No change to privacy status quo
Online privacy has been making high-tech headlines in recent weeks -- with the Senate and more Congress increasingly likely to enact Web privacy laws and the United States and the European Union edging toward striking a "safe harbor" accord to protect consumers' online data.
Nonetheless, Capitol Hill watchers don't expect many sites to have to change their privacy procedures anytime soon.
"I don't know that sites will have to do much that's different even after the 'safe harbor' deal is finalized," said David Sobel, general counsel at the Electronic Privacy Information Center.
The development of a "safe harbor" accord between the EU and United States is likely to be the next major development on the online privacy front.
If agreed to by the EU, the Safe Harbor Principles submitted by the U.S. Department of Commerce this week would require sites to tell users what data they're collecting and why -- and let users opt out of data collection. The Safe Harbor Principles propose that sites take "reasonable precautions to protect [private data] from loss, misuse and unauthorized access, disclosure, alteration and destruction." It also proposes that sites let users see any data collected from them to ensure its validity and establish procedures for responding to complaints about misuse of data.
EU and U.S. officials said this week that they believe the "safe harbor" deal will be settled before a planned June 21 summit in France -- although some EU officials say they still want stricter enforcement mechanisms.
If the proposals -- which are part of the wider U.S.-EU negotiations over the EU's October 1998 Directive on Data Protection -- are agreed to, they won't have an impact on sites that post clear privacy policies and adhere to them, Sobel and other observers said.
Already safe harbors
Many Web publishers echo Sobel's sentiment -- insisting that their sites already do what the "safe harbor" proposal asks.
"We do all those things already, not just because it's part of being a good corporate citizen, but because it's good business," said Rebecca Anderson, director of corporate communications at The Walt Disney Co.'s (NYSE:DIS) Buena Vista Internet Group.
While Salon.com, a news and commentary site, does stick to a strict policy of telling visitors what data is being collected and allowing them to opt out, the policy hasn't been posted yet, according to one official.
"For a long time we've wanted to post an explicit policy explaining what we've been doing all along," said Scott Rosenberg, vice president and senior editor at Salon.com. A recent redesign pushed the project to the back burner, although the posting should take place within a few weeks, he said.
Rosenberg said he doesn't expect to have to change the site's privacy policy, because Salon.com officials have committed to a policy of notice, opt-out, and no reselling of visitors' data to third parties.
Pot calling the kettle ...
Dave McClure, executive director of the Association of Online Professionals trade group, said it was ironic that a recent Center for Democracy and Technology study found that the majority of federal Web sites lacked privacy policies. "If you look at the majority of the members of the Online Privacy Alliance, they do just fine" on protecting users' privacy, he said. (The OPA is a group of high-tech companies that supports self-regulation on data privacy.)
But EPIC's Sobel, pointing to such controversies as Intel Corp.'s (Nasdaq:INTC) inclusion of an identification number in its new Pentium III chips, said the only thing that will ensure consumers can effectively redress misuse of their data would be for Congress to enact "a baseline privacy rights law."
With Web sites becoming more and more complex, and new Internet users coming online every day "you just cannot expect the average person to go from site to site with a meaningful understanding" of how privacy policies may differ, Sobel said.
"The EU would like to see us establish a basic privacy right," which would bolster the legal defense for those whose online privacy has been violated, he said.
Consumer backlash
A consumer backlash over online data collection is at least partly the cause of the hive of privacy legislation, said Dave McClure, executive director of the Association of Online Professionals trade group. "There's been a consumer backlash against the incessant demand for data every time they visit certain Web sites," McClure said.
Among the slew of slew of proposed privacy bills is the Online Privacy Protection Act, sponsored by Sen. Conrad Burns, R-Mont., and Sen. Ron Wyden, D-Ore., which would extend to adults some of the protections given to child Internet users in a bill passed last year. That bill, introduced last week, would require Web sites to let users know what data is being collected from them, and allow them to refuse to submit data.
Rep. Edward Markey, D-Mass., introduced legislation almost identical to the Burns-Wyden bill in the House of Representatives this week. And Sen. Patrick Leahy, the ranking minority member of the Senate Judiciary Committee, said this week he will introduce a bill to extend Fourth Amendment rights against unreasonable government searches and seizures into the online realm. The Leahy bill would also give Americans the right to access any of their personal records kept by businesses, satellite carriers, libraries and book vendors.
However, the Business Software Alliance fears that any new legislation could harm the industry's growth.
"Bills tend to be static, and the Internet industry is changing very rapidly," said Ann Gavin, public relations manager for the Business Software Alliance, an industry trade group. "The industry has been regulating itself, and a new law at this point could be premature."
FTC fighting online fraud
While the argument continues both within and outside Capitol Hill, certain companies continue to defraud consumers, Federal Trade Commission officials said.
The FTC said Thursday that it has charged a so-called information broker with illegally obtaining and selling consumers' financial data.
The company, Touch Tone Information Inc. of Denver, is charged with calling banks and impersonating account holders in order to extract Social Security numbers and account histories. The information gleaned from unsuspecting bank workers in these calls was then sold to third parties via the company's now-defunct Web site, FTC officials said.
Touch Tone's alleged actions represent "a particularly pernicious invasion of consumers' privacy," FTC Chairman Robert Pitofsky said. "This case should send a strong message to information brokers that the FTC will pursue firms that use false pretenses to profit at the expense of consumer privacy" and leave consumers open to identity theft, he said.