Bill to Revive Political Battle Over Net Privacy

The political battle over online privacy--largely shelved after the Sept. 11 terrorist strikes--is poised for a comeback as a key senator prepares to introduce a bill requiring Web sites to obtain consumers’ permission before collecting sensitive information, including Social Security numbers, financial data and medical records.

A draft of the bill, expected to be introduced as early as Thursday, already is mobilizing privacy advocates and business groups that are preparing for another legislative showdown.

It remains to be seen whether privacy--a hot-button issue 18 months ago--will be able to make it back to the front burner, particularly with so many other issues facing Congress, including legislation related to the collapse of Enron Corp., welfare reform and the budget.

After Sept. 11, many consumers expressed greater willingness to share personal information if it would lead to improved security or help fight terrorism.

Business groups already are asserting that the privacy problem has largely been solved through self-regulation and existing law, including the Gramm-Leach-Bliley Act, which created new protections for financial data.

“The bill is a solution in search of a problem,” said Joe Rubin, lobbyist for the U.S. Chamber of Commerce. “There is no consumer demand for this.”

Rubin said that recent surveys by the Federal Trade Commission show that most large Web sites already post their privacy policies voluntarily.

And only a small fraction of consumers, about 3%, actually read such policies, which Rubin said was another sign of consumers’ lack of interest in the subject.

Privacy advocates say Internet users remain keenly interested in controlling their personal information, as witnessed by the recent uproar over Web portal operator Yahoo Inc.’s modification of its privacy policy to enable greater marketing of users’ e-mail addresses.

Without new laws, consumers would continue to be vulnerable to companies that decide to change their policies or weaken protections, advocates say.

“The industry has shown that it can’t regulate on its own,” said Frank Torres, legislative counsel for Consumers Union, which is endorsing the legislation.

The bill is being sponsored by Sen. Ernest F. Hollings (D-S.C.) chairman of the powerful Senate Commerce Committee.

Hollings has long supported tougher privacy laws, but the current draft--dubbed the Online Personal Privacy Act--is less stringent than his proposal of two years ago.

“He’s pulled back a bit, which has concerned some in the privacy community,” said Marc Rotenberg, director of Electronic Privacy Information Center in Washington.

Two years ago, Hollings sponsored a bill that would have required Web sites to get permission before collecting or disclosing personal information, a process known as opt-in.

The current draft--intended to be more palatable to business groups--requires opt-in only for data deemed sensitive, including information about an individual’s health condition, race, political affiliation, religious beliefs, sexual orientation, Social Security number or finances.

A spokesman for Hollings declined to comment on the draft before it is formally introduced.

Hollings already is moving to win bipartisan support by seeking endorsements from Senate Republicans, including Conrad R. Burns of Montana, Ted Stevens of Alaska and John McCain of Arizona.

“We anticipate supporting the bill,” said a spokeswoman for Burns.

For most other types of information, the bill is expected to require a less onerous, “opt-out” standard, allowing consumers to block the automatic collection and sharing of their personal data by notifying the Web site.

The draft of the bill, dated April 4, requires all Web sites and Internet service providers to disclose their information collection practices; permit consumers to review information collected about them; and notify users of any changes in policies.

The rules would preempt state privacy laws, which would probably upset state officials in California and Minnesota, where debates are underway to pass tougher protections than those provided under federal law.

Another controversial provision of the draft would permit consumers to sue Web sites for violating their privacy and collect $5,000 per violation if they can prove actual harm.

“There is a very significant class-action liability,” Rubin said.

It’s unclear whether President Bush would support such a bill.

During the presidential campaign, Bush expressed support for tougher privacy rules on sensitive data, such as medical and financial records.

But last month, the administration backed away from health privacy rules crafted by President Clinton that would have required written consent before patients’ medical records could be sent to medical facilities, pharmacies or insurance companies.