A patchwork of state, federal, and international privacy regulations threatens the confidence of consumers and businesses, says Brad Smith, senior vice president and general counsel for Microsoft. While Microsoft in the past has favored voluntary compliance and improved technology over government involvement, the company is now calling for strong federal U.S. legislation that will establish consistent rules.

Call for Consistency

In a Nov. 3, 2005, talk to the U.S. Congressional Internet Caucus, Smith called for a strong national standard for privacy regulations. Most U.S. privacy regulation occurs at the state level, creating situations in which a practice that is legal in one state is illegal in another, and many of these laws and regulations apply different rules to different industries. In addition, the U.S. federal government has passed separate laws to govern use of personal data by the financial industry, healthcare providers, cable company customers, and telecommunications companies, plus special rules for children's personal data.

Smith called for federal legislation that would achieve the following:

• Establish a baseline standard that preempts current state laws and is consistent with privacy laws around the world
• Require greater transparency about and control of what personal data is collected, how it is used, how consumers are told about it, how they must be notified if it changes, and how they can check on the personal information that an organization holds on them
• Ensure that individuals knowledgeably consent to use of their personal information without "bombarding consumers with excessive and unnecessary levels of choice"
• Set standards for secure storage and transmission of personal data.

Action in the Works

Such rules are important for the success of online commerce, which has been hurt by consumer concerns about fraud and identity theft, but they should apply as equally as possible to information collected by other methods, such as paper forms and telephone, said Smith. According to a study conducted for the Better Business Bureau, the vast majority of identity theft crimes are committed offline, with lost checkbooks or credit cards accounting for 30% of all such crimes, and consumers who make more use of online commerce tend to have fewer and smaller losses.

Smith pointed out that states and the U.S. federal government have been quick to pass laws that deal with parts of the problem (20 states have passed laws since 2004 that provide new protections for financial information), but the prospects for a consistent and wide-ranging federal law that will achieve Microsoft's goals are not as promising. The U.S. House of Representatives' Energy and Commerce Committee is considering national privacy legislation, but the debate thus far has been highly partisan, with Democrats claiming that it is weaker than some existing state legislation and will provide no meaningful penalties for companies that violate it.

In spite of such obstacles, Microsoft's adoption of a public position in favor of such legislation, and support from other quarters—attorneys general from 47 U.S. states recently petitioned the U.S. Congress for stronger security-breach notification and security-freeze legislation—could spur the federal government to take another look at privacy protections.

Resources

An interview with Smith, and a link to a Microsoft white paper on the need for federal legislation, can be found at www.microsoft.com/presspass/features/2005/nov05/11-03Privacy.mspx.

A summary of the Better Business Bureau study of identify theft can be found at www.bbb.org/alerts/article.asp?ID=565.

The letter from state attorneys general to Congress is posted at www.naag.org/news/pdf/20051028-signon-InfoSecurityIDTheftLetter.pdf.