Giving Users the Final Word

Privacy advocates, others differ on legislation

Keeping a low profile is getting a lot of attention from legislators in a pair of online privacy measures aimed at protecting consumers' personal data.

The efforts, privacy advocates say, are required to keep businesses hungry for information from exploiting customer data without consent. But critics charge that the rules are politically motivated, expensive to implement and unnecessary in light of the industry's efforts at self-regulation.

The latest attempt to corral corporate access to personal information came late last month when Sen. John Edwards, D-N.C., introduced the Spyware Control and Privacy Protection Act of 2001. The bill was first introduced last year but not acted on.

The bill seeks to protect consumers from the common vendor practice of using user-installed software to secretly collect data. The data is then transmitted—without the consumer's knowledge—over the Internet to the vendor. With the so-called spyware, companies can monitor customers' Web surfing behavior and sell that data to the highest bidder. In Edwards' Senate floor statement, he cited a number of vendors that employ such spyware, including Intuit Inc. (Quicken), Mattel Interactive (Reader Rabbit and Arthur's Thinking Games), RealNetworks Inc. (RealDownload), Netscape Communications Corp./America Online Inc. (SmartDownload) and NetZip Inc. (Download Demon).

The bill would require that any software that contains spyware provide consumers with an obvious notice of what information the spyware will collect and to whom it will be transmitted. Users would have to agree, or opt in, for the data collection to begin. Data collected for technical support or to verify licensing would be exempt.

"Who could argue with the notion of requiring consent by consumers before making a record of what theyre doing on the Net?" said Jason Catlett, president of Junkbusters Corp., in Green Brook, N.J., and a noted privacy advocate. "Its a step in the right direction."

Chris Hoofnagle, legal counsel at the Electronic Privacy Information Center, in Washington, said the bill meets privacy standards since it requires notice, consent, access and security. Hoofnagle said his only criticism of the bill is that it is too narrow.

"It looks pretty good for the problem that it addresses. But we need a bill thats more comprehensive, that treats all collection of personal information, not just spyware and Web bugs," Hoofnagle said. "The prospects for good privacy legislation are increasing."

Other federal efforts to control private consumer information include the Gramm-Leach-Bliley Act, passed in 1999, which has a stiff privacy section affecting financial institutions and merchants that offer credit cards to consumers. The law requires that vendors provide an annual written notice to customers of their privacy policies—including the types of information they share with third parties. The vendors must also offer customers a convenient means to opt out of third-party information sharing.

The law was to take effect last month but has been delayed until July to give businesses a chance to implement mechanisms for compliance.

To abide by GLB, merchants are developing or changing IT processes to deal with the administration of large databases of opt-out information. They must also create a mailing system to regularly notify consumers of their rights.

"There is an initial investment of creating the bureaucracy to handle the system, then there has to be ongoing compliance oversight—so well have a couple attorneys to make sure were complying," said Jan Drummond, a spokeswoman for Sears, Roebuck & Co., in Hoffman Estates, Ill. "Its going to make life more complicated for us."

Some banks are outsourcing the third-party integration and consumer notification parts to software vendors like Acxiom Corp., which developed an application called Financial Services Preference Solution designed to help banks comply.

"This is bigger than anyone anticipated," said Jennifer Barrett, chief privacy officer at Acxiom, in Little Rock, Ark. "I expect most, if not all, financial institutions will be in compliance. But most are going to brute-force it."

Despite the legislative efforts, EPIC's Hoofnagle said that companies would rather have a blanket federal privacy law than myriad, varying state and federal regulations to deal with.

But not everyone agrees that legislation is the answer to controlling online privacy.

The Personalization Consortium attempted to strike a blow for self-regulation over legislation when it issued a set of privacy principles and a framework for conducting third-party audits of members' privacy policies. While the principles provide best practices that businesses can follow to ensure consumer confidence in their privacy policies, the auditing framework will establish an industrywide standard for testing businesses' actual privacy practices against these principles.

"Were trying to address the issues that are out there. Were under no illusions; theres too much political hay to be made over regulations," said Don Peppers, co-chair of the consortium and partner of Peppers and Rogers Group Inc., a marketing consulting company. "Theres very few regulations that have been introduced so far that wont do more harm than good. We want to provide a platform for companies to compete on."

Junkbusters' Catlett said while most industry association attempts at self-regulation have been "lamentable," the consortium's latest effort is "pretty progressive."