On Thursday, the AeA (formerly the American Electronics Association) released its principles for online privacy. The AeA statement does well to caution legislators to avoid imposing rigid rules for privacy on the complex and changing world of e-commerce; that government should follow the same privacy rules as the private sector, and that the rules for the Internet and the off-line world should be the same. But the AeA also elected to back moderate federal legislation—notice and opt-out—when faced with the threat of unworkable and inconsistent regulation by numerous states. President Bush’s campaign site also notes support for the notice and opt-out model.

The Information Technology Association of America and the Information Technology Industry Council continue to support self-regulation over legislation. This may still be the wiser choice. The federal legislative process too often resembles lining up under the gun, hoping that the legislative firing pin will fall harmlessly on an empty chamber.

Moving too fast to a legislative agenda will tempt companies to give short shrift to educating Congress about the consumer benefits of preserving the freedom to exchange information about their customers to trim costs, design new products, and enter new markets. There’s no reason to hasten along a regulatory boot in the door of the Internet.

At this stage, even opt-out is regulatory overkill, because people’s fears of information being used to harm them by legitimate companies are largely unreasonable. While people have unreasonable fears, no reasonable step is likely to satisfy proponents of regulation. The best course is to support stronger enforcement of existing laws against fraud and identity theft.

Especially in an environment of fear, legislative outcomes are unpredictable. Federal legislation does not mean that the states will be preempted—witness the Gramm-Leach-Bliley Act, which did not preempt state privacy laws. Witness also the Drivers Privacy Protection Act—a tiny word change switched the whole regime from opt-out to opt-in.

Even “minimal” federal legislation may create more serious liability problems than it solves. Could a notice be clear and concise, and yet realistically describe complex business practices? A “notice” requirement gives rise to particularly thorny questions such as, what if the notice is changed?

And even “opt-out” will foreclose some innovative business plans. For example, attempts to build trust and reputation online in forums such as online auctions would be easier if at least some of the identities of known unreliables could be tracked by digital signature. But it’s not possible if they all opt out.

Compromise in the legislative process may be inevitable, but compromise before the process has begun threatens to lead to over-regulation.