This paper addresses these issues by beginning with a brief exploration of the techniques employed by Internet businesses to build comprehensive personal profiles, and how these practices destroy one's privacy on the Internet. It next details why the self-regulation endorsed by both the industry and the Federal Trade Commission (FTC) has failed to provide adequate protections. The second part of the paper examines a class action lawsuit against Double Click, and the 10th Circuit Court of Appeals recent decision in U.S. West v. Federal Communication Commission 1 (hereinafter U.S. West). These two cases will likely play an integral role in shaping the Internet privacy debate.2  The paper concludes with the suggestion that the only meaningful way to protect privacy rights on the Internet is to require that consumers "opt-in" before their personal information can be collected or distributed. Such an approach would protect against inadvertent collection and disclosure of an individual's personal information.

Imagine jumping into your brand new Ford Explorer and driving down the Interstate on your routine evening commute home. You sit back and relax, listen to the radio, and make periodic phone calls on your cell phone to overcome the monotony and frustration of any evening rush hour. Recently, your commute has become even more hassle-free now that you own the commuter's "E-Z Zip pass," allowing you to quickly pass through interstate toll booths without ever needing to stop.

As your journey continues down the open highway, you reflect upon modern day technology and how much easier your life has become since the creation of cell phones, zip passes, Palm Pilots, On-star and other modern technological innovations.3 You try to imagine how you ever functioned without these modern day marvels, never for a moment considering the consequences of the detailed trail of personal information left behind by this technology. This trail of information is available to potentially interested parties. It can inform others who we are, where we live and work, where we go and the routes we use,4 and even our favorite radio stations.5

Today, many government and private agencies track, collect, and process this information, creating sophisticated databases detailing our movements and actions. The existence and exploitation of such personal data becomes even more potentially destructive of one's privacy if this information is later sold to others for commercial purposes -- whether or not one ever consented, or were even aware of its collection.6

 Although the real-world data collection methods just described are troubling, they pale in comparison to the way in which personal information is compiled about us in the virtual world of cyber-space.

In today's Internet, every transaction, web site visited, contemplated purchase, and even surfing habits can be collected and recorded in a variety of databases. 7 These tidbits of personal information, valuable alone, become even more valuable when they are eventually organized into detailed customer profiles. Such profiles can inform businesses who we are, what and where we like to buy items, our preferred method of purchase, and any other tidbit of personal information that we may have disclosed along the way.8

What makes the collection and dissemination of this personal data disturbing is the realization that there are few, federal laws or other enforceable restraints to prevent commercial entities from exploiting it. The only protective measures currently in place to protect consumers' privacy are the industries' assurances of "self-regulation" and the patchwork of grossly inadequate federal and state laws. 9
 
Through sophisticated collection techniques such as "cookies,10" "data mining,11" "harvesting," and "click-stream data,12" commercial entities can assemble extensive personal profiles that are not only extremely accurate reports on past behavior, but can even provide clues as to our future behavioral patterns.13

As if this invasion of privacy wasn't enough, prominent Internet companies such as Double Click have attempted to consolidate a consumer's online profile with previously existing databases that track individuals' conventional purchasing. These databases may incorporate such intimate details as an individual's annual income, place of residence, occupation, credit history, and other relevant information.14

It is not surprising that databases containing users' personal information is now viewed as an integral part of many Internet companies' business models. In a recent case filed against Yahoo, the personal information compiled about Yahoo's users was believed to have an estimated value of $4 billion dollars.15 Considering the enormous value placed on this kind of information, it is appalling to realize that even though we currently have a federal law recognizing an individual's right to privacy regarding their video rentals, we still don't have any laws protecting consumers from the exploitation of their personal privacy on the Internet.16 

Over the past ten years the Internet has grown into a powerful medium with over 168 million users worldwide and approximately seventy-five percent of these users residing in North America.17 This largely untapped market of consumers forced businesses to incorporate the Internet into their business plans, or risk losing an extremely valuable share of the market. The result is the creation and evolution of electronic commerce (e-commerce) where businesses are perpetually attempting to attract more and more consumers. The growth and success of e-commerce led to forecasts that electronic commercial transactions over the Internet last year would exceed $350 billion dollars in sales.18

