Washington Confidential: Online Privacy and the Law
The expansion of the Internet has enlarged our economy's already voracious appetite for information, prompting the development of personalization technologies that enable businesses to gather richer detail about their customers' finances, location, interests and lives. The availability of this information has been a terrific catalyst of growth, particularly in the financial sector, where quality consumer data--and the ability to share it--has allowed institutions to reduce risk and develop a robust credit market to fuel the powerful U.S. economy.
Yet the collection and dissemination of personally identifiable information has fed a firestorm of fear among consumers wary of government or corporate entities who may share that information inappropriately. The media have headlined such sensational examples of abuse as that of two New York men who, in March, managed to gain access to the credit and bank accounts of several wealthy celebrities. Still more disturbing was the case of Amy Boyer, a 20-year-old New Hampshire woman fatally shot by a former classmate who tracked her down after obtaining her Social Security number from an online broker.
There are more subtle risks to consumers as well.
"Dynamic pricing is a potential issue," explains Andrew Shen, senior policy analyst with the Electronic Privacy Information Center (EPIC), a privacy research and advocacy group in Washington, D.C. "Here, technology allows different people to be offered different prices for the same product based on their profile."
Shen cites as an example the revelation last fall that Amazon.com was selling CDs at different prices to different customers, based on the detailed records the company maintains of its customers' buying habits.
While advocacy groups like EPIC have done much to heighten policymakers' appreciation of the issues at stake, the greater cognizance in Washington of the privacy problem has many legislators skirting the line that divides the interests of consumers from those of business.
"The policymakers see it two ways," says John McCarthy, group director of research at Forrester Research in Cambridge, Massachusetts. "They see it as a concern of people who are going to vote, and our research shows that people view this as something that Congress should protect. Secondly, they must consider whether [the threat of abuse] is potentially holding back the growth of e-commerce."
Greater freedom to collect and apply consumer information, one argument goes, will make the online purchasing experience more relevant to individual consumers, bolstering Internet sales. On the other hand, the abuse of that information--or the fear of it--may hinder the growth of e-commerce. Stronger regulation of data collection and use might strengthen consumer confidence and accelerate electronic commerce.
Laying Down Privacy Law
This uncertain dichotomy accounts for the fact that privacy laws passed by Congress to date have focused rather narrowly on specific types of consumer information: financial, medical and children's data. Three major pieces of legislation have been passed in the last decade to address these information categories: the Financial Services Modernization Act, the Health Insurance Portability and Accountability Act, and the Children's Online Privacy Protection Act.
The Children's Online Privacy Protection Act (COPPA), which Congress made law in 1998, applies to online services and commercial Web sites that target and collect personal information from children under 13. Intended to give parents greater control over their children's information online, COPPA requires sites to not only post clear and comprehensive privacy policies describing their information sharing practices, but to obtain verifiable parental consent before collecting information from children. In addition, the law allows parents access to collected information and lets them prevent its further use if they choose. Finally, the Act prohibits sites from making children's participation in an online activity conditional on that child's providing more information than is reasonably necessary to participate.
In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was enacted to reduce administrative costs within the healthcare industry, while setting national uniform standards for the electronic transmission of individual healthcare information. These standards aim not only at improving efficiency through standardized methods of exchange, but at protecting patient confidentiality by prohibiting the use or disclosure of health information by healthcare organizations except as the rules permit or the patient authorizes. HIPAA applies to individually identifiable health information regardless of form, whether electronic, paper or oral, and mandates full disclosure of the healthcare provider's information practices to patients.
In addition to these privacy-specific laws, the Federal Trade Commission Act (FTCA) gives the Federal Trade Commission authority to take action against companies engaged in deceptive or unfair business practices--an enforcement power the Commission has aggressively applied to privacy concerns.
The suits the FTC has brought to date have served to reinforce for companies the importance of establishing and adhering to privacy policies. A textbook example is the Commission's suit against Toysmart.com in July 2000. The failed online retailer of children's toys attempted, during a bankruptcy proceeding, to sell its customer database (containing personal customer information such as billing addresses, family profiles and names and birth dates of children) in violation of its own posted policy. The FTC charged the company with unfair and deceptive practices under the FTCA, successfully blocking the sale and eventually settling with the retailer.
