• by Wendy Davis  @wendyndavis, September 1, 2009

A coalition of privacy groups and consumer advocates are calling on Congress to limit companies' ability to track Web users and serve them targeted ads.

"Today, information from consumers is collected, compiled, and sold secretly, all done without reasonable safeguards," the groups said in letters sent Tuesday to lawmakers on the House Commerce Committee. The letters were signed by 10 advocacy organizations including the Center for Digital Democracy, Electronic Frontier Foundation, U.S. Public Interest Research Group and World Privacy Forum. Recipients included Reps. Rick Boucher (D-Va.), Cliff Stearns (R-Fla.), Bobby L. Rush (D-Ill.), George Radanovich (R-Calif.), Henry A. Waxman (D-Calif.), and Joe Barton (R-Texas).

"Tracking people's every move online is an invasion of privacy," the groups said in an accompanying document. "Often consumers are not asked for their consent and have no meaningful control over the collection and use of their information, often by third parties with which they have no relationships."

The advocacy groups put forward several specific proposals to limit data collection, including an outright prohibition on collecting or using sensitive information. The groups say Congress should ask the Federal Trade Commission to define "sensitive," and that the term should include data about "health, finances, ethnicity, race, sexual orientation, personal relationships and political activity."

The privacy organizations also proposed a new type of opt-in/opt-out regime for behavioral targeting. Current self-regulatory guidelines generally call for companies to notify consumers about online ad targeting and allow them to opt out. The privacy advocates recommend moving to a system where Web sites and ad companies can collect and retain non-sensitive information about computer users for up to 24 hours, unless people opt out. After that initial period, however, the companies would need consumers' opt-in consent to retain the data.

Industry groups said Tuesday they oppose moving to that type of system. Mike Zaneis, vice president of public policy at the IAB, said that obtaining opt-in consent "would be devastating to the consumer experience online."

"Requiring opt-in for all publishers, as well as third parties, would facilitate a bombardment of pop-up notices for consumers as they traversed the Web," he said.

Charles Curran, executive director of the Network Advertising Initiative, likewise said the organization takes the position that opt-in consent should only be required when companies are collecting information that's "truly significant to the consumer."

But the privacy groups' proposal to allow behavioral targeting by default for any period of time -- even one as short as 24 hours -- appears to mark a retreat from the more hard-line stance that tracking and targeting always requires opt-in consent.

In the past, the Federal Trade Commission and industry groups have differentiated between "personally identifiable information," like names and addresses, and other supposedly anonymous information. But that distinction has fallen out of favor lately, as there has been a growing recognition that it's possible to compile detailed profiles about people -- profiles that can result in people being identified -- without collecting their names, addresses and the like.

The privacy groups said Tuesday that individuals should be protected "as long as they can be distinguished as a particular computer user based on their profile."

The advocates also proposed a ban on collecting data from minors under age 18, said that consumers should always be able to obtain any data about them held by behavioral targeting companies, and recommended that the FTC create a do-not-track registry similar to the do-not-call registry.

Pam Dixon, executive director of the World Privacy Forum, said in a conference call with reporters that the industry has so far failed to formulate an acceptable definition of "sensitive" data. "Current definitions are too narrow and weak," Dixon said.

Earlier this year, a task force of ad groups including the Interactive Advertising Bureau proposed new self-regulatory principles for behavioral targeting that defined sensitive data as financial account numbers, social security numbers, pharmaceutical prescriptions, or medical records about a specific individual. The task force also proposed allowing the collection of such information, provided that consumers gave affirmative consent.

Boucher is expected to introduce new privacy legislation later this year. Jeff Chester, executive director of the Center for Digital Democracy, said that advocates are mobilizing consumers to lobby in support of new laws.