Hardly a month goes by without a new alarm being sounded about privacy online, either because companies are surreptitiously collecting and using data about Web users or because they're releasing information that users thought would be kept private. Web surfers' sense that they have little or no control over these data makes them suspicious even of efforts to make advertising more palatable, such as the shift from one-size-fits-all ads to more personalized and relevant pitches.
Simply put, the current approach to online privacy isn't working. Most sites have voluntarily adopted privacy policies that disclose what information they collect and how they plan to use it. But in all too many cases the policies are so dense and legalistic that they're useless to consumers. Nor is there any penalty for weak or incomprehensible policies. Instead, the Federal Trade Commission's enforcement has focused on companies that don't abide by their published policies or fail to prevent unauthorized disclosures.
In response, Reps. Rick Boucher (D-Va.) and Bobby L. Rush (D-Ill.) have put forward bills that would require sites to notify Web users before collecting and using their personal information and allow them to opt out. Sites would also have to obtain permission before disclosing certain data to third parties (such as online advertisers) or changing how they use them.
Lawmakers' concern about privacy is well founded, but regulating the flow of information online is a tricky business. The bills' simple-sounding notification requirements could force consumers to wade through messages from multiple ad networks on any given website. Obtaining permission to share users' data isn't as straightforward as the bills suggest either. Users who don't want personal data revealed in some contexts may welcome it in others — for example, they may not want Facebook telling advertisers about the interests they reveal to their friends, but they may be eager for Facebook to share that information with Amazon so their friends can buy them better gifts.
Before layering on more rules, lawmakers should wait for the recommendations that come out of the privacy roundtables the FTC conducted in the past year. The FTC's main principles — building privacy protections into website design, making privacy policies easier to understand and simplifying the choices facing consumers — are good ones. Also due shortly is a labeling effort by the Interactive Advertising Bureau, a trade group for online advertisers, which aims to notify Web users about the data being collected by advertisers and give them an easy way to opt out. It's not a complete solution, but it's worth seeing how much trust the industry can restore just by being more forthcoming.