As some members of Congress continue to voice concern over whether the financial reform bill signed into law last week sufficiently protects consumer privacy, many state legislators have already made up their minds that it does not.

State governments have been prolific in introducing privacy laws that are much tougher than federal laws, and the passage of what some state legislators perceive to be yet another weak national measure may boost stringent privacy proposals that are pending in several large states. This year 1,875 privacy bills were introduced and 356 enacted in 41 states as of August, according to StateNet, a legislation tracking service in Washington.

"The federal government is the late arriver," said Alan F. Westin, publisher and editor of the newsletter Privacy & American Business, which last week sponsored an Arlington, Va., conference on privacy. "The states are far more active."

A primary issue for the states is the presence or absence of policies that let consumers decide whether companies can use their personal information for marketing purposes. The federal financial reform bill endorses "opt-out" notices, which let consumers remove themselves from these marketing programs, but some states are requiring "opt-in" notices, which force companies to seek consumers' permission before using or selling personal information.

Some states have taken it upon themselves to pick up what they perceive as federal slack. Massachusetts, New York, and California have the most comprehensive pending privacy bills regarding opt-in notices. Other states are considering similar proposals, or already have some opt-in provisions.

In July, Massachusetts Gov. A. Paul Cellucci proposed legislation that would require businesses to give consumers access to the data kept on them, and to notify them whenever their information is sold. It also would prohibit retailers and credit card issuers from collecting or selling personal information without a customer's consent.

"The centerpiece of our legislation is the establishment of an opt-in system," said Massachusetts Lt. Gov. Jane Swift.

Ms. Swift said the new national law does not fully protect consumer privacy. As a result, "someone with a checking account at a bank can expect a phone call from an affiliated stockbroker or insurance agent who knows precisely what that customer has to spend," she said. "This legislation is so loosely written that it would exempt corporations that enter marketing agreements."

Legislators in New York are working closely with Massachusetts to mirror its approach. Daniel Feldman, deputy attorney general of New York, said states should enforce opt-in notices by levying "severe financial penalties" against companies that violate them. Fines must be harsh enough "to change the subculture," he said.

Opponents of opt-out notices say this type of privacy provision puts the onus on the consumer to take action.

"It take an enormous amount of self-education by consumers to understand just exactly to whom they need to say 'No,' " Ms. Swift said.

Moreover, "some companies muddy their opt-out agreements with so much legalese that a consumer may believe they are free, only to have their information still available for public consumption," Ms. Swift said. "Opt-in is cleaner, simpler, and much more equitable for consumers."

Christine Varney, the former Federal Trade Commissioner who now practices law at the Washington firm of Hogan & Hartson, said companies face a challenge when states enact privacy laws that conflict with federal standards. "The worse scenario is 50 different privacy regimes," she said.

Ms. Varney said the most flagrant privacy abuses -- those that typically capture headlines -- have involved companies that used data in ways the consumer did not authorize.

"Privacy advocates make a good point when they question how companies will use the information they collect," said Mr. Westin, the newsletter publisher, who is also a professor of law at Columbia University. "A lot of companies would say they don't know how they will use it -- it's still amorphous."


Elsewhere at the Privacy & American Business conference, Pamela Flaherty, a senior vice president of Citigroup Inc. in charge of privacy matters, defended companies' uses of customer information.

"We use information to provide our customers with advice, to assess risk, and make them feel part of our community," Ms. Flaherty said.

Citigroup until now has devoted most of its privacy efforts to protecting customers who "want to be left alone," Ms. Flaherty said. "Now it is time for us to focus on those who don't want to be left alone."

Even so, the results of a privacy survey conducted by Louis Harris & Associates for IBM Global Services suggests that consumers do not trust companies to do the right thing with their data in the absence of laws.

"People are looking for legal measure over corporations," said Mr. Westin, who served as academic advisor for the study. "Trust in institutions is not enough, and not there entirely."

In the survey, Louis Harris & Associates conducted a telephone poll of 1,000 adults in Germany, the United States, and the United Kingdom. Consumers were asked about their attitudes toward on-line privacy protections.

The results showed that U.S. consumers have the least trust in companies that gather information about them on-line. Seventy-eight percent of U.S. respondents said they refused to give information to companies because they thought it was not necessary or too personal, compared with 58% in the United Kingdom and 52% in Germany.

Also, 54% of U.S. respondents -- compared with 32% of U.K. and 35% of German respondents -- decided not to use a company or buy from it because they were not sure how it would use their personal information.

"There is a level of privacy activism by Americans much more than in the U.K. and Germany, whose citizens may assume that the data protection officials (in their countries) are taking care of their rights," Mr. Westin said.

Also at the conference, Secretary of Commerce William M. Daley was awarded Privacy & American Businesses' second annual privacy leadership award. The first one went to Ira Magaziner, the administration's former chief counsel of electronic commerce.

Mr. Daley said, "It is not Big Brother or big business that consumers fear," but "companies they have never heard of."


American Express Co. launched a service last week that is designed to calm consumer fears about Internet companies, and help on-line merchants do more business. The New York-based card company is offering to help merchants establish privacy policies on their Web sites. The Amex e-commerce resource center also helps merchants build Web sites.

Subscribe Now

Access to authoritative analysis and perspective and our data-driven report series.

14-Day Free Trial

No credit card required. Complete access to articles, breaking news and industry data.