As businesses began to appreciate the market potential of the Internet, it wasn't long before software was incorporated in efforts to capture a larger market share. For example, web sites began to employ "cookies.19" Cookies are small bits of data unknowingly stored on an online user's hard drive that track and records an individual's preferences, and reveals this information whenever specific web sites are accessed. 20 Initially, cookies were primary used as a marketing tool to help businesses better understand their faceless consumers. However, over time businesses began to realize the market value in collecting and exploiting personal information pertaining to their consumers. In order to acquire more detailed and accurate information about its users, web sites began to offer free services such as e-mail, personalized news, stock quotes or other special incentives.21 In exchange for these free services, customers agree to create a personalized user profile, including their name, address, e-mail address, their interests, and other relevant information. These user profiles allow web sites to identify customers personally. This personal touch enhances a user's experience by tailoring and personalizing their web sites to maximize their appeal to a particular user's tastes.22

As software improved, businesses became more sophisticated in their exploitation of cookies to collect personal information about their users. By "combining" cookies and personal profiles, businesses are able to record a user's "click-stream" data. This technique discloses information about a user's surfing habits, such as web sites visited, the duration of those visits, the information viewed at those particular web sites, and how the user arrived to a particular web site (e.g., from a hyperlink).23 This click-stream data also allows a company either to create or to supplement an existing online profile. Although the relevance of such supplemental information may not be immediately apparent, over time a particular pattern or relevant tidbit of information may emerge to compliment a user's personal profile. Data mining allows companies to analyze compiled information about a particular user and attempt to discover new patterns or habits that were not previously known. 24  This technique enables a company to forecast a user's habits based on previous revealed tendencies. For example, a user may go to a particular website every fall to plan a cruise to the Caribbean with his family. Once a company is able to identify such a habit, it will then attempt to target similar trips to the Caribbean in order to capture that user's business.

These invasive techniques are constantly collecting and sorting new information into "data warehouses" that can eventually be combed through for more revealing information.25 Industry experts justify their practices of collecting a user's personal information by claiming that these techniques allow businesses to reduce their costs, better serve their customers, provide a better understanding of a particular customer's needs, and allows more effective collection efforts.26 With the premium value placed on this type of information, it is not surprising to hear an industry expert justify her practices as being necessary to ensure the future ability to achieve "more efficient collection efforts." It is just unfortunate that these collection efforts continue to harm and exploit consumers' personal privacy.

There's also a certain irony about this systematic collection of our personal data. Often times it is we who are responsible for voluntarily disclosing information in the first place in exchange for a particular service. 

Cookies have become so commonplace that nearly every company on the Internet collects at least some form of personal information from its web users.27 As alarming as this may be, the real harm to the consumer is the cavalier way in which these companies will sell or distribute the personal information of their users without their express knowledge or consent.

In March 1999, a survey of commercial web sites and their privacy policies conducted by the McDonough School of Business at Georgetown University found that ninety-three percent of web sites collect personal information from consumers. Of these only sixty-six percent of the sites posted information about their disclosure practices.28 The survey also found that only ten percent of these commercial sites implemented all of the substantive "fair information practice" principles adopted by the Federal Trade Commission. (The principles include such things as notice, consent, security, and enforcement.29) This study reinforces the conclusion that businesses certainly do not have any problem collecting personal information, and the only hesitation they do have is fully disclosing to consumers how their private information will be either utilized or disclosed.

