The new chairman of the Federal Trade Commission today called for a "pause" in the pursuit of privacy legislation, saying the emphasis should be on "more law enforcement, not more laws."
And to show that his enforcement message wasn't just talk, Timothy J. Muris, in his first policy statement on privacy issues since his appointment by President Bush earlier this year, said the agency would increase the number of staff members dedicated to privacy issues from 36 to 60.
Muris' plan to better enforce online privacy, spam and identity theft laws won general praise from the privacy experts, advocates and corporate officials to whom he spoke at the Privacy 2001 conference here.
The message for businesses was clear.
"The companies that haven't given privacy any due consideration -- those are the ones that should now be getting concerned," said Peter Reid, a privacy expert at Plano, Texas-based Electronic Data Systems Corp.
But in pushing aside the consideration of new privacy regulations, Muris opened the door for criticism that he is taking an easy way out of a difficult issue.
"It's a pretty clear retraction of where the FTC was before," said Sol Berman, a technology legal expert at the Columbus, Ohio-based Ohio Supercomputer Center's Technology Policy Group, which sponsored the conference.
Muris' predecessor at the FTC, Robert Pitofsky, a Democrat, believed that the private sector wasn't doing enough to safeguard consumer privacy and felt some baseline legal standards were needed.
Although he didn't rule out future privacy legislation, Muris said the FTC should first step up enforcement of current laws.
"I'm not saying 'No how, never, no legislation.' I think, however, given all of the recent legislation ... we at least need to pause, to figure out how to effectively enforce the legislation we have," he said in response to questions after his talk. "I'm convinced that there's a lot that we can do to protect consumer privacy."
Although Muris was expressing his own views, two Republicans who serve on the five-member FTC commission are also opposed to government online privacy regulation.
Any position taken by the FTC wouldn't preclude Congress or the states from adopting privacy rules. But Muris' opposition to regulation will affect the congressional debate on the issue. A number of privacy bills were pending prior to the September 11 terrorist attacks on the U.S., but it's no longer clear when Congress, now focused on security issues, will resume debate on privacy legislation.
Muris defended his position by outlining some of the issues that must be solved before regulation is possible, including access and security requirements. The access issue, in particular, worries many in corporate IT because it could require developing a way to give customers access to data kept in disparate databases.
The FTC chief also acknowledged industry complaints that privacy rules will cost companies money. "We need much better data than we have about the benefit/cost trade-off before we proceed," he said.
Among the other steps Muris called for is a more aggressive attack on deceptive spam, creation of a "universal fraud-complaint form" to make it easier for identity theft victims to notify credit bureaus and others and creation of a national "do-not-call list" that would allow consumers to stop calls from telemarketers.
Most significantly for companies, Muris said there should be no distinction between online and off-line databases when privacy issues are considered. That could mean that companies that thought they were somewhat shielded from the online privacy debate could soon find themselves in the thick of it.
Muris' view that there should be no distinction between online and off-line data will make it more difficult for legislation aimed at online privacy alone to win approval, said Ron Plesser, a Washington-based attorney who represents companies on privacy issues.
Companies that post privacy policies are legally obligated to follow them. If they don't, they could run afoul of the FTC's rules governing deceptive practices.
Fran Maier, the executive director of Truste, a San Jose-based privacy self-certification program, said the push for enforcement "bodes very well for us." She said she expects more companies will seek help in developing privacy practices through certification programs.
Ari Schwartz, a policy analyst at The Center for Democracy & Technology in Washington, said the question for Muris remains, "How do you create that minimum floor [of privacy protections] that will bring people to shop on the Internet?"
Schwartz and other privacy advocates said they believe Muris sees privacy as an important issue. "The focus on privacy is still there, so we fell that is something to work with."