Congress Asked To Limit Online Data Collection

by Wendy Davis , September 1, 2009

A coalition of privacy groups and consumer advocates are calling on Congress to limit companies' ability to track Web users and serve them targeted ads.

"Today, information from consumers is collected, compiled, and sold secretly, all done without reasonable safeguards," the groups said in letters sent Tuesday to lawmakers on the House Commerce Committee. The letters were signed by 10 advocacy organizations including the Center for Digital Democracy, Electronic Frontier Foundation, U.S. Public Interest Research Group and World Privacy Forum. Recipients included Reps. Rick Boucher (D-Va.), Cliff Stearns (R-Fla.), Bobby L. Rush (D-Ill.), George Radanovich (R-Calif.), Henry A. Waxman (D-Calif.), and Joe Barton (R-Texas).

"Tracking people's every move online is an invasion of privacy," the groups said in an accompanying document. "Often consumers are not asked for their consent and have no meaningful control over the collection and use of their information, often by third parties with which they have no relationships."

The advocacy groups put forward several specific proposals to limit data collection, including an outright prohibition on collecting or using sensitive information. The groups say Congress should ask the Federal Trade Commission to define "sensitive," and that the term should include data about "health, finances, ethnicity, race, sexual orientation, personal relationships and political activity."

The privacy organizations also proposed a new type of opt-in/opt-out regime for behavioral targeting. Current self-regulatory guidelines generally call for companies to notify consumers about online ad targeting and allow them to opt out. The privacy advocates recommend moving to a system where Web sites and ad companies can collect and retain non-sensitive information about computer users for up to 24 hours, unless people opt out. After that initial period, however, the companies would need consumers' opt-in consent to retain the data.

Industry groups said Tuesday they oppose moving to that type of system. Mike Zaneis, vice president of public policy at the IAB, said that obtaining opt-in consent "would be devastating to the consumer experience online."

"Requiring opt-in for all publishers, as well as third parties, would facilitate a bombardment of pop-up notices for consumers as they traversed the Web," he said.

Charles Curran, executive director of the Network Advertising Initiative, likewise said the organization takes the position that opt-in consent should only be required when companies are collecting information that's "truly significant to the consumer."

But the privacy groups' proposal to allow behavioral targeting by default for any period of time -- even one as short as 24 hours -- appears to mark a retreat from the more hard-line stance that tracking and targeting always requires opt-in consent.

In the past, the Federal Trade Commission and industry groups have differentiated between "personally identifiable information," like names and addresses, and other supposedly anonymous information. But that distinction has fallen out of favor lately, as there has been a growing recognition that it's possible to compile detailed profiles about people -- profiles that can result in people being identified -- without collecting their names, addresses and the like.

The privacy groups said Tuesday that individuals should be protected "as long as they can be distinguished as a particular computer user based on their profile."

The advocates also proposed a ban on collecting data from minors under age 18, said that consumers should always be able to obtain any data about them held by behavioral targeting companies, and recommended that the FTC create a do-not-track registry similar to the do-not-call registry.

Pam Dixon, executive director of the World Privacy Forum, said in a conference call with reporters that the industry has so far failed to formulate an acceptable definition of "sensitive" data. "Current definitions are too narrow and weak," Dixon said.

Earlier this year, a task force of ad groups including the Interactive Advertising Bureau proposed new self-regulatory principles for behavioral targeting that defined sensitive data as financial account numbers, social security numbers, pharmaceutical prescriptions, or medical records about a specific individual. The task force also proposed allowing the collection of such information, provided that consumers gave affirmative consent.

Boucher is expected to introduce new privacy legislation later this year. Jeff Chester, executive director of the Center for Digital Democracy, said that advocates are mobilizing consumers to lobby in support of new laws.

behavioral targeting, privacy, regulation

3 comments about "Congress Asked To Limit Online Data Collection".

Check to receive email when comments are posted.

Jim Brock from privacychoice, September 3, 2009 at 9:21 a.m.
One of the best ideas in the recommendations that you didn't mention is the Behavioral Tracking Registry. This is being misunderstood by some to mean a registry where consumers opt-out, like the Do-Not-Call Registry. In fact, what the privacy advocates propose is smarter -- which is to require tracking companies to register and make the technical means available for third-parties to create tools (like browser addons) to allow consumer preferences to be honored.
All that is missing from the proposal is to also require each tracking company to claim the domains that they use for tracking activities, and to bind those to their privacy policy so there is a clear chain of accountability between actions and promised practices. That would enable the creation of lots of third-party tools to give consumers meaningful choice and allow everyone to see the benefits of interest-driven marketing.
For more detail on this, see this post:
http://wp.me/pscko-ay
Reply

Lior Leser from LYL Law Group, September 3, 2009 at 2:28 p.m.

The key to resolving these issues is consent and control. Explain to people what you are collecting and give then a simple way to control the information. Trust people with such control. As an <a href="http://www.web20lawyer.com">Internet Lawyer</a> I am often called to explain clients such principles.

Warren Lee from WHL Consulting, September 8, 2009 at 1:37 p.m.

I wonder if the privacy advocates are considering the additional cost that they are inviting online users to incur by lessening the effectiveness of advertising, and the dollars that they generate for the publisher. The targeting that is being done by the advertising community as a whole, is not what these new privacy concerns and proposed controls are about. I doubt very much that a breach in privacy will ever be traced to a legitimate agency or DM as it is not in their interest to do so. So why put curbs on the legitimate businesses which are easily controlled, while the real damage (stealing PII data) is being done by less legitimate individuals and businesses?