The Commission also successfully invoked FTCA in the case of GeoCities, which allegedly shared personal customer data with marketers that it had promised in its posted privacy statement would remain confidential. Several online pharmacies were also sued last year by the FTC under FTCA for making privacy and confidentiality assurances to which they failed to adhere.
Although they are important blows struck for the consumer, these individual suits do not begin to solve the privacy problem, according to the FTC's Rosenfeld. "We can't do it alone by suing people," she says. "We need the industry to police itself, to develop standards that they can follow. Self-regulation has and will go a long way toward providing the appropriate protection for consumers. And the Commission has been very supportive of self-regulatory efforts."
Congestion in Congress
The FTC views continued efforts to promote industry self-regulation as one half of a two-tiered solution that includes new legislation. In 2000, after deferring judgement on the issue since 1998, the FTC voted 3-2 to recommend to Congress broader privacy legislation that would set baseline standards for commercial online sites.
Despite the public push for progress, Congress continues to ponder its options with respect to this broader privacy legislation. The challenge is, in part, where to begin--whether to attack the issue of online privacy first or to deal with other aspects of the issue as well. Internet industry lobbyists pressing their own agenda have contributed to the confusion.
"There was a lot of momentum coming out of the election behind privacy," notes Forrester Research's McCarthy. "It seems to have slowed down, partially because industry is gearing up for the fight, and they're taking what could be a very calculated risk of trying to deal with all privacy instead of just online privacy. It doesn't look like anything's going to happen until later next year or early 2002. Because if it drifts past the first quarter of next year without any significant action, given that it's an election year next year, I'm not sure that politicians are going to take up the charge."
Congress also confronts the difficult task of reconciling its own efforts with international laws affecting online privacy. The European Union Data Protection Directive of 1995 provides individuals in the 15 EU member states with broad protections that emphasize an "opt-in" as opposed to "opt-out" model, meaning that Web sites cannot collect or use personal information about those individuals unless they receive explicit permission. The directive prohibits the transfer of personal information from a member state to any country outside the EU unless that country's privacy protections are deemed adequate. This creates a significant technology hurdle for global U.S. businesses whose Web sites are constructed on the opt-out model.
"I am very concerned that U.S. companies, which have been the creators and leaders of e-commerce, will be forced to deal with such a restrictive concept," remarks House Commerce Committee Chair Billy Tauzin (R-LA).
The U.S. makes a tremendous amount of data available for public consumption, reflecting a vastly more liberal approach to privacy than that of European countries, which tend to view it as a basic right. The cost of compliance with the stricter European standards could be prohibitive to U.S.-based e-businesses.
"Companies hoping to provide a universal Internet portal may have to have two models," explains Bill Bradway, co-founder of Meridien Research, based in Newton, Massachusetts. "They'll have to direct the opt-out portal to the U.S. market. For markets like the EU, they'll have to have a separate opt-in portal that will be far more restrictive."
To ease this pressure on American institutions and businesses, the Department of Commerce during the Clinton Administration negotiated the "safe harbor" agreement with the European Commission, which allows some flexibility for U.S. companies interacting with European customers, so long as their privacy practices are deemed to provide adequate protection. Under this agreement, the FTC can bring an action against a company that signs up for safe harbor and then fails to operate according to its principles.
But critics of safe harbor note that those who have signed up for it--companies such as Hewlett-Packard and Dun & Bradstreet--make relatively little use of personal information. Moreover, only 60 percent of Web sites have posted privacy policies. And enforcement in Europe is lacking.
"We don't have a sweeping law the way Europeans do," notes the FTC's Rosenfeld. "But we vigorously enforce our laws. The Europeans have a less proactive approach to law enforcement than we do."
This fact should offer encouragement to members of Congress, such as Chairman Tauzin, who fear that the EU directive may become the de facto world standard for privacy. If Congress is able to agree on broad-based legislation of its own, the U.S. may find itself in a stronger negotiating position with respect to international standards. Indeed, the EU directive follows closely the fair information practices that the FTC has long endorsed and that several existing U.S. laws already embody.
"The EU Data Protection Directive is not completely foreign to the US," says EPIC's Shen. "The same principles have been applied [here] to credit reports, cable subscriber records, video rental records. So you're really talking about the same principles and the same system, just with different types of information."
The question remains whether--and when--Congress will bridge that gap.