Do privacy policies really protect you?

In countries (such as the United States) that lack specific Internet privacy legislation, do privacy policies actually work to protect Web users? This issue has suddenly gained new urgency because of two recent developments:

• The Michigan attorney general has formally notified several U.S. Web sites that the state may file lawsuits against them. The state wants the sites' privacy policies to be rewritten to describe how visitors' information is shared with the advertising services of AdForce, DoubleClick, MatchLogic and Netscape Communications.

• The World Wide Web Consortium (W3C) published on June 21 a standard called the Platform for Privacy Preferences (P3P). But privacy organizations such as Junkbusters and the Electronic Privacy Information Center (EPIC) say P3P will tend to encourage weaker, not stronger, privacy practices.

One thing's certain: Michigan Attorney General Jennifer Granholm got the attention of Web entrepreneurs when she threatened to sue.

One of the four Web sites that was notified--Procrit.com, a pharmaceutical site operated by a subsidiary of Johnson & Johnson--quickly changed its privacy policy to meet the state's concerns. Procrit.com promises that it will tell visitors how information they provide will be used.

John McKeegan, a Johnson & Johnson spokesman, said the state is "holding off on the suit" as a result of the site's changes.

Michigan Assistant Attorney General Tracy Sonneborn said the state's warning to sites was "the first state action regarding insufficient privacy policies we're aware of in the U.S." But it probably won't be the last.

Sonneborn said Web sites that serve people in Michigan are required to obey existing Michigan consumer notification laws. These laws appear to cover almost all Web sites, no matter where they are headquartered. The four sites the state initially notified are spread from Florida to Iowa.

"A Web site could say you have no privacy," Sonneborn said, "but the fact that a third party is collecting information from you is something that consumers cannot reasonably discover. It is also an important fact, especially if that third party is in the business of tracking users on the Internet."

Automatically detecting the privacy policies at various Web sites is the goal of the P3P guidelines for future Web browsers.

The W3C, which sponsored development of the standard, said in a statement that "users need not read the privacy policies at every site they visit" if their browser supports P3P. Updated Web browsers planned by Microsoft and other software makers could read policies from P3P-compliant Web sites for those users who configure the software properly.

But Jason Catlett, president of Junkbusters, said, "P3P is not a privacy standard in the sense of requiring a minimum level of privacy protection."

Catlett pointed out that, unlike the United States, the 12-nation European Union has adopted a consistent level of regulations that firmly protect individual privacy. The EU formally stated in 1998 that the P3P proposal would set "lower common standards" than existing international agreements require.

Karen Coyle, the author of "Coyle's Guide to the Information Highway" (published in 1997 by the American Library Association), said P3P will tempt Web sites to collect more information than they do today.

"All the sites are under the same pressure to collect as much customer information as possible to deliver to their advertisers," Coyle said.

Personal information supplied to a single Web site is often shared to create a database. For a quick demonstration, visit Privacy.net.

P3P would do little to prevent this kind of sharing. To increase the number of Web surfers who feel comfortable shopping online, U.S. e-commerce sites may find that strong privacy laws would build more confidence than P3P ever will.

Do you know of a problem affecting consumers? Send info to tips@BrianLivingston.com. He'll send you a book of high-tech secrets free if you're the first to submit a tip he prints.