What Price Privacy?

Companies should stop wielding scary numbers and help design a law that will protect consumers -- and make business more efficient

By Jane Black

How much would online privacy safeguards really cost? That's the question posed by a new study backed by business groups. It predicts that business could end up shelling out anywhere from $9 billion to $36 billion if privacy-protection legislation now under consideration by Congress is enacted. And if that's not chilling enough, it's a "conservative" estimate, according to the report's author, Robert Hahn, director of the independent American Enterprise Institute-Brookings Joint Center for Regulatory Studies, a Washington think tank.

Business is clearly gearing up for a battle here. The study is sponsored by the Association for Competitive Technology, a coalition of companies with a clear interest in deterring legislation. In my view, the numbers are a bit too pat, and the study bypasses some major pluses for business -- namely that, by complying with uniform privacy laws, companies can cut costs over the long haul and better manage their e-businesses. Witness the new privacy laws covering portability of health-care plans that will eventually save HMOs a bundle by streamlining business processes and eliminating paper flows.

Beyond that, it's a pretty fair bet that money spent on enhanced privacy can help retain skittish customers, prevent brand erosion, and stave off class-actions. Rather than carping about costs, business should accept that privacy concerns are real -- and that they aren't going away. And rather than banking on a cost bogeyman to scare off the feds, corporate lobby groups should get some of their best minds together to figure out how to shape any new regulations to make them work for business.


Let's take a look at the math. First, Hahn estimated the number of Web sites that could be affected by legislation requiring companies to give consumers the right to see what information is collected about them and that companies be able to track their compliance. Citing independent sources and the Federal Trade Commission, Hahn figures that any proposed law would affect as many as 3.6 million Web sites. Then, he estimates the cost of bringing these sites into compliance with privacy laws at $100,000 per company.

He bases this figure on 17 estimates he got from technology consulting firms in 10 states. At that steep price level, Hahn figures that only 10% of targeted businesses will make the investment in their Web sites to track all uses of personal information and comply with proposed laws. The rest would simply stop collecting any personal data. That means 360,000 businesses would each spend $100,000 to comply, yielding the $36 billion price tag.

In an alternate scenario, Hahn assumes that only businesses with more than 100 employees would attempt to comply. That's 94,000 companies, or less than 4% of all businesses, for a total cost of $9 billion.

The calculation falls short in two ways. First, the study doesn't recognize savings that could result from companies learning better and more efficient ways to handle customer data. In the case of health-care portability, the Health & Human Services Dept. estimates that the new privacy regulations -- more complex than anything currently proposed for Internet privacy -- will cost $17.6 billion to implement. But the rules will produce a net savings of approximately $12.3 billion for the health-care industry by improving the way the system works and eliminating paper transactions.


Second, Hahn's study calculates the cost of implementing proposed legislation as if every Web site were starting from scratch. Yet he cites figures that seem to counter that in his own study. In 1998, the FTC reported that only 14% of 1,400 commercial Web sites sampled provided any notice about their information practices. By February, 2000, 84% of the top 1,000 sites had a privacy policy.

"It is as if you reported the cost of building a house without subtracting out the cost of a foundation and a couple of walls that are already in place," says Peter Swire, a professor of law at George Washington University who formerly served as President Clinton's chief counselor for privacy at the U.S. Office of Management & Budget.

Technology is changing the picture, too. Systems that make it cheaper to maintain privacy are already on the market. Canada's Watchfire just released a new product, called WebCPO, which scans a company's Web site and catalogs any bits of code that are not in line with the privacy policy. Imagine if Internet advertiser DoubleClick had been able to sidestep its March, 2000, public-relations disaster where it was discovered that its software was inadvertently grabbing personal financial information from Intuit's Quicken Loans site. "Products like these do more than aid compliance. In the digital age, privacy software is necessary to reach a company's e-business goals," says Brendon Lynch, a privacy consultant at PricewaterhouseCoopers.

Hahn admits that some of the study's assumptions may be less than rock solid. And he encourages others to try to come up with estimates on what the ultimate bill for privacy could be.


But for companies, some new thinking is in order. Trying to beat back legislation with big numbers isn't going to stop the privacy drive, especially as more and more business is transacted on an ever more efficiently intrusive Web. And the political climate may have just changed, with Senator Ernest Hollings (D-S.C.), an online-privacy advocate, now holding the Senate Commerce Committee chair. He has made no secret of his displeasure with business on its record of protecting consumer privacy.

Instead of playing the Washington lobby game, businesses should figure out a way to design privacy legislation that helps both the public and themselves. With consumers' fears of a Big Brother economy on the rise, anything less could be a big mistake.

Black covers privacy issues for BusinessWeek Online

Edited by Alex Salkever
