If U.S. lawmakers push through new online privacy rules, industry watchers say companies running e-commerce sites will have a long, expensive and complicated job in front of them.
Chairman of the Senate Commerce Committee, Ernest "Fritz" Hollings, D-S.C., is trying to push through a privacy bill - S. 2201 - that would set a national standard for all online transactions. It's a move Hollings says will promote consumer confidence in buying online, bolster spending and give some much-needed support to the lagging high-tech industry.
But some in the e-commerce arena worry that the passage of the bill would mean expensive overhauls of e-commerce systems and databases, and create security nightmares by letting customers into the system to check, and change, their personal information.
The bill, which also opens the door to "private right of action," or individual and class-action lawsuits, over privacy breaches, means that one technical glitch that fouls up personal data collection could be financially catastrophic.
"It has provoked grave concern, particular in our engineering department," said Paul Misener, vice president of Global Public Policy at Amazon.com, during his testimony at Thursday's Senate hearing on the bill. "These can-do engineers and programmers, who have built up our computer system all the way from our CEO's garage to the Fortune 500 in just seven years, seriously question whether we possibly could comply with the technical requirements of this bill."
Misener, who calls the online retail giant "pro-privacy," says the rules outlined in the bill would undermine the security procedures and technology they already have in place.
A Double-Edged Sword
"Even if somehow they could make our systems comply, our engineers fear that many of the bill's provisions would seriously jeopardize our systems' security and anti-fraud efforts," he says, adding that it's not fair to regulate on-line and not off-line retailers, as well. "There is no inherent need for privacy legislation...Those companies with high levels of privacy protection are the ones that succeed in this robust market."
Industry analysts say companies are dealing with a double-edge sword here. On one hand, the bill could pull IT workers off other projects and have them spending months rebuilding their e-commerce infrastructure and creating a pathway for consumers to view and change their personal information without compromising security.
But on the other hand, Hollings and his privacy backers say the bill would help people feel more secure in trusting online companies with their personal information. A recent study by Forrester Research Inc. reports that online businesses lost $15 billion last year due to consumer privacy concerns. More trust, Hollings says, would mean more spending.
"The bill is heading us in the right direction," says Ari Schwartz, associate director at the Washington, D.C.-based Center for Democracy and Technology. "Users, from what we know, just don't trust Internet commerce and in order for the Internet to continue to grow, we need to build more trust in. To do that, we need to...make individuals feel that they do have control over their own information."
The bill calls for:
Rules governing consumers' ability to opt-in, or specifically OK, the collection of "sensitive personal data," such as race, income level and sexual preference;
Rules giving consumers the opt-out option for the collection "non-sensitive" information, such as name, address and purchase history;
A national standard, preempting state laws or the ability of states to pass their own online privacy rules;
Individuals gain the right to sue over privacy breaches, opening the door to class-action lawsuits;
"Reasonable access" or the right for consumers to view and change personal data, and
Enforcement by the Federal Trade Commission (FTC) and state Attorneys General.
"As I make it feasible for you to come in and inspect your records, then I'm essentially starting to dilute the security of my system or the security of the system that is protecting your records," says Bob Cohen, senior vice president for the Information Technology Association of America (ITAA). "Striking the balance between security and privacy is difficult. What you think is protecting your privacy is actually making it more possible for hackers to look at your records or steal your identity."
Kelly Thompson, a longtime proponent for online privacy and the standards and practices manager for San Francisco-based Mindshare Design Inc., says the sheer scale of the job that would be in front of her if this bill passes is staggering.
"It would be very big and very expensive," says Thompson. "And the consequences of screwing up the tech part of it could mean inadvertently compromising many people's privacy...and bringing on a class-action lawsuit. It's very scary."