Internet

Industry floats plan on privacy

A Net industry group dubbed the Online Privacy Alliance unveils its enforcement plan to protect users on the Internet.

Amid criticism from the Clinton administration, a major online industry group that includes America Online and Microsoft today unveiled its enforcement plan to protect consumer privacy on the Internet.

Former Federal Trade Commission Commissioner Christine Varney, who helped launch the 50-plus-member Online Privacy Alliance last month, presented the plan today before the House Commerce subcommittee on telecommunications at a hearing on e-commerce and Internet privacy.

The plan calls for Net sites to use privacy seals that link to their privacy statements and are monitored for compliance by third parties such as Truste. Companies also could set up internal systems that work the same way. All alliance members would be required to have consumer complaint and recourse mechanisms. If a site is found to be in violation of its own privacy policy, the seal would be revoked.

The alliance plan requires members to post their privacy policies clearly and easily; to let consumers choose how their information may be used (including a choice to opt out); and take measures to prevent the misuse of personal information when given to third parties.

Privacy advocates praised the alliance's principles but said its penalties are weak. Critics said laws, not industry guidelines, are needed to protect privacy because the alliance has no vested interest in consumers trusting and buying from every company on the Net, just its members.

"The stuff they've written will look good on a color brochure, but it will not do a whole lot to protect privacy," Marc Rotenberg the executive director of Electronic Privacy Information Center, said today.

"For example, GeoCities' privacy practices came under question by the FTC while they were a member or Truste," he added. "These privacy seals provide no baseline assurance. It may be a seal, but it doesn't stick."

The alliance issued its enforcement plan more than two months ahead of schedule, seeking to stave off regulators' recommendations that new laws be enacted to ensure that personal information is protected from abuse.

"For the companies that want to do right on the Net, gain consumer trust and confidence, and grow the Net--how can they do that?" Varney said during a press conference today.

"We think they can do that through practicing good privacy polices and certifying they do through this sort of seal program," she added. "Passing a law doesn't stop the bad actors. It merely gives you tools to prosecute the bad guys, and we have the tools already to prosecute the bad guys."

When the alliance was announced just one night before a Commerce Department summit about online privacy, Commerce Secretary William Daley and FTC chairman Robert Pitofsky applauded the group's principles but were disappointed that its plan lacked enforcement measures. The two officials are charged with reporting to President Clinton and Congress this summer about the state of voluntary online privacy protections.

Like other voluntary plans, the Online Privacy Alliance's enforcement strategy calls for members to use a third-party privacy seal program, licensing program, or membership association to monitor the companies' compliance with their privacy policies for collecting, using, and disclosing of personally identifiable information. In addition, the alliance calls on companies to provide a clear complaint resolution process and to educate consumers and other businesses about Net privacy.

The alliance has not issued its own seal, but it has endorsed several third-party systems that pledge to monitor privacy polices for compliance.

Truste licenses seals that link to a Web site's privacy policy and also revokes seals for noncompliance. The Better Business Bureau's privacy seal program--BBBOnline, which will launch later this year--promises to implement rules to ensure that companies have internal controls to protect user information. Moreover, the organization would require Internet companies to train employees in proper ways to disclose information and appoint management to oversee privacy operations.

But when privacy advocates at the Commerce summit last month reviewed these programs, they blasted Truste for lacking an adequate consumer dispute resolution mechanism. Critics were also skeptical about BBBOnline's plan because the organization said it would not require compliance from all of its members nationwide.

Privacy advocates were not any more smitten with the alliance's plan to rely on these seals.

"The administration's strategy of giving companies a chance to write their own ticket with self-regulation has had the same result you would expect if teachers asked their students to propose a system for self-assessment: They're trying to get the best grades with the least work," Jason Catlett, founder of Junkbusters, said today.

"Any real regulations would specify dollar amounts that offenders have to pay victims, such as the $500 damages against telemarketers who keep calling after you tell them to stop," he added.

The Commerce Department was supposed to deliver a report to Clinton on July 1, assessing industry efforts to shield online privacy, but has not yet done so. The FTC said in June that voluntary efforts weren't adequately protecting personal information on the Net and asked Congress for news laws to prohibit the collection of sensitive data from preteens without parental permission.

In related news today, Pitofsky presented model online privacy protection legislation to the House Commerce subcommittee. He said the legislation should be enacted if industry can't do the job.

"While some industry players may form and join self-regulatory programs, many may not. This would result in a lack of the uniform privacy protections that the commission believes are necessary to allow electronic commerce to flourish," he said in prepared testimony.

Today, Pitofsky said that "the commission believes that, unless industry can demonstrate that it has developed and implemented broad-based and effective self-regulatory programs by the end of this year, additional governmental authority in this area would be appropriate and necessary."

Rotenberg said the model legislation drafted by the FTC is better than the alliance's enforcement plan.

"That is a more serious approach," he added. "Consumers who what to do business on the Net need baseline privacy protections."