InformationWeek

Also in March, Internet media company Excite@Home appointed Chris Kelly as its chief privacy officer; Kelly had held that position at Kendara Inc., which Excite@Home acquired. Previously, Kelly was an attorney at the Palo Alto, Calif., law firm Wilson, Sonsini, Goodrich & Rosati, where he counseled numerous companies on privacy policies.

Such efforts may be too late to fend off federal action. In May, the FTC called on Congress to more rigorously protect consumers via laws that establish standard practices for collecting information online. The recent recommendation for legislation was the result of an FTC survey that found only 20% of all Web sites, and less than half of the 100 most-popular Web sites, use industry-accepted fair information practices such as letting users opt out of providing data on themselves or their Web surfing activities.

After the release of that survey, Sen. Ernest Hollings, D-S.C., led a group of senators in introducing the Consumer Privacy Protection Act, which requires online sites to obtain consumers' consent before collecting data and give them the choice to opt out of supplying information. Another bill is expected to be introduced this month by Sen. John Kerry, D-Mass., who argues that "consumers want an Internet that's free and that gives them more choices, rather than fewer." A compromise between self-regulation and strong government regulation, Kerry's bill will mandate "clear and conspicuous disclosure of Web sites' privacy policies." The bill will require Web sites to clearly disclose their privacy policies in plain language, including what information is collected, how it's used, whether it's sold to third parties, and how consumers can opt out of having the data collected and passed along.

A Forrester Research survey of 50 companies indicates that most use customer data for internal analysis and to send marketing E-mails (see chart, left). Less than 10% say they sell or share the data with third parties. And most companies oppose a government-imposed privacy policy, according to the Forrester survey (see chart, below).

Still, there seems to be a growing consensus that some form of legislation is necessary. "I used to be for very little government involvement, but over the past year and a half we've had enough consumer anxiety that government involvement is probably necessary," says the Privacy Council's Clayton. "But I don't mean heavy-handed involvement."

Santanu DasGupta, VP of business development at USAGreetings.com Inc., an online greeting-card company, says legislation will be necessary if more companies try to pull a Toysmart.com--promising not to sell data and then doing it anyway. USAGreetings.com collects E-mail addresses and names, but DasGupta says the company won't sell any customer data under any circumstances. "Toysmart.com was in liquidation, and so it felt that the customer information was an asset," he says. "But generally, I don't think companies will treat customer data that way. Instead, they'll use the information for enhancing their company."

Others are less optimistic. "There's no way in the world I'm going to trust marketers to take the moral high ground when it comes to storing and selling information about me," says Matt Curtin, founder of Interhack Corp., a small company in Columbus, Ohio, that provides products and services for security and privacy. Still, Excite@Home's Kelly worries that government regulation may go too far. "Anything that's going to be done has to be done very carefully, because the whole medium of the Internet is about data exchange," he says.

That gets to the heart of the dilemma. "It's called the Information Age for a reason, and it's because information is now used as a currency and a tool," Clayton says.

In general, privacy legislation focuses on three major issues: what information gets collected; whether to regulate the use of information by the sites to whom consumers give it or only if it's shared with third parties; and whether legislation involving online businesses should differ from that involving offline businesses, says Russ Gates, global director of technology risk consulting at Arthur Andersen. "My advice would be that regardless of the exact nature of legislation that ultimately occurs, you're going to have to give people the ability to opt in or out, and you're going to have to explain in English what you do with the data," Gates says.

Sen. Kerry's bill turns enforcement of the guidelines over to state attorneys general, requiring them to notify the FTC before prosecuting violators. It also sets up a private commission to study how well the industry is doing at regulating itself, gives the commission up to one year to report its findings to Congress, and declares a moratorium on state privacy legislation until then.

continued...page 3
return to page 1