• by Wendy Davis  @wendyndavis, February 12, 2009

The Federal Trade Commission Thursday endorsed the view that Web companies that track people online should follow voluntary self-regulatory standards to protect users' privacy. But some consumer advocates who have been championing new privacy laws criticized the long-awaited 55-page report.

 

The FTC's new guidelines for behavioral advertising, or serving ads to people based on tracking their Web activities over time, state that companies should provide "clear, concise, consumer-friendly, and prominent" notice of the practice and allow consumers to opt out.

The FTC also said companies should provide "reasonable security" for consumer data, seek express consent before using consumer data differently than originally promised and refrain from collecting "sensitive" data without users' explicit consent. The agency provided examples of certain types of sensitive data, but left the term undefined. "Although financial data, data about children, health information, precise geographic location information, and Social Security numbers are the clearest examples, staff encourages industry, consumer and privacy advocates, and other stakeholders to develop more specific standards to address this issue," according to the report.

Two of the four current commissioners issued separate concurrences expressing doubt about self-regulation. Jon Leibowitz wrote that the industry could be facing its "last clear chance" to prove it can protect consumers' privacy. "Industry needs to do a better job of meaningful, rigorous self-regulation or it will certainly invite legislation by Congress and a more regulatory approach by our Commission," he wrote.

Pamela Jones Harbour wrote that new laws were "not prudent at this time," but added that she didn't "fully support a self-regulatory approach to behavioral advertising, which the staff report appears to advocate."

Some privacy advocates said they didn't think the new proposals were sufficient to protect consumers. Chris Hoofnagle, director of the Berkeley Center for Law & Technology's information privacy programs, said it wasn't realistic to expect consumers to opt out of tracking on a site-by-site basis.

He said the FTC's blueprint resembled the company-by-company system used by the telemarketing industry prior to the do-not-call list. The need to opt out of each company "was too weighty for consumers to navigate," he said, adding that it was also unlikely to work online.

In 2007, a coalition of privacy groups including the World Privacy Forum and Center for Democracy & Technology proposed that the FTC create a do-not-track registry, where people could opt out of all online behavioral tracking.

Jeff Chester, executive director of the Center for Digital Democracy, added that the FTC hasn't "sufficiently analyzed the current state of interactive marketing and data collection."

He also criticized the agency for punting on spelling out what it means by "sensitive" data. "By urging a conversation between industry and consumer groups to 'develop more specific standards,' the commission has effectively and needlessly delayed the enactment of meaningful safeguards."

The Center for Democracy & Technology intends to work with the FTC and Senate Commerce Committee on new legislation addressing behavioral targeting and consumer privacy.

The agency's definition of behavioral advertising excludes first-party advertising, which it defined as advertising "where no data is shared with third parties," and contextual advertising, where an ad is based on a single visit to a Web page or single search query. The Online Publishers Association said Thursday that it was pleased to see that principles are not meant to apply to first-party and contextual ads.

The FTC also said in its report that even non-personally identifiable information--that is, information other than name, address, phone numbers, etc.--could be used to identify specific users. "The best approach is to include within the 'principles' scope any data collected for online behavioral advertising that reasonably could be associated with a particular consumer or with a particular computer or device," according to the report. The FTC specifically mentioned clickstream data as one example of the type of information that could be associated with particular users.

A joint industry task force of the Interactive Advertising Bureau, Association of National Advertisers, the American Association of Advertising Agencies, the Interactive Advertising Bureau and the Direct Marketing Association issued a statement Thursday that it supports "a comprehensive and effective self-regulatory program that protects both consumers and businesses engaged in interactive advertising."

The FTC began investigating behavioral targeting after the Center for Digital Democracy and the U.S. Public Interest Research Group filed a complaint in November 2006. The agency released proposed principles in December of 2007.

Those drew comments from numerous groups. One of the most vocal opponents was the Newspaper Association of America, which argued that the privacy standards could infringe on newspapers' First Amendment rights.

Some observers viewed the fact that two commissioners wrote separate opinions as a signal that the online ad industry needs to act quickly. "It's clear that the window for business to prove that they can do both privacy and personalization is quite narrow," said Jules Polonetsky, co-chair of the AT&T-funded think tank Future of Privacy Forum. "The FTC is being quite clear in saying, 'We have really specific things that we want to see, or this is it.'"