The time has come for Congress to step up to the plate and enact legislation that provides baseline Internet privacy protection. Contrary to popular belief, the U.S. Constitution doesn't generally guarantee personal privacy.
Rather than fill in the gap, however, Congress and the Clinton administration espoused "self-regulation" as a solution to privacy concerns. Unfortunately, some privacy certification programs were criticized for failing to adequately enforce privacy compliance. Meanwhile, for several years in a row, U.S. Federal Trade Commission surveys have shown poor Internet privacy protection by many Web sites.
Because of such concerns, Congress has taken some legislative steps, including the Children's Online Privacy Protection Act, which became operative last April. It has also provided privacy protections for certain sectors through legislation such as the Financial Services Modernization Act.
Lacking definitive federal law, some states have passed their own measures. But much of this legislation is unenforced or incomplete.
An analysis this year of 751 U.S. and international Web sites conducted by Consumers International - a London-based consortium of consumer-protection organizations - found that "most sites collect personal information but fail to tell consumers how that data will be used, how security is maintained and what rights consumers have over their own information."
The good news is that Congress is catching on.
Various Internet privacy bills have already been introduced in the 107th Congress, and there will likely be many more.
Congress should pass legislation that, at a minimum, forces Web sites to display privacy policies prominently, lets consumers know how companies collect data and lets them access their own data and opt out of having their data collected altogether.
Some privacy advocates have suggested that legislation should go even further, barring cookies and Web bugs and requiring consumers to opt in before a Web site can collect personal information.
But should federal privacy regulations preempt state laws? With no realistic geographic boundaries, it's difficult for online businesses to comply with potentially competing laws of different jurisdictions. The National Association of Attorneys General is urging Congress not to hamper state enforcement of privacy violations. And the U.S. Chambers of Commerce has vowed to fight further regulation.
Issues like federal preemption shouldn't slow down the privacy legislative train. Every day, we learn about greater potential for Internet privacy invasion. Just two weeks ago, it was revealed that Nortel's Personal Internet technology suite can enable ISPs to track the online movements of customers.
Enough already. Let's get some baseline privacy protections in place now.
Eric J. Sinrod is a partner in the San Francisco office of Duane, Morris and Heckscher LLP. His Web site is www.sinrodlaw.com, and he can be reached at EJSinrod@duanemorris.com.