Privacy shifting toward legislation

Overwhelmingly, Americans think the Internet is endangering their privacy. They fear credit crooks and identity thieves. They resent spammers and companies that collect and sell their personal information. And they want privacy violators to be punished.

Congress is listening. Since the 107th Congress began less than three months ago, more than 40 bills dealing with privacy have been introduced in the House and Senate.

President Bush is listening, too. After rolling back Clinton administration regulations on water and air quality and workplace safety, Bush opted not to ease Clinton regulations designed to guard the privacy of medical records.

The privacy debate has shifted, said Frank Torres, legislative counsel for the Consumers Union. The debate used to revolve around whether the federal government should regulate privacy or whether the Internet industry could police itself.

Since 1997, self-policing has prevailed, but that is likely to end.

"Self-regulation has been a failure," Torres said during a privacy seminar Monday at George Washington University. Even the Federal Trade Commission, which previously favored industry self-regulation, has concluded that Internet companies are generally not voluntarily adhering to fair information practices, he said.

There is "pent-up demand" for privacy protection that probably won't be satisfied until some sort of privacy legislation is passed, said Robert Atkinson, director of the Technology and New Economy Project at the Progressive Policy Institute.

"We need some basic legislation," Atkinson said. But he's leery of heavy-handed regulation. If Congress passes legislation "that shuts down the flow of information," it may destroy the already fragile economic foundation of the Internet, he said.

"There is value to privacy, but most consumers are not aware of the other side," he said. Few are willing to pay for the Web sites they visit, and collecting and selling personal information is one of the few revenue-generating functions that keeps Web sites up and running.

Acceptable legislation might include laws that require companies to give Internet users the opportunity to "opt out" from providing personal information, Atkinson said. An alternative — legislation to require companies to let Internet users "opt in," or actively agree to let their personal information be used — would be too restrictive, he said.

Internet companies continue to argue that self-regulation can work and that privacy legislation may do more harm than good.

Abuse of privacy on the Internet is "self-correcting," said Kenneth Glueck, Oracle Corp.'s vice president for governmental affairs and public policy. "Consumers vote with their feet, or their mouse," and shun Web sites that abuse privacy.

Officials at Web portal Yahoo argue that existing laws and industry self-regulation already provide adequate privacy protection. "There is more privacy online than off-line," said John Scheibel, Yahoo's director of government relations.

Although the momentum for passing privacy protection legislation appears to be growing, there is little sense that something must be done this year, said Jim Dempsey, deputy director of the Center for Democracy and Technology.

Legislation that deals mainly with other issues, such as identity theft or bankruptcy, may pass this year. But legislation that deals broadly with Internet privacy issues probably won't pass before 2002, he said.