SAN FRANCISCO (08/09/2000) - Dealing with Toysmart wasn't fun and games for the Federal Trade Commission. But it was a lesson in how privacy is a very public business.
Days later, the agency boasted a settlement: The ailing company had to sell itself in one piece to a commerce company in a similar market. Declaring victory, the FTC's Jodie Bernstein said that "consumer data collected under a privacy agreement shouldn't be auctioned off to the highest bidder."
But the deal didn't look so good to 41 state attorneys general. After the settlement was announced, Massachusetts Attorney General Tom Reilly and 40 of his peers told a Boston federal bankruptcy judge that the FTC's deal wasn't good enough; all of Toysmart's customers, they argue, should be notified about the data sale. Moreover, they say the company must get permission from each customer before selling files.
So it goes in the world of privacy politics, where federal and state regulators jockey to establish enforcement standards - and privacy advocates and businesses try to keep track of who's making the rules.
Until this year, the FTC operated under the assumption that its mandate to prosecute unfair and deceptive business practices, coupled with industry self-regulation, was enough. Come May, the FTC was asking Congress for baseline privacy legislation governing commercial Web sites. But as the agency finds itself hectored by both state attorneys general and privacy advocates, it's getting no help from Congress, which isn't close to passing any privacy legislation. With an election ahead, no moves are expected this year.
Meanwhile, the National Association of Attorneys General has launched an online privacy task force that is expected to decide on a strategy at its 2001 spring meeting. If Congress hasn't moved on new online privacy rules by then, the states could move to fill the void.
But what rankles the attorneys general is the FTC's dealmaking. So far, the agency's strategy has been to convince Internet companies to play nice, and make deals that both the FTC and businesses can live with.
Consider the FTC's recent deal with the Network Advertising Initiative, a group of leading online ad server companies such as DoubleClick and Engage. Online advertising firms' use of consumer data has been suspect since last summer, when DoubleClick bought offline marketing firm Abacus Direct with an eye toward combining its ostensibly anonymous browser data with Abacus' names and addresses. Facing an outcry, DoubleClick soon changed its tune on Abacus. But the pressure remains high on DoubleClick and other companies - and on the FTC - to stay mindful of consumer privacy. Accordingly, the agency agreed to give the NAI "safe harbor" against new federal privacy legislation - provided they keep the Feds informed about their moves.
The NAI's go-along-to-get-along strategy worked with the FTC, but it hasn't stopped the states. Michigan Attorney General Jennifer Granholm says she isn't letting up on her investigations of DoubleClick and four other Web sites. Both Granholm's and Reilly's offices say they're reviewing the NAI deal.
"People have to know that their thoughts and practices are being tracked on the Net," says Granholm.
And that's what really scares the burgeoning industry: The prospect of fighting approximately 50 battles against 50 different new online privacy policies.