Commentary

Internet Commerce Coalition Urges Regulators To Loosen Proposed Privacy Rules

In 2009, Netflix said it would release a slew of "anonymous" data about its customers, including their gender, ages, ZIP codes and movie rental history, as part of a contest for a better recommendation engine.

The company hoped that researchers would draw on that data to figure out how to predict people's movie preferences, but obviously hadn't thought through the potential privacy pitfalls. Privacy guru Paul Ohm -- one of the first observers to call attention to the plan -- publicly urged Netflix to reverse course. He warned that researchers will be able to connect the "supposedly anonymized" records to people's identities.

Four Netflix users filed a class-action lawsuit to block Netflix from moving forward. One of the four alleged that she was a closeted lesbian who would be harmed if people figured out that she had rented a number of "gay-themed" movies from Netflix.

Faced with the lawsuit, and pressure from the Federal Trade Commission, Netflix backed away from its planned data dump.

advertisement

advertisement

That incident has now resurfaced in comments to the Federal Communications Commission about its proposed broadband privacy rules. The FCC's proposed rules would require broadband providers to obtain users' opt-in consent before using their Web-surfing history for ad targeting.

Internet service providers and other opponents argue that companies should only be required to obtain consumers' opt-in consent before using "sensitive" information for targeting purposes.

But privacy advocates say that the controversy surrounding Netflix's decision to release data shows that whether information is "sensitive" depends very much on the circumstances.

"It is difficult, maybe impossible, for carriers to distinguish between sensitive and non-sensitive without actually looking at and assessing a customer’s information to make that distinction -- and it would be administratively difficult for the FCC to oversee any such distinction," dozens of advocates argued to the FCC earlier this month.

"Many people do not consider individual movie ratings (on sites such as Netflix) to be sensitive," the advocates added. "But in a class-action privacy lawsuit against Netflix, the class representative was a person who felt that her sexual orientation could be deduced from her Netflix viewing record."

This week, the trade group Internet Commerce Coalition (members include broadband providers as well as tech companies like Amazon, eBay and Google), argues that the Netflix controversy "is very far afield" of policies relating to online advertising.

"ISPs are not making large swaths of customer data publicly available for researchers to analyze as they wish," the Internet Commerce Coalition argues.

The Internet Commerce Coalition, like other companies opposed to the proposed privacy rules, say the FCC should use the same basic approach as the Federal Trade Commission, which says it views data differently depending on its nature. "ISPs are subject to internal compliance controls and have been subject to privacy enforcement by regulators and presumably will be subject to enforcement under the eventual final rule," the Internet Commerce Coalition contends.

That argument, however, still doesn't address one of the core concerns about different rules for "sensitive" data: No one has come up with a universally accepted definition of "sensitive."

Ohm, who supports the FCC's proposed privacy rules, noted in comments filed with the FCC in June that industry self-regulatory groups use different definitions of the phrase "sensitive health data," as do companies like Google and Facebook.

It's worth noting that the FTC, while endorsing the concept that sensitive data needs more protection than non-sensitive information, defines "sensitive" more broadly than many companies.

Specifically, the FTC said in comments to the FCC that it supports opt-in consent before companies draw on data like financial information, precise geolocation, Social Security numbers, health data and -- critically -- for "contents" of communications, including social media posts, search queries, comments on Web sites, items in shopping carts, books read and movies watched.

Next story loading loading..