Earlier this year, in a remarkable
reversal, the Interactive Advertising Bureau officially urged federal lawmakers to consider “sensible” privacy legislation.
The group, which long argued against new privacy laws,
said in September it supported a “uniform privacy standard” that would override state laws -- including a broad California law, slated to take effect in 2020, that will allow consumers to
learn what personal information about them is held by businesses, and to opt out of the sale of that information.
The IAB didn't offer many specifics back in September, but endorsed the
general proposition that new privacy laws “should provide meaningful consumer controls that are technologically neutral, proportionate to consumer risk, and encourage industry best
practices."
Now, the IAB has fleshed out its position. In comments filed with
the Federal Trade Commission last week, the IAB suggests that new laws should be modeled on the industry's self-regulatory principles. Those principles call for companies to notify consumers about
online tracking -- or the collection of data across multiple sites and apps -- and to allow consumers to opt out of receiving ads targeted based on "non-sensitive" data.
The principles also
call for companies to obtain explicit consent before serving consumers with targeted ads based on financial information, data about medical conditions or other information that the industry considers
"sensitive." Since 2012, the industry's self-regulatory code has prohibited
members from collecting any information about people in order to determine their eligibility for employment, credit, health care or insurance.
“As the FTC assesses how it should
approach digital privacy in the coming year, it should consider the reasonableness of certain practices, balanced against consumer expectations and the sensitivity of data in question,” IAB
executive vice president for public policy David Grimaldi writes in the group's comments. “Applying such an approach to consumer privacy, as opposed to a blanket, one-size fits all regime across
the digital ecosystem, will help strike the appropriate balance between strong consumer privacy choices and continued economic development and innovation.”
Some consumer advocacy groups
are urging the FTC to support broader laws. Public Knowledge, for instance, argues that privacy protections shouldn't depend on whether data is deemed “sensitive.”
“The
so-called sensitive/non-sensitive distinction, which provides heightened protections to so-called sensitive information, like first and last name, social security numbers, bank account numbers, etc.,
and lesser protections to other information is increasingly illogical in today’s world and should be eschewed,” the group writes in its comments. “So-called non-sensitive information can be aggregated to reveal sensitive
information, and, in fact, some non-sensitive information, in isolation, may reveal sensitive information.”
The organization points to the use of supposedly “non-sensitive”
data by political consultancies including the now defunct Cambridge Analytica (which famously harvested data from up to 87 million Facebook users) and the Obama campaign (which also reportedly
harvested Facebook data).
“If Cambridge Analytica (and, for that matter, the Obama
campaign) is to be believed, so-called non-sensitive information such as social media likes can be used for highly sensitive activities such as influencing individuals in the voting booth,”
Public Knowledge writes. “In addition, sensitivity is highly subjective. Different individuals are likely to perceive different data points’ sensitivity levels differently.”