Since 1995, the Federal Trade Commission has encouraged self-regulation by the industry.30 This approach relies on businesses that are either motivated or principled enough to adopt a self imposed privacy policy.31 Unfortunately, self-regulation is fundamentally flawed for a number of reasons. First, there is no incentive for a business to adopt a restrictive privacy policy since the potential uses for such personal information have yet to be fully realized. As collection methods improve, and the cost of data storage decreases, a business cannot accurately predict the divergent ways such information can be used for commercial purposes. Therefore, there's little incentive for a firm to bind itself to a restrictive privacy policy when its competitors are free to act in any manner they deem appropriate. It is naive of the Federal Trade Commission to believe that businesses in such a highly competitive industry would be voluntarily willing to restrict their behavior. The second fundamental reason why self-regulation has failed is that the FTC has no authority to require businesses to adopt privacy policies. However, once a privacy policy has been adopted and a business violates that privacy policy, the FTC is then empowered under Section 5 of the Federal Trade Commission Act (15 U.S.C. 41 involving deceptive acts or practices) to bring legal action against that company.32

Recently, the FTC exercised these Section 5 powers when it brought a legal action against GeoCities.33 It charged GeoCities with violating its own privacy policy by selling information about its members to third parties. (The policy expressly stated such disclosure would only occur after receiving a user's consent.34) GeoCities eventually settled this claim with the FTC, but not before becoming the government's poster child on how to violate customers' privacy. GeoCities probably could have avoided this legal predicament altogether had it never adopted a privacy policy in the first place, since the law does not require one.35

One can be certain that businesses observing the whole GeoCities fiasco have concluded that adopting a privacy policy may unnecessarily expose a company to legal liability and may not be worth the risk. Arguably the long-term effect resulting from the GeoCities episode would be the refusal by more businesses voluntarily to adopt privacy policies, further undermining the notion of self-regulation.

This attempt at "self-regulation" has also resulted in several high profile lawsuits against such Internet premiere companies like Yahoo!, Double Click, Amazon, Intuit, eToys, America Online and Real Networks to name just a few. In each one of these cases, consumers allege that these companies use deceptive practices involving the collection of personal information.36 How these cases are ultimately resolved isn't all that important. The realization that these cases had to be filed demonstrates the severity of the current problem. These cases should demonstrate to the FTC, and Congress that self-regulation has failed and that federal legislation is necessary in order to protect consumers' interests. 

Although each of these previously mentioned lawsuits will certainly play some role in shaping the privacy debate, the pending class action lawsuit against Double Click still remains the pivotal case. 37

 Double Click, the leading on-line advertiser responsible for delivering 1.5 billion banner ads a day on behalf of 1800 customers, has come under fire for its invasive use of cookies on its servers to monitor and track users' surfing habits.38 This case is unique since Double Click utilized cookies on its server, rather then on a particular website (which is the traditional practice), to track users' movements throughout the Internet. This revolutionary technique allowed Double Click to continuously track a particular user (who remained on one their servers) regardless of the type of browser used or the website content being viewed. 39 This method of tracking and collecting click-steam data enables them to compile extremely accurate profiles of its consumers' activities across a spectrum of different web sites. 40

The most important question confronting the Court is whether Double Click may unknowingly place a cookie on a user's hard drive, without his or her consent, any time they happen to visit a website displaying one of its advertisements. 41 This practice by Double Click is unique since it stretches the current notion of "implied consent." Traditionally, businesses imply consent from its users anytime they access one of its web sites. The placement of the cookie is thought of as an exchange for providing access to information or services to its users. Double Click attempts to imply this same consent, regardless of whether users have actually clicked-on or accessed one of their advertisements, due to the mere presence of its advertisements on a particular web site they happen to be browsing.

No matter how this case is ultimately decided, it will play a critical role in defining the outer limits of acceptable business practices for the collection of personal information. If the Court concludes that Double Click has engaged in unfair business practices, this decision would begin to define a bright line test as to what's acceptable, and would cause a chilling effect throughout the industry. However, if the Court were to conclude that Double Click had done nothing wrong, the floodgates to such practices would be unleashed and other companies would begin to incorporate similar methods. Ultimately, Congress would be forced to act.

