April 24, 2002

Legislative Activity

April 24, 2002

Dear Senator:

The undersigned group of associations, who together represent millions of employers and tens of millions of employees, have very serious concerns with S. 2201, the Online Personal Privacy Act.

This legislation, if enacted, would not protect consumer privacy on the Internet, but would have detrimental effects for consumers, companies, and the economy — both online and off. It would also substantially raise costs for consumers, and makes the on-line world more cumbersome for consumers.

In particular, this legislation:

  • Although the legislation sends potential private litigation into federal court, a step in the right direction that may deal with worst potential abuses, it imposes class action liability on potentially every company with an on-line presence, discouraging further use of this medium to serve customers and consumers. Specifically, the legislation would create an impossible situation for companies, by requiring both reasonable access and reasonable security - two contradictory requirements. The bill also opens firms to liability over a broad swath of data deemed to be sensitive, emulating and in some ways going beyond restrictive European law. Therefore, there is virtually no way a company can avoid potential class action liability with penalties of more than $5000 per person.
  • Would add another federal law to the more than 30 federal privacy laws already in existence, without addressing the multiple contradictory requirements that exist as a result of those laws. In fact it would make the problem worse, creating additional inconsistencies for businesses.
  • Does not deal effectively with the prospect of inconsistent state regulation of the Internet in any meaningful way, even though the Legislative Findings specifically acknowledge this as a significant problem. In fact, the preemptive language in the legislation is narrow, and would only impact the on-line collection and use of information, which few states are contemplating, not financial privacy or other areas in which the states have been active.
  • Makes it more difficult to stop fraud and identity theft. For example, it enables consumers to opt-out of information use, including account verification, identity authentication and fraud and identity theft prevention. Thus, this legislation might actually make identity theft easier to undertake.
  • The requirement for "robust notice" is not suited for non-personal computer devices for accessing the internet, such as wireless phones, and does not contemplate additional advances in technology. Further, although the business community has taken the lead in protecting consumer privacy on-line through the almost ubiquitous use of privacy notices, through notice programs like BBB On-line and Trustee, and through the use of technology like P3P, the robust notice does not allow for technology to enable consumers to choose their own privacy preferences through browser -based tools such as P3P, nor provide a safe-harbor for the use of privacy seals. Robust notice seems to apply only to text-based notices.
  • Although this legislation is purported to be "opt-out" legislation for non-sensitive information, the requirement that consumer consent be obtained before information can be used goes beyond commonly understood fair information practices and in effect creates a "opt-in" requirement for collection and use of information, even when used for the purposes of completing the transaction, verifying identity, preventing fraud, billing, delivery, and account maintenance.

Therefore, we strongly urge the Committee to approach its hearing on this issue very cautiously — there are a significant number of unintended consequences that this legislation would create, and we hope that you will carefully consider those problems.

Sincerely,

American Advertising Federation
American Association of Advertising Agencies
American Bankers Association
Association for Competitive Technology
American Council of Life Insurers
American Insurance Association
CapNet
Electronic Financial Services Council
Financial Services Coordinating Council
The Financial Services Roundtable
Information Technology Association of America
National Retail Federation
Securities Industry Association
U.S. Chamber of Commerce