We will pay for all this privacy

By Paul McNamara
Network World, 04/29/02

The Internet Privacy Fife and Drum Corps has been making quite a racket recently. Witness:

Freshly filed legislation from Sen. Fritz Hollings (D-S.C.) that would force e-commerce sites to divvy up personal information into "sensitive" and "non-sensitive" piles and apply a different set of privacy standards to each. It also would make easier that favorite of American pastimes: litigation.

The World Wide Web Consortium's blessing of the Platform for Privacy Preferences (P3P), which if it works as advocates envision - a big if - will give 'Net users notice of what they can expect in terms of privacy protection from whatever site they stumble onto.

The Federal Trade Commission's $35,000 fine against an Ohio company for violating new regulations that prohibit Web sites from obtaining the personal information of children without first getting parental consent. (The company that was fined makes the world-famous Etch-a-Sketch, which doesn't immediately strike me as the type of online threat parents might worry about.)

Buzz has never marched to the same beat as those who seemingly lie awake nights fretting that some e-commerce outfit will peddle their e-mail address or shopping history. Sure, in the abstract, I'd rather that not happen and believe that Web merchants should adopt, publicize and respect meaningful privacy policies. Most reputable businesses already do this.

But the prospect of all these privacy "fixes" - especially the political ones - creating more problems than benefits seems all too real to me.

Same goes for Jim Harvey, an attorney with the Atlanta law firm of Alston & Bird, who specializes in advising large corporations on how to handle the expanding potpourri of privacy laws and regulations. Harvey has an obvious bias here, given the nature of his clients. But he's also right about the burdens these efforts are going to place on Web merchants.

Take the Hollings bill, for example.

"I think there's good and bad in the bill; the best part being that it would preempt inconsistent state laws, which will help businesses immensely," Harvey says.

"However, one of the things that is going to give the business world great concern is the fact that it only covers online businesses, and therefore could legitimately be said to disadvantage online businesses," he adds. "It also establishes a private right of action, which [may] provide more class-action fodder."

In other words, if this bill becomes law, watch for a spate of frivolous lawsuits over the "misuse" of personal information.

"It will be very difficult to pass something related only to online privacy," Harvey predicts. "And it will be very difficult to pass something that doesn't impose a lot of costs on businesses and therefore consumers."

The preoccupation with online privacy - as differentiated from security and identity fraud - has always seemed puzzling given the apparent lack of a similarly heightened concern relative to the offline world. For example, most consumers - including this one - seem perfectly willing to part with a good deal of personal information in exchange for a good deal from, say, the local grocery store. And yet those folks operate right around the corner from where we live.

As for the expenses businesses can expect to incur, Harvey cites the case of one client who coughed up $2 million - just for postage - in an effort to comply with the federal Gramm-Leach-Bliley Act that defines privacy standards for the financial industry.

No one would suggest that online banking shouldn't be regulated, just that all these measures stand to benefit from sober cost-benefit analysis, which unfortunately is something the political process does not generally handle well.

And all this comes before we even consider the mishmash of privacy initiatives from foreign governments, which, as Harvey notes, often require different approaches that are inherently irreconcilable.

Don't keep your thoughts private. The address is buzz@nww.com.