Privacy may mean different things to different people, but at a certain level everybody wants their privacy protected.  The advent and growth of the Internet has greatly amplified privacy issues. 

As with every other subject that comes to the forefront of the American psyche, Congress is gearing up to offer legislation to “protect privacy.”  As usual, this means Congress could do more harm than good.

Rep. Rick Boucher (D-Va.) has a draft of a privacy bill with the following provisions:

• Everything is to be enforced by the Federal trade Commission (FTC).  All penalties for those who don’t comply with the Act are covered under the FTC Act.
• State attorneys general can bring civil actions against companies that do not comply with the act, but not individuals.
• Companies/websites cannot collect user information unless they have a privacy policy posted “clearly and conspicuously” on their websites detailing the kind of info they collect, how they use it, and how they store it. 
• Companies have to post changes to their privacy policy, unless the information was collected in person.
• People should always have the option to opt out, and opting out should be easy.
• Personalized ads on websites need to have links to a page where the ad company explains what information they have that prompted them to show you that ad. Also, individuals should be able to see their entire “preference profile,” or all of the information the company has about them, and be able to opt out of any or all of it.
• Sensitive personal information, like name, sexual orientation, religion, geographic location, is opt-in only.

Rep. Bobby Rush (D-Ill.)has a bill, H.R. 5777, known as the BEST PRACTICES Act, which is an acronym for Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act.  It has the following provisions:

• A company’s privacy policy must contain a hyperlink to or the toll-free number of the FTC’s consumer complaint form/consumer response center.
• General information is opt out, as long as companies make it easy to opt-out; the opt out would be permanent unless otherwise specified.
• Companies cannot monitor “all or substantially all” of someone’s Internet use unless they have the person’s express permission, or are only monitoring it to give the data back to the person.
• There is a large list of exceptions to the information collection policy, which include if the information is necessary to “protect or defend the rights or property” of the company against fraud, if the collection of information is necessary to protect the individual from imminent danger, and if the information is publically available.
• A detailed process for individuals to dispute the information that a company has collected about them.
• It would take precedence over all existing state laws concerning online information privacy.

Both bills sound harmless and look like a step forward in “protecting privacy,” but there are problems.  First, there will be a cost to taxpayers.  Surely there will be a cost to “monitor” activities.  A $13 trillion debt reminds taxpayers that nothing is free in DC.

Second, the bills attempt to solve a problem that does not exist, and they do so with an intrusive and overbearing regulatory scheme.  Jim Harper, director of information studies at the Cato Institute, has highlighted problems with Rep. Rush’s bill,calling its substance “concerning, to say the least.   The bill’s scope is massive: Just about every person or business that systematically collects information would be subject to a new federal regulatory regime governing information practices. By systematic, I mean: If you get a lot of emails or run a website that collects IP addresses (and they all do), you’re governed by the bill. There’s one exception to that: The bill specifically exempts the government. What chutzpah our government has to point the finger at us while its sprawling administrative data collection and surveillance infrastructure spiral out of control.”

Another problem is to determine the liability of a website if it links to another that doesn’t follow government issued privacy standards.  Where does the chain end?  This could severely stifle the amount of information sharing on the Internet.

A list of new rules of what someone can and cannot do is not an effective way of spurring innovation.  An over-regulated Internet is a boring, static Internet. 

Ultimately, the biggest and most fundamental problem with any legislation is that it may not even be needed because the private sector is already responding to the demands of consumers by offering enhanced privacy policies and user settings.

Google Privacy lawyer Peter Fleisher has acknowledged that “The internet is driving a need to think about these things globally,” but also recognized the difficulty in accomplishing this when he stated, “It can’t be done in a vacuum.”  Fleisher also noted that, in Germany, “there has been intensive political debate about Street View over recent months and it hasn’t even launched yet.  And yet, in neighboring countries like Denmark and the Netherlands there’s been no debate whatsoever…no controversy.”

The lack of a current global standard for privacy may be a blessing in disguise because every website has a different purpose and Internet service providers, content providers, and consumers benefit from that flexibility.

  -- David Williams