• by Steve Smith , Staff Writer @popeyesm, March 21, 2008

Once again this week, the issue of personal privacy and online ad targeting vaulted from the realm of trade chatter into national headlines. A pending bill in the New York State Assembly would put legal restrictions on the collection and use of personal data.

Meanwhile, the Federal Trade Commission extended a deadline for industry comments on the policy guidelines it suggested months ago for self-regulation of behavioral targeting. A legal representative for several companies in the BT value chain, D. Reed Freeman Jr. is partner of Washington law firm Kelley Drye & Warren. The former chief of privacy at Claria, Freeman urges companies to submit comments to the FTC to demonstrate the range of business models and technologies any comprehensive privacy policy might affect.

Behavioral Insider: At what stage are we in the FTC's process after their proposed principles for self-regulation? Did you find anything about their proposals surprising?

D. Reed Freeman Jr: Comments are due on April 11. [The policy outlines] are remarkably broad, by intention, in order to generate significant comment from industry on this issue and to help the FTC better understand the issue.

A few things I think bear mentioning. First, the proposed principles are, as far as I know, the broadest expression by the FTC on what privacy principles ought to apply, even when the data at issue is not personally identifiable.

So one of the principles is reasonable security for the information collected. One question that occurs to me is that if the information collection were compromised [but it] could not possibly lead to any consumer harm such as identity theft, I don't know why there should be a security principle. It seems to me that the security of data should be on a sliding scale relative to the potential harm that could result from the break or unauthorized disclosure of the data. The same thing applies to reasonable data retention.

Also, there are principles calling for affirmative expressed consent for the retroactive application of material changes to a privacy policy. Opt-in is a very high standard. If opt-in were required in every instance, you could imagine a scenario where some opt in and some don't, and you have some people treated under one privacy policy and some under another. If you make changes later, you have another divided database. Over time it appears unworkable from a business perspective. And it's not clear that there is precedent supporting such a high standard where the data at issue is not PII.

BI: Is a solid definition of PII one first step the industry might take to help satisfy and direct FTC principles?

Freeman: The first step is to take advantage of this comment opportunity and talk about how differing business models offer differing types and mechanisms of protecting consumer privacy by way of transparency and consumer choice. Talk about whether given [a company's] own business model, whether the proposed principles make sense or don't. Would it create such a disincentive for companies to grow and change that would outweigh any marginal privacy benefits from the principles being adopted?

I think the FTC would be interested to know that. They would also like to hear what alternatives to the principles may be appropriate. [We] can help them understand the complexities within business models, and the variety and breadth of business models, and maybe reach the conclusion that a one-size-fits-all answer may not be right.

BI: Since the FTC is asking for self-regulation, shouldn't the industry also be showing that it can organize around a set of standards -- and under which body that might occur?

Freeman: I don't know whether there needs to be a centralized group, because there are multiple business models. But I do think the FTC would like to see within the various model at least an effective self-regulatory regime. It would be ideal if the regimes that emerge were complementary to one another and were appropriate for the business models at issue. But I don't think it necessarily follows that there must be one single regulatory body. And I don't think the FTC would be disappointed if one self-regulatory body failed to emerge - but, instead, more than one emerged.

BI: On the legislative front, apart from the FTC, are there bills and proposals companies should be tracking?

Freeman: There are bills pending in New York and Connecticut on behavioral advertising, and there may be movement on those bills. I would say that this is a national issue. A state-specific solution, particularly where non-PII is involved, makes it very difficult for a company to operate one way in one state and another way in another state. The state bills do generate discussion and awareness on how the issue should be addressed, but a state-specific solution is not ideal here.

BI: What is the reasonable timetable or next steps for the FTC?

Freeman: The next steps will depend on what comments they get. I think the best way to proceed here would be a two-tiered comment period modeled after the way the FTC issues trade regulation rules under the Administrative Procedures Act. In that instance, the FTC begins with advance notice of proposed rule-making and a general document laying out what they propose to do, and they get a lot of comments. Then they come back with a notice of rule-making, which is a much more specific set of proposals based on and informed by the comments. Then the industry comments again on that specific proposal, and the FTC ends up in a regulatory regime with a final rule.

Here, by analogy, they have released a very general set of self-regulatory principles and they are going to get a lot of comments from a lot of stakeholders. A terrific approach here would be to take that and make their set of proposals more specific and tailored for different business models, and allow a second round of comment before they offer their final proposed guidelines for self-regulation. I think that would help industry the most, because it would give it the clearest guidance on self-regulation based on lots of input on specific proposals.

BI: Are there precedents for this we could look toward, where the FTC has given final proposals for self-regulation of an industry?

Freeman: I have never in my career seen anything quite like this. I have never seen the FTC lay out specific proposals for self-regulation of an industry. But that is not to say it is inappropriate here. The FTC is wisely taking a measured approach. Moving too quickly with one-size-fits-all regulatory mandates, especially where the Internet is involved, can have serious unintended consequences, and nobody really knows what those are. So I think taking a measured, deliberate, almost academic approach to this is exactly right. But it is a unique situation where they have acted in a unique way as far as I am aware.

advertisement

advertisement