105th Congress Takes on Privacy Issues
A search of the congressional database found that 329 bills introduced contained the word "privacy." Of the bills sent to the White House for approval, at least 16 mentioned privacy somewhere. However, the raw numbers are misleading. Computer searches double-count bills introduced in multiple versions, and simple searches miss bills intended to improve privacy but that don't use the magic word. Of the bills sent to the White House, most mention privacy only in passing and have little substance. Some contain amendments that weaken rather than enhance privacy.
Four congressional actions on information privacy struck me as most significant. The Children's Online Privacy Protection Act of 1998 will have the broadest effect on marketers. Another new law addresses identity theft. The third and fourth actions impose a one-year moratorium on government actions with privacy implications.
The children's privacy law began in the 104th Congress as a Republican proposal. It came back to life in 1998 after the Federal Trade Commission issued a report on online privacy. Vice President Gore endorsed children's privacy legislation this summer, and the appeal of legislation designed to benefit children made the bill hard to stop.
The principal feature of the legislation is a parental consent requirement for commercial Web sites. Operators of online services targeting children must obtain verifiable parental consent before collecting, using, and disclosing personal information from children. They also must provide notice on the Web site of their information practices and they must provide a parent with access to any personal information collected from a child.
Other requirements address contest rules, security and enforcement. The FTC is the principal enforcement agency, but the Federal Reserve, Transportation Department, Agriculture Department and others also have some responsibilities. The jurisdictional hodgepodge cannot be explained by a sudden burst of interest in privacy by these agencies. It is simply another Washington turf war.
Measured by a fair information practices yardstick, the new children's privacy law has plusses and minuses. The law relies mostly on a parental consent model, but it imposes no independent limits on information use or disclosure. The policy is that almost anything goes as long as parental consent is obtained. The law does allow one-time responses to children without consent. Civil liberties advocates see that as a positive blow for a child's First Amendment interests and right to use e-mail.
The law is also very narrow. Only information collected online from a child is protected in any way. Information about a child collected from the parent is not regulated. Once a child reaches the age of 13, neither the parent nor the child may have any rights under the law, and a Web site owner may be free to use all information without regard to the legislation, prior promises or parental or child wishes. An alternate interpretation is that the information from the child remains restricted forever. The law is not clear here.
The law's requirement for parental access applies to information provided by a child. This mandatory access provision will be troublesome for those fighting with the European Union about compliance with the EU Data Protection Directive. American industry and the Commerce Department are strongly resisting EU demands for data subject access as called for in the Directive and basic fair information practices. The Europeans will surely see this law as undercutting American claims about the impossibility of providing access.
Overall, the children's privacy law is unclear in some spots, riddled with loopholes and mostly limited in scope. At the same time, however, one provision is potentially expansive. It limits the collection of more information from a child than is reasonably necessary to participate in a contest, game or any activity. This policy is not limited to children's Web sites and parental consent is not a defense. We will not be able to fully evaluate this or other provisions until we see the FTC regulations next year.
Another new law makes identity theft a federal crime. It also establishes a reporting system for information about the scope of the problem. The law does nothing, however, to address the root of the problem. Credit grantors and credit bureaus aren't required to take any actions that would make identity theft harder or that would offer protections to consumers who want to avoid being victims. The law will be largely ineffective in preventing identity theft, but it will help punish a few criminals.
The remaining two privacy items slow implementation of federal identity card requirements from previous laws. A 1996 law directed the Secretary of Transportation to mandate the collection of Social Security Numbers for state drivers' licenses. Another 1996 law directed the Secretary of Health and Human Services to develop an individual identifier for healthcare use.
In both cases, a wave of popular opposition provided the impetus for the congressional action. Privacy groups used the Internet to generate thousands of comments on proposed DOT regulations. They then used the telephone to convince the House to accept a Senate amendment that would stop the regulations for a year. The health identifier was not so far advanced in the administrative process. However, as soon as word leaked out, a new national health card was under consideration, public opposition was intense and nationwide.
These two congressional actions to put a one-year halt on identification schemes may have more long-term significance. They suggest that there are strong popular concerns about some privacy issues and that politicians will listen and act when the public speaks. If that public concern is harnessed and focused, we can expect to see more privacy legislation in the next Congress.