With control of the United States Congress changing hands in 2007, we can expect a number of legislative initiatives in the coming year that will affect privacy.
The business-sponsored lobbying groups are already sharpening their press release templates, the ones that predict dire consequences for any and every business if (insert regulatory proposal here) is passed by Congress.
For many businesses that are already laboring under dozens of different privacy and security regulatory schemes around the U.S. – and indeed all around the world – the prospect of new sweeping federal rules on privacy may feel that it’s just what the proverbial doctor ordered.
But they may not realize that the healthiest outcome for everyone concerned requires stronger medicine than they may be willing to stomach.
When it comes to consumer privacy laws and regulations, the current American landscape – which consists of a hodge-podge of approaches that vary wildly depending upon industry and business sector – is a veritable minefield of rules.
The kinds of privacy disclosures and security notifications you receive and your rights to access or protect your own private information may be quite different from state to state. And as complicated as it can be for you to know your rights, it can be even more complicated for businesses that have to be prepared to assist each one of their customers around the nation when any of them assert their rights.
With key lawmakers already making noises about the need for new approaches to issues such as wiretapping, identity theft, medical records privacy, and a whole host of anti-terror activities, many of the more forward-looking high-tech companies are already at work trying to guide those lawmakers toward smart solutions.
Earlier this year, Microsoft, HP, and eBay announced the formation of the Consumer Privacy Legislative Forum, a group of businesses allied to support legislation that will set standards for providing notice and choice to consumers about how their private information is used. They have since been joined by the likes of Oracle, Google, and Intel.
The goal of this effort is to define national standards for a variety of privacy and security issues and then enshrine them in federal law in such a way that they will preempt any existing state laws that might be contradictory or otherwise incompatible.
Of course, privacy advocates fear that the plans being advocated by these companies would define consumers’ rights very narrowly and define businesses’ obligations very minimally.
This is, of course, the standard approach of all business lobbyists, and it is based on the axiomatic belief that there are no good regulations and businesses must be left to do whatever they believe is best, because the market will eventually decide what is “right,” even if masses of innocent people are made miserable in the process.
Yet, we’ve seen an example of just how unhelpful such an approach can be.
Next page: The (very weak) CAN-SPAM Act
A Weak CAN-SPAM Act
Federal anti-spam legislation, known as the CAN-SPAM Act of 2003, was supposed to solve the spam problem. Unfortunately, by defining the problem narrowly, by denying consumers any legal recourse against spammers, and by imposing only trivial burdens on email marketers, Congress gave businesses lobbyists everything they wanted.
In doing so, they ensured that the spam problem would continue to grow virtually unchecked, as it indeed has ever since the law’s passage.
As businesses gear-up to promote the lowest level of privacy protections that they can advocate with a straight face, I hope that some companies will stop and look at the myriad of privacy laws that exist around the world and realize that many of them are already standardized at a level of protection that is higher than American’s are used to.
Many businesses that have been operating in Europe for the better part of the last decade are already quite familiar with the fundamentally different approach to privacy taken by member countries of the European Union.
Building on privacy guidelines issued in 1980 by the Organization for Economic Cooperation and Development, privacy laws in Europe and elsewhere around the globe have largely standardized on some basic principles (You can view them here), including:
• Limits on the collection of personal data without the knowledge and consent of the data subject;
• Limiting the collection of personal data to only when it’s relevant to the transaction and only for use in relation to that transaction;
• Openness about what data is stored and the ability for the data subject to correct or delete data;
• Data security;
• The ability to hold businesses accountable for compliance with these principles.
Contrary to the horror stories that business lobbyists have peddled for nearly a decade, Europe is still in business.
The ability to conduct effective, profitable, and data-intensive business within Europe has not been stifled. In fact, by establishing such clear guidelines many European consumers are even more willing to try new high-tech products and services, secure in the knowledge that vendors will be required to give them strong privacy protections.
Contrast that with a blog posting I saw just recently, in which a college student shied away from joining a popular interactive online community, saying: “I was about to try World of Warcraft free for 10 days, but I got freaked out at the amount of information they wanted out of me as well as their mile long [terms of service] agreement [so I] closed the window.”
American businesses need to remember that their goal should be to encourage regulations that will create the most advantageous business environment possible. A knee-jerk response to push for the lowest common denominator may not be in the long-term best interests of either these companies or their customers.
At this time when Congress is beginning to look seriously at changes to laws on privacy, inspiring confidence among consumers should be the foremost goal, instead of trying to see how much you can get away with.
American businesses need to remember that, sometimes, the worst thing that can happen to you is for your wishes to come true.
In addition to writing for eSecurityPlanet.com, where this column appeared, Ray Everett-Church is a principal with PrivacyClue LLC, a privacy consultancy. He is a founder of CAUCE, an anti-spam advocacy group, and he is co-author of “Internet Privacy for Dummies.”