Solveig Singleton:

Q: What additional costs would federal privacy regulations impose on small businesses?
A: [Privacy regulation] might just end up adding a lot of meaningless boilerplate to sites that nobody pays any attention to. But I remain very uneasy about it. Suppose you are a small business. For whatever reason, what you are doing is controversial, and somebody decides they want to bother you. What they could do is get a whole bunch of people to flood you with access requests: "We want to look at our records. We demand that the following changes be made to our records." This sort of thing could very quickly overwhelm a small newspaper or some other organization like that.

Q: Do you have some sense of what the actual costs of regulation would be?
A: It's very difficult to know which impacts on business come from the privacy regulations and which impacts come from something else...So it is really hard to study that.

Q: Do you think such regulation will hinder startups and investments in startups?
A: Yes, I do. Investors understand when dealing with E-commerce companies that they are dealing with a higher risk. They may have to invest in 18 companies to get one that turns into the next Netscape. Regulations increase the risk even further, so other industries become more appealing.

Q: Why are Federal privacy regulations so terrible?
A: I fundamentally see very little need for these kinds of rules. There are possibilities for abuses, but on the other hand, the [proposed] regulations have gone forward on the assumption that the very use of information that it is being collected in a database and not being erased is itself an abuse. And that is just wrong. The second problem is that Federal regulation, especially when you are dealing with rapidly changing technology -- it just isn't going to keep up.

Q: Do small businesses really need to sell data?
A: The need for revenue might be desperate enough that they are going to want to rent their [customer] lists if they can. [But] anyone who goes into a business in an increasingly competitive world with that kind of super-short-term mindset can go two ways. He can enter a market where customers do care what you do with that information, in which case I don't believe it will be a successful business. On the other hand, he might discover he has stumbled upon a group of customers who just don't care, in which case, then I think that kind of business model is perfectly fine.

Q: Are consumers really likely to say they won't let you use their material for marketing purposes? Are they really likely to check with businesses to see what they are collecting? Would startups be inundated with requests for information?
A: I think it is unlikely to happen, as a general rule. But I believe it might very well happen to someone who is in a controversial business that someone wants to shut down...One interesting thing about this debate is that there seems to be a big discrepancy between asking customers in a survey what they think about privacy and actually looking at their behavior. When someone asks them if they are worried about their privacy, it would be pretty rare for someone to say, "No." But what really matters when they actually go out shopping for something? Does privacy enter into their minds, or are they really looking for...the lowest price and the best product? It's really not worth their time to seek out the privacy stuff. That's an empirical claim.

Q: Tell me about the self governance and "safe harbor" provisions? Do you think these are reasonable middle grounds?
A:I am really suspicious when the government says, "Go regulate yourself, and the regulation must look like this, and everybody must comply with it."

Q: Would federal privacy regulations have a different effect on small businesses than on large ones?
A: It is generally easier for large businesses to comply with this kind of regulation. They already have their established customer base. They are not breaking drastically into new markets, or if they are, they can bear the increased expense. In enforcement actions, they are consistently able to afford good legal help or can reach a settlement...Small businesses may have less access to really good legal counsel, and they may not be able to offer the kind of settlements that the [Federal Trade Commission] wants.

Q: Do you think having some regulations is a foregone conclusion?
A: No, I don't think it is a foregone conclusion at this point. The freedom to use personal information is so important to the American economy -- to sell it, to collect it for one's own marketing purposes, to develop new products, or give it to your affiliates. The act of buying information is particularly important. I predict that either legislators will begin to realize that legislation is more complex than they have realized, or alternately, they will pass something -- but it will be a paper tiger.

Jason Catlett:

Q: Would federal regulations add to expenses for small businesses? Is this a cost issue for small businesses? If so, how do you know?
A:It would definitely increase the cost of doing business by a small amount, but you have to look at the context of that. Does complying with Environmental Protection Agency rules cost chemical manufacturers money? The answer is yes. It would actually be much cheaper for any given company to dump their waste wherever they want, and if there weren't regulation, it would be in their best interest to do so, because the waste goes downstream, and they don't have to pay for it.

If companies are allowed to ruin the water for everyone, to continue this analogy, individuals will do it because it is in their economic interest to do it. For that reason, government has a legitimate role for setting a base-line conduct for everybody. The cost of not doing so would be colossal.

