Protecting Personal Data

0 Comments | Insight on the News, April 16, 2001 | by William Glanz

With consumers searching for safeguards to protect personal information, this may be the year Congress enacts significant privacy protections regulating the Internet.

A wave of bills to protect online privacy have been introduced in Congress as the number of identity-theft cases skyrockets and consumers continue to view the Internet as a Web of deceit. Six measures already have been referred to the House Energy and Commerce Committee. Several others have been referred to separate House and Senate panels (see "Private Ayes").

"There's a groundswell of pressure to pass legislation to protect Internet users' privacy," says Sen. John McCain, R-Ariz., chairman of the Senate Commerce, Science and Transportation Committee, which many believe will drive the debate about privacy laws in the 107th Congress. "This is all well-intentioned, and some legislation is needed, but we must be extremely cautious that any legislation passed correctly balances privacy rights against overzealous regulations that cripple the burgeoning Internet economy."

Technology companies and privacy advocates remain divided on the best solution for protecting personal data. Most corporations want to rely on self-regulatory policies, but the newly formed Privacy Coalition, comprising 30 groups, supports strict standards for protecting privacy on the Internet.

Consumers have little reason to believe Internet companies can continue to police themselves. The number of complaints to the Federal Trade Commission (FTC) about identity theft -- stealing another person's name, address, credit-card number or Social Security number to obtain credit cards, buy merchandise or borrow money -- has increased to 2,000 a week, the agency said, up from 1,700 a week in December 2000.

Much of that theft occurs online. "You might look at 2000 as the year self-regulation lost -- the year the private debate was lost," says Richard Delaney, a Washington-based independent technology-policy analyst and president of the Delaney Policy Group. "There is a whole set of examples of businesses using personal information in Ways that make consumers uneasy. So even if businesses could regulate themselves, I don't think it would be perceived as effective."

Toysmart.com assured customers that personal information never would be shared with a third party. But the company tried selling its database of customer information after going out of business in May. (In a settlement filed with the FTC, a subsidiary of Walt Disney Co., the majority owner of Toysmart.com, agreed to pay Toysmart $50,000 to destroy its records.) Internet-privacy activists argue that if information is sold, it will encourage a wave of other failing online companies to abandon privacy assurances and sell lists for much-needed cash.

Seattle-based N2H2 Inc. has acknowledged it gathers data on children as they surf the Web at 9,000 schools that use its filtering software. N2H2 sells the information it gathers to marketers and the Defense Department.

The Privacy Coalition supports the fair-information practices put forth last year by the FTC, but it hopes to focus debate on certain key issues, including opt-in and opt-out measures. Under opt-in, companies must ask permission from consumers before collecting and disclosing personal data. Under opt-out (the common approach to data collection that companies use), Websites can collect data without a consumer's permission. Privacy advocates also hope to persuade Congress to pass measures that:

* Require commercial Websites to notify consumers of what information is collected and how it will be used;

* Give consumers the option to choose whether information given to a Website is shared with third parties;

* Give consumers access to information a Website has collected about them so they can review it for accuracy; and

* Ensure that personal information given by consumers is stored securely.

The issue of "spam," or unsolicited commercial e-mail, also is up for debate. "I think most everyone believes there is a role for legislation," says Andrew Shen, policy analyst for the Electronic Privacy Information Center, a public-interest research group and one of the founders of the Privacy Coalition. "It's really not a question of whether we need an Internet-privacy law or not. It's a question of what kind of privacy law we need."

Rep. Cliff Stearns, R-Fla., chairman of the House Energy and Commerce subcommittee on Consumer Protection, which has jurisdiction over the FTC and online privacy, expects Congress to have an Internet-privacy bill by November.

Private Ayes

Internet privacy bills introduced this year in Congress include:

* The Spyware Control and Privacy Protection Act (S3180) would require companies installing software containing "spy-ware" to tell consumers what information will be collected and to whom it will be transmitted, and get the consumer's consent.

* The Electronic Privacy Protection Act (HR5571) would require notices on "spying" software and expand the protection to include physical devices attached to a computer.