Scrambling for privacy

Congress responds to concerns, but conflict could delay action

By Patrick Ross
Staff Writer, CNET News.com
February 23, 2001, 4:00 a.m. PT

WASHINGTON--Congress is growing more responsive to calls for online privacy legislation, but a major conflict looms that could hurt efforts this year to enact consumer safeguards against prying Web sites.

Last fall saw Republicans and Democrats in the House and Senate vow that 2001 would be the year an online privacy law was passed. Politicians have begun working on multiple bills, and predictably, Internet companies are voicing caution while privacy advocates are urging speed.

Blueprint for privacy
The debate over Internet privacy is a broad one, but it can be boiled down to four central tenets:

• Notice. There is general agreement that Web sites should inform visitors in a clear way how their information will be used, and an increasing number of sites are posting such privacy policies.

• Choice. This is where the opt-in vs. opt-out debate is raging, whether the choice to have personal information accessible falls first with the Web site or with the consumer.

• Access. This is a concern of privacy advocates, who fear that Web sites will permit access to information contained in their sites only if visitors surrender their privacy rights.

• Pre-emption. This is desired mostly by the Internet industry, which argues that if federal legislation must happen, it should at least pre-empt action by states to prevent multiple privacy standards from being in effect.

One wedge in the debate is whether Web sites should have the onus of securing "opt in" permission before using any data gathered about an individual, or whether consumers should be required to take steps to "opt out."

"My gut reaction is that (opt in vs. opt out) could be something that stops the bill," said Vince Sampson, vice president of the Association for Competitive Technology (ACT), an education and advocacy group. "I can't see a bill that's half opt in and half opt out."

By all accounts, the stakes in this debate are huge. Web surfers resent having to divulge personal information when visiting sites and wonder what is done with the information. Spam, or unsolicited e-mail, is a growing problem, and it often finds a particular consumer's in-box is because that person surfed a particular site or entered an e-mail address there. Yet at a time when many dot-coms are being liquidated on Bid4Assets.com, any revenue a Web site can generate from consumer information is going to be closely guarded.

"We must ensure that any initiatives have the least regulatory effect on the growth of e-commerce and on commercial free speech rights protected by the Constitution," said Sen. Orrin Hatch, R-Utah, chairman of the Senate Judiciary Committee. At the same time, legislators must ensure that "consumers are confident that personally identifiable information, which they submit electronically, are afforded adequate levels of privacy protection."

Hatch vowed that a well-balanced privacy bill will be formed in his committee.

All major congressional heavyweights in telecommunications have vowed to either author or aggressively support privacy legislation this year, including Senate Commerce Committee Chairman John McCain, R-Ariz., and his top Democratic colleague, Ernest Hollings of South Carolina, as well as Communications subcommittee Chairman Conrad Burns, R-Mont.

But the balance Hatch seeks isn't always found among individual legislators. McCain and Burns, for example, favor the opt-out approach, in which a Web surfer must click a clearly identifiable button telling the Web owner not to use personal information. Hollings, in contrast, backs opt in, in which a site can only use a surfer's information if that person expressly gives the site owner permission, a method that leads to greater privacy but less commercially useful data for Web sites.

"I do see a schism" between the two camps, ACT's Sampson said. "I just don't see a major privacy bill passing...Congress will likely punt."

Pressure for privacy legislation began building last summer when a Federal Trade Commission report stated that despite a rapid rise in the number of Web sites adopting a privacy policy, a stubborn minority were not cooperating with the industry's self-regulation.

Despite such consumer concerns, some legislators are worried that opt-in privacy regulations will chill online business.

Rep. James Moran of Virginia, head of the House New Democrats, said that an opt-in approach would "arrest private-sector development."

"There are a lot of advantages for having the kinds of synergy of information that you don't have if you take (the opt-in) approach," he said.

