The Online Personal Privacy Act, sponsored by Chairman of the Senate Commerce Committee, Ernest "Fritz" Hollings (D-S.C.), has passed a critical test -- receiving approval from the Senate Commerce Committee by a vote of 15 to 8. The bill now is headed to the full Senate for the final vote.
"For people's sensitive personal information -- their debts, income, assets, and medical records -- we preserve consumer control over that information," Hollings said in a written statement released just after the committee's vote. "If companies want to trade and profit in these sensitive areas, get consumers' consent. It's that simple."
The online privacy bill -- S. 2201 -- would set a national standard for all online transactions. It's a move Hollings says will promote consumer confidence in buying online, bolster spending and give some much-needed support to the lagging high-tech industry.
But some in the e-commerce arena worry that the passage of the bill would mean expensive overhauls of e-commerce systems and databases, and create security nightmares by letting customers into the system to check -- and change -- their personal information.
"The net result will end up leaving people worse off in terms of privacy," says Mark Uncapher, senior vice president and council of the Washington, D.C.-based Information Technology Association of America. "There already is law in areas of sensitive information. There's law concerning health care, financial information and children. And I think 90% of sites have privacy policies posted. That is a legally binding policy when it's posted. This legislation would leave consumers worse off."
Should the full Senate pass the online privacy bill, it will head to the House Committee on Energy and Commerce for discussion and a vote. The House also is considering its own privacy bill -- HR 4678 -- which differs enough from the Senate bill that they are not considered companions.
If the Senate bill finds support there, it would then go to a full House vote. If it advances that far, and differences in language between the two versions are resolved, then it proceeds to the president's desk. President Bush has not expressed a formal opinion on the bill.
Lawsuits A Glitch Away
The bill, which also opens the door to 'private right of action', or individual and class action lawsuits, over privacy breaches, means that one technical glitch that fouls up personal data collection could be financially catastrophic.
"If a company is the victim of a hack attack, then it could be subject to a class action [lawsuit] from consumers" says Uncapher. "That means the victim of a crime could then be victimized again."
"It has provoked grave concern, particular in our engineering department," said Paul Misener, vice president of Global Public Policy at Amazon.com, during his testimony at a recent Senate hearing on the bill. "These can-do engineers and programmers, who have built up our computer system all the way from our CEO's garage to the Fortune 500 in just seven years, seriously question whether we possibly could comply with the technical requirements of this bill."
But Ari Schwartz, associate director at the Washington, D.C.-based Center for Democracy and Technology, contends that the bill would actually protect companies from frivolous lawsuits. And Schwartz, who has worked with Sen. Hollings and his staff on the bill, also says companies involved in e-commerce haven't clearly explained to him how it will weaken security to give consumers access to see the information that companies have collected on them.
"We want to work with the companies to come up with a solution that will make them more comfortable but still provide consumers with access," says Schwartz. "They haven't been helpful with that so we haven't been able to find those solutions."
The bill calls for:
An 'Enforceable Right'
Lee Tien, senior staff attorney with the Electronic Frontier Foundation, a non-profit civil liberties group based in San Francisco, says right now there are some good points and some bad points to the bill. On the positive side, he says, is that it offers consumers access to their information.
"The person who is the subject of a data file has an enforceable right to see what information someone has about them and what is being done with it. It's all hidden behind the curtain now," says Tien. "The information is already there. If the company doesn't do good security and doesn't take care of that information, hackers can already get to it."
However, some in the industry say that one step of allowing consumers even an initial entrance into a company's network would dilute the security they already have in place. And it would be a long, tedious and expensive process to allow that entrance and maintain a high level of network protection.
Tien says the cost of making these changes is something companies simply will have to deal with.
"I'm not denying that the kinds of things called for in this bill won't increase costs," says Tien. "[Companies] will have to make changes. They'll have to adjust. There will be costs to comply with the privacy law. You invest and deal with it now and in the future you'll have made the investment in security and trust."