By Rachel Chalmers
Privacy policies are fast emerging as America’s tool of choice for self-regulation of online businesses, but critics say they’re not worth the web pages they’re displayed on, a US government committee has heard. Mark Rotenberg, director of the Electronic Privacy Information Center (EPIC), told an Oversight Hearing on Electronic Communications Privacy Policy Disclosures that most such policies are worthless.
Simply stated, I believe that the current efforts to promote industry self-regulation will not adequately address the public concerns about privacy and the internet, Rotenberg said. Industry policies are typically incomplete, incoherent and unenforceable. They are having little impact on actual data collection practices… industry privacy policies are literally papering over the growing problem of privacy protection online.
He points out that while more web sites are posting privacy policies, there is little evidence that this is translating into practice. Besides, he notes, standards in policies are falling. The reality is that only a small percentage of web sites even begin to approach the type of privacy protection that would be provided by the most rudimentary privacy law in this country. He called for the government to establish a privacy agency with the expertise, competence and resources that the Federal Trade Commission – now filling that role – drastically lacks; to promote the enforcement of Fair Information Practices and to encourage new techniques to limit or eliminate the collection of personal data.
Businesses, however, value that data and don’t want an enforcement agency with teeth. Their lobby groups, TrustE and the Online Privacy Alliance (OPA), also spoke their piece at the hearing. TrustE’s Terry Pittman says the level of privacy assurance on the web is increasing, as evidenced by the increasing numbers of web sites joining TrustE. Yet this is the same organization that let Microsoft off with a slap on the wrist in March 1999 because the company’s particularly gross invasion of consumer privacy – the Global Online User ID, or GUID – did not actually pass through TrustE’s member site, MSN.
Speaking for the OPA, Christine Varney told the hearing that a recent survey conducted by a Georgetown University professor revealed impressive success by the private sector in making privacy online the norm. Yet the same survey showed that fewer than 10% of the sites surveyed had comprehensive privacy policies.
Little wonder that EPIC and its partners, the Electronic Frontier Foundation (EFF) and Junkbusters, continue to agitate for regulation rather than voluntary compliance. Perhaps the simplest and least controversial proposal is the Online Privacy Provision, said Rotenberg. This would require commercial web site operators that collect personal information to post a privacy policy and then to treat a violation as an unfair or deceptive trade practice. This would establish a minimal baseline for privacy in the online world, he concluded, I do not think it goes far enough, but it is a start.