No matter how the Court eventually decides this case, one can be assured that the industry will be watching and the attention from the trial should result in a closer examination of the collection practices currently used. 

The other major battleground for privacy advocates is the recent adverse decision handed down in a case dealing with the disclosure of personal data. In U.S. West, Inc. v. FCC 42, the 10th Circuit Court of Appeals concluded that an "opt-in" provision violated U.S. West's right to commercial speech and was therefore unconstitutional.43 Upon first glance this case might appear to be an isolated anomaly, resulting in no long-term adverse effect. Unfortunately, one becomes quickly troubled by the Court's conclusions after reviewing its language. In its opinion, the Court makes it clear that it does not subscribe to the notion of one's presumed right to privacy in data. In reaching this decision the Court of Appeals adopts a broad interpretation of commercial speech and raises the government's standard of proof in establishing a valid state interest protecting against the disclosure of an individual's private information.

In U.S. West, the issue before the Court was whether the Federal Communication Commission was justified in adopting an "opt-in" provision as a way to satisfy the requirements of 47 U.S.C. § 222. This law required telecommunication companies to obtain a customer's affirmative approval before they would be allowed to use the customer's personal information.44 The Court began its analysis by defining speech protected by the First Amendment, and concluded that when personal data is used to "facilitate the marketing...of services to individual customers, we find the speech integral to and inseparable from the ultimate commercial solicitation. Therefore, the speech is properly categorized as commercial speech."45

This conclusion presents problems to privacy advocates since the Court is asserting that personal data deserves First Amendment protection under commercial speech. Such a conclusion establishes a dangerous precedent in the 10th Circuit since cookies, data mining, data warehousing, and click stream data are all techniques use to 'facilitate the marketing of services to individual customers' and therefore could also be protected under such an analysis.46 Although a court would certainly draw a distinction between data previously collected (U.S. West already possessed the data they were attempting to use), and techniques used to collect data, the problem presented is that once data is collected it becomes protected under commercial speech. Such an analysis would prevent individuals from controlling the disclosure of their personal information once it has already been collected. This is especially troubling in situations where an individual's required to disclose this information, just like the U.S. West's customers. One can only hope that such an interpretation does not eventually make its way into other circuits.

Upon reaching the conclusion that personal data constitutes commercial speech, the Court then applied a four-part test originally set forth in Central Hudson Gas and Electric Corporation v. Public Service Commission of New York47, to determine whether the government was justified in restricting this speech.48 The four-part test considers the following factors: 1) does the commercial speech concern a lawful activity and is it not misleading; 2) does the government have a substantial state interest in regulating the speech; 3) does the regulation directly and materially advance that interest; and 4) is the regulation no more extensive than necessary to serve that interest.49

After quickly concluding that the speech being regulated passed the first test, the Court then proceeded on to the next step and whether the state has a substantial interest in regulating the commercial speech. The Court states that in order for the government to regulate commercial speech, the government "must show that the dissemination of the information desired to be kept private would inflict specific and significant harm on individuals, such as undue embarrassment or ridicule, intimidation or harassment (emphasis added)."50 The Court then emphasizes that "a general level of discomfort from knowing that people can access information about us does not necessarily rise to the level of a substantial state interest."51 The Court does mention that the state could satisfy this prong of the test, by showing a substantial interest through empirical information that would justify its interest.52 Although the Court is unpersuaded that the FCC has met this heightened standard, it ultimately defers to the FCC's conclusion that a valid state interest does exist.53

In applying the final test as to whether the regulation is no more restrictive then necessary to serve the state's interest, the Court concludes that an "opt-in" provision is too restrictive and therefore must fail. 54 The Court believes that when a less restrictive alternative exists, such as an "opt-out" provision, such evidence indicates that the state did not narrowly tailor its regulations to achieve its desired interest.55

This decision was a major victory for businesses that collect and exploit personal information for commercial purposes. The 10th Circuit Court of Appeals has broadened the category of commercial speech to include personal data that would eventually be used for commercial purposes. The Court fails to realize that just about any type of information collected in today's "information age" could be protected under this broad definition.

