc. is not listed as a licensee of TRUSTe, though a company identified as "World Pages, Inc." is listed.

32. See BBBOnLine, Homepage (visited March Mar. 31, 1999) <http://www.bbbonline.com>.

33. See Robert O'Harrow, Better Business Bureaus Offer Online Privacy Seal, WASH. POST, March. 17, 1999, p. at E1.

34. See BBBOnLine, Eligibility Criteria for BBBOnLine Privacy Seal (visited March. 31, 1999) <http://www.bbbonline.com/businesses/privacy/eligibility.html.>.

35. See FEDERAL TRADE COMMISSION, TRANSCRIPT: PUBLIC WORKSHOP ON CONSUMER PRIVACY ON THE GLOBAL INFORMATION INFRASTRUCTURE, F.T.C. PROJECT P954807, Washington, D.C. , at 79-90 (June 4, 1996) (Sstatement of Paul Resnick, AT&T Research),) > (visited March 31, 1999) ( transcript available at < http://www.ftc.gov/bcp/privacy/wkshp96/pw960604.pdf (visited March 31, 1999).>).

36. See W3C, About the World Wide Web Consortium (visited March 31, 1999) (visited Apr. 20, 1999) < http://www.w3.org/Consortium/>.

37. See Chris Oakes, Patent May Threaten E-Privacy, WIRED, Nov. 11, 1998, (visited March 31, 1999) available at <http://www.wired.com/news/news/technology/story/16180.html>; Intermind, About Intermind Communication's Patents (visited March 31, 1999) (visited Apr. 20, 1999) <http://www.intermind.com/materials/patent_desc.html>.

38. See FRAMEWORK, supra note 3, at 12 (Issue #5).

39. Id.

40. Id.

41. See U.S. DEPT. OF COMMERCE, N.T.I.A., ELEMENTS OF EFFECTIVE SELF-REGULATION FOR PROTECTION OF PRIVACY (Jan. 1998) (visited March 31, 1999) <http://www.ntia.doc.gov/reports Elements /privacydraft/198dftprin.htm>.

42. See, supra note 8 and accompanying text; Gellman, supra note 10, at 200.

43. See FCC Second Report and Order and Further Notice of Proposed Rulemaking, FCC Docket No. 96-149, 91 (Feb. 19, 1998) (visited March 31, 1999) <http://www.fcc.gov/Bureaus/Common_Carrier/Orders/1998/fcc98027.txt>.

44. See Jeri Clausing, After Intel Chip's Debut, Critics Step Up Attack, N.Y. TIMES ON THE WEB (Feb. 19, 1999 1999)(visited March 31, 1999) <http://www.nytimes.com/library/tech/99/02/cyber/articles/19intel.html>.

45. See Netscape Corp., What's Related FAQ (visited Apr. 20, 1999) (visited March 31, 1999)<http://home.netscape.com/escapes/related/faq.html#o6>.

46. See FRAMEWORK, supra note 3, at 14 (Issue #5) ("The United States will continue policy discussions ... to increase understanding about the U.S. approach to privacy and to assure that the criteria [Europeans] use for evaluating adequacy are sufficiently flexible to accommodate our approach.").

47. See European Directive, supra note 7, at art. 25.

48. See U.S. Dept. of Commerce, Draft International Safe Harbor Privacy Principles (Nov. 4, 1998) <http://www.ita.doc.gov/ecom/menu.htm>.

49. See International Trade Administration, U.S. Dept. Of Commerce, Public Comments filed on "Draft International Safe Harbor Privacy Principles" <http://www.ita.doc.gov/ecom/com.htm>; Working Party of European Data Protection Supervisory Authorities, Opinion 1/99 concerning the level of data protection in the United States and the ongoing discussion between the European Commission and the United States Government, DG XV 5092/98/WP15 (Jan. 26, 1999) (visited March 31, 1999) <http://europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp15en.htmhttp://www.privacyexchange.org/news/990129wpdoc.html>; Working Party of European Data Protection Supervisory Authorities, Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, DG XV D/5025/98/WP12 (July 24, 1998) (visited March 31, 1999) <http://europa.ue.int/comm/dg15/en/media/dataprot/wpdocs/wp12en.htm>.