Republican Sen. George Allen, who made a name for himself as governor of Virginia partly by helping develop the technology corridor near Dulles Airport that features AOL Time Warner, said Internet businesses' input must be considered in any legislation.

"Do we want to have the private sector come up with a solution or have the government impose a regulatory regime?" he asked, suggesting he favored the former.

Web sites hold their breath
Business advocates say they support efforts to protect consumers, but they insist that can be done without requiring opt-in measures.

"We're not allergic to legislation," said Rhett Dawson, president of the Information Technology Industry Council (ITI), which has favored self-regulation. Rather, he said, the industry is concerned that Congress is shifting from protecting specific types of information such as medical and financial records to a more comprehensive approach.

"Congress should be deliberative," he said. "Regulatory missteps could cause damage to the market."

Dawson and others conceded that concerns about privacy may be suppressing e-commerce, as Hatch and others have argued. But the issue is more complicated, said Christopher Caine, IBM's vice president for government relations.

Options, options
The fundamental divide on Internet privacy legislation is the level of control consumers should have over their information online. Legislators and lobbyists fall into two camps:

• Opt out. A Web site would be required to tell a visitor that personal information might be retained for internal purposes or even distributed to third parties. That visitor would have the right to opt out and prevent the information from being used. This is the solution backed by most Republicans and some Democrats, as well as by most of the online industry.

• Opt in. In this scenario, the only way a Web site could retain or distribute information on a visitor is if that person explicitly gave the site permission. The most prominent promoter of this approach on Capitol Hill is Sen. Ernest Hollings, D-S.C., and it also is backed by most consumer groups.

Although there are still many people resisting the Web, Caine said, "Only a part of that is attributable to privacy." Given the way online privacy is intertwined with other issues such as Web site security and spam, Caine said, "I don't think any legislation can solve all that."

Dawson was also skeptical. "I don't think government can keep pace with technology," he said.

Such doubts have set off a debate over the degree of privacy businesses should be forced to offer, sending cracks through the thin veneer of bipartisan support for online privacy rules.

Taking a hard line are consumer advocates, who have created a new group to press for strong safeguards against data-collection practices that have not been consented to. The Privacy Coalition--which includes the American Civil Liberties Union, Consumers Union, Electronic Privacy Information Center and others--asked state and federal legislators Feb. 12 to sign a pledge committing to support privacy legislation "in the Information Age."

The coalition advocates legislation that promotes privacy-related technologies and mandates notice and consent by Web sites. To Moran of the House New Democrats, that seems to require Web surfers to opt in, which would "freeze in time existing technology" on the Internet and stifle innovation.

Opt-in legislation would "radically and dramatically change the Internet experience," said Robert Holleyman, chief executive of the Business Software Alliance. He said the Internet "by and large is a free experience" because of the marketing power of information, and restricting it with opt-in legislation would "run the risk of jeopardizing the current underpinnings of the Internet."

Holleyman and ITI's Dawson say they feel regulation isn't necessary, but they will examine any legislation to see if it is comprehensive, gives the government more power, or places heavy burdens on the Web operator.

"We want to empower individuals to buy products they want when they want at a reasonable price," Dawson said.

States apply pressure
Even those who would rather not see legislation acknowledge there may be no choice, however.

"We need to understand that states may act" with their own legislation, Virginia's Allen said, which could be even worse for Web site operators. In fact, privacy is already slated as one of the top priorities for the Florida state legislature, which goes into session March 6, adding time pressure to Congress.

"You can't have 50 different standards for Internet privacy," said Rep. Jerry Weller, R-Ill.

Already this year, 19 bills have been introduced in Congress on privacy, although the members who will be most active in pushing such legislation have yet to produce bills. There's disagreement on what those bills should look like, but privacy still draws broad interest.

"It's not a Democratic or Republican issue," said Rep. Ed Markey, D-Mass., the highest-ranking member of the House Commerce Telecommunications subcommittee. "It's not a liberal or conservative issue."