E-Commerce Sites Wary of Proposed Privacy Law

WASHINGTON, D.C. -- Senator Ernest "Fritz" Hollings defended the need to regulate e-commerce with his online personal-privacy bill before a Senate committee on Thursday, but industry experts argued that the legislation does little to protect online consumers.

The bill, introduced last week and backed by ten co-sponsors, distinguishes between "sensitive" and "nonsensitive" data and sets specific standards for each type. Companies' collection and sharing of sensitive information--such as financial and health data, religious and political affiliation, and sexual orientation--would require the consent of the consumer first. Nonsensitive information means just about everything else; consumers would get the option to "opt out" of having that data disclosed.

Senate Bill 2201 also would override individual states' Internet privacy laws. Hollings (D-South Carolina) urged consistency across states in e-commerce policies as a way to allay privacy concerns and promote online transactions. He maintained that if people are confident their private information will not be exploited, the e-commerce market will take off because more people will shop and conduct transactions online.

Many members of the tech community, as well as some members of the Commerce Committee, doubt Hollings' theory would pan out. While the bill is meant to protect consumers and enhance the online market, some argue that it would do just the opposite.

Asks Too Much?

The measure would actually thwart e-commerce development, said John Dugan, a representative of the Financial Services Coordinating Council. Financial institutions, in particular, already have comprehensive privacy regulation, Dugan argued. "It would be both unnecessary and costly to subject them to the new and conflicting restrictions included in [Hollings's bill]," he said.

In general, he argued, the bill is "far too restrictive." Heavy regulation by Congress is not the right approach when free-market forces as well as new technologies make for effective self-regulation, Dugan said.

Other skeptics include Paul Misener, vice president of global public policy for Amazon.com. While supportive of Hollings's commitment to the consumer, Misener objected to some of the bill's specific language. In particular, he opposed a section giving customers the right to pursue class-action litigation if security is breached, as well as the right to access and delete already-stored information.

The class-action litigation provision would force companies to make their privacy policies much more legalistic, Misener argued. The provision that provides for a "data deletion" option, he continued, would hinder Amazon's privacy protection and actually make identity theft easier to commit.

Proponents Want More

However, privacy proponents and consumer advocates heralded the measure as a way to address privacy concerns online.

Mark Rotenberg, executive director of the Electronic Privacy Information Center, called the bill timely and important. If anything, he added, it should provide even stronger privacy protections.

"The exception for disclosure to law enforcement agencies is too broad," Rotenberg said. It would be an easy way for public officials to access personal information by virtue of the bill's vague wording, he explained.

Frank Torres, legislative counsel for the Consumers Union, insisted that consumers should not have to worry whether their personal information is being shared among Web vendors.

"Businesses that choose to collect and share sensitive information should be held accountable for handling of that data," Torres said. "If wrongful disclosure of sensitive data occurs ... shouldn't a consumer be compensated for his or her loss?"

Senators Differ

Some of Hollings's Senate colleagues remain wary as well. Hollings, however, said he hopes to bring the bill to a vote before the Senate Committee on Commerce, Science, and Transportation in May.

Senator John McCain (R-Arizona), the committee's ranking member, took issue with its different treatment of information collected online versus offline. Companies that operate in both worlds often merge customer data into one file, but this bill would complicate such practice because it would require special treatment of the information culled from a consumer's Web site visit.

"What happens to that combined information if we attempt to legislate for the online world without considering its collection or use in the offline one?" McCain asked in his written statement. "As these two worlds merge, we must face the practical reality that restrictions intended for the online world may have unintended but significant impact on accepted business practices in the offline world."

Each of the five panelists agreed that consumer data collected online should not be treated differently than information collected offline.

Also, any privacy notices should be made significantly easier to read, suggested Senator Ron Wyden, (D-Oregon). "Privacy notices that are mailed today end up in the trash can," he said. Companies should take a cue from the food industry and design standard privacy notices similar to nutrition panels on food, which are easy to read and understand, Wyden said.

"I may disagree with the provisions of your bill, but I think it's safe to say that we all agree something should be done," said Senator Sam Brownback (R-Kansas) in a statement to the committee. "The devil, however, is in the details."

Cara Garretson of the IDG News Service contributed to this report.