The Court also used poor judgment in concluding that the only way the state can protect personal information is by showing that disclosure of such information would inflict specific and significant harm on individuals (emphasis added).56 The approach is fundamentally flawed since you will never know the specific harm until after the information has been disclosed and used in an inappropriate manner. However, the Court does appear more flexible in applying this criterion, and implies that it would defer to a state interest if it were supported by empirical information demonstrating the harm.

Unfortunately, this decision by the 10th Circuit Court of Appeals has struck a major blow to privacy advocates, and may ultimately require legislative action in order to correct the Court's erroneous conclusions. 

Our current patchwork of state and federal laws, coupled with the industry's promise to self-regulate, has been a complete failure. More importantly, in light of the recent decision in U.S. West, there is no guarantee that the Courts can provide the much-needed relief in protecting one's personal information on the Internet. These concerns are beginning to have a chilling effect on consumers and their use of the Internet to make routine purchases. As this trend continues to worsen, Congress will be required implement legislation to address these problems.57

So how does Congress solve this problem? Congress should begin by passing an "Internet consumer bill of rights" that requires an automatic opt-in requirement on behalf of all consumers. An opt-in provision would require businesses to provide its consumers a user-friendly summary highlighting the terms and conditions regarding the collection, sharing, and disclosure of personal information. Such a bill would forbid a business from collecting any personal information prior to receiving an affirmative consent from its consumers.

The user-friendly summary of terms and conditions would be similar in format and content as ones currently employed by financial institutions to issue credit cards. The summary would expressly inform the consumers the information collected, purpose of its collection, and whether such information will be disclosed/shared with third parties. Businesses would also be required to make assurances that no disclosures will occur in violation of these express terms.

Whenever a business wished to change or modify one of these express provisions, its consumers would automatically by default be excluded from their application. A business would be required to receive a consumer's affirmative consent to the new terms and conditions before their application could take effect.

Such harsh provisions would discourage companies from making frequent changes to its stated privacy policies. Under the present system, the consumer bears the burden of periodically checking with the web site to determine whether a privacy policy has been changed or modified. This flawed approach allows businesses to adapt and modify their policies to meet their selfish business interests, and have the effect of disregarding a consumer's interest altogether. In other words, there is no affirmative obligation on the company's part to ensure that its consumers consent to changes to the policy.

An opt-in approach would rectify these problems by empowering the consumer. Under this approach, both consumers and businesses would have a valuable commodity the other one desires. Since all businesses would be required to comply with the same law, businesses would focus their marketing energies in way to provide greater privacy protection to its consumers. Instead of the current race to the bottom, businesses would offer consumers enhanced services in exchange for personal information. The biggest benefit of an opt-in approach is that it will reassure consumers that the information they disclose will only be used for its intended purpose and not as a commercial commodity of the company.

Critics would argue that the opt-in approach is unconstitutional in light of U.S. West. This argument lacks merit since any law confronting this issue could withstand the four-part test required by Hudson. Congress could certainly meet the second and third prongs of this test by citing recent surveys indicating consumers' concerns with privacy on the Internet and its chilling effect. A recent Forrester Research report estimates that companies miss out on $14 billion dollars in commercial transactions due to such privacy concerns. 58 Any rational court would quickly concede that a substantial interest indeed exists, and that Congress has the authority to act.

According to the Court in U.S. West, the biggest obstacle for any proposed Internet privacy legislation is presented by the last prong of the Hudson test requiring the regulation to be no more extensive than necessary. Congress could justify an opt-in approach since empirical evidence shows (an example would be the $14 billion dollars lost in e-commerce due to privacy concerns on the Internet) that our current system roughly based on an opt-out approach has failed to adequately protect consumers' privacy.

