Washington state attorney general Christine Gregoire in January proposed legislation giving consumers the right to opt out of the use of their personal information, requiring their "explicit and written consent before sensitive, financial information like account numbers and access codes" can be shared or sold; giving victims of identity theft--when someone steals your personal data and pretends to be you--greater protections; and establishing consumer protection penalties that allowed victims of privacy slips to "pursue and recover actual damages."

The effort failed. "Washington state expected smooth sailing for the privacy package," says Smith. "But it was shot down by strong lobbying behind closed doors."

Meanwhile, the IT industry is pushing for its own solutions in an effort to avoid legislation. Groups such as the Online Privacy Alliance and the Network Advertising Initiative are meeting privately with the FTC to come up with alternatives. The Internet Advertising Bureau issued a set of online data privacy guidelines for its 300 member companies. And seven U.S. companies with online interests--America Online, AT&T, Dell Computer, IBM, Microsoft, Network Solutions, and Time Warner--in June formed the Electronic Commerce and Consumer Protection Group, with a site (www.ecommercegroup.org) that lists voluntary guidelines for the protection of E-shoppers that include privacy as well as security concerns.

"Congress is hesitant to regulate the Internet because dynamic growth and innovation are inherently at odds with the heavy hand of government, and you can't hire enough policemen to police the Internet," says Daniel Jaye, co-founder and chief technology officer of Engage Inc., an online marketing company. "It's not clear how legislation will stop a site based in the Cayman Islands."

Congress already has passed bills dealing with the most egregious examples of misuse of personal information. The Gramm-Leach-Bliley Act, signed into law in November, bars financial institutions from disclosing customer account numbers or access codes to third parties for telemarketing or other direct-marketing purposes, and lets consumers opt out of sharing personal financial information. The Medical Financial Privacy Protection Act shields medical data, and the Children's Online Privacy Protection Act provides safeguards for minors.

Still, more bills keep coming up on the Hill. Last month, Rep. James Leach, R-Iowa, chairman of the House Banking and Financial Services Committee, introduced a bill requiring that consumers give permission before their financial institution can use medical information to decide whether to issue them credit; Senate Bill 809 requires the FTC to issue and enforce regulations for the use of online personal data, and authorizes the states to prosecute; House Bill 3321 offers an electronic bill of rights.

Sen. Kerry says introducing a bill now will lay the groundwork for next year. "This year, I'm trying to send a strong message to the industry and to those pushing for a heavy-handed approach to privacy legislation," he says. "I hope my bill will create an incentive for those on both sides to come together without slowing the growth of the Internet."

There's still a chance the industry will come up with a technical solution to the privacy problem. Last month the World Wide Web Consortium, the group responsible for guiding development of Internet standards such as the Extensible Markup Language, conducted the first public tests of its Platform for Privacy Preferences Project, known as P3P. It will let computer users set privacy preferences in their browsers; the technology will then check each Web-site user's visit to determine whether the site matches the user's preferences. More than 10 organizations participated in the P3P tests, including Engage, IBM, and Microsoft. P3P has some influential supporters: The White House issued a press release supporting the technology; Excite@Home's Kelly says he supports P3P, too.

But not everyone is a big fan, mainly because P3P will share information from a Web server with a browser that "reads" the privacy policy. Detractors say the standard is too server-centric, not allowing a mechanism for users to determine if a site is actually complying with its stated policy.

The P3P effort--and President Clinton's backing--seems to indicate that any bill that might make it through Congress will fail at the White House. "It's a signal that Clinton supports the self-regulatory approach," Fowler says.

But don't forget: It's an election year.

return to page 1, 2