Cyberprivacy debate, cyberprivacy debacle

Warning against the hidden cost of ignoring consumer concerns, lawyer John Hancock of Fenwick & West says federal legislation is needed now more than ever.

4 min read
Privacy is hot.

Business and consumer groups have blasted away at each other lately over the "opt in" issue: Should businesses ask first and share personal data later, or just share unless the customer says not to? This is only the most recent, visible skirmish in the privacy wars.

Privacy has generated front-page news for a couple of years now, with battles fought in the courts, in Congress and in columns like this one.

Are cookies illegal? Should we worry about Web bugs? Is Truste doing all it should? What will Europe do? And who, exactly, cares? Perhaps all this is much ado about nothing--is business just trying to offer consumers a more pleasing, personal experience?

A year ago, most people working on privacy issues predicted that all the talk and concern would produce federal legislation in 2001. An issue this potent is ready-made for political action, and on the "pro-consumer" side (read "voter"), it draws broad support. However, with the change in administration, the likelihood of federal legislation has faded. First Dick Armey, then Richard Gephardt urged Congress not to rush to pass privacy laws. While political buzz over privacy continues, the smart money now says we won't have federal legislation anytime soon.

That hardly means the issue is going away. Survey after survey highlights privacy as a prime concern for Internet users, and business is listening. Time magazine recently splashed online privacy across its cover, ratcheting up online anxiety for the same shoppers who hand waiters their credit card without a second thought. A recent study from Statistical Research found that two out of three Internet users abandon a site that asks for personal information. One in five users has supplied false information to gain access to a site.

And the pressure will only increase. As online business reaches beyond the United States for customers, it encounters foreign laws that force a response to privacy issues. Europe requires businesses to give notice about their privacy practices. In Canada, certain data can be shared only with opt-in permission. Japan hopes to get a privacy law in effect, and Australia is concerned that its laws aren't tough enough to meet European standards.

Technology may help. Microsoft's new browser will implement P3P (Platform for Privacy Preferences), automating surfers' decisions about privacy practices of the Web sites they visit. The Privacy Foundation released "Bugnosis," which highlights Web bugs so surfers can react appropriately. Tools such as ZeroKnowledge and SafeWeb let Netizens counteract what some see as unwarranted electronic snooping.

So, where do we find ourselves? Even as technology creates new threats to privacy, market trends and technological developments are starting to give heart to privacy advocates. For now, our political institutions have decided that broad legislation is not the solution.

Is this the right answer? I don't think so.

Making sense of the mess
A recent study by the Association for Competitive Technology attempted to show the high cost of compliance with privacy legislation. Privacy advocates rushed out with a rebuttal by Peter Swire, the Clinton administration's "privacy czar." What these arguments don't address is the high cost of privacy worries in terms of foregone business. Who wants to wade through long privacy policies, tinker with browser privacy settings, and install plug-ins that highlight privacy threats? It's easier to drive to the store.

A recent federal law was supposed to enhance the privacy of our financial data, giving us "opt out" rights to prevent unwanted disclosures. Our mailboxes were stuffed with discussions of privacy practices by banks and stockbrokers in endless, obscure prose.

Did we read them?

Studies show that most of these disclosures are understandable only to those with at least a college education. Virtually no one responded. Is that because nearly everyone is satisfied that business is doing a good job with privacy? Not if you believe the surveys. Perhaps most people, like Washington Post columnist William Raspberry, who worries about privacy matters, have just given up.

Online commerce? It's a jungle out there. I'd rather go to the mall.

Suppose federal law set simple but reasonable requirements that gave basic privacy protections. Would you like having your main privacy concerns addressed without wading through privacy policies or downloading cookie software? Of course. If Big Browser didn't make buying online an Orwellian adventure, would you rather shop in your pajamas or fight for parking spaces downtown? It's a no-brainer.

What the privacy debates have mostly missed is the cost of not addressing people's concerns. Figuring out Web bugs, cookies, profiling and P3P settings just isn't the solution most people choose--life's too short. It's not anti-business to see a federal law as an enabler of online business.

Reasonable federal legislation could set people's minds at ease. Sure, finding a set of legislative compromises that offers reasonable, universal privacy protections while letting businesses do business is tough. But it's not as tough as getting people comfortable with online commerce when they're convinced there's a nest of spies lurking in every Web site.