In another push to keep the Net free of privacy regulation, the Commerce Department today proposed voluntary guidelines for protecting consumers' sensitive information.
The Commerce Department--along with the Office of Management and Budget--has released its "Elements of Effective Self-Regulation for the Protection of Privacy" discussion paper. The department is accepting public comment on the principles until July 5, which can be emailed to: "firstname.lastname@example.org."
In line with its hands-off approach to the Net, the White House called on the agencies to work with the private sector to develop the self-regulatory principles. The Clinton administration is concerned that people won't shop online if they are worried about the security of their personal information.
Later this month, Commerce will hold a two-day meeting to examine the online industry's current practices for collecting sensitive identification, medical, and financial data from surfers. Commerce also is seeking feedback on the larger issue of relying on industry to safeguard people's privacy.
In a survey of 1,400 sites in March, the FTC reported that just 14 percent informed visitors of their information-collection practices. Only 28 sites posted a "comprehensive" privacy statement. With children's sites the results were worse, the agency said.
As a result, the FTC recommended that Congress pass a new law that Web sites and database companies must get parental permission before collecting personal information from children under 12.
The FTC had been reluctant to call for online privacy laws until last week. Industry still is hoping to avoid regulation--and Commerce is trying to help.
The Commerce guidelines echo privacy principles released by high-tech trade groups representing 11,000 companies the day before the FTC came out with its scathing report.
"To be meaningful, self-regulation must do more than articulate broad policies or guidelines," the Commerce paper states.
"Effective self-regulation involves substantive rules, as well as the means to ensure that consumers know the rules, that companies comply with them, and that consumers have appropriate recourse when injuries result from noncompliance," it continues. "This paper discusses the elements of effective self-regulatory regimes--one that incorporates principles of fair information practices with enforcement mechanisms that assure compliance with those practices."
Commerce's elements for protecting online privacy are as follows:
The Commerce paper goes on to say that self-regulatory policies should ensure compliance. "They may take a variety of forms and businesses may need to use more than one depending upon the nature of the enterprise and the kind and sensitivity of information the company collects and uses," the paper states.
The agency said consumers should have an avenue to complain and a mechanism to resolve disputes. Auditing companies for compliance also is suggested, such as the system by TRUSTe, for example. And if companies fail to meet guidelines, there should be consequences.
"Examples of such consequences include cancellation of the right to use a certifying seal or logo, posting the name of the noncomplier on a 'bad-actor' list, or disqualification from membership in an industry trade association," the paper states.
Commerce also pointed to the FTC as the regulatory body to crack down on Web sites that fail to comply with its set policies. "Noncompliers could be required to pay the costs of determining their non-compliance," it continues. "Ultimately, sanctions should be stiff enough to be meaningful and swift enough to assure consumers that their concerns are addressed in a timely fashion."