Should a Web Site's Privacy Policy be Set by Law?

WASHINGTON, D.C. -- Respecting customers' privacy doesn't have to be the law, it's simply good business, some dot-com executives say. But a Congressional subcommittee is concerned about the less-conscientious companies.

Representatives of online companies and brick-and-mortar businesses with online operations urged a House subcommittee on Thursday to avoid restrictive privacy legislation. It was the sixth hearing on the issue by the House Committee on Energy and Commerce's Subcommittee on Commerce, Trade, and Consumer Protection. But some lawmakers are leaning toward information privacy legislation.

"The privacy of personal information is important to our customers and, thus, is important to us," says Paul Misener, vice president of global public policy with Amazon.com. "I don't think legislation is necessary. These [privacy measures] are things we need to do to hold onto our customers."

Yet, because not every company practices good customer service, Congress cannot assume all consumers will be protected through industry standards, says Representative Jane Harman (D-California).

"These are the good guys," Harman says of the tech leaders who addressed the subcommittee. "And I congratulate you for being sensitive to privacy concerns. But what about the bad guys?"

She offers as an example the privacy policy of Katrillion.com, an entertainment Web site for teenagers. Its policy says if viewers do not agree to all of its terms, they should not access the site. It adds that the terms of the policy can change at any time without notice, and by accessing the site visitors are agreeing to those changes.

"Basically that says they can do whatever they want," Harman says. "What do you say about this?"

Education--particularly of young Web users--is the key to greater privacy protection, suggest the tech leaders. Participants on the panel included representatives from IBM, Amazon.com, Procter & Gamble, General Motors, and Lands' End.

"We're very concerned about that," says Harriet Pearson, chief privacy officer at IBM. "It's critical that we educate our children to look for privacy indicators or seals." Companies that violate their own privacy policies should be prosecuted, she adds.

If legislation is inevitable, what should it cover? inquires Representative Cliff Sterns (R-Florida), who chairs the subcommittee.

Amazon.com's Misener says federal legislation on information privacy should preempt inconsistent state laws, bar privacy rights of action (to prevent litigation), and apply equally to online and offline activities. IBM's Pearson suggests any privacy-related products specified by legislation would be technology neutral.

Representative W.J. "Billy" Tauzin (R-Louisiana), chair of the House Committee on Energy and Commerce, warns his colleagues to avoid trying to legislate would-be scenarios.

"We ought to avoid [coming up with] a solution that is simply looking for a problem," he says. "It's easy to imagine how data might be used."