50. These states are Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, Netherlands, Portugal, Spain, Sweden, and the United Kingdom.

51. See, e.g., COLIN BENNETT, REGULATING PRIVACY: DATA PROTECTION AND PUBLIC POLICY IN EUROPE AND THE UNITED STATES (1992); DAVID FLAHERTY, PROTECTING PRIVACY IN SURVEILLANCE SOCIETIES (1989); Fred H. Cate, The EU Data Protection Directive, Information Privacy, and the Public Interest 80 IOWA L. REV. 431 (1995); David Flaherty, Protecting Privacy In Surveillance Societies (1989).

52. See European Convention, supra note 7, at art. 1.

53. This term "information self-determination" was coined by a 1983 German court decision prohibiting the intrusiveness of a national census. See Judgment of the First Senate [Bverfge, Karlsruhe],, Dec. 15, 1983], translated in 5 HUM. RTS. L.J. 94 (1984).

54. See, e.g., European Directive, supra note 7, at Recital 10 (explaining that the purpose of the Directive is to "seek to ensure a high level of protection in the Community").

55. ISee id., at Recital 12, art. 3.

56. See Viktor Mayer-Schonberger, Generational Development of Data Protection in Europe, in TECHNOLOGY AND PRIVACY: THE NEW LANDSCAPE 220 (Philip E. Agre & Marc Rotenberg eds., 1998).

57. See European Directive, supra note 7, at Recital 7; JOEL R. REIDENBERG & PAUL M. SCHWARTZ, DATA PROTECTION LAW AND ON-LINE SERVICES: REGULATORY RESPONSES (Eur. Comm. 1998),, (visited March 31, 1999) original version available at (visited March 31, 1999) <http://europa.eu.int/comm/dg15/en/media/dataprot/studies/regul.pdf>.

58. See European Directive, supra note 7.

59. See supra note XX.Spiros Simitis, From the Market to the Polis: The EU Directive on the Protection of Personal Data, 80 IOWA L. REV. 445 (1995).

60. This 'transposition' of the European Directive's standards into national law was to have occurred by October 1998. See European Directive, supra note 7, at art. 32. However, as is not uncommon in the European system, few Member States have complied with the deadline.

61. See European Directive, supra note 7, at aArt. 28.

62. ISee id., at art. 18-19.

63. See Douwe Korff (ed.), Existing case-law on compliance with data protection laws and principles in the Member States of the European Union, Annex to the Annual Report 1998 of the Working Party Established by Article 29 of Directive 95/46/EC (Douwe Korff ed., Eur. Comm: 1998).

64. See Joel R. REIDENBERG & SCHWARTZ, DATA PROTECTION LAW, ONLINE SERVICES AND DATA PROTECTION AND PRIVACY: REGULATORY RESPONSES (Off. Publ. of the Eur. Comm: 1998supra note 57); PETER SWIRE & ROBERT LITAN, NONE OF YOUR BUSINESS: WORLD DATA FLOWS, ELECTRONIC COMMERCE, AND THE EUROPEAN PRIVACY DIRECTIVE 188-196 (1998).

65. European Directive, supra note 7, at art. 2(a).

66. See REIDENBERG & SCHWARTZ, DATA PROTECTION LAW, supra note 57, at 124-126.

67. Reidenberg & Schwartz, supra note 57See id., at 133-34.

68. See European Directive, supra note 7, at art. 29.

69. International Working Group on Data Protection and Telecommunications, Data Protection and Privacy on the Internet: Report and Guidance (Berlin,: Nov. 18, 1996) (visited March 31, 1999) <http://www.datenschutz-berlin.de/diskus/13_15.htm>.