Q: What are the real costs that would result from federal legislation of Internet businesses?
A: All of the surveys say that the No. 1 reason that consumers give for not getting on the Internet is fear for their privacy, and that is above ease of use and cost. If the American consumer is placing something above ease of use and cost, that really tells you it's very important.

The general [cost] is you simply have to engineer your information systems with privacy in mind. If you have a major privacy disaster, that can really damage your brand and customers' trust. For a small business, that can be fatal.

Additional costs [are related to] the ability to tell people what kind of information you are keeping about them. You have the general setup cost of that [system], plus you have the variable cost of actually handing over the information. ...If it is purely automated on the Web, that may be low...Then there may be costs of mailing out a record to a physical address of the consumer. All the legislation that anyone has every passed allows you to charge for this. The credit bureaus certainly look at it that way.

Q: So you are saying this could be fairly straightforward for entrepreneurs, and it could be an additional source of revenue?
A: Yes. They do have to engineer it, and the cost of engineering it may sometimes be difficult. But a lot of businesses want an integrated view of the consumer for marketing purposes, so it is only fair that you share that integrated view with the consumer.

Q: What about legal costs associated with the legislation?
A: It depends on the particular kind of legislation. Quite often these laws provide for statutory damages, which means the statute nominates a particular figure, sometimes referred to as liquidated damages, where the customers can sue for that amount without having to prove that the damage actually occurred. We have had this for years in the Telephone Consumer Protection Act of 1991. The law says the liquidated damages would be $500, and that is the amount they sue for. So there may be similar legislation that says -- the usual figure quoted in discussion is $100-- for something like if your E-mail address is improperly disclosed to another person.

Q: Some people say it would even hurt the investments their companies make.
A: The idea that the whole Internet bubble will burst if we require personal information to be treated fairly is just preposterous. There are a few companies whose business models are based on unfair and unrestricted use of personal information, but there are very few of them to which that is very essential. It won't burst the Internet bubble or drive otherwise worthy companies into bankruptcy. [Legislation] doesn't seem to have driven the telecom industry into bankruptcy. They have enormous restrictions on sharing information...and investments haven't stopped flowing in.

Q: What if small businesses just set up infrastructures that were not abusive of privacy rights in the first place, set up their processes to take into account that they can't manipulate information at will?
A: What you have to worry about is the worst actors here. In the case of spamming, you have people who will behave in an unconscionable manner and will not stop unless taken to court. In 1996, when there were no specific laws, it was a very long task that AOL and Compuserve went through to take these spammers to court and to go through the tort cases, arguing that this was an inappropriate use of their property. [Legislation] has helped enormously in keeping the level of spam down. The intrinsic flaw with self-regulation [is]: Even if you believe that the seal programs are a good thing, then the worst element won't pay any money or in any way put themselves under the ambit of a voluntary program.

Q: Do small businesses really need to sell data in the first place? How important is this or will this be to them?
A: Usually it is less important for small businesses than for big businesses. The more customers you have, the easier it is to sell a big list. For small businesses it...is often more trouble than it is worth. The bad scenarios in the future go as follows: The Internet becomes known as a badlands where you can't trust the average business with your privacy. And in that environment, consumers go with the big businesses with the brand name. Small businesses have more to gain in a general environment of trust and rule of law in the treatment of private information.

Q: Tell me about the self-governance and "safe harbor"? Do you think these are reasonable middle grounds?
A: It is a carrot to businesses. If you comply with some set of rule-making standards, set by a government authority, that helps you in the case of a lawsuit. The defense is usually, "We followed the provisions set down by industry standards." I am wary of escape hatches.You have to be careful that they are not getting at general purpose exemption.

Q: Will Federal regulations have a different effect on small businesses than large ones?
A:In the long term, by raising the level of trust and by removing some of the horror stories, they will allow small businesses to get more [customers]. The FTC was invented in 1913 with the idea that unbridled greed will poison the market for everyone. A certain amount of regulation actually enables the market, rather than hinders it.

Q: Why are Federal regulations a good thing? Why would regulations be more effective than self-policing?
A: Self-policing is an optimistic delusion, and it flies in the face of all experience on the Internet.

Q: Is it necessary at some point to have regulation? Is it a foregone conclusion?
A: Sure, absolutely. It has already happened with COPPA [Children's Online Privacy Protection Act of 1998], which is clearly meant to be a precursor. That is the way the FTC is viewing it. There is too much demand from the American public for real privacy rights for the American Congress to ignore. We may have some very bad legislation before we have any good laws, but some legislation is a foregone conclusion.