For nearly a year starting in April 2007, Sears ran My SHC Community, an online feature that invited consumers to download software onto their computers that, according to the Federal Trade Commission (FTC), asked them to "journal your shopping and purchasing behavior." The tracking software ran constantly, even when users left Sears' website, and it collected an astonishing trove of information: details about bank accounts, medical prescriptions and library loans, as well as portions of e-mails and instant messages. Sears paid users $10 to join the community. But the only way you'd know about the scope of the data mining was if you bothered to read deep into the fine print, all the way to the 75th line. Last June, the FTC declared Sears' practice "deceptive" and ordered the data destroyed.
The Sears case may be indicative of a larger trend. A growing share of our time is spent online. In fact, more of us now get our news from the Internet than from newspapers, according to Pew Research Center data. More than half of U.S. consumers buy products online. That level of participation is driving a massive $26 billion online-advertising industry, and a key part of it is a largely unregulated data-collection business. On Foursquare, we "check into" the gym. And at the supermarket, we casually swipe plastic cards bearing our home address and increasingly permanent cell-phone numbers, which are often linked to online identifiers like frequent-flyer accounts, enabling companies to build powerful profiles of who we are, and of our tastes in cheese, beer and soap. We are, often unknowingly, giving companies precious raw material they can sell to prospective employers who may seek, for example, to exclude women who "like" Charlie Sheen on Facebook. Insurance companies may buy that data to deny coverage to people who frequently purchase supersize bags of Doritos. "We're building this surveillance superstate online that government could never dream of, and people aren't nearly aware how pervasive this is," says Chris Calabrese, legislative counsel for the American Civil Liberties Union in Washington.
The issue isn't going unnoticed. On Wednesday, the Senate Commerce Committee is scheduled to hold a hearing on the state of online consumer privacy. Senator John Kerry, a Democrat from Massachusetts, is expected to introduce legislation to set stringent rules on how companies collect data from us. Democratic Representative Jackie Speier has already introduced a bill to force companies to give consumers the choice of having their online activity tracked. Some may find her advocacy surprising considering that Speier is from the San Francisco Bay Area, home to several Internet behemoths, including Google, Facebook and Twitter. "They all want to talk to me and explain why I'm misguided," Speier says. But she's not deterred. "I don't think privacy is negotiable," she says, "and you have to just do what's right."
Several states have stepped into the evolving Internet-privacy debate. Minnesota, for example, requires Internet service providers to get consumers' permission before disclosing information about their online activity. In California, businesses must tell consumers what personal information is being collected from them online and what companies they plan to share it with.
Rules are beginning to evolve at the federal level as well. Last summer, the FTC charged that Twitter had failed to protect consumers from hackers that retrieved tweets believed to be private, as well as so-called direct messages, or private notes between users. In December, the agency offered a framework for dealing with the burgeoning issue, suggesting that companies begin to offer a do-not-track option. FTC officials also recommended that companies set up their own regulatory standards. The Interactive Advertising Bureau (IAB), a Washington trade group of advertisers, newspaper and magazine properties, has signed more than 100 companies onto a project that would standardize a clickable icon that gives consumers the choice to opt out of having their online movements tracked across many sites. "We agree that you should empower consumers not to have data collected and used for advertising purposes if you don't want it to be," says Michael Zaneis, the IAB's general counsel. "But we have to be careful in shaping these policies." The increased scrutiny sparked by Internet-privacy concerns has become a challenge for many Web companies, like Facebook, that have only recently established a lobbying presence in Washington.
The question of where regulatory intervention turns from protection to burden has long been a matter of political debate. Lillie Coney, associate director of the Electronic Privacy Information Center, a nonpartisan Washington think tank, points out that many aspects of our lives — how we buy cars, how we buy health insurance — are fiercely regulated. That's not so for our Internet usage. We think of Gmail, Twitter and Facebook as free services. "But the cost," Coney says, "is our privacy."