Insurers Decry Internet Privacy Bill

The legislation would establish strict rules governing the collection and disclosure of "sensitive" personal information?including name, address, phone number, health, race, political party, religious belief, sexual orientation, social security number or financial data?by Internet service providers or operators of commercial Web sites.

Gary Karr, a representative of the Washington-based American Insurance Association, said the main concern is that insurance companies offering insurance online will not be able to get the information they need to set premiums and establish coverage.

Because of the focus of S. 2201 on the collection of information, he said, it will be hard for insurance companies to offer products over the Internet and indeed many companies have said they will shut down their Web sites if the legislation is enacted.

Maria Berthoud, senior vice president of federal government affairs for the Alexandria, Va.-based Independent Insurance Agents and Brokers of America, added that the legislation would also lead to a flood of litigation.

She noted that S. 2201 allows for a private right of action over privacy breaches. This means, Ms. Berthoud said, that any leak of information would, more often than not, lead to a lawsuit.

Under S. 2201, Internet service providers and commercial Web site operators would be barred from collecting or disclosing the personal information of a user unless they provide "clear and conspicuous notice" to the user.

Providers and Web site operators would have to obtain consent of the user before collecting and disclosing information about health, race and other "sensitive" issues.

In addition, S. 2201 requires providers and operators to give users "robust" notice of the opportunity to opt-out of information gathering and to give users access to all the personal information about them.

The legislation would allow private lawsuits against providers and operators for violations of the act, in addition to vesting the states and the Federal Trade Commission with enforcement authority.

In recent testimony before the Committee, John C. Dugan, an attorney representing the Washington-based Financial Services Coordinating Council, said S. 2201 would have a disproportionate impact on financial institutions.

In effect, he said, the legislation creates an opt-in standard for sensitive information. While this is not an issue for most types of businesses, Mr. Dugan said, it is central to the business of insurance companies, banks and securities firms.

By restricting any use of personal information by the financial institution, he said, the legislation creates a new and unnecessary roadblock between all companies and their customers.

Mr. Dugan contrasted S. 2201 with the Gramm-Leach-Bliley Act's privacy provisions. The GLB provisions, he said, apply only to disclosures.

Since the S. 2201 provisions also apply to use, it would in effect require financial institutions to contact customers and obtain permission prior to engaging in core business activities involving personal information, Mr. Dugan said.

This, in effect, would be a de facto prohibition on responsible information sharing by financial institutions that benefit customers, he said.

Members of the FSCC include AIA, the American Council of Life Insurers, the American Bankers Association, and the Securities Industry Association, all of Washington.