70. See European Directive, supra note 7, at art. 27.

71. See REIDENBERG & SCHWARTZ, DATA PROTECTION LAW, supra note 57, at 153-54147.

72. See id. at 153-54; Working Party of European Data Protection Supervisory Authorities, Opinion 1/98: Platform for Privacy Preferences (P3P) and the Open Profiling Standard (OPS), DG XV D/5032/98/WP11 (June 16, 1998) (visited March 31, 1999) <http://europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp11en.htm>;; Joel R. Reidenberg, International Data Flows and Methods to Strengthen International Co-operation. (Ppaper presented at the 20th International Conference of Data Protection Authorities, Santiago de Compostela, Spain) (Sept.ember 17, 1998) (visited March 31, 1999) <http://home.sprynet.com/~reidenberg/idt.htm>.

73. See European Directive, supra note 7, at aArt. 4 (choice of law) and aArt. 25 (export prohibition).

74. See SWIRE & LITAN, supra note 64, at 188-196.

75. See Joel R. Reidenberg, The Movement toward Obligatory Standards for Fair Information Practices in the United States, in VISIONS FOR PRIVACY: POLICY CHOICES FOR THE DIGITAL AGE (Colin Bennet & Rebecca Grant eds., 1999).

76. See, e.g., HUNGARIAN REPUBLIC, THE FIRST THREE YEARS OF THE PARLIAMENTARY COMMISSIONER FOR DATA PROTECTION AND FREEDOM OF INFORMATION 68-72 (1998) (discussing the influence of the European Directive for Hungarian data protection law); Council of Europe, Chart of Signatories and Ratifications (visited Apr. 20, 1999) <http://www.coe.fr/tablconv/108t.htm>(visited March 31, 1999) (listing countries that have ratified the treaty on data privacy); Industry Canada, Task Force on Electronic Commerce: The International Evolution of Data Protection (Oct. 1, 1998) (visited on March 31, 1999) <http://e-com.ic.gc.ca/english/fastfacts/43d10.htm> (justifying the Canadian proposal for a comprehensive privacy law by reference to the European initiative); Office of the Privacy Commissioner for Personal Data, Hong Kong, Personal Data (Privacy) Ordinance, Chap. 486 (visited Apr. 20, 1999) <http://www.pco.org.hk/ord/section_00.html> (displaying Hong Kong statute that follows theing European comprehensive model);. Hungarian Republic, The First Three Years of the Parliamentary Commissioner for Data Protection and Freedom of Information 68-72 (1998)(discussing the influence of the European Directive for Hungarian data protection law.)

77. See REIDENBERG & SCHWARTZ, DATA PROTECTION LAW, supra note 57, at 142-146.

78. See European Directive, supra note 7, at art. 32.

79. See Westin, supra note 17; Jeb Rubenfeld, The Right of Privacy, 102 HARV. L. REV. 737 (1989); OECD Guidelines, supra note 7, at Preamble ("Member countries have a common interest in protecting privacy and individual liberties."); Schwartz supra note 18; Simitis, supra note 18; WESTIN, supra note 17. Jeb Rubenfeld, The Right of Privacy, 102 Harv. L. Rev. 737 (1989); OECD Guidelines, supra note 7, at Preamble ("Member countries have a common interest in protecting privacy and individual liberties.")

80. Jacobellis v. Ohio, 378 U.S. 184, 197 (1964) (describing attempts to categorize pornographic materials as "I know it when I see it.".).

81. See O.E.C.D. Guidelines, supra note 7; U.S. DEPT. OF COMMERCE, PRIVACY AND ELECTRONIC COMMERCE (June 1998) (visited March 31, 1999) <http://www.doc.gov/ecommerce/privacy.htm> (recognizing the OECD Principles as the standard); U.S. Dept. oOf CommerceComm., Nat'l Telecomm. and Info. Adm., The Global Information Infrastructure: Agenda for Cooperation, 60 Fed. Reg. 10359, 10367 (Feb. 24, 1995) (recognizing that the US accepts the OECD Principles).

