Privacy: E-Firms Just Don’t Get It

William Kennard, chairman of the Federal Communications Commission, believes there are “powerful market incentives” for online companies to develop strong policies on Internet privacy. That would seem logical, considering the obvious concerns of Web companies’ customers about online privacy. Yet, perversely, self-regulation has been a huge disappointment. If the industry really wants to avoid mandatory rules and gain the trust of its customers it will have to do a much better job of policing itself.

Survey after survey shows high public concern over online snooping. The Federal Trade Commission, which closely monitors the privacy issue, says the high level of public angst costs Web retailers billions of dollars because many increasingly skittish consumers won’t buy online.

Yet Web companies react only when prodded, and even then with minimal measures. It took a huge public outcry and investigation by the FTC earlier this year to force the leading online advertising firm, DoubleClick, which collects personal data from millions of consumers, to scrap a plan to match its anonymous records of online consumer preferences with the names of real people.

Industry associations argue that nine out of 10 Web companies now have some kind of privacy notice posted, compared with only 10% two years ago. That may be so, but more often than not these privacy policies on the Web amount to little more than notices that personal data are being collected. In other words, whereas 90% of Net companies flunked the privacy test two years ago, today most would get a D-minus. That’s not good enough.

A model privacy policy has been developed over the years by the governments of the United States and other developed countries, with the help of the industry. Under that policy, an effective privacy notice must tell consumers what information the Web company collects and what it does with the data. It also must give the customer a say in whether such data may be shared with others. In addition, the Web site must give the consumer access to the information collected and reasonable security against misuse.

A study of the 100 most popular shopping Web sites done by the Electronic Privacy Information Center found that 18 had no privacy policy and that none of the 100 had a privacy policy containing all the minimum elements. This is the sad result of at least five years of industry self-regulation. Clearly, Kennard, whose agency shares jurisdiction over Internet commerce, has misplaced his faith in the power of market incentives when it comes to privacy.

The FTC is rightly growing impatient and has asked Congress for authority to regulate online privacy. Meanwhile, too many consumers are losing confidence in e-commerce because they do not believe the companies will deal fairly and safely with their private information. The threat of government regulation and the prospect of antagonizing customers should be incentive even for the most obstinate Web company to begin taking online privacy seriously.