- Notice means website operators must explicitly notify consumers about personal information being gathered and how that information is used.
- Choice means consumers can opt-out of information collection.
- Access means consumers can see the information gathered about them and correct errors.
- Integrity means website operators must ensure that consumer information is protected from unauthorised use.
Despite uncertainty in the outcome of the 2000 presidential election, privacy advocates expect the next US Congress to pass a law providing basic protections for consumer privacy online.
A general-purpose online privacy law would affect all websites run by US companies and nonprofit organisations, and it could require significant investments in network security, database management and auditing systems, experts say.
"Whether Bush or Gore is elected makes very little difference on this issue," says Christine Varney, a former commissioner of the US Federal Trade Commission and a partner at Hogan & Hartson. "We have a two-year Congress that is very committed to getting itself re-elected... Privacy legislation will happen."
"Privacy is high on the list of bipartisan bills with support in both houses," agrees Jerry Berman, executive director of the Center for Democracy and Technology. "There is a chance to do something that is both bipartisan and balanced."
Berman and Varney made their remarks at a conference on privacy and business held this week.
Privacy advocates expect the 107th Congress to pass an online privacy law that includes such principles as notice, choice, access and integrity.
An online privacy law also would include enforcement mechanisms, such as fines. The FTC wants to be the government agency that enforces a general-purpose online privacy law, as it does an existing law governing websites for children.
"The internet will not evolve to its full potential unless privacy is protected," FTC chairman Robert Pitofsky says. Pitofsky says that 97% of US websites collect personally identifiable information from consumers, but only 20% of those websites provide notice, choice, access and integrity.
"We can't rely entirely on the free market and self regulation," he asserts.
Privacy advocates want a federal online privacy law to include a preemption clause to ensure that it overrides related state laws. They also want to prevent class action lawsuits from being filed against website operators for privacy violations. However, these two demands are controversial and may not gain bipartisan support in Congress, experts say.
Berman warns privacy advocates not to kill a good online privacy bill because it isn't perfect. At a minimum, he says, a federal law should require notice and choice.
"There is opportunity for moderation and for deadlock," Berman says. "Deadlock is a disaster because the states are ready to roll, and then companies will have to deal with a crazy patchwork of privacy laws."
Even a moderate online privacy law will have major ramifications for corporate IT departments, says Steven Lucas, chief information officer and senior vice president of Persona, which sells a privacy-enabled permission marketing system.
"The IT departments of companies that plan to collect information about consumers are going to have to protect that information," Lucas says, pointing to investments in firewalls, network sniffers and encryption software. "They need to be very focused on security."
Lucas says IT departments also must provide:
- Database management systems that can be purged easily and regularly to accommodate consumers who want to opt out of information gathering.
- Authentication systems to ensure that people requesting access to information gathered about them are entitled to that information.
- Either online database access or an e-mail system that allows authenticated people to view the information gathered about them and make changes to it.
- Auditing systems that track access to consumer information and the changes made to it.
Lucas recommends that website operators take an opt-in approach to the information they gather about consumers. An opt-in approach means consumers go through a registration process to approve the specific information the company can gather about them and how that information can be used.
"We see a dramatic increase in the amount of information gathered by opt-in systems, and a dramatic decrease in the cost of gathering that information," Lucas says.
Harriet Pearson, the just-named chief privacy officer of IBM, warns that companies involved in the collection and management of consumer data on their websites need to focus on privacy regardless of whether Congress passes an online privacy law.
"This is not a choice between regulation and self regulation," Pearson says. "This is about business being responsible and doing the right thing."