82. After the O.E.C.D. adopted the guidelines, major U.S. companies subscribed to the principles. See GENERAL ACCOUNTING OFFICE, PRIVACY POLICY ACTIVITIES OF THE NATIONAL TELECOMMUNICATIONS AND INFORMATION AGENCY (Aug. 31, 1984) cited in Gellman, supra note 10, at 227 n.60; H.P. Gassman, Vers un cadre juridique internationale pour l'informatique et autres nouvelles techniques de l'information, ANNUAIRE FRANCAIS DE DROIT INTERNATIONAL 747, 750 (1985) (according to the author, who was a staff official at the O.E.C.D., noted that 180 U.S. companies had subscribed to the O.E.C.D. guidelines.).

83. See Lawrence Lessig, Reading the Constitution in Cyberspace, 45 EMORY L. J. 869, 898 (1996).

84. SeeJoel R. Reidenberg, Lex Informatica: The Formulation of Information Policy Rules through Technology, 76 Tex. L. Rev. 553 (1998)[hereinafter Lex Informatica]; Joel R. Reidenberg, Governing Networks and Rule Making in Cyberspace, 45 EMORY L. J. 911, 917-919, 929 (1996); Joel R. Reidenberg, Lex Informatica: The Formulation of Information Policy Rules through Technology, 76 TEX. L. REV. 553 (1998) [hereinafter Lex Informatica].

85. P3P is a protocol to enable disclosure and negotiation of the terms of consumer privacy between a web user and a web site collecting personal information. See W3C, Platform for Privacy Preferences P3P Project (visited Mar.ch 31, 1999) <http://www.w3.org/P3P>.

86. See Joel R. Reidenberg, The Use of Technology to Assure Internet Privacy : Adapting Labels and Filters for Data Protection, LEX ELECTRONICA (Fall 1997) (visited March 31, 1999) <http://www.lex-electronica.org/reidenbe.html>.

87. See Mark Slayton, An Introduction to Cookies, HOT WIRED, Nov. 7, 1996 (visited March 31, 1999) <http://www.hotwired.com/webmonkey/webmonkey/geektalk/96/45/index3a.html.>.

88. See James Glave, Next Netscape Will Chew Cookies on Command, WIRED NEWS, Feb. 22, 1997 (visited March 31, 1999) , available at <http://www.wired.com/news/news/technology/story/2196.html>.

89. None of the programs offers any damage remedy to individuals when the company adherents fail to fulfill their privacy commitments.

90. See Polly Sprenger, Intel on Privacy: 'Whoops!', WIRED NEWS, Jan. 25, 1999 (visited Mach 31, 1999) <http://www.wired.com/news/news/politics/story/17513.html>.

91. See Lex Informatica, supra note 864, at 584 (discussing the effect of liability and the structure of the Internet.).

92. For example, instead of publishing notice in the Federal Register for public comment on the draft international privacy principles, Undersecretary Aaron sent a letter, dated November 4, 1998, addressed "Dear Industry Representative" and posted it on a hidden web page several days later. See Letter from David Aaron, Undersecretary of Commerce to Industry Representatives (Nov. 4, 1998), available at <http://www.ita.doc.gov/ecom/aaron114.html>.

93. Declan McCullagh & James Glave, Clinton Tabs Privacy Point Man, WIRED NEWS, Mar. . 3, 1999 (visited March 31, 1999), available at <http://www.wired.com/news/news/politics/story/18249.html>.

94. See Joel R. Reidenberg, Privacy in an Information Economy: A Fortress or Frontier for Individual Rights?, 44 FED. COMM. L.J. 195, 242 (1992) (proposing a legislative model with a safe harbor mechanism for industry).

95. See HElectronic Commerce: Privacy in Cyberspace, Hearings on H.R. 2368 Bearings before the Subcomm. on Telecommunications, Trade and Consumer Protection of the House Comm. on Commerce, 105th Cong., 2nd Sess., July 21, 1998 (tTestimony of Robert Pitofsky, Chairman of the FTC) (visited March 31, 1999) , available at <http://www.ftc.gov/os/1998/9807/privac98.htm#N_3_>.

96. See, e.g., REIDENBERG & SCHWARTZ, DATA PROTECTION LAW, supra note 57, at 153-54.