A series of recent high-profile privacy gaffes involving internet firms such as Google, Microsoft and Facebook has spurred a public outcry for stronger privacy protections. Politicians in Congress have responded with a slew of blustering letters, hearings, and legislative threats. On July 19, Rep. Bobby Rush, D-Ill., introduced a sweeping privacy bill in the House of Representatives, and Sen. John Kerry, D-Mass., has pledged to introduce a similar bill in the Senate. This legislation would stifle the dynamic internet economy and targeted advertising while doing little to improve consumer privacy.
Mr. Rush's bill, titled the Best Practices Act, would give the Federal Trade Commission broad new powers to regulate nearly any organization that routinely collects even basic data about individuals, including phone numbers and email addresses. The bill would empower the FTC to dictate businesses' data security practices, perform extensive compliance audits, and even restrict which kinds of information firms can collect and how long they can store it.
This approach may sound sensible, but it ignores the crucial role of responsible data collection in the information age. Limiting such practices will impede e-commerce and endanger free internet content backed by advertising. The internet's ubiquitous information sharing is a feature, not a bug.
Responsible private-data collection has revolutionized the information economy over the past two decades. E-commerce and online advertising sustain over 3 million U.S. jobs and $300 billion in annual economic activity, according to a 2009 study by two Harvard Business School professors. Strict privacy mandates could decimate this industry. This has already happened in the European Union. According to a recent Massachusetts Institute of Technology paper, after the EU implemented a data-privacy law in 2002, the effectiveness of online advertising fell 65%.
Rigid federal regulations are especially detrimental to small, entrepreneurial start-ups. The Best Practices Act exempts databases with information on fewer than 15,000 individuals, but today many small businesses maintain databases much larger than that. Consider Diaspora, a privacy-oriented social-networking site founded by four New York University students, which already has more than 30,000 followers on the microblogging service Twitter. The site has yet to launch — but under Mr. Rush's legislation, it would face strict FTC rules from day one.
Sharing sensitive information online always entails some risk. But that does not mean we should stop sharing information entirely, nor that companies should be prohibited from using volunteered information. Rather, privacy risks should be combated by educating users about the information they proffer and the trustworthiness of the websites they visit.
Despite the recent privacy hysteria, most companies have a solid privacy track record. Countless firms now hold billions of individual data points, yet breaches are infrequent. Corporate investment in data security continues to grow rapidly. Mistakes do happen, of course, but firms usually fix them quickly to avoid consumer outrage. Competitive markets are not perfect, but they are self-correcting — unlike government.
Putting the feds in charge of micromanaging private-data collection practices will do little to safeguard privacy. Indeed, the federal government's own track record on privacy is hardly reassuring. Consider the Patriot Act, the recent scandal over the storage of full-body images, or the Justice Department's push to access cellphone locational data without a warrant. Ironically, Mr. Rush's bill exempts all government agencies, leaving Americans vulnerable to further government abuses.
We do need stronger privacy safeguards, but Washington does not offer our salvation. Privacy-enhancing technologies continue to be developed in response to growing consumer demand. Legislative interference is at best hypocritical, and at worst destructive to the internet economy.