The battle over privacy legislation has begun in earnest in the states and in Congress, in what may be the pivotal year for this issue.
This week, the first major bipartisan bill regarding online privacy was introduced in Congress. But states, which have just begun calling their legislatures into session, are seeing a flurry of privacy-related bills, many of which could affect financial service companies.
What may be the biggest problem facing some businesses is the potential hodgepodge of state legislation, with varying rules and standards for protecting privacy.
Dozens of bills are being introduced in response to the Gramm-Leach-Bliley Act, a sweeping financial deregulation bill that was approved by Congress two years ago. That legislation didn't preempt the authority of states to adopt their own financial privacy rules. "The big question is, How does a state government that has been rooted in geography deal with a medium that knows no boundaries?" said Emily Hackett, state policy director at The Internet Alliance, a Washington-based trade group.
Touting Tools, Not Laws
"It is very difficult to deal with a myriad of different types of regulation on the same issue," said Kirk Herath, chief privacy officer at Nationwide Insurance Cos. The Columbus, Ohio-based company could ultimately be forced to model its privacy rules around those states with the toughest privacy bills to ensure compliance nationally, he said.
But compliance may be expensive. For instance, if a company adopts "opt-in" policies across the board for all its business units, its systems will have to be able to easily exchange data, which isn't simple for a firm with a lot of legacy systems, said Herath. "There are some systems people [who] really hope that privacy and security will probably drive a lot of systems infrastructure investment over the next 10 years," he said.
Some key lawmakers, including the powerful House Energy and Commerce Committee chairman, Rep. W.J. "Billy" Tauzin (R-La.), have predicted that online privacy legislation will be passed, perhaps in as little as eight months.
"We're gearing up and organizing to take on this issue," said Tauzin, speaking to reporters after a recent forum sponsored by Palo Alto, Calif.-based high-tech public policy group TechNet and the Arlington, Va.-based National Venture Capital Association.
But Bob Herbold, Microsoft Corp.'s executive vice president and chief operating officer, who also spoke at the high-tech forum, urged continued self-regulatory efforts. He said the industry is deploying tools, such as the Platform for Privacy Preferences Project, that customers can trust to protect their privacy.
"We think it's better that companies like Microsoft and others in this industry provide those tools as opposed to dealing with burdensome legislation," Herbold said.
53 Bills Introduced in 21 States
State legislatures are just beginning to convene, but 14 bills related to online identity theft, fraud and children's issues have already been introduced in Arizona, Massachusetts, New Jersey and Missouri, according to research sponsored by The Internet Alliance, a Washington-based trade group.
The Alliance said 53 bills dealing with financial privacy have been introduced in 21 states. And the list is expected to grow.
In Congress, Reps. Chris Cannon (R-Utah) and Anna G. Eshoo (D-Calif.) this week introduced a privacy bill that would set some baseline data protection standards for firms doing business online. Their bill is modeled after one introduced in the Senate last year and is likely to be proposed again in the new congressional session.
That measure, which is expected to be reintroduced by Sens. John McCain (R-Ariz.) and John Kerry (D-Mass.), would give Internet users the ability to limit the use and disclosure of personal information through an "opt-out" mechanism. It would also require companies to post notices about the kind of data they collect and how that information is used.
The federal bills, however, are being criticized by privacy advocates for failing to allow access to information and for relying on an opt-out instead of an opt-in model.
But Jeff Hartley, a spokesman for Cannon, said the bill will likely be changed. "We want all sides at the table in this," said Hartley, adding that all aspects of the proposal are open for discussion.