In conclusion, it is imperative that Congress begins to take concrete steps to resolve these concerns. The current state of self-regulation coupled with State and Federal laws have proven to be grossly inadequate. The immediate future doesn't appear much brighter since state legislatures are expected to consider more than 300 different online privacy laws. 59 Such disastrous consequences could leave us with an even more complicated patchwork of laws and regulations, and cause greater problems due to the lack of predictability. Unless Congress begins to take meaningful steps toward some type of comprehensive legislation, our personal information will continue to be exploited by more and more intrusive technologies.

No matter what eventually occurs in resolving these privacy issues, at least I will never have to worry about others discovering what videos I rent from Blockbuster!

2  See Charles L. Kerr & Oliver Metzger, Online Privacy: Emerging Issues, 607 PLI/PAT 29, 58-65 (2000) (summarizing pending lawsuits and allegations against a variety of internet companies).

3 See Alan Sipress, 'Big Brother' Could Soon Ride Along in Back Seat; Traffic Monitoring Stirs Privacy Fears, WASH. POST, Oct. 8, 2000, at A1. (reporting that new intelligent transportation systems may raise privacy concerns).

4 Id.

5 Id. See also A. Michael Froomkin, Cyberspace and Privacy: A New Legal Paradigm? The Death of Privacy?, 52 STAN. L. REV. 1461, 1477 (2000) (discussings regulation to become effective in 2001 that will require cellular companies to be able to pinpoint a caller's location to within 400 feet, at least sixty-seven percent of the time).

6 See Carol Morello, 'Ethics Bowl' Takes a High-Tech Turn; Teams From 15 Virginia Colleges Tackle Information Age Dilemmas in Competition, WASH. POST, Feb. 13, 2001, at B3 (discussing the collecting of information and the ethics behind such activities); see also Sipress supra note 1, at A1.

7 See Jennifer Bresnahan, Personalization, Privacy, and the First Amendment: A Look at the Law and Policy Behind Electronic Databases, 5 VA. J.L. & TECH. 8, 8 (2000) (emphasizing the difficulty in making a move on the internet today without your actions being recorded).

8 Id.

9 See Michael S. Yang, E-Commerce: Reshaping the Landscape of Consumer Privacy, 33 AUG MD. B.J. 12, 14 (2000) (explaining how consumers must resort to common law torts due to lack of federal legislation).

10 See Viktor Mayer-Schonberger, The Cookie Concept, available at <http://cookiecentral.com/content.phtml?area=2&id=1>.

11 See What is?com, data mining (last modified Oct. 27, 1999) available at <http://whatis.techtarget.com/definitionsSearchResults/1,289878,sid9,00.html?query=data+mining>

12 See What is?com, data mining (last modified Oct. 27, 1999) available at  <http://whatis.techtarget.com/definitionsSearchResults/1,289878,sid9,00.html?query=click+stream>

13 See Kalinda Basho, The Licensing of Our Personal Information: Is It A Solution to Internet Privacy?, 88 CALIF. L. REV. 1507, 1512-13 (2000) (discussing the type and manner of collecting personal information on the internet and how accurate profiles emerge when aggregated).

14 See Yang supra note 7, at 14-15 (summarizing the pending lawsuit against Double Click for obtaining and selling private information of consumers). See also Jane Kaufman Winn, & James R. Wrathall, Who Owns the Customer? The Emerging Law of Commercial Transactions in Electronic Customer Data, 56 BUS. LAW. 213, 222-23 (2000) (explaining how Double Click collects consumer information by using cookies).

15 See Froomkin supra note 3, at 1491 (citing that in a recent lawsuit filing Yahoo's user information was worth four billion dollars).

16  See, e.g. Federal Videotape Privacy Protection Act, 18 U.S.C. § 2710 (b) (1) (1994) (stating that "a video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person...."); Cable Communication Policy Act, 47 U.S.C. § 551 (1994) (providing that "a cable operator shall not use the cable system to collect personally identifiable information concerning any subscriber without the prior written or electronic consent of the subscriber concerned).

