Sen. Jim DeMint (R-S.C.) calls the prospect of new privacy laws "a solution in search of a problem." He asserts that market pressures will spur online businesses to develop good privacy practices. "It would be my assumption that the businesses represented at the table have a lot of incentives to compete for best privacy policies," said DeMint, a former marketing executive, during a Wednesday hearing on Capitol Hill.
But Sen. Byron Dorgan (D-N.D.), who presided over the hearing, questions DeMint's logic. He says that if market forces alone were sufficient to protect consumers, there would be no need for the Food and Drug Administration to conduct inspections, because companies that sold spoiled products would simply go out of business.
Bill Nelson (D-Fla.) also expressed concern. "We don't want the government to go and examine what books we're reading at the local libraries," he said. "Right here, we have the question of whether or not we're going to let other private people within the private sector examine the same thing and then use it for a commercial advantage."
The hearing addressed concerns about behavioral targeting, or serving ads to Web users based on their online activity. Many behavioral targeting companies say they don't collect people's names, addresses or phone numbers and contend they allow people to opt out of receiving targeted ads.
Privacy advocates nevertheless are wary of online behavioral targeting, arguing that many consumers don't know or understand what ad companies do with data behind the scenes. Some find the newest variation of behavioral targeting, which involves drawing on data collected from Internet service providers, especially troublesome. Digital rights advocates fear that the vast amount of clickstream data available could compromise privacy even without people's names.
"While each piece of consumer information in a profile may not in itself be personally identifiable, the aggregation of this information in rich profiles means it may more readily be tied into a person's identity," according to Leslie Harris, president and CEO of the Center for Democracy & Technology, who testified Wednesday. Her group and others have called for companies to seek users' express consent before conducting ISP-based targeting.
Several states, including New York and Connecticut, have recently considered whether to regulate online behavioral targeting. But the federal government isn't currently mulling any privacy legislation designed to regulate online behavioral targeting.
Still, the activity at the state level has roiled some online ad industry representatives, who argue in favor of self-regulation. They maintain that any attempt to impose laws on the Web would hurt publishers' ability to offer free content and would impede the effectiveness of online advertising. Industry groups also argue that behavioral targeting doesn't harm consumers but in fact benefits them by providing more relevant ads.
Randy Rothenberg, president of the Interactive Advertising Bureau, espoused this view in New York Wednesday morning. Speaking at an industry conference, Rothenberg said the Senate Commerce Committee hearing was triggered by "spurious claims by anti-commerce, anti-advertising groups."
The Federal Trade Commission has so far come down on the side of self-regulation. Late last year, the agency proposed voluntary principles for behavioral advertising, its term for serving ads to Web users based on sites visited.
But Dorgan indicated that Congress might now get involved. "There's been some discussion about self-regulation and the principles proposed by the Federal Trade Commission. Some would suggest they are a good start, some would suggest they are short of what is necessary."
Meanwhile, two Web companies -- Microsoft and Google -- argued Wednesday at the meeting in New York in favor of a federal law to establish a privacy "baseline."
"Google supports the passage of a comprehensive federal privacy law that would accomplish several goals such as building consumer trust and protections; establishing a uniform framework for privacy, which would create consistent levels of privacy from one jurisdiction to another; and putting penalties in place to punish and dissuade bad actors," according to Jane Horvath, senior privacy counsel at Google.
The Center for Democracy & Technology's Harris said that group also supports legislation that would establish "fair information practices." Harris said such practices would support the principles that people have both the right to know what information is being stored about them and the right to opt out of having information collected and retained.
Dorgan's sharpest questions of the day were for Bob Dykes, CEO of NebuAd, a start-up that uses data from ISPs for targeting. "Isn't that just wiretapping?" Dorgan asked.
Dykes said it was not. "The information that we're looking at as people surf the Web doesn't involve any personally identifiable information," he said, adding that NebuAd doesn't store IP addresses. "We're not keeping the raw data, just qualification for market segments."
Dorgan also questioned NebuAd's decision to let users opt out of the service, as opposed to asking them to affirmatively consent to it. Dorgan said if his ISP approached him to ask if he would allow another company to view every site he visited, his answer would be an unequivocal no. "Of course it's not okay. Are you kidding me?"
Dorgan said he intends to hold a future hearing with Internet service providers. Mark Walsh in New York contributed to this report.