(Page 2 of 2)

The cost of this muddle, surveys show, is trust. A report released yesterday by the Conference Board, a business research organization, showed that just 31 percent of online consumers thought their personal information would be safe — a slight increase from 27 percent a year ago.

Any company that makes a privacy misstep opens itself to public excoriation. When Yahoo changed its policies earlier this year to make it clear that it could send e-mail and paper mail and even make sales calls to its tens of millions of registered users, it set off a storm of protest. Outbursts have followed similar moves by eBay and AOL Time Warner's America Online.

David Medine, a lawyer in Washington and a former privacy official for the Federal Trade Commission, said that even when given a choice few consumers went to the trouble to shift their privacy options one way or another. "Where you set the default is where 95 percent of people will end up," he said. But that does not mean they are happy with the result, he added, or that their trust in the online world is not damaged.

Advertisement

The challenge, privacy experts say, is to find ways to give people choices that are meaningful and easy to exercise. L. Richard Fischer, a Washington lawyer who deals with privacy issues, cited an Indiana initiative as an example. Last year that state created a single system for citizens to place themselves on a do- not-call list for telemarketers by calling a toll-free number or filling out an online form. Even though the system requires the customer to ask not to be called, the state received blocking requests from 784,000 household phone lines out of 2 million in the state; by this summer 1.2 million lines were on the list. New York State offers a similar service through a site (www.nynocall.com) on the Web.

Lawmakers and regulators are beginning to turn up the pressure.

Many of the new state and federal proposals draw a line: the more personal data — like that on health or finances, or Ms. Bechtold's phone use — requires explicit permission of the customer to be sold to outside companies. Other information, often including e-mail addresses, is protected by a less stringent standard that puts the burden on consumers to take action.

The Federal Communications Commission now requires phone companies to get permission from customers before selling "sensitive personal information," including data on who customers call, when they make calls and how long they talk.

In Congress, a bill sponsored by Senator Ernest F. Hollings, Democrat of South Carolina, would require any Internet service provider to get explicit permission from customers before sharing or selling sensitive data. "There's a lot of money involved when you go after private information and turn it into a business," Senator Hollings said.

A spokesman for Mr. Hollings said that the bill, which was passed by the Senate Commerce Committee, would probably not move forward in the press of unfinished business at the end of the current Congressional session, but said that the senator expected to bring up the bill next year.

Minnesota has passed a similar law requiring customer approval before Internet service providers can sell personal data. Laws that exceed federal standards by requiring customer permission before financial institutions can share data have been passed by Alaska, Connecticut, Illinois, North Dakota and Vermont.

But there is counterpressure as well. Representative Cliff Stearns, Republican of Florida, has introduced a bill that would pre-empt state laws and set a lower national standard for online privacy protection than would the Hollings bill.

And in the area most consumers would identify as the most critical — medical and health insurance information — the Bush administration recently rolled back a Clinton administration proposal requiring patient permission for sharing medical data among doctors, hospitals and other health care providers.

Ultimately, Mr. Rotenberg of the Electronic Privacy Information Center said, companies will learn that meaningful consumer consent is good for business. It is, he added, "not only the right thing to do, but the profitable thing to do."