While the lack of federal privacy legislation to pre-empt individual state privacy laws means direct marketers have to comply state by state, enforcement officials from three large states said yesterday that they are willing to work with businesses.
The comments came during an audio conference, “State Privacy Laws: A Discussion With Top State Enforcement Officials,” sponsored by the Privacy Officers Association.
“We really do intend to be reasonable people,” said panelist Susan E. Henrichsen, deputy attorney general, California Department of Justice, San Diego. “Ultimately, what we are trying to do is ensure that consumers are protected.”
Her fellow panelists were William J. O'Byrne, enforcement manager, Division of Regulatory Affairs, New Jersey Department of Banking and Insurance, Trenton, NJ; and David A. Stampley, assistant attorney general for New York. The moderator was John T. Bentivoglio, a partner at law firm Arnold and Porter, Washington.
Though each panelist discussed specific regulations in their state, they also offered general advice for keeping in compliance with state privacy laws. The participants agreed that while investigations can be prompted by consumer complaints, competitor complaints, news coverage or other means, state enforcement officials' goal is to help businesses make sense of the laws.
“We are not in the business of punishing people,” O'Byrne said. “We are here to hopefully draw up clear rules that are easy to comply with.”
Some states, such as California, even have a separate resource for privacy issues. The California Office of Privacy Protection was opened within the past two months to help consumers and businesses, Henrichsen said. Similarly, the Web sites of each state's attorney general, as well as privacy groups' Web sites, serve as resources on current and pending state privacy legislation, Stampley said.
Though Henrichsen said that most state attorneys general agree that medical privacy, Internet privacy and privacy issues related to bankruptcy proceedings are a priority, she stressed that there is not universal agreement about these issues. State-to-state interpretation of federal rules can differ, too.
Though the FTC defines deception as a practice likely to mislead, to their detriment, a consumer who is acting reasonably, many states do not have to prove reasonable action on the part of a consumer or prove that damage was done, Henrichsen said. Her point further demonstrates the need for marketers to be aware of the laws in the states where they do business.
Finally, one panelist seemed doubtful that one federal privacy law would be adequate to cover all the complex issues.
“I don't think there could ever be one law,” Stampley said.