The Painful Path to a Privacy Law

By Jane Black Agitation continues to build for the passage of sweeping federal privacy legislation. Or at least it appears that way. Over the past few weeks, Congress has introduced a raft of bills that propose to boost consumer protections. But Washington insiders from across the political spectrum agree that there's almost zero chance any comprehensive legislation will reach the President's desk this year.

That's a pity. The lack of standards for collecting and sharing personal data looms large for businesses and consumers alike. Why, then, the lack of action? It has nothing to do with the aftershocks from September 11 or a packed legislative session, which ends Oct. 1. Instead, it's an overwhelming lack of consensus on two core issues known as "federal preemption" and "private right of action."

Privacy advocates don't like federal preemption, which would give any new U.S. law precedence over sometimes-stronger state regulations. Business, on the other hand, doesn't like private right of action, the ability for individuals to sue or, worse, bring class actions against companies for what in this case would be unjust use of data. "These are deal-killers," says John Kamp, a Washington lawyer at Wiley, Rein & Fielding who represents businesses in privacy disputes.

THE HOLLINGS APPROACH. Most experts agree the preemption issue will come to a head next year, since that aspect of the critical Fair Credit Reporting Act expires in 2003. If Congress doesn't take action before then, a storm of new state laws could stiffen the data-collection rules for banks, insurance agencies, and auto dealers. For them, a new federal privacy law extending the deadline could be a lifesaver.

That has more than a few experts predicting that next year's legislation could look a lot like this year's Online Privacy Protection Act, a bill sponsored by Senator Ernest "Fritz" Hollings (D-S.C.). It has something for everyone, offering federal preemption, so privacy laws would be consistent across the country, and giving consumers a limited right to file suit against companies that abuse personal data collected online.

Privacy advocates continue to lobby against federal preemption, and history is on their side. Of the major privacy regulations passed in the past decade -- including HIPPA, which regulates health data, and the Graham Leach Bliley Act, which regulates financial-services companies -- none allows federal preemption. "In the past, states enacted laws that go far beyond federal protection. Preemptive bills mean many Americans lose their rights," says Chris Hoofnagle, legislative counsel for the Electronic Privacy Information Center (EPIC).

LEGAL BURDENS. Business doesn't see it that way. "Inconsistency in the states would be a barrier of growth to the Internet," says Ronald Plesser, a partner at Washington law firm Piper Rudnick. "Federal preemption is an absolute must."

Plesser has a point. As businesses go global, conforming to a patchwork of laws could become a serious financial and administrative burden. In recent weeks, 13 states have introduced or approved new privacy regulations that affect everything from selling consumer financial data to the ways Internet service providers (ISPs) collect and sell customer information. Add to that the difficulties Internet companies face in determining where their customers are physically, and what rules should apply? What law covers a resident of California using a computer in Tennessee?

The gap over an individual's right to sue is even wider. Business says privacy should be regulated by the Federal Trade Commission (FTC), not trial lawyers looking to squeeze companies for alleged pain and suffering. Damage to someone's privacy, businesses say, is notoriously difficult to quantify: You may not like it when a company sells your data to one of its partner, but what sort of monetary damage results from a phone call at dinner or an extra catalog in the mail?

"LESS CERTAINTY"? Even Hewlett-Packard, a company that has been a model for privacy activism, objects to private right to action. In testimony before the Senate Commerce Committee, Barbara Lawler, HP's chief privacy officer, said HP is "concerned that private right of action will create less certainty and clarity in the marketplace as each court will supply its own definition as to what constitutes 'actual harm'... Calibrating actual monetary loss from privacy violations will therefore be an art rather than a science."

Attorney Kamp says businesses might accept a private right of action measure if it were limited to financial harm and "would look closely" at legislation that allowed individuals the right to sue but forbade class actions. These group suits are on the rise -- a consequence of the bursting of the Internet bubble. In the securities industry alone, class actions rose 60% in 2000. The companies that were sued lost more than $2 trillion in market capitalization, a 157% rise from 2000.

Privacy advocates counter that without the threat of punishment, any privacy law will be toothless. Moreover, the FTC isn't well-funded enough or designed to enforce privacy comprehensively. So far, the commission has taken on only a handful of narrowly defined cases. "The FTC is shooting fish in a barrel," says EPIC's Hoofnagle.

DRAWING CLOSER. On these contentious issues, the Hollings bill seems to be the least offensive to both sides. Unlike many other privacy laws, including the Telephone Consumer Protection Act and the Video Privacy Protection Act, Hollings' bill requires consumers to demonstrate harm, rather than just assert that the law has been broken. It also requires plaintiffs to sue in federal court, rather than small-claims court, which increases the cost for plaintiffs and would reduce the temptation to file frivolous suits.

Of course, some changes to the Hollings approach are inevitable. Besides the two basic stumbling blocks of preemption and private suits, details about who the bill applies to -- only online companies or all businesses? -- still need to be negotiated. While no consensus has been reached, the two sides are converging.

So even though the experts are betting that no major privacy law will pass until next year, "there will be a bill with something for everyone," says Robert Gellman, a Washington privacy expert and former general counsel to the House subcommittee on government information. The sooner the better. Black covers technology issues for BusinessWeek Online in New York

The Good Business Issue
blog comments powered by Disqus