17 See Yang supra note 7, at 12 (discussing general statistics about the internet and its rapid growth).

18  Id.

19 See Scott Killingsworth, eCommerce Strategies for Success in the Digital Economy, 618 PLI/PAT. 663, 671-76 (2000) (discussing the use of cookies to track user's and collect information about their surfing habits); Yang supra note 7, at 14 (briefly discussing the purpose of cookies).

20 See Killingsworth supra note 19, at 671 (discussing the temptations of consumers to disclose personal information in exchange for receiving additional services).

21 Id.

22 See Bresnahan supra note 5 at 8-17 (explaining the utilization of cookies as a tool to market specific products to consumers who are then more likely to make purchases of these items).

23 See Edward Fenno, Federal Internet Privacy Law, 12 JAN S.C. LAW. 36, 37-38 (2001) (discussing methods of data collection and creating online profiles of users); Killingsworth supra note 19, at 671-76 (discussing the use of cookies to track user's and collect information about their habits).

24 See Winn, & Wrathall supra note 12, at 235-36 (explaining the purpose of data mining and examples of how data mining can be useful in anticipating a user's changed habits).

25 Id. at 234.

26 Symposium, Data Privacy Laws and the First Amendment: A Conflict? [hereinafter Data Privacy Laws], 11 FORDHAM I.P., MEDIA & ENT. L.J. 59, 63 (2000) (Remarks by Ms. Jennifer Barrett, Company Leader for Information Practices and Government Affairs justifying the need for companies to collect personal data).

27 See Mary J. Culnan, Georgetown Internet Privacy Policy Survey: Report to the Federal Trade Commission, (1999) available at http://www.msb.edu/faculty/culnam/GIPPS/gipps1.pdf.

28 Id.

29 Id.

30 See Kerr & Metzger supra note 16, at 31-33 (discussing the Federal Trade Commission's position on self-regulation).

31 See Froomkin, supra note 3, at 1527-29 (concluding that currently there is no incentive for Web sites to voluntarily adopt privacy policies or self regulate themselves since there are no repercussions for disclosing a user's personal information).

32 See Killingsworth supra note 19, at 674-76 (discussing the temptations of consumers to disclose personal information in exchange for receiving enhanced services).

33 Id.

34 Id.

35 Id.

36 See Kerr & Metzger supra note 16, at 58-65 (summarizing the alleged claims against these companies, and the current status of the pending lawsuit).

37 See Data Privacy Laws supra note 26, at 79 Remarks by Mr. David Sobel, General Counsel of the Electronic Privacy Information Center, speaking about the pending Double Click lawsuit and whether provisions under the Electronic Communications Privacy Act will be able to adequately remedy the privacy claim brought by the plaintiffs.

38 See Winn, & Wrathall, supra note 12, at 222-23 (explaining how Double Click collects consumer information through the use of cookies on its server).

39 Id.

40 Id.

41 See Data Privacy Laws supra note 26, at 70.

42 182 F.3d 1224 (10th Cir. 1999).

43 See U.S. West, Inc. v. FCC, 182 F.3d 1224,1238-39  (10th Cir. 1999).

44 See id. at 1228.

45 See id. at 1233.

46 See Bresnahan supra note 5, at 8-10 (explaining the importance of personalization in today's business world and the necessity to collect personal information to achieve this objective).

47 447 U.S. 557 (1980).

48 See U.S. West 182 F.3d at 1233.

49 See Julie Tuan, First Amendment: U.S. West, Inc. v. FCC, 15 BERKELEY TECH. L.J. 353, 357-58 (2000).

50 See U.S. West 182 F.3d at 1235.

51 See Id.

52 See Id.

53 See Id. at 1235-36

54 See Id. at 1238-39.

55 See Id.

56 See Id. at 1235.

57 See L. Scott Tillett, The Push for NetPrivacy -Companies take action as government weighs legislation, INTERNETWEEK, Feb. 5, 2001, at 1 (reporting the insecurity consumers are beginning to have about conducting electronic transactions over the Internet).

58 Id.

59 Id.