Privacy advocates had high hopes that President George W. Bush would champion their cause. During the 2000 campaign, candidate Bush boasted in an interview with BusinessWeek that he was a "privacy-rights person." When it came to online privacy, he said, "customers should be allowed to opt in [to sharing information]. The company has got to ask permission." (See BW, 5/29/00, "How George W. Bush Would Steer the Economy.")
But lately, the Bush Administration seems to have lost much of its ardor for expanded privacy rights. Since the September 11 terrorist attacks, Attorney General John Ashcroft has pressed Congress to expand the circumstances under which law enforcement agencies can wiretap and gather personal information. And now another Bush appointee, Federal Trade Commission Chairman Timothy J. Muris, is rescinding the agency's previous call for tough new Internet privacy laws.
Muris outlined his support for industry self-regulation coupled with stiffer enforcement of existing privacy laws in a speech on Oct. 4 in Cleveland. He recently talked about his new approach with BusinessWeek Washington Correspondent Amy Borrus. What follows are edited excerpts from their conversation:
Q: Back in mid-2000, your predecessor, Robert Pitofsky, called for new online privacy legislation. You say it's not needed. Why?
A: When you ask people what they care about, they say they care about identity theft, the economic harm that can come when they lose insurance or credit because of faulty credit reports. Privacy involves all of those issues, not just Internet issues.... [What's needed now] is not new laws but more law enforcement.
Our one experience with broad-based privacy by notice [the 2000 Gramm-Leach-Bliley law, which requires banks and insurers to mail customers notices about what kind of personal data they collect and how they use it, and offer customers the right to "opt out" of data-sharing], has not been a resounding success. We shouldn't pass new legislation until we figure out why.... We're going to have a workshop to figure out how to do it better.
Q: On the campaign trail in 2000, then-candidate Bush said in an interview with BusinessWeek that he was a "privacy-rights person" who favored letting people "opt in" to sharing of their personal data online. Are you out of step with the President?
A: My understanding was that the President was most concerned about particularly sensitive information, such as medical and health data. We have very good laws for protection of medical and health information. I certainly agree...that the most sensitive info should have the most protections.... But these are my sentiments [only], they're not official sentiments of the Bush Administration. Since September 11, they've been very busy on other issues.
Q: One reason some companies that had looked askance at legislation have changed their position is they're worried about states passing their own laws, creating a patchwork quilt of privacy laws. Isn't that a reason for federal rules?
A: That's a good argument. I'm not saying we should never have legislation. The states haven't passed such legislation yet. If they do, that would certainly change the calculus.
Q: If you eliminate the threat of legislation, what's the incentive for companies that do follow the strictest privacy practices to keep doing so?
A: There are market incentives and there are legal incentives. Companies have responded to consumer interest in privacy. All of the top Web sites have privacy policies. Companies have privacy officers. We don't need new laws, we need new law enforcement.
Q: How can consumers protect their privacy online if there are no federal rules?
A: Just a few years ago, virtually no one posted privacy policies online. Now, all the top [Web] sites post privacy policies. Second, we are aggressively involved...in enforcing those policies. If people violate their privacy policies, we will bring cases. Third, the Commission, through its self-regulating mechanisms, has worked out additional protections. People are worried about profiling -- people following your clickstream through cyberspace. If anyone wants to link your personally identifiable information with your past clickstream, they have to get your permission.
Q: You said you plan to boost the FTC's privacy resources by 50%. What does that mean?
A: We had 36 full-time-equivalent staffers for the fiscal year just ended. We're taking that to around 60. We'll also be making changes to the telemarketing sales rule, [to establish a] national "do not call" list and crack down on telemarketers who use preacquired credit-card information deceptively. Sometimes you get calls from a telemarketer [who] already has your credit-card number. So the telemarketer may pitch you, "How about trying this free for 30 days?" What consumers don't know is, after 30 days, they start getting billed. This is a growing practice.
The commission has never looked at deceptive spam. We get thousands [of complaints] every day, and we put them aside in a box called the refrigerator. We're going to look at what's in the refrigerator and, for the first time, go after the deceptive spammers in a concentrated way.... We are also going to look systematically at whether people are living up to their privacy policies, offline and online. We're going to seed these policies with fictitious consumers' names and addresses and see what happens. If suddenly there are targeted mailings after [assurances were given that the names wouldn't be shared], we'll know if people aren't living up to their privacy policies.
Q: More companies may post privacy policies but there hasn't been much progress when it comes to whether companies offer people a choice about how their personal data is collected and used.
A: Encouraging companies to offer choice is important. The marketplace will have an impact there. But the credit experience tells us that there are some situations where choice can be a problem. If we had choice upfront in the credit area, the miracle of instant credit wouldn't occur.
[It] happens every day in car lots all across the U.S. If you're a middle-class family with a good credit rating, you can walk into a car dealership, borrow $10,000 from a complete stranger, and walk out with a new car in an hour. The reason is that you and I don't have control over our credit information: If we pay our bills or don't, that information automatically goes to credit-reporting agencies. In general, choice is a good idea. But we shouldn't legislate it. The idea of one-size-fits-all legislation to me is a dubious proposition.