Congress sticks its nose into online privacy

As multiple bills head for a vote, legislators and the industry debate which approach is best

Congress's ongoing debate over online privacy has generated lots of talk but little action this year. Things could heat up, though, after leaders of the Senate Commerce, Science and Transportation Committee introduce bills that reflect opposite approaches to consumer protection.

Prosecuting in the name of privacy

The debate centers on the best way to shield consumers from the often-unseen prying eyes of Internet companies while allowing online operators to flourish. “You have to have a balance between consumers' sense of trust and not stifling the e-commerce business model,” said Robert D. Atkinson, vice president at the Democratic-allied Progressive Policy Institute.

Recent privacy laws Children's Online Privacy Protection Act of 1998 Requires operators of commercial Web sites directed at children to obtain parental permission before collecting personally identifiable information from children under 13. Effective April 21, 2000 Gramm-Leach-Bliley Act of 2000 Requires financial institutions to inform customers of how online and offline personal information is being used and by whom, with an opportunity to opt out of information sharing; does not apply to information-sharing between subsidiaries and affiliates of a parent company. Effective July 1, 2001 Notes: The FTC has used the FTC Act's prohibition against unfair and deceptive trade practices to investigate, prosecute and settle cases of online privacy invasion. In addition, 13 states enacted privacy laws from Jan. 2, 2000, through April 20, 2001; at least 30 additional state bills were pending in 16 states, according to the National Conference of State Legislatures

Sen. Ernest F. Hollings, D-S.C., the new committee chairman, is likely to turn the debate toward consumer-friendly ground when he introduces a bill containing an “opt-in” approach. Ranking minority member Sen. John McCain, R-Ariz., is expected to offer a bill with an “opt-out” approach.

Favored by privacy and consumer advocates, the opt-in approach prohibits Web site operators and Internet marketers from collecting and sharing Internet users' personal information without their consent. The opt-out approach, now widely used, automatically allows such data to be gathered and sold unless users opt out, often by checking an on-screen box before they submit information.

Privacy groups say the opt-out approach burdens consumers because they must take action to protect information instead of assuming it will remain private. Lobbyists for e-commerce companies say the opt-in approach makes the job of Internet marketing too difficult. “[Opt-in is] a barrier to entry for new businesses,” said Jerry Cerasale, senior vice president of government affairs for the Direct Marketing Association.

Internet privacy legislation could cost businesses from $9 billion to $36 billion, concluded a study by the industry-backed Association for Competitive Technology.

Web site operators, Internet retailers and online profilers increasingly have added and improved their privacy policies over the last several months as public pressure has mounted against their activities. Profiling and digital marketing firms such as DoubleClick and AdForce collect personal data about Internet users with cookies, Web bugs and other tools. The result: vast databases of names, addresses and other “personally identifiable” information that is shared with and sold to online publishers and retailers to target banner ads, send e-mail and sell merchandise online.

Congress has introduced dozens of bills this year, ranging from broad mandates for online data collection to specific measures protecting Social Security numbers and medical information and guarding against identity theft and junk e-mail.

The industry says these techniques merely extend direct-marketing methods that have been around for years to the Internet. “Junk mail is in the eye of the beholder,” said a spokeswoman for the Online Privacy Alliance, a group of trade associations and companies, including AOL Time Warner, AT&T and Bell South, that opposes privacy legislation.

Privacy advocates contend the online activities are more invasive than their offline counterparts and require legislation to control. Currently, only one law, the Children's Online Privacy Protection Act (1998), explicitly controls privacy online.

“Technology allows you to follow someone wherever they go,” said Chris Hoofnagle, legislative counsel of the Electronic Privacy Information Center in Washington, D.C. For example, some cookies track Web surfers' movements, then sit on hard drives and later return information about users' browsing and purchasing habits.

“If the information is collected without your knowledge, that's unfair. But even if the information is disclosed, it can be unfair” if shared with third parties without authorization, said Jason Catlett, president and founder of Junkbusters Corp., a privacy consulting firm in Green Brook, N.J.

Three (of many) online privacy bills H.R. 89 Sponsor: Rep. Rodney Freylinghuysen, R-N.J. Makes it unlawful for Web site operators or online services to collect, use or disclose personal information about individuals 13 and older in ways that violate FTC regulations; requires operators to allow individuals to consent to or limit disclosure of information. Pending in House Energy and Commerce Committee H.R. 237 Sponsor: Rep. Anna G. Eshoo, D-Calif. Makes it unlawful for commercial Web site operators to collect personally identifiable information online unless they provide notice and opportunity to limit its use and disclosure; directs FTC to contract with National Research Council to study online privacy H.R. 718 Rep. Heather Wilson, R-N.M. Provides criminal penalties for intentionally initiating transmission of unsolicited commercial e-mail with knowledge that any domain name or other identifying information in the message is false or inaccurate; prohibits e-mailers from selling or exchanging recipients' e-mail addresses. On House floor

Bills by the dozen

Such sentiments have led Congress to introduce dozens of bills this year, ranging from broad mandates for online data collection to specific measures protecting Social Security numbers and medical information and guarding against identity theft and junk e-mail.

