An End to Personal Privacy on the Web?

eLABorations: Is the Online Personal Privacy Act even worse for the public than Senator Holling's previous bill?

Is Senator Fritz Hollings trying to make nice with us Internet folks? Is he throwing us a bone to make up for his backing of the extremely dangerous Consumer Broadband and Digital Television Promotion Act? (click here to read an earlier column on the CBDTPA)

At first glance it would seem so, since Hollings new bill, the Online Personal Privacy Act, purports to protect the personal information of Internet users. However, much like the CBDTPA, which has no provisions for consumer input even though it claims to be a pro-consumer bill, the OPPAs definition of personal privacy probably comes up well short of what most people think of. (For the text of the bill go to and search for bill s2201)

In short, Hollings bill sets out how sites and service providers can handle personal information. However, the bill splits personal information into two areas, sensitive and non-sensitive information, and has separate rules for how this information can be handled.

Sensitive information is defined as detailed financial information and personal information such as race, party affiliation, health information, religion, sexual orientation and Social Security numbers. Non-sensitive information is name, address, phone number, e-mail address, purchasing habits and pretty much anything else.

The bill says that sensitive information cannot be collected or shared without user consent. In addition, non-sensitive information cannot be collected or shared without "robust notice" and an opt-out option.

At first this doesnt seem so bad. All most people want is an opt-out option, anyway. But after taking a closer look at the bill, its easy to find plenty of gaping holes that may actually make personal information less secure then it is now.

The first and most obvious is the non-sensitive information. Im sure a poll of most users would find lots of this information under most peoples definition of sensitive information. Secondly, the bill expressly permits inferring information. This essentially kills the premise of the whole bill, since by looking at a users surfing and buying habits its very easy to infer race, health, sexual orientation and almost everything else listed as sensitive information.

It gets worse. The bill doesnt really define "robust notice" or how opt-outs are handled. Does this mean that robust notice can be buried in a "More Info" page on a Web site? Can clicking on an Agree button be agreeing not to opt-out?

And of course, one of the biggest loopholes is in Section 104 of the bill, entitled Exceptions. Basically, nothing applies, meaning the sites can collect all the data they want, if the data is collected to "conduct a transaction, deliver a product or service, or complete an arrangement for which the user provided the information". Even worse is what follows: "or to provide other products and services integrally related to the transaction, service, product, or arrangement for which the user provided the information".

This basically means a site can collect all information all the time.

So what we end up with is a bill that weakens privacy and makes it impossible for states and other entities to enforce stricter privacy protections.

No wonder Hollings is behind this. Say Im a big Hollywood company, and Im delivering a service or product, like movies on demand. Im going to need all the personal info I can get so I can suggest movies, see if youre a likely copyright pirate, and charge you every time you think about using the content.

Unfortunately, this bill has a much greater stealth factor and better on the surface appearance then the CBDTPA, meaning it has a much better chance of passing. Internet users who dont want to surrender all privacy rights should make their feelings known.

After all, its one thing to be told that Internet privacy is difficult to achieve. Its another to have it legislated out of existence.

Is personal privacy dead? Contact Jim Rapoza at