WASHINGTON--Plans for industry self-regulation to protect online privacy came under heavy criticism from government and Internet groups at a national summit here today.
Commerce Secretary William Daley called a new coalition's plans to protect Net users' privacy "disappointing" because the group failed to outline how it will ensure that its 50 member companies remain in compliance.
The industry also got low marks from the Electronic Privacy Information Center, which has released a survey of Web sites owned by direct-marketing companies that found few of the firms abiding by their industry's 1997 self-regulatory privacy protection rules.
The Commerce Department's Internet summit, which lasts until tomorrow, is one of the industry's last chances to prove it can shield surfers' personal information before the department assesses private-sector efforts in a report to President Clinton on July 1.
The online industry has argued for more than two years that the private sector--not government--is best suited to establish policies for the online collection and use of personally identifiable information. But after a scathing Federal Trade Commission online privacy report earlier this month and independent studies, Daley said self-regulatory efforts to shield online privacy haven't made enough progress.
"Articulating principles isn't adequate," Daley said today at the summit. "There have to be meaningful consequences to companies that don't comply."
Referring to yesterday's launch of the Online Privacy Alliance, whose members promise to comply with privacy protection guidelines, Daley said he would like to see an enforcement mechanism proposed before September 15, when the coalition said it would have a plan in place.
"I want self-regulation to work," he added. "There are people who think industry has been dancing around, avoiding the real issues, buying time, and that government should step up to the plate."
Commerce's elements for effective self-regulation include disclosure about collection practices, giving people access to the information collected, and sanctions for not complying with a policy, and points to the FTC as a body to crack down on such sites.
"I sincerely hope industry steps up. But if it doesn't, we will have to consider all the options we have for protecting the American consumer," Daley declared.
Regulation vs. industry guidelines, or a combination of both to protect privacy, is just one issue being weighed at the summit. Also on the table is how to best protect children's privacy, with panelists drilling down through issues such as the likelihood that parental permissions forms, for example, would help prevent youngsters from unwittingly giving up private details about themselves and their families.
Still, enforcement is topping the agenda.
For example, of the 40 Direct Marketing Association member Web sites reviewed by EPIC, only three abide by the group's privacy guidelines, the nonprofit group reported.
But leaders of the DMA, which has 3,600 members, criticized the survey's methodology and pointed to an earlier poll that found privacy practices improving.
Connie Heatley, the DMA's senior vice president, responded that new members would be less familiar with the privacy guidelines. The industry's efforts have consistently improved as members became more educated about the issue, she added. A survey of leading business Web sites conducted for the association in May found 64 percent of sites had privacy policies, compared to 38 percent in January.
Along with consumer protection issues in the online privacy debate, government and industry say that quelling personal security concerns is a key to bolstering e-commerce.
A study released today by Privacy and American Business and Price Waterhouse found that 81 percent of Net users are concerned about their privacy. Eighty-five percent said collecting personal information from young surfers was a "very serious" concern. Moreover, 61 percent had never seen a business notice on any Web site about privacy practices.
Of those surveyed, many supported industry self-regulation if the policies were effective, but 60 percent of Net users believed that only legislation and legal enforcement would ensure that businesses protect personal information and don't pass it on to third parties without a consumer's consent.
Until the FTC's report this month, the government had issued only empty threats to regulate the online collection of people's names, addresses, buying habits, and even Social Security numbers. But now, the commission has recommended that legislation be enacted to prohibit collecting these sensitive details from children ages 12 and under without parental permission.
The recommendation could be easier said than done, however. Children's site operators here today questioned the feasibility of getting written permission from preteens' parents when requiring registration for monitored chat rooms, for example, which are set up to ensure that predators don't interact with children and to deter vulgar conversations. Children's advocates countered that if it was too hard to get parental permission, then sites shouldn't collect the data.
The debate over children highlights a bigger privacy question, though: Should companies or consumers have the upper hand when exchanging information and services for personal data?
"I think there should be e-commerce and e-privacy," Rotenberg said today. "Why do we need to make a trade-off?"
Web sites and marketers argue that the value of the Web is that it allows them to customize news, information, and shopping features for consumers who give out their data.
"Data capturing and use, when managed well and in the hands of a company people trust, greatly increases the potential of e-commerce," said Wendy Brown of America Online.
AOL, she admitted, has had "some bumps in the road" such as a customer service representative revealing the identity of a member to Navy officials. But AOL has joined the Online Privacy Alliance in hopes of spreading use of its principles.
Groups such as the Online Privacy alliance have formed to try and fight off the regulation. For example, its members will not collect data from preteens and will let all consumers opt out of data collection requests. Some consumer advocates support regulations to set a standard for the online industry.
Backers of the alliance include AOL, Hewlett-Packard, IBM, Microsoft, and several major high-tech associations. As reported earlier, many of the same organizations also announced they will back a privacy initiative of the Better Business Bureau called BBBOnline, which expects by year's end to issue privacy marks to companies that meet policies backed by the Online Privacy Alliance.
The Online Privacy Alliance represents major players on the Internet, and counts former Federal Trade Commissioner Christine Varney as an adviser. For two years, Varney chaired FTC hearings on privacy, pushing the industry to police itself. In February, however, she declared that self-regulation wasn't working, in part spurring the two industry initiatives announced this week.
The new alliance is not the first group to come forward with a privacy protection plan. In a similar eleventh-hour move, trade groups representing more than 11,000 online companies proposed a nine-point plan to President Clinton the day the FTC's report was released. Led by groups such as the Software Publishers Association, the companies promise to create consumer recourse mechanisms but do not plan to be in compliance until July 1, 1999.
Today, Varney asserted she understood Daley's concerns about enforcement and that the alliance was working on that.
"The enforcement piece is critical," she said in an interview. "But it's going to take some more time. They know they need to have it or there is no deal."
Reuters contributed to this report.