Net privacy plans scrutinized

WASHINGTON--Leading online industry proposals to safeguard privacy were slammed by experts today for lacking strict enforcement mechanisms and consumer recourse.

On the final day of the Commerce Department's summit to evaluate industry policies regarding the collection of personal data, privacy experts critiqued voluntary programs of the Online Privacy Alliance, Truste, the Better Business Bureau's BBBOnline, and the Individual Reference Services Group.

Policies of online banks, stock trading sites, and children's content providers such as America Online and Disney also were examined.

The industry and government are struggling to find a balance in the new medium, which has players on all sides jockeying for different interests. On one hand, retailers and Web sites want to take advantage of the Net's capabilities to deliver targeted and customized services, features that form the cornerstone of the exploding portal market.

On the other hand, consumer advocates want clear rules for the collection of private data, and want to protect the right to remain completely anonymous while online instead of forcing surfers into an environment where they have to barter personal details for goods and services.

Today consumer advocates evaluated prominent industry policies based on the Commerce Department's elements for protecting online privacy, which state that Web sites must disclose how personally identifiable data is collected, used, and protected. The agency said such policies must let consumers decide to what extent they wish to share information such as their name, email and postal addresses, phone number, gender, age, buying habits--or more sensitive details such as a Social Security number.

The policies reviewed today--which undoubtedly represent the best of the crop--fell short of the bar set by the Commerce Department in some critical areas, the panel of privacy advocates concluded.

Today's analysis will likely weigh heavily in Commerce Secretary William Daley's report on the success of self-regulatory efforts to protect consumer online privacy, which is due to President Clinton by July 1.

A year ago, the White House endorsed voluntary rules to shield privacy--and to regulate e-commerce in general--but asked Commerce to monitor industry progress. The administration is a cheerleader for e-commerce, which is expected to really boom when privacy concerns are eliminated.

The 50-member Online Privacy Alliance was given the highest grade for its principles, which were just announced Monday. Led by former Federal Trade Commissioner Christine Varney, alliance members are expected to post privacy policies prominently; let consumers choose how their information may be used (including a choice to opt out); take measures to prevent the misuse of personal information when given to third parties; and refrain from gathering data from preteens without parental permission. The policy excludes public records.

But the alliance will not unveil its enforcement mechanism until September, a decision that drew criticism from Secretary Daley, whose deadline is next week. As of now, observers say it looks like the BBB Online could become the enforcement arm of the companies in the alliance.

"As a set of industry guidelines it's a good start," said panelist Marc Rotenberg, executive director of the Electronic Privacy Information Center, who gave the alliance's principles an "A," but said they would be hard to carry out. "They come up short with no means of enforcement or consumer redress [if the policy is violated]."

Bob Gellman, a privacy consultant, used a scale of 1 to 8 to grade fair information collection practices. He gave the alliance a 4.75. "There have to be limits on what can be done with data," he said. "There has to be a simple statement without a lot of loopholes."

When asked if the alliance would endorse legislation to make its principles law and ensure legal recourse for consumers, Varney wouldn't bite.

"I think that there is a real understanding in industry that e-commerce is not going to get where they want it to go unless there is consumer confidence in the medium," she said. "There are many members of the privacy alliance that, if they truly believed Congress could come up with a clean, simple rule that provided a safe harbor, they may feel that would have a leveling effect on the playing field. I don't think anyone believes that is possible."

When Varney was at the FTC she was bullish about deterring the online collection of children's information. Then in February, she declared that self-regulation wasn't working when it came to privacy. Now she is working with companies such as AOL, IBM, Hewlett-Packard, and members of the Direct Marketing Association to come up with privacy protections that are bullet-proof enough to stave off regulation.

The FTC had been closely examining online privacy for more than two years before it dealt a blow to industry earlier this month when it reported that of 1,400 sites surveyed by the agency in March, only 14 percent informed visitors of their information-collection practices. Fewer than 10 percent of children's sites gave parents control over the harnessing and use of their child's data.

This prompted the FTC to call for legislation mandating that Web sites and database companies get parental permission before collecting personal information from children under 12.

Commerce's guidelines hinge on enforcement of self-regulatory policies. The agency calls on companies to give consumers access to any information a company has about them, and asserts that companies should be held accountable when a privacy policy is violated. Significantly, the agency said sanctions should be "stiff enough to be meaningful and swift enough to assure consumers that their concerns are addressed in a timely fashion."

Truste is one program that promises to investigate consumer complaints. The nonprofit licenses "trustmarks" that 15 of the 20 most-visited sites on the Net use to flag their privacy policies. The program conducts audits to ensure that sites live up to their promises.

Confirmed violations could lead to a site getting its trustmark revoked or getting referred to a regulatory agency such as the FTC, which could investigate it for unfair or deceptive business practices.

But the review team said Truste's dispute resolution mechanism and baseline requirements were weak. "I don't see a clear remedy for consumers," Gellman said today. "I don't hear standards for data collection."

Truste did announce today that it would require members to let consumers opt-out of data collection and control whether their private information is shared with others. Last summer at the FTC's privacy hearings, Truste was criticized for omitting this mandate.

Echoing the FTC's report and the Online Privacy Alliance, the group also said today that sites must get parental permission before collecting personal contact information from children under age 13.

Until now, Truste hoped consumer pressure would force sites to let them opt out. "We are now saying that consumers should have control over their personal information, and still be able to do business with the site," said Susan Scott, executive director of Truste.

The BBBOnline also promises to monitor sites that carry its seal, and to require that companies appoint a staff member to implement the alliance's privacy principles. The system will be up and running by the end of the year, but the privacy polices only will apply to online companies that sign up--not all of its members around the nation--which was a sticking point for panelists.

Still, Truste's evolution, along with the emergence of the alliance and similar groups--such as a coalition of 11,000 companies that announced privacy guidelines the night before the FTC's scathing report--signal that the industry is picking up the pace to implement privacy controls.

Despite the progress, however, at least one industry effort examined today highlighted a huge disincentive toward disclosing all digital information exchange practices: money.

The Individual Reference Services Group (IRSG) represents 14 database companies that build profiles on people based on public records and other means to help identify, verify, or locate individuals. Lexis-Nexis is a member, as are credit reporting firms such as Equifax and Trans Union.

These companies profit by aggregating data about consumers from outside sources, but since last summer, they have adopted privacy principles that state they will not gather marketing information, such as people's magazine subscription information. Members also say they will give consumers some access to profile information compiled from nonpublic records.

Although the policy has only come into play since December, Beth Givens of the Privacy Rights Clearinghouse said it was too limited in scope.

"Lexis-Nexis has 18,000 databases, only two are included under IRSG's policy," she argued.

To balance the consumers' right to control the privacy of their information, Rotenberg suggested that every time IRSG members send a person's credit report or profile to a third party, they send a copy to the consumer as well.

Piper & Marbury attorney Ron Plesser, who pulled the group together, said such a system would, for example, tip off parents who have failed to pay child support and other people who want to hide their locations from investigators or lawyers.

The ultimate reason came back around to profits, though. "That would be tremendously costly," Plesser said.