Privacy's Preemptive Strike

By Jeffrey Rothfeder  |  Posted 09-05-2006

Hewlett-Packard Co., eBay inc. and Microsoft Corp. have a vested interest in seeing online commerce prosper. Their growth strategies are directly linked to making money from Internet sales and transactions. Hence, these high-tech leaders' worst nightmare is that the failure to protect digital privacy will frighten off Web consumers and lead to federal regulations that will stymie the free-form, lucrative evolution of the Web.

Motivated by that sentiment, these and other companies formed a consortium of a dozen corporations earlier this year, dubbed the Consumer Privacy Legislative Forum. Its primary goal is to produce a model federal privacy law that will be acceptable to U.S. businesses and that can outflank the many recent attempts in Congress to pass data-protection bills, all of which have so far fallen flat. The group has just started to sculpt a proposal that will likely call for these baseline standards:

  • Personal information obtained from consumers must be collected in a transparent manner and with appropriate notice;
  • Consumers must have meaningful choices about the use and disclosure of that information;
  • Consumers must have meaningful access to personal information that they have provided; and
  • Confidential information must be protected from misuse or unauthorized access. With these and similar rules in place, CPL Forum members believe that consumers will have a clear understanding of their fundamental data-privacy rights. Consumers will be able to influence companies, through lobbying and their willingness (or lack of it) to open their pocketbooks, to go well beyond the initial set of principles.

    "We are trying to create a minimum level of expectation about privacy that will ensure basic consumer trust," says Scott Taylor, chief privacy officer at H-P. "Once you establish that baseline, it depends on the company to go above the bar or not."

    The CPL Forum is a significant milestone in that it is the first pro-privacy corporate consortium. It has endorsed the concept of federal privacy legislation, which U.S. companies have strongly resisted, claiming instead that voluntary self-policing is adequate. But the CPL Forum's approach raises suspicions about whether its efforts will be entirely for the good.

    Privacy advocates are concerned that CPL Forum legislation will simply codify lowest-common-denominator privacy protections. They fear it could preempt tougher state rules already in place, as well as proposed federal legislation for strict data-protection systems in every large company, such as the Personal Data Privacy and Security Act sponsored by Senators Arlen Specter and Pat Leahy. Moreover, CPL Forum members demur on the question of whether companies should be penalized for data-protection failures and privacy intrusions. Most of the proposed federal laws provide for explicit fines, and even jail terms, for such violations.

    Compromising personal data or failing to provide necessary protections," says Senator Leahy. "This creates an incentive for companies to protect personal information." H-P's Taylor, a CPL Forum leader, isn't convinced. "Certainly companies need to be held accountable, but penalties are not necessarily the right answer," Taylor says. "I'm not prepared to comment on penalties."

    Be sure to read the main story: The Death of Privacy