
Commerce weighs in on Net privacy

In another push to keep the Net free of privacy regulation, the Commerce Department proposes voluntary guidelines for protecting consumers' information.

In another push to keep the Net free of privacy regulation, the Commerce Department today proposed voluntary guidelines for protecting consumers' sensitive information.

The move comes on the heels of the Federal Trade Commission's call last week for legislation to at least protect children's information.

The Commerce Department--along with the Office of Management and Budget--has released its "Elements of Effective Self-Regulation for the Protection of Privacy" discussion paper. The department is accepting public comment on the principles until July 5; comments can be emailed to privacy@ntia.doc.gov.

In line with its hands-off approach to the Net, the White House called on the agencies to work with the private sector to develop the self-regulatory principles. The Clinton administration is concerned that people won't shop online if they are worried about the security of their personal information.

Later this month, Commerce will hold a two-day meeting to examine the online industry's current practices for collecting sensitive identification, medical, and financial data from surfers. Commerce also is seeking feedback on the larger issue of relying on industry to safeguard people's privacy.

In a survey of 1,400 sites in March, the FTC reported that just 14 percent informed visitors of their information-collection practices. Only 28 sites posted a "comprehensive" privacy statement. With children's sites the results were worse, the agency said.

As a result, the FTC recommended that Congress pass a new law requiring Web sites and database companies to get parental permission before collecting personal information from children under 12.

The FTC had been reluctant to call for online privacy laws until last week. Industry still is hoping to avoid regulation--and Commerce is trying to help.

The Commerce guidelines echo privacy principles released by high-tech trade groups representing 11,000 companies the day before the FTC came out with its scathing report.

"To be meaningful, self-regulation must do more than articulate broad policies or guidelines," the Commerce paper states.

"Effective self-regulation involves substantive rules, as well as the means to ensure that consumers know the rules, that companies comply with them, and that consumers have appropriate recourse when injuries result from noncompliance," it continues. "This paper discusses the elements of effective self-regulatory regimes--one that incorporates principles of fair information practices with enforcement mechanisms that assure compliance with those practices."

Commerce's elements for protecting online privacy are as follows:

  • Privacy policies: Web sites must disclose how data is collected, used, and protected. Policies should let consumers decide to what extent they wish to share their information.

  • Notification: Policies should be clear, displayed prominently, and made available before Net surfers are asked to provide personal information.

  • Consumer education: Companies and trade associations should help educate consumers to ask why information is being collected, what it will be used for, and how it will be protected.

  • Choice and access: Consumers should be given choices about how their personal information is used by businesses or third parties. When it comes to medical records, companies should not use the data unless they have explicit consent. Data must not be collected from children without parental permission. Consumers should have reasonable access to their information so they can correct or amend it.

  • Data integrity: Only relevant data should be stored for the purposes for which it has been gathered, and it should be accurate, complete, and current.

  • Accountability: Companies should be held accountable when a privacy policy is violated.

The Commerce paper goes on to say that self-regulatory policies should ensure compliance. "They may take a variety of forms and businesses may need to use more than one depending upon the nature of the enterprise and the kind and sensitivity of information the company collects and uses," the paper states.

The agency said consumers should have an avenue to complain and a mechanism to resolve disputes. Auditing companies for compliance, such as through the system by TRUSTe, also is suggested. And if companies fail to meet guidelines, there should be consequences.

"Examples of such consequences include cancellation of the right to use a certifying seal or logo, posting the name of the noncomplier on a 'bad-actor' list, or disqualification from membership in an industry trade association," the paper states.

Commerce also pointed to the FTC as the regulatory body to crack down on Web sites that fail to comply with its set policies. "Noncompliers could be required to pay the costs of determining their non-compliance," it continues. "Ultimately, sanctions should be stiff enough to be meaningful and swift enough to assure consumers that their concerns are addressed in a timely fashion."