22.5. Managing the Balance between Self-regulation and Legislation

One of the most negative outcomes from all the rhetoric around privacy is that companies are actually discouraged from posting their privacy policies. Because only U.S. companies that actually display a privacy policy can get into trouble for not living up to it, companies think they're safer not having a policy. Unfortunately, this is head-in-the-sand thinking. The real result of ignoring privacy will be complicated laws created by legislators who don't understand business realities. These are likely to be much more restrictive and difficult to work with than anything we would enact ourselves or that our customers would demand. Unfortunately, hard-liners on both sides of the privacy questions make things worse. Self-regulation advocates reject all proposed legislation rather than working to make sure the laws are reasonable. Hard-line privacy advocates reject solutions that aren't perfect. An example of a great initiative that many privacy hard-liners criticize because it doesn't solve every bit of the problem is the Platform for Privacy Preferences (for additional information on P3P, see www.w3.org/P3P/) developed by the World Wide Web Consortium. P3P is a software tool that allows a customer to define his privacy preferences so that his computer can check a company's policy and decide whether it's an acceptable place to do business.

On the other hand, direct marketers and database marketing advocates reject any attempts at legislation, no matter how benign. This includes the attempts by the Federal Trade Commission to require that all companies doing business on the web have a basic privacy policy. Having such a policy would, at a minimum, eliminate the problem we just discussed: Some companies avoid displaying a policy because only then might they be vulnerable to privacy complaints. Although this head-in-the-sand thinking might be technically correct, it only makes customers less trusting and more leery of sharing their information with all companies. It's a vicious cycle. We want to be self-regulated, but we're reluctant to take the first step and make any privacy promises. So customers' trust of our sense of intentions goes down, as does the government's opinion of how responsible we're being. Government then raises the prospect of legislation as the only viable alternative because industry isn't taking responsibility. This causes more fear that one small legal step will lead to a totally restrictive environment, so we scream self-regulation even louder. We have to break this cycle. We all must create and post online privacy statements on our web sites now. Because it's a reasonable requirement, we should also get behind the efforts to adopt legislation to that effect, making the playing field level for all of us and taking a step toward building credibility with our customers and the government.