BOSTON (07/12/2000) - Toysmart.com Inc.'s recent legal problems over its plan to sell consumer data have prompted the introduction of federal legislation, but also pointed to how it takes a flare-up to fan the flames of debate for Internet privacy laws in the U.S.
This week, the U.S. Federal Trade Commission (FTC) filed suit against Toysmart to try and block the failed dot-com toy retailer from selling its consumer information. FTC commissioners argued that Toysmart's attempts to sell the data violates the company's own privacy policy, which states it will not share personal data with a third party.
It's debatable, however, if this incident will truly fuel the fire to cause legislative action by Congress. As of now, the U.S. has no federal privacy law on the books, and some suggest it will take an even bigger Internet privacy case to prompt action.
"Until we get the average person excited about this, this isn't going to go anywhere," suggested Meg Smith, a fellow at the Berkman Center for Internet and Society at the Harvard Law School.
Trying to defuse the situation, Walt Disney Co., the majority owner of Toysmart.com, on Wednesday offered to purchase the company's customer list. In a prepared statement, Disney said they want to work with the FTC to keep the customer list confidential.
Nonetheless, moved partly to action by Toysmart's efforts to sell its customer information, U.S. Representative Spencer Bachus, a Republican from Alabama, has introduced legislation that would make it illegal for companies to sell private data as an asset during bankruptcy proceedings.
Up until now, federal lawmakers have been reactive rather than proactive with privacy legislation, said Ari Schwartz, a policy analyst with the Center for Democracy and Technology (CDT) in Washington, D.C., a non-profit organization that advises lawmakers on technology-related policy and also serves as a consumer advocacy group.
"In terms of addressing general privacy ... the U.S. does not have a general vision of how we want to do that, whereas Europe and other countries have that," Schwartz said. "We don't necessarily want to take their vision. We want our own vision."
The U.S. has developed privacy laws that address specific areas, such as financial records, credit reports, video rentals, cable television, educational records, motor vehicle registrations and telephone records.
While U.S. lawmakers bandy about several Internet privacy proposals, Europe already has a general directive in place for protecting consumer information.
"There are data protection laws in the U.K. and also in Europe to prevent that sort of thing (the sale of private data)," said Yaman Akdeniz, founder and director of Cyber-Rights & Cyber-Liberties (UK). "(It would be illegal in the U.K.) unless when you ask for that data, you reveal that you are going to sell that data."
A German attorney concurred.
"In principle, companies cannot sell data about customers unless the customers expressly agreed at the time they gave the data that it could be sold," said Jan Ihlau, an attorney in Magdeburg, Germany. "There's a law for the protection of personal data in Germany. If the customers say nothing, then it's assumed the data cannot be sold."
Smith, at Harvard, said the criticism of the European laws is that they are untested. The U.S. and Europe have not been in total agreement with formulating privacy protections.
The European Union (EU) earlier this year accepted the U.S. voluntary safe harbor principles, in which companies seek consumers' approval before their data can be transferred to another company. European Parliament members, however, rejected in a non-binding vote on July 6 the U.S. data privacy provisions, suggesting they do not provide the level of protection required by European legislation.
Pressure is mounting in the U.S., though, to develop legislation to ensure online privacy.
FTC commissioners released a report in May that indicated that only 42 percent of the 90 most popular Internet sites that collect personal information adhere to the FTC's "fair information practices principles." Subsequently, commissioners voted 3-2 to recommend to Congress that broad legislation to protect private data be enacted.
This was a move away from the board's long-established position of supporting self-regulation. A majority of commissioners now believe self-regulation works hand-in-hand with legislation to provide necessary Internet privacy.
Schwartz, at the CDT, said the current Internet privacy bills circulating in Congress range from requiring some sort of notice if consumer information is going to be collected and circulated to requiring an Internet site to seek the approval of a user before it takes any information.
Education efforts will be needed to make U.S. lawmakers aware of the consequences of implementing new privacy legislation, Schwartz said.
"U.S. law is just one piece of the puzzle, Schwartz said. "We see three pieces: the law, better self regulation and technologies that can put people in better in control of their information. We shouldn't be just focusing on privacy law.
We should be focusing on all three factors."
(Rick Perera in Berlin and Doug Gray in London contributed to this report.)