Microsoft Corp has come out in support of a single federal consumer privacy statute, reversing an earlier position, saying that there are too many privacy provisions in other laws and they are hampering American business.
In a speech and white paper, Microsoft general counsel Brad Smith said a bewildering jumble of overlapping state and federal laws is creating consumer confusion and major challenges for businesses trying to comply.
Currently, organizations in certain vertical markets in the US have to worry about the privacy implications of legislation such as Gramm-Leach-Bliley, the Communications Act and HIPAA, as well as laws not specific to certain markets, he said.
For example, personal information collected by a bank is covered by one privacy standard, but that same information collected by a hospital is covered by a different standard, Smith wrote.
If that information is from a child under the age of 13, it’s protected by yet another standard if it’s collected online, but it may not be protected at all if it’s collected offline, he added.
Microsoft has four goals here. First, the company wants uniformity — any federal law should pre-empt, that is overrule, any state law that purports to do the same thing. It should also be compatible with privacy laws outside the US.
Second, under the heading of Transparency, Microsoft wants ground rules on privacy policies, notifications when privacy policies are changed, and rights for consumers to know what data has been collected and whether it has been compromised.
Third, the company wants a law that describes companies’ responsibilities to provide opt-in or opt-out of data collection in a tiered structure where critical personal data is afforded much more protection than less important information.
Finally, Microsoft wants a security mandate, so company have to take reasonable steps to protect against unauthorized access, use, disclosure, modification or loss of private data. It does not want the law to specify what technologies should be used.
It’s all a far cry from Microsoft’s previous position of backing industry self-regulation. But Smith said that circumstances have changed in the last few years.
Disclosures of hacking incidents have led to increasing fears about identity theft among consumers, spyware has blossomed, and myriad laws introduced to tackle both problems are not always compatibly and never uniform.
Microsoft’s changed position is not entirely without precedent however. The company began lobbying for a federal anti-spam law when states started legislating themselves and, with the CAN-SPAM Act, it pretty much got what it asked for.