Study: US privacy proposals could cost billions

The cost of complying with privacy legislation now pending in Congress could run well into the billions of dollars for companies doing business online, according to a report released Tuesday by the Association for Competitive Technology (ACT).

The total cost of pending privacy legislation to companies could run as high as US$36 billion to cover the price of tracking software that would have to be developed and integrated, said the author of the assessment, Robert Hahn, director of the American Enterprise Institute-Brookings Joint Center for Regulatory Studies.

The $36 billion figure was reached by multiplying 361,000 -- about 10 percent of the total number of "active" and "purposeful" Web sites -- by $100,000, the amount that Hahn estimated it would cost companies to develop custom software necessary to comply with pending legislation. Hahn reached the $100,000 figure by analyzing data provided by 17 mostly Washington, D.C.-area consulting companies who were asked to estimate labor and other costs that would be incurred in developing the software.

Hahn said he chose to conservatively estimate that only 10 percent of Web sites would need the software, but he said even if only 5 percent needed it, the cost to the companies would be $9 billion. Although there was no way to determine exactly how many sites would need the software, Hahn said it was certain that many sites would stop collecting personally identifiable information or even close down if faced with a $100,000 bill.

Hahn's research was criticized Wednesday in a news release issued by Peter Swire, former chief counselor for privacy in the U.S. Office of Management and Budget.

"Unfortunately, based on the study's own assumptions, there are serious analytic flaws in the conclusions," Swire said in the release. "The estimates are far too high and should not be relied upon for decisionmaking by policymakers."

Swire said his own book "None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive," which he co-wrote with Robert Litan, concluded that after substantial effort he and Litan could not create a useful estimate of the likely costs of complying with the European Union Data Protection Directive.

Hahn's report also does not adequately address the key issue for any cost estimate -- the baseline against which the cost comparison is made, Swire said.

According to Hahn, one reason the cost of the software would be so high is the access provisions included in some pending privacy bills, which would require Web sites collecting personally identifiable information to allow users to see that information and correct it. This might involve online access to the Web site databases storing the information, increasing the cost of making the access secure.

It's a reasonable assumption that the software would have to be custom made for most of the Web sites because of the difficulty of integrating off-the-shelf products, said Jonathan Zuck, president of ACT, a Washington-based advocacy group for the technology industry whose members include Microsoft Corp. and EBay Inc., as well as many small and medium-sized companies.

"These direct costs, coupled with an opt-in requirement, could endanger free online content and services that are paid for by targeted advertising and marketing," Zuck said, adding that some ACT members fear the proposals will mean their companies will need more lawyers than software developers.

Legislators also should note the marketplace is responding to consumer concerns about privacy by embracing the self-regulatory approach and coming up with policies that meet their needs and the needs of their customers, he said.

Hahn said he would not recommend Congress pass online privacy legislation now, and he thinks the costs of online privacy require further study. The costs of compliance could be substantial and the benefits of such regulation have yet to be qualified.

At the same time the report was released, representatives of the Gallup Organization, Harris Interactive Inc. and other polling companies told a congressional panel that although their polls sometimes show the public has unclear and inconsistent ideas about privacy, an overwhelming majority of the public wants to maintain control of its personal data.

At a hearing before the House Committee on Energy and Commerce's Subcommittee on Commerce, Trade and Consumer Protection, witnesses affirmed that privacy is a concern among Internet users. About 87 percent of online consumers in the U.S. are "privacy assertive," according to Alan Westin, president and publisher of the Privacy & American Business report.

Being "privacy assertive" means they refuse to give out personal information they feel is not necessary to complete a transaction. Among Internet users, Westin said 61 percent say they have opted against purchasing a good or service because they were unsure how their personal information would be used.

Representative Michael Doyle, a Democrat from Pennsylvania, said, however, that although some polls give clear information, others don't, leaving the impression that the public is "somewhat schizophrenic" about privacy. Another member of the panel, Ed Bryant, a Republican from Tennessee, said Web users might still need time to develop a "comfort zone."