Computer World –
COLUMBUS, OHIO -- For companies worried that the potential approval of new privacy laws could affect their data-collection practices, it may not matter who wins next week's presidential election. The reason is simple, according to attendees at a privacy conference here: The push for privacy legislation is coming from all sides of the political spectrum.
The U.S. Congress and individual state legislatures next year are all but certain to consider a wide range of privacy-related legislation that could affect many industries next year, said privacy experts and corporate officials at this week's Privacy2000 conference. And while many e-commerce companies and industry groups have been urging government officials to favor self-regulation over new regulations, that sentiment may be changing because of the potential for conflicts between federal and state privacy laws.
The ability of the federal government to override state law is one of the reasons why the Walt Disney Internet Group in North Hollywood, Calif., backs a bill proposed last summer by U.S. Sen. John McCain (R-Ariz.) and two other senators. The bill, which isn't expected to win approval this year, would require Web sites to disclose what they plan to do with the personal data they collect and compel them to give customers a chance to limit how the information is used.
"We're supporting that legislation more because of business predictability than . . . the fact that we don't think self-regulation is working," said Alden Schacher, privacy director at the Walt Disney Internet Group, an independently operated company that manages The Walt Disney Co.'s Internet businesses.
The proliferation of proposed state-level privacy bills "creates a very unpredictable environment [in which] to operate," Schacher said. Federal legislation preempting state laws would make the privacy issue less complicated for companies to manage, she added during an interview at Privacy2000.
But federal legislation doesn't automatically preempt state laws: Congress has to choose to include that provision in the bills it passes. The Gramm-Leach-Bliley Act, a sweeping financial deregulation bill that was approved last year, wasn't preemptive -- a fact that's creating problems for some companies looking to use its provisions.
For example, Kirk Herath, chief privacy and public policy officer at Nationwide Financial Services Inc., said 17 states have prohibitions on data sharing among financial services firms that remain in force after the passage of the Gramm-Leach-Bliley Act. Included on the list is Ohio, the corporate home of Columbus-based Nationwide Financial.
Complying with conflicting sets of state and federal laws isn't easy for companies, Herath said. "You can't create two different systems," he noted. "It's not easy to take your customer base and segment it 50 different ways, or even two or three different ways." As a result, Herath said, the most restrictive state laws often become the de facto national standard.
Companies that have spent most of their attention focusing on the possibility of federal prrivacy legislation are going to have to start paying more attention to state legislatures, said Emily Hackett, the state policy director at the Internet Alliance, a Washington-based trade group. Privacy legislation at the state level is "going to be very active," Hackett said. "Any company that is interested in the privacy issue cannot ignore the states."
At least two-thirds of the 50 states are considering an aggregate total of privacy bills numbering into the hundreds, according to estimates made at this week's conference, which was organized by the Ohio Supercomputer Center's Technology Policy Group. And data privacy has become an issue that cuts across party lines, attendees said.
"If you're in business and you think that one party is going to help you on this issue . . . I think you are sorely mistaken," said Steve Emmert, director of government affairs at London-based Reed Elsevier Inc., which owns the Lexis-Nexis information service and other businesses.