White House Privacy Plan Due Next Month

The Department of Commerce is preparing to release its long-awaited white paper on consumer privacy, which industry officials fear may foster government regulation of marketing data.

The privacy panel of the National Information Infrastructure Advisory Council, headed by Commerce Secretary Mickey Kantor, drafted the white paper, which is now being circulated among senior government officials for a final review.

The officials will soon complete their review, allowing the final report to be released in the next two to three weeks, said panel chairman Gerald Gates, administrative records program officer at the Commerce Department's Census Bureau.

Gates declined to discuss recommendations in the white paper. But last August, he said the report would focus on the creation of a government-backed oversight organization and on developing rules for the "fair use of information" in an information-driven society. In late 1994, Gates' panel released a report, "Privacy and the NII; Safeguarding Telecommunications-Related Personal Information," which called on industry to develop voluntary guidelines for the protection of consumers' privacy.

The impending white paper will shape government policy toward companies' practice of collecting and using computerized information about consumers. For example, a company can use simple software to gather much information about visitors to its World Wide Web pages, including what products they buy, or what credit card information they release. This information allows the company -- or another company that buys the data -- to aim tailored marketing messages at consumers.

But the information also threatens the privacy of consumers, and especially Internet users, who sometimes do not want companies to know of their electronic visits to sex- or health-related Web sites.

Industry's fears that such data collection could be hit by privacy-protection regulations have been heightened by the Federal Trade Commission's growing interest in online privacy issues. The FTC held a public hearing on privacy in early June, but FTC officials say they have no plans yet to issue rules governing the collection and use of personal data by companies.

To prevent government regulation, the industry-funded Interactive Services Association, based in Silver Spring, Md., announced in June that it had prepared voluntary privacy guidelines in cooperation with the Direct Marketing Association. The Washington-based DMA represents the interests of the marketing companies, who increasingly want to supplement their mass-mailing marketing campaigns with e-mail advertising. The ISA is backed by Microsoft.

These voluntary guidelines were developed after industry officials saw how public concern over sex-related Web sites spawned the controversial Internet-smut law authored by Sen. James Exon, D-Neb. Growing public concern over the collection and trading of personal data gathered by Internet companies may result in the industry being "Exoned" by government-written privacy rules, said one industry executive.

"It is possible we could have legislation and regulation... [but the government] is willing to give industry a chance to see what it can do" to protect consumers' personal data, said Sara Fitzgerald, a spokeswoman for the ISA.

However, Congress will likely debate privacy issues next year, said industry officials, because it is expected to complete work on a health-insurance law containing new privacy provisions. The health bill, sponsored by Sen. Nancy Kassebaum, R-Kan., and Sen. Ted Kennedy, D-Mass., establishes a nationwide network for sharing consumers' private medical information. The data would be protected by new privacy rules, which must be drafted by Congress or the Department of Health and Human Services.

The ISA's privacy-protection guidelines are voluntary, but if a company violates its commitment to obey them, "conceivably, we could take action against them, or might ask them not do so," said Fitzgerald.

"I don't think [the ISA privacy system] has any teeth," said John Petitt, chief technology officer at Cybersource Corp., which sells software via the Internet from its headquarters in Menlo Park, Calif. Cybersource is one of the four founding companies of eTrust, a new consortium intended to promote consumers' confidence that their online privacy will be protected.

Under the eTrust system, companies must sign a binding privacy-protection agreement before they can display the proprietary eTrust logos on their Web pages. "The system enables vendors to leverage consumer trust by quickly communicating to customers what personal information is being [electronically] collected, and to what [purpose]," according to an eTrust statement.

In contrast to the voluntary scheme pushed by the ISA, companies who use the eTrust logos must comply with the rules or face privacy-violation lawsuits, Petitt said. "What keeps them straight is [the threat of] hordes of ambulance chasers coming over the hill," he said.

However, industry's enthusiasm for the eTrust system depends on the uncertain demand by consumers for privacy, said Fitzgerald.