The twenty-first-century e-commerce environment is a scary place. Lurking within are technologically-sophisticated e-threats ready to compromise an individual’s personally identifying information (PII). At the same time, consumers submit vast amounts of PII into cyberspace without comprehending such dangers while businesses stumble to protect the information they collect and sell it on the open market. The United States legal system – currently a mixture of self-regulation and a patchwork of federal/state legislation – is ill-equipped to deal with these e-threats effectively. A new paradigm is needed. The Privacy Matrix paradigm categorizes the most prominent e-threats into three stages of the PII processing cycle (front-door, inside-the-company and back-door) and helps policy makers analyze the regulatory weapons necessary to combat such e-threats while minimizing the burden of such regulations on e-commerce efficiency.

The Matrix also demonstrates that a new federal law, with sliding-scale regulations tailored to each stage of the cycle, can serve a privacy-enhancing role. During the early stages, e-commerce companies will be governed by a federal regulatory ceiling – requiring a standardized privacy policy, security breach notification and conspicuous disclosure – and will not be forced to comply with differing state laws or a de-facto national standard determined by a legislature elected by the citizens of only one state. Later on in the cycle, once PII is outside of the individual’s control, a federal statutory floor will allow states to experiment with creative solutions – such as PII tagging technology and legitimacy verification – designed to prevent potentially dangerous dissemination through a company’s back door.