On Privacy, One Size Doesn't Fit All


What's the thorniest public policy issue when it comes to the Internet?

I would call it a tie between intellectual property and privacy. Napster and other peer-to-peer devices will almost certainly require a new patent and copyright regime. Government has to play some kind of role in enforcing rules to stop people from stealing other people's property – intellectual or otherwise.

Privacy is a different matter. I recently moderated a panel discussion on the subject in Austin, sponsored by Dell and several Texas technology groups. The consensus was that government should have a limited role in policing privacy.

Lately, a majority of the members of the Federal Trade Commission wants to set a uniform code of conduct on Internet privacy. That's a bad idea, and the White House and Congress have quite properly put it on hold. Right now, the FTC's function is to make sure that, when a site publishes a privacy policy, that site lives up to it. Otherwise, the FTC takes legal action. But a site need not have a privacy policy at all, under current law.

The problem with a uniform code is that one size cannot possibly fit all on the Net. Some sites, for example, offer users a trade: tell us about yourself (your address, age, income, interests, shopping habits), either directly or through our monitoring of your activity on the site – and we will give you something in return. Perhaps discounts or access to extra information on the site. As long as users understand the conditions of their engagement with a particular site, they should be free to enter into any deal they want with that site.

But does the government have a role in making sure consumers are informed?

Perhaps it does. For example, federal laws require packaged foods to carry a label with nutritional information. As a believer in free markets, I think that, in principle, that requirement is obnoxious, but, truth is, it does not harm and probably on balance does good.

So why not have a law that says that every site must have a button of a certain size with "Privacy Policy" written on it in a certain typeface. Clicking on it takes the user to the policy – if there is one. The site can simply say, "none" if it wishes – but such a site probably would get very little traffic.

Orson Swindle, the sensibly libertarian FTC commissioner, said at the Austin conference that he would go along with such a requirement, as long as we got something else as well – a federal law that superseded the states on privacy.

Today, as former FTC commissioner Christine Varney, also a panelist, pointed out, many states have their own privacy laws, which require the sort of specific disclosure that the federal law does not. At the Democratic convention, I interviewed Jennifer Granholm, the Michigan attorney general, who told me that sites that did not protect their users against what she termed "privacy abuses" could be prosecuted.

The Commerce Clause of the Constitution undoubtedly would give federal law precedence over state, but, at this point, businesses on the Net can't take that risk.

So I'll take the trade, which is embodied in legislation backed by Sen. John McCain, (R-Ariz) a privacy label in return for an emasculation of state laws, which are simply confusing and obstructionist in an Internet age.

In the end, only the free market can work out the best arrangements for privacy policies. If you don't like what a site is doing with your personal information, you don't have to use it, and other sites will spring up with better policies. They'll get your business.

Meanwhile, the big guys of the high-tech world – like Dell, IBM and Microsoft –should continue to press their suppliers and partners to adopt strong privacy protections or lose their business. We're on our way to untangling this thorny problem, with as little political intervention as possible.