In testimony, Council urges lawmakers to seek carefully crafted privacy protections


Director of Communications

Legislative proposals designed to protect consumers' privacy should be carefully crafted to avoid imposing needless or unintended restrictions on commerce, The Business Council advised state lawmakers this week.

Four representatives of The Business Council delivered this message in joint testimony June 7 before three Assembly committees. Those testifying were: Tom Eldering of Unified Technologies; Lynn Lyford of Electronic Data Systems (EDS); Harriet Pearson of IBM; and Ed Reinfurt, vice president of The Business Council.

Their joint testimony emphasized the importance of granting consumers choice about how their information is used, and the value of industry self-regulation as a cornerstone of privacy policy designed to reach that goal.

"The fullest fruits of the information revolution will remain elusive unless individuals understand how information about them is collected and communicated to others and are able to exercise a choice," Pearson of IBM testified. "This is the heart of the Internet privacy challenge."

In determining how to meet that challenge, industry practices will themselves provide much of the governance, said Lyford of EDS.

"Economics will naturally prompt the best data protection and privacy practices to rise to the top," said Lyford of EDS. "Consumers who are not comfortable with the way a company deals with their information will simply go elsewhere. In short, our view is: Adopt best practices and let consumers decide. If their decisions suggest different best practices, these will become the new standard."

These best practices will change as technology evolves, noted Eldering of Unified Technologies.

""We cannot anticipate all the ways in which the innovative use of information will change society," he said. "We can only foster an environment that balances growth and innovation with responsibility.

A key concern of the business community is that policymakers addressing privacy on the Internet do not at the same time "impose restrictions on the vast majority of the other commercial players who have a long history of protecting and respecting the confidentiality of the information they obtain from their customers," Reinfurt said.

Reinfurt noted that much of the current interest in consumer privacy is driven by the recent explosion in high-profile web sites that invite visitors to provide information.

"These include some of the most widely known ‘' companies," Reinfurt said. "These companies have spent millions of dollars developing their sites and, often, millions of dollars advertising their sites.

"But these sites are not average web sites any more than General Motors is the average business on Main Street in any city of this country," he added.

Business Council survey of its members' web sites: The Business Council has been discussing privacy issues for several months with Attorney General Eliot Spitzer, and with the Senate and Assembly task forces on privacy.

As a result of discussions with Attorney General Spitzer, The Council has asked the Marist College Institute of Public Opinion to survey the web sites of a representative New York State employers that are Business Council members.

The survey is intended to shed light on state-of-the-art privacy policies of member companies "so that we could establish a benchmark of best practices and then work with our members to improve their privacy policies and practices," Reinfurt said.

A random sampling of members was selected in three categories: small (fewer than 100 employees), medium (100 to 500 employers), and large (more than 500 employees). In addition, web sites of the 46 Fortune 500 companies headquartered in New York State were also evaluated in the survey.

What kinds of information are typically collected: Although the survey is not yet complete, Reinfurt noted that preliminary results showed that most companies accept mainly routine information needed to fulfill the most fundamental customer requests.

The survey showed that virtually all companies accept, or have the ability to collect, at least some information. The item that was most frequently invited is the visitor's e-mail address. The next most common information collected was the name and address of the visitor.

That makes sense, given the nature and purpose of the typical purposes of visits to commercial web sites, Reinfurt said.

"It is very difficult to respond to a customer inquiry over the Internet without having some way of responding to that customer," Reinfurt testified. "E-mail is by far the preference of choice, so, it is perfectly logical that if you want an e-mail response you need to provide the business to which you have directed your inquiry with your e-mail address. Likewise, if you want a product shipped to you, the business needs a name and a shipping address."

However, a much lower percentage of surveyed web sites are able to collect credit-card or Social Security numbers, which is considered much more sensitive information, Reinfurt noted. Only 8, 11, and 18 percent of small, medium-sized, and large employers (respectively) can accept credit-card numbers; even lower percentages (4, 8, and 18 percent, respectively) can accept Social Security numbers.

Reinfurt expressed particular concern about a number of proposals being considered in Albany that proposed restrictions on information-sharing without distinguishing among different types of data-sharing. He distinguished information shared in business-to-business transactions from information shared by consumers requesting product information or making purchases on the Internet.

In her testimony, Harriet Pearson of IBM shared the perspective of a global leader in Internet-based commerce that has worked aggressively to show the merits of industry self-regulation as a means or ensuring privacy protection. Lynn Lyford outlined the privacy policy that Electronic Data Systems uses. And Tom Eldering of Unified Technologies discussed the privacy issues that confront a smaller technology companies that must deal with these issues to meet the information and data needs of its clients.

To read all four parts of The Business Council's testimony, click here.