nnyq.com

Bill Could Expose Internet Privacy Practices

A bill being passed around the California State Assembly could force companies to show their hand when it comes to collecting your personal information.

The bill (AB2297), also known as "The Online Privacy and Disclosure Act of 2002, does not cover Internet sites that collect e-mail addresses or political Web sites where candidates ask for campaign donations.

But it would require that companies with an e-Commerce site disclose whether or not they collect personal information for business usage, and if so, include a description of that process. The personal information covered by the bill includes a company's usage of your first and last name, address, telephone number, e-mail address and your social security number.

The proposal also contends that the company can reserve the right to change its privacy policy without notice to the individual, but must provide hyperlinks to at least three of the most recent privacy policies if they are substantially different in some form or fashion from the current privacy policy.

Assemblyman Joe Simitian, D-Palo Alto, who introduced the bill contends that it gives consumers a clearer picture of how businesses collect private information.

"Many consumers refuse to do business online because they have little protection against abuse," Simitian said in a statement. "This bill provides meaningful privacy protections that will help foster the continued growth of the Internet economy. Currently the law is unclear on what recourse individuals may have, if any, when somebody chooses not to honor their posted privacy policy. Right now, the only sure method of recourse is to literally make a federal case of the matter. This bill provides for meaningful and accessible enforcement under California Law."

Simitian says AB2297 is also piggybacked onto to bill AB700, which deals with security breaches.

State Republicans like Sen. Ray Haynes, R-Riverside, argue that the bill is too strongly worded - saying if a business Web site did not issue a privacy statement, they might lose business from consumers who believe in the policy.

Despite party-line posturing, the state Senate approved the bill by a vote of 21-17 Wednesday and sent it back to the Assembly for final revisions before heading to the governor's desk.

Online consumer privacy is currently a hot topic. Just this week, two Internet companies were trounced for compromising their customer's privacy.

Technology publisher Ziff Davis Media Wednesday said it would pay $25,000 and implement new online privacy controls as part of a settlement with the Attorneys General in New York, California and Vermont after it was discovered that about 12,000 subscription orders were easily accessible on the site, which exposed subscribers' personal data as well as credit card information. As a result, some subscribers became victims of identity theft.

On Monday, DoubleClick agreed to pay $450,000 to the 10 states that had been investigating the New York-based Web ad server since 2000. The company was accused of violating its stated privacy policies in the process of tracking online consumers and targeting ads using cookies (define).

DoubleClick also agreed to not use consumer data gleaned from clients to build its own profiles, and agreed to not merge data from multiple clients' visitors. Consumers also will be able to register for updates on the company's privacy policy.

According to Simitian's bill, all commercial Web sites could be held accountable if they do business with California residents with a 60-day provision to allow for technical problems. Simitian conceded that prosecuting out of state or overseas e-Businesses would be a bit more challenging.

If it passes, the bill would take effect July 1, 2003.