California Online Privacy Protection Act of 2003 Good Practice, Bad Prece

It is certainly reasonable for consumers to expect privacy on the Internet, and to know just exactly what companies are planning to do with the information users provide them. For companies to sell that information to third parties without the express consent of the user is downright deceitful, and many seemingly legitimate companies tend to bury that information in the fine print of pages that the consumer is unlikely to even notice, much less read.

A growing awareness of these practices by consumers, thanks to the various privacy advocacy groups, has shaken market confidence in e-commerce, particularly at financial sites. Those sites that choose not to engage in the practice of selling user information are hurt by the practices of those who do. Much of the legislative support for the OPPA has been based on this issue, as much as on the fundamental privacy issues.

The typical small web site owner will expend an estimated four to eight hours of labor to review the law's requirements and implement the necessary changes. Whether it's lost productivity for the time of the site owner or an employee, or an actual expense to outsource, across the hundreds of thousands, or even millions, of websites this affects, it amounts to hundreds of millions of dollars in lost productivity and expenditures just to comply with this one state law.

The first concern is whether or not this was really even necessary. Even as early as 1999, more than 75% of e-commerce sites were posting privacy policies. Is there an obligation to protect the consumer (at the great expense described above) who does not choose to protect himself by only doing business with companies with an acceptable privacy policy?

Of even greater concern is the potential proliferation of similar state-level privacy laws and other internet regulation. Similar laws are already pending in New York, New Jersey, and others. Now imagine even half of the states in the U.S. enacting such legislation. Even assuming it gets easier with each additional one, let's be conservative and estimate two to four hours for each additional state's laws just to review the laws and ensure compliance. For 25 states, that's 50 to 100 man-hours. At, say, $50 an hour for a qualified specialist, that's several thousand dollars. So much for the ability to start up a simple e-commerce Web site affordably.

Privacy policies are a good practice for e-commerce sites, and those laid out by the California Online Privacy Protection Act of 2003 are adequate guidelines for most sites. But the matter of addressing this with state-level legislation is a very slippery slope. On its own, compliance with this one law will cost hundreds of millins of dollars. If other states continue to pass similar laws, the cost of compliance could run into the billions, with small Web site owners being the hardest hit.

Because Internet commerce is international, this really should be addressed at the international level as part of a more encompassing treaty on privacy and Internet policy. At a minimum, this needs to be addressed at a federal level, not at the individual state level. Supporting good privacy practices on the Internet does not have to mean supporting privacy legislation at the state level.

Your site must be in compliance by July 1, 2004. If you agree that this should be a federal or international matter, rather than a state matter, you may want to say so in your privacy policy, and refer visitors to this article for more explanation.