Senate Hearing Shows No Broad Consensus on Details for Privacy Legislation

With data breaches happening almost every day, there's a lot of interest but little consensus on how new legislation can help protect consumer privacy online.

Lawmakers are trying to balance business interests with consumer needs as they grapple with online security and privacy.

Federal officials appeared to be in broad agreement over the need for data breach laws at the data security and privacy hearing held by the Senate Commerce, Science and Transportation Committee on June 29. The disagreements appeared to be over reconciling what consumers want with the position of companies that claim "do not track" proposals and online privacy laws would hurt business.

There is "broad support" for a national standard on data security, according to Sen. Pat Toomey (R-Penn), a ranking member of the subcommittee. He said Congress was likely to pass some kind of a data security bill "in the near future," but there wasn't a broad consensus on general privacy issues.

"I'm sure no one on the committee wants to break the Internet," Toomey said, arguing that new privacy regulations could hurt Internet businesses and reduce the number of free online services consumers get.

There are currently three privacy and security bills making the rounds in the Senate, including Sens. John Kerry (D-Mass) and John McCain's (R-Ariz) Commercial Privacy Bill of Rights, Chairman Jay Rockefeller (D-W.Va) and Sen. Mark Pryor's (D-Ark) Data Security and Breach Notification Act, and Rockefeller's Do-Not-Track Online Act.

The bills were introduced amid reports of high-profile data breaches that have dominated the news in the first half of 2011.

"If nothing else, perhaps the frequency, audacity and harmfulness of these attacks will help encourage Congress to enact new legislation to make the Internet a safer place," Sony Network Entertainment president Tim Schaaff said at the hearing.

Rockefeller said it was "high time" organizations were prevented from doing whatever they wanted with personal details belonging to consumers. Rockefeller's data security bill would require companies to have security monitoring tools on their networks to prevent "reasonably foreseeable" attacks. It would also require companies holding personal information to have security policies on the collection and use of the information as well as a clear process for erasing the data.

"I want ordinary consumers to know what's being done with their personal information, and I want to give them the power to do something about that," Rockefeller said during the hearing.

The breach notification rules in the data security bill would also define how soon companies should inform users when their information has been breached. Sony and Citigroup recently came under fire for waiting before disclosing that their customers' credit card information was compromised.

Basic security safeguards and breach notification are "a cost of doing business in the new world," Rockefeller said.

The Federal Trade Commission doesn't have an official position on whether privacy bills are needed, FTC member Julie Brill said at the hearing. However, the agency believes "do not track" requirements are needed, even on mobile devices, Brill said. Even though major browsers, including Internet Explorer, Firefox and Chrome, now offer a mechanism for a universal opt-out, there is nothing requiring companies and advertisers to honor those consumer requests and no way for the FTC to enforce compliance, Brill said.

"Advertisers and ad networks are disparate. Unless you get them to uniformly agree, I'm not sure a self-regulatory mechanism can work," Brill said.

Do-not-track legislation will make it easy for Web users to stop all companies from tracking them online, Rockefeller said. "One click, no information collected," he said.

Toomey questioned the need for letting consumers opt out of data collection, as outlined in the "Do Not Track" bill or the joint Kerry-McCain privacy bill. "In a world where millions of people voluntarily share very personal information on websites like Facebook and Twitter on a daily basis, I'm not sure exactly what consumer expectations are when it comes to privacy, but I am pretty sure different consumers have different expectations," Toomey said.

A recent Consumers Union poll found that eight of ten Internet users said they should be able to opt out of Internet tracking from a single location, similar to the mechanism proposed in the "Do Not Track" bill. About two-thirds of the 1,007 households surveyed said the government should be safeguarding their privacy online.

"Although we live in an age of extensive sharing, very few people would agree that every piece of information they transmit should be available to everyone, for any conceivable purpose," Ioana Rusu, regulatory counsel for Consumers Union, said at the hearing.