“No one in the privacy community is excited about them,” said Shane Ham, a Progressive Policy Institute senior policy analyst.

Two sweeping House bills, H.R. 237 and H.R. 89, are similar to bills introduced last year by Sens. McCain and Conrad Burns, R-Mont., respectively (see box). An anti-spamming bill, H.R. 718, has been voted out of two House committees but is “dead in the water” because “many of its provisions were eviscerated” through amendments, Hoofnagle said.

Adding to the uncertainty is that “nobody knows what the White House thinks about any of these issues,” Ham added.

For now, observers expect action in the Senate Commerce Committee. A Hollings spokesman said that online privacy is “one of his high priorities,” although it's unclear when he will introduce a bill or hold hearings. The senator's bill will be similar to last year's S. 2606 with an opt-in provision, he said.

“If we can ensure better privacy on the Internet, it will be an improvement, not a hindrance” because consumers will feel safer visiting Web sites and making online purchases, the spokesman added.

Analyst Meera Singh of Gartner Dataquest said Web site operators will be upset by the Hollings bill. “If the default scenario is opt out, then they don't have any information to sell.”

The industry instead has been arguing for self-regulation and has put together a set of government-sanctioned privacy guidelines. The Network Advertising Initiative, a coalition of seven network advertisers, came up with principles last year to strengthen consumers' privacy by allowing them to opt out of NAI members' networks, a spokesman said.

A total of 30,000 people visited the NAI Web site during its first week of operation in May, he said.

One NAI principle is that network advertisers can't use personal medical, financial or sexual information or Social Security numbers for “online preference marketing.” Another requires advertisers to post clear, prominent disclosures of their information-sharing practices, with a chance for users to opt out of the arrangement.

The guidelines could make it easier for Web site operators and others to comply with any new privacy laws. The Federal Trade Commission views companies adhering to approved privacy seal programs as complying with COPPA.

Industry organizations have backed bills to protect sensitive medical and financial information and information about children, but they clearly oppose opt-in legislation. One possible solution, they say, lies in Microsoft's new privacy software.

The “Platform for Privacy Preferences,” or P3P, allows Web site visitors to customize their privacy protection. Users with version 6 of Internet Explorer can choose from a range of privacy preferences to share names but not addresses, for example. When they go online, P3P automatically compares the user's preferences to a Web site's privacy policy. If they do not match, the browser automatically blocks the transmission of personal information.

Industry sees P3P as the technical fix to privacy protection that could obviate federal legislation. But Congress isn't waiting to act.

return to top

---

Prosecuting in the name of privacy

by Carolyn Hirschman

Online invasion of privacy is a relatively new area of consumer-protection law. Law enforcement officials, however, have prosecuted and in some cases settled a number of cases:

DoubleClick--A Manhattan federal judge in April dismissed a class-action lawsuit against this Internet advertising company, according to Cyber Law Journal. The plaintiffs alleged that DoubleClick's use of cookies and other technologies for targeting online advertisements to Internet users violated federal laws that prohibit harmful hacking, wrongful wiretapping and unauthorized access to computers. But the district judge ruled that the company's conduct did not violate the laws.

The case is on appeal to the U.S. Second Circuit Court of Appeals. Also pending are suits against DoubleClick in California and Texas state courts alleging violations of privacy and consumer-protection laws.

DoubleClick on June 1 posted a new privacy policy that it says is “more consumer-friendly.” One of the 10 points states that DoubleClick asks its clients to link their privacy policies to its own, so that Internet users can opt out of the DoubleClick cookie and ensure that no unique information or number is associated with their browsers.

Toysmart.com--The Federal Trade Commission alleged that the now-bankrupt toy e-tailer told consumers their personal information including name, address, billing information and family profiles would never be shared with third parties when, in fact, it disclosed and sold that information. The FTC argues the company is in violation of its own privacy policy and federal law barring unfair and deceptive trade practices. The FTC also filed a federal lawsuit in Massachusetts alleging Toysmart collected personal information from children without parental permission, in violation of the Children's Online Privacy Protection Act.

In a settlement last year, Toysmart agreed to sell its entire Web site without separating its customer list only to a “qualified buyer” in a related business. Toysmart was also ordered to destroy all information collected in violation of COPPA.

ReverseAuction.com--This online auction site violated consumers' privacy by harvesting personal information from competitor eBay's Web site, then sending deceptive spam to those consumers, the FTC charged. To promote its Web site, ReverseAuction registered with eBay and agreed to comply with its privacy policy, which prohibited users from gathering and using personal information for unauthorized purposes such as spamming, according to the FTC.

A settlement reached last year required ReverseAuction to delete the personal information of consumers who had received spam but declined to register with the company.

return to top