After years of ignoring the issue, Washington is full of ideas on how to protect privacy
On May 10 executives from Google (GOOG) and Apple (AAPL) participated in the time-tested Washington ritual of a congressional grilling. Alarmed by revelations that smartphones store data on users' locations, legislators demanded details on the companies' privacy policies. "Consumers have a fundamental right to know what data is being collected about them," said Minnesota Democrat Al Franken, who called the hearing. "They have a right to decide whether they want to share that information, with whom they want to share it, and when."
Alan Davidson, Google's director of public policy, and Apple's vice-president for software technology, Bud Tribble, defended their employers' handling of user-location information and said the companies do not track individual customers.
Lawmakers are trying to determine what new rules are needed in the era of 24/7 connectivity. "The flash point is the mobile device," says Jeff Chester, executive director of the Washington-based Center for Digital Democracy. "The ability to combine one's behavior with one's location is about to create a political firestorm."
A series of high-profile data-security breaches has heightened concern about privacy. Sony (SNE) shut down its PlayStation Network last month after its online entertainment and game systems were hacked, compromising some 100 million personal accounts. JPMorgan Chase (JPM), Best Buy (BBY), and Target (TGT), along with some 17 other companies, disclosed last month that customers' e-mail addresses were exposed after cyber thieves hacked into databases at Alliance Data Systems' (ADS) Epsilon Data Management. "The recent spate of security breaches is off the charts," says Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC).
A consensus has formed in Washington that the patchwork of federal and state privacy laws has not kept pace with the development of the Internet. The U.S. lags Europe, where broad safeguards of personal digital information have been in place since 1995.
One proposal by Senator Jay Rockefeller (D-W. Va.) would create a "do not track" mechanism, similar to the "do not call" list that freed U.S. households from the tyranny of telemarketers. Under the Rockefeller bill, consumers could elect whether to have their browsing data collected.
Such proposals may indicate that the era of the freewheeling Web is drawing to a close. "The original policy was to treat the Internet like a hothouse flower that had to be protected," says Cameron F. Kerry, general counsel to the Commerce Dept. The agency is now calling for a Consumer Bill of Rights that would establish baseline privacy practices and bring the U.S. more in line with Europe. At present, European companies can't send personal data to countries that lack equivalent levels of protection.
At the Federal Trade Commission, Chairman Jon Leibowitz has made privacy a priority. The agency issued a report in December calling for a "do not track" mechanism. The report also pressed companies to make their data policies easy for consumers to understand. "Privacy policies don't translate well to smartphones," says David Vladeck, head of the FTC's Bureau of Consumer Protection. "They are already hard to read on the Internet, but if you are in the car in the middle of Nebraska Avenue, it can be even harder."
In the wake of the FTC report, Microsoft (MSFT), Mozilla, and Google all incorporated tracking-protection features into the latest versions of their browsers. The Digital Advertising Alliance, a coalition of trade associations, in October introduced an opt-out button that allows consumers to indicate they don't want their online behavior collected. Google in March also unveiled a tool that lets users block unwanted websites.
Although some technology companies have taken action in hopes of forestalling additional regulation, it's unlikely that the industry on its own can agree on adequate policies that balance privacy and profits. Spending on online advertising is projected to almost double to $44 billion in 2016, from $26 billion last year, according to Alex Feldman, manager of global forecasting at MagnaGlobal (IPG), a media researcher. Mobile advertising revenue is projected to grow more than fourfold, to $1.8 billion by 2016, while the value of online video advertising could nearly triple, to $3.7 billion, over the same period, according to Feldman.
In several instances, the FTC has acted to curb what it considers unfair and deceptive practices. The agency reached a settlement with Google in March related to privacy breaches associated with the introduction of its Buzz social networking service last year. The 20-year agreement, hailed as a landmark by industry watchers, bars Google from misrepresenting how it handles information, obliges the company to protect consumer data in new products, and requires periodic government reviews. Also in March, the agency forged a similar settlement with Twitter after hackers obtained control of the Internet messaging service.
As a whole, a new federal privacy law should come down to a simple proposition, says EPIC's Rotenberg: "If you can't protect it, you shouldn't collect it."