Toysmart.com case fuels Privacy Debate
- — 13 July, 2000 16:22
It's unclear, however, whether this incident will lead to Congressional action. The United States has no federal privacy law, and some suggest it will take an even bigger Internet privacy case to prompt action.
"Until we get the average person excited about this, this isn't going to go anywhere," says Meg Smith, a fellow at the Berkman Center for Internet and Society at the Harvard Law School.
Trying to defuse the situation, Walt Disney, the majority owner of Toysmart.com, has offered to purchase the customer list. The company also promises to work with the FTC to keep the list confidential.
Nonetheless, Toysmart.com's actions have already spurred legislation. A bill by Alabama Representative Spencer Bachus would make it illegal for companies to sell private data during bankruptcy proceedings.
Typically, federal lawmakers have been reactive with privacy legislation, says Ari Schwartz, a policy analyst with the consumer advocacy group Center for Democracy and Technology.
The United States "does not have a general vision" on privacy issues, as European countries do, Schwartz notes. "We don't necessarily want to take their vision. We want our own vision."
US privacy laws address specific areas, such as financial records, credit reports, educational records, motor vehicle registrations, and telephone records. Europe already has a general directive in place for protecting consumer information.
"There are data protection laws in the United Kingdom, and also in Europe, to prevent that sort of thing [sale of private data]," says Yaman Akdeniz, founder and director of Cyber-Rights & Cyber-Liberties, a British organisation.
Likewise, in Germany, "companies cannot sell data about customers unless the customers expressly agreed at the time they gave the data that it could be sold," says attorney Jan Ihlau.
The European Union earlier this year accepted the US voluntary safe harbour principles, in which companies seek consumers' approval before they can transfer their data to another company. European Parliament members, however, recently rejected in a nonbinding vote the US data privacy provisions, noting they do not meet the requisite protection level.
Pressure is mounting in the United States, though, to develop legislation to ensure online privacy.
FTC commissioners released a report in May that indicated that only 42 percent of the 90 most popular internet sites that collect personal information adhere to the FTC's "fair information practices principles." Commissioners also voted 3-2 to urge Congress to enact broad legislation to protect private data. This was a switch from the commission's long-established support of self-regulation.
However, legislative efforts should proceed with caution, Schwartz says. Lawmakers should become aware of the consequences of implementing new privacy legislation, he adds.
"US law is just one piece of the puzzle," Schwartz notes. "We see three pieces: the law, better self-regulation, and technologies that can put people in better control of their information. We shouldn't be just focusing on privacy law. We should